CPC G06F 21/566 (2013.01) [H04L 63/1416 (2013.01); H04L 63/1441 (2013.01); H04L 63/20 (2013.01); G06F 2221/034 (2013.01)]. 18 Claims.
1. A computer-implemented method, executed on a computing device, comprising:
monitoring and logging activity with respect to a computing platform by a plurality of security-relevant subsystems;
detecting a plurality of detection events by the plurality of security-relevant subsystems;
receiving the plurality of detection events concerning a plurality of security events occurring on two or more of the plurality of security-relevant subsystems within the computing platform, wherein the plurality of security events are detected on the plurality of security-relevant subsystems via detection rules native to, and executed on, each of the respective plurality of security-relevant subsystems;
associating one or more artifacts with each of the plurality of detection events;
identifying two or more associated detection events included within the plurality of detection events, including identifying two or more detection events included within the plurality of detection events that have common artifacts/log entries;
grouping the two or more associated detection events to define a security incident, including:
grouping the one or more overlapping artifacts/log entries associated with each of the two or more associated detection events resulting in identifying the two or more associated detection events; and
grouping differing artifacts/log entries associated with each of the two or more associated detection events that did not result in identifying the two or more associated detection events;
processing an event repository including at least a portion of the grouped associated detection events to define one or more identified attack patterns;
one or more of defining a new detection rule and modifying an existing detection rule based upon one or more identified attack patterns; and
automatically initiating an investigation of current activity within the computing platform based upon the current activity being similar to one or more of the identified attack patterns as part of remedial action.
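The claimed method, worked through as an added Python illustration (not code from the patent or its assignee): detection events emitted by each subsystem's own native rules are linked by common artifacts, grouped transitively into incidents that record both the overlapping artifacts that caused the grouping and the differing artifacts carried along, mined for recurring attack patterns, turned into a cross-subsystem detection rule, and compared against current activity to decide whether an investigation is opened automatically. The subsystem names, rule names, artifact keys, similarity threshold and the five sample events are all constructed assumptions.

```python
"""Correlate detections from several security subsystems into incidents,
mine attack patterns from them, derive a rule, and flag similar current
activity. Added illustration; subsystem/rule names, artifact keys and the
sample events are constructed, not taken from the patent."""
from collections import Counter
from itertools import combinations

# Constructed detection events, shaped as each subsystem's native rule would
# emit them. "artifacts" are the pivot values used to associate detections.
EVENTS = [
    {"id": "e1", "source": "edr",   "rule": "office_spawns_powershell",
     "artifacts": {"host": "ws-17", "user": "alice", "sha256": "ab12"}},
    {"id": "e2", "source": "proxy", "rule": "beacon_to_rare_domain",
     "artifacts": {"host": "ws-17", "domain": "cdn-upd.example", "dst_ip": "203.0.113.9"}},
    {"id": "e3", "source": "idp",   "rule": "new_mfa_device",
     "artifacts": {"user": "alice", "src_ip": "198.51.100.4"}},
    {"id": "e4", "source": "edr",   "rule": "lsass_access",
     "artifacts": {"host": "srv-db01", "user": "svc_backup"}},
    {"id": "e5", "source": "fw",    "rule": "port_scan",
     "artifacts": {"src_ip": "192.0.2.77", "dst_ip": "10.0.0.5"}},
]

def common_artifacts(a, b):
    """Artifacts present with an equal value in both events (the link)."""
    return {k: v for k, v in a["artifacts"].items() if b["artifacts"].get(k) == v}

def group_incidents(events):
    """Union events that share any artifact, transitively, into incidents.
    Each incident keeps the overlapping artifacts that caused the grouping
    and, separately, the differing artifacts its members carried along."""
    parent = {e["id"]: e["id"] for e in events}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    links = {}  # (id, id) -> the common artifacts that linked the pair
    for a, b in combinations(events, 2):
        shared = common_artifacts(a, b)
        if shared:
            parent[find(a["id"])] = find(b["id"])
            links[(a["id"], b["id"])] = shared
    incidents = {}
    for e in events:
        inc = incidents.setdefault(find(e["id"]),
                                   {"events": [], "overlapping": {}, "differing": {}})
        inc["events"].append(e)
    for (x, _), shared in links.items():
        incidents[find(x)]["overlapping"].update(shared)
    for inc in incidents.values():
        for e in inc["events"]:
            for k, v in e["artifacts"].items():
                if inc["overlapping"].get(k) != v:
                    inc["differing"].setdefault(k, set()).add(v)
        inc["events"].sort(key=lambda e: e["id"])
    return list(incidents.values())

def attack_pattern(incident):
    """An attack pattern here is the set of (subsystem, rule) pairs that co-occurred."""
    return frozenset((e["source"], e["rule"]) for e in incident["events"])

def mine_patterns(repository, min_events=2):
    """Count patterns across the incident repository, ignoring lone detections."""
    return Counter(attack_pattern(i) for i in repository if len(i["events"]) >= min_events)

def define_rule(pattern):
    """Derive a new cross-subsystem correlation rule from an identified pattern."""
    return {"name": "pattern:" + "+".join(sorted(r for _, r in pattern)), "requires": pattern}

def similarity(pattern, current):
    """Jaccard overlap between a known pattern and the rules firing now."""
    return len(pattern & current) / len(pattern | current)

def should_investigate(current_events, patterns, threshold=0.6):
    """Open an investigation when current activity resembles a known pattern;
    returns the best-matching pattern, or None below the (assumed) threshold."""
    current = frozenset((e["source"], e["rule"]) for e in current_events)
    best = max(patterns, key=lambda p: similarity(p, current), default=None)
    return best if best is not None and similarity(best, current) >= threshold else None

if __name__ == "__main__":
    incidents = group_incidents(EVENTS)
    patterns = mine_patterns(incidents)
    for inc in incidents:
        print([e["id"] for e in inc["events"]], inc["overlapping"], inc["differing"])
    for pat in patterns:
        print(define_rule(pat)["name"])
    # Constructed "current activity" on a different host that partially matches.
    now = [{"source": "edr", "rule": "office_spawns_powershell", "artifacts": {"host": "ws-22"}},
           {"source": "proxy", "rule": "beacon_to_rare_domain", "artifacts": {"host": "ws-22"}}]
    print("investigate:", should_investigate(now, patterns) is not None)
```

With the sample input, e1, e2 and e3 form one incident: e1 and e2 overlap on the host, e1 and e3 on the user, and the hash, domain and IP addresses are kept as differing artifacts rather than discarded, which is what lets a later pivot (for example on the beacon domain) extend the incident. Events e4 and e5 share nothing and stay single-detection incidents that contribute no pattern. The threshold and the Jaccard measure are assumptions; a production implementation would also weight by time proximity and rule severity.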