Abstract: The invention relates to a system and method for customizing and storing workflow processes for use in remediation incidents such as security events. One aspect of the invention relates to providing tools to enable creation of customized workflow processes for event driven incident remediation, monitoring and analyzing system activity to identify occurrence of incidents, assigning a workflow process to an incident, applying the assigned workflow process to remediate the incident, and tracking and graphically displaying the status of the workflow process, among other things.

Abstract: Described herein is a system and method for auditing governance, risk, and compliance using an event correlation architecture. In particular, the event correlation architecture may include a solution designer for defining a solution pack that enforces one or more specific governance, risk, or compliance controls, and a solution manager for deploying the solution pack within the event correlation architecture to configure the architecture for enforcement of the one or more controls. Thus, a collection of content defined in the solution pack may be used to enrich one or more events received at the event correlation architecture, and a correlation engine may then correlate the events using the content in the solution pack to enforce the one or more governance, risk, or compliance controls.

Abstract: The invention relates to a system and method for customizing and storing workflow processes for use in remediation incidents such as security events. One aspect of the invention relates to providing tools to enable creation of customized workflow processes for event driven incident remediation, monitoring and analyzing system activity to identify occurrence of incidents, assigning a workflow process to an incident, applying the assigned workflow process to remediate the incident, and tracking and graphically displaying the status of the workflow process, among other things.

Abstract: The invention relates to a system and method for customizing and storing workflow processes for use in remediation incidents such as security events. One aspect of the invention relates to providing tools to enable creation of customized workflow processes for event driven incident remediation, monitoring and analyzing system activity to identify occurrence of incidents, assigning a workflow process to an incident, applying the assigned workflow process to remediate the incident, and tracking and graphically displaying the status of the workflow process, among other things.

Abstract: Apparatus, systems, and methods may operate to include transforming subsequent unmarked contexts into additional tainted contexts in response to identifying a tainted event as a link between a prior tainted context and the subsequent unmarked contexts. Further operations may include publishing an event horizon to a display. The event horizon may include the tainted event and all other events associated with a linked chain of contexts that include the prior tainted context and the additional tainted contexts, where the tainted event and the other events share the taint in common. In this way, a taint associated with malicious behavior can be propagated and tracked as it moves between contexts. Additional apparatus, systems, and methods are disclosed.

Abstract: Apparatus, systems, and methods may operate to generate a reference statistical model of an operating system, such as a computer system, and display the reference statistical model as a hierarchical, segmented time series event stream graph, along with a graph representing current behavior of the system. The event stream graph may be derived from one or more streams of security events. Additional operations may include receiving requests to display further detail respecting discrepancies between the reference statistical model and the current behavior. Other apparatus, systems, and methods are disclosed.

Abstract: Methods and apparatus teach defining an access policy to digital data available on one or more computing devices, including identifying one or more semantic attributes of at least one first digital data set and using the identified attributes to define policy dictating user access privileges. On receipt of a user request to access at least one second digital data set, semantic attributes are compared to the at least one first digital data set and access is allowed or not allowed based on the policy. Semantic attributes are selected from at least one of a closeness attribute, a relatedness attribute, and a semantic vector attribute. Also is taught configuring a policy enforcement agent on the one or more computing devices to undertake the comparing and to allow or not allow access. In turn, computer program products and computing systems for accomplishing the foregoing are provided.

Abstract: Apparatus, systems, and methods may operate to receive multiple security event data streams from a plurality of hardware processing nodes, the multiple security event data streams comprising multiple security events. Additional operations may include extracting multiple security events from multiple security event data streams, and classifying the extracted multiple security events to form domain-specific, categorized data streams. A hierarchy of statistical data streams may then be generated from the domain-specific, categorized data streams. Additional apparatus, systems, and methods are disclosed.

Abstract: Apparatus, systems, and methods may operate to receive multiple security event data streams from a plurality of hardware processing nodes, the multiple security event data streams comprising multiple security events. Additional operations may include extracting multiple security events from multiple security event data streams, and classifying the extracted multiple security events to form domain-specific, categorized data streams. A hierarchy of statistical data streams may then be generated from the domain-specific, categorized data streams. Additional apparatus, systems, and methods are disclosed.

Abstract: Apparatus, systems, and methods may operate to include transforming subsequent unmarked contexts into additional tainted contexts in response to identifying a tainted event as a link between a prior tainted context and the subsequent unmarked contexts. Further operations may include publishing an event horizon to a display. The event horizon may include the tainted event and all other events associated with a linked chain of contexts that include the prior tainted context and the additional tainted contexts, where the tainted event and the other events share the taint in common. In this way, a taint associated with malicious behavior can be propagated and tracked as it moves between contexts. Additional apparatus, systems, and methods are disclosed.

Abstract: Apparatus, systems, and methods may operate to generate a reference statistical model of an operating system, such as a computer system, and display the reference statistical model as a hierarchical, segmented time series event stream graph, along with a graph representing current behavior of the system. The event stream graph may be derived from one or more streams of security events. Additional operations may include receiving requests to display further detail respecting discrepancies between the reference statistical model and the current behavior. Other apparatus, systems, and methods are disclosed.

Abstract: A system for pluggable event correlation may include an input manager that receives a plurality of events and converts the events into a format compatible with one or more of a plurality of correlation engines. The correlation engines may then evaluate the converted events using various rules and generate correlated events when the evaluated events trigger at least one of the rules. An action manager may execute remedial actions when the correlation engines generate the correlated events. Moreover, extensibility may be provided by enabling a user to define rules to be triggered when events occur in a predetermined pattern, and actions to be executed when a predetermined rule triggers a correlated event. Further, to plug a new correlation engine into the system, adapters may be deployed to handle input and output, while the user-defined rules may be validating according to semantic requirements of the new correlation engine.

Abstract: Methods and apparatus teach defining an access policy to digital data available on one or more computing devices, including identifying one or more semantic attributes of at least one first digital data set and using the identified attributes to define policy dictating user access privileges. On receipt of a user request to access at least one second digital data set, semantic attributes are compared to the at least one first digital data set and access is allowed or not allowed based on the policy. Semantic attributes are selected from at least one of a closeness attribute, a relatedness attribute, and a semantic vector attribute. Also is taught configuring a policy enforcement agent on the one or more computing devices to undertake the comparing and to allow or not allow access. In turn, computer program products and computing systems for accomplishing the foregoing are provided.

Abstract: A computer-implemented device provides security events from publishers to subscribers. There is provided a message bus, configured to contain a plurality of security events. Also provided is a receiver unit, responsive to a plurality of publishers, to receive the plurality of security events from the publishers. There is also a queue unit, responsive to receipt of the security events, to queue the plurality of security events in the message bus. Also, there is a transport unit, responsive to the security events in the message bus, to transport the plurality of security events in the message bus to a plurality of subscribers.

Abstract: A computer-implemented device provides security events from publishers to subscribers. There is provided a message bus, configured to contain a plurality of security events. Also provided is a receiver unit, responsive to a plurality of publishers, to receive the plurality of security events from the publishers. There is also a queue unit, responsive to receipt of the security events, to queue the plurality of security events in the message bus. Also, there is a transport unit, responsive to the security events in the message bus, to transport the plurality of security events in the message bus to a plurality of subscribers.

Abstract: Described herein is a system and method for auditing governance, risk, and compliance using an event correlation architecture. In particular, the event correlation architecture may include a solution designer for defining a solution pack that enforces one or more specific governance, risk, or compliance controls, and a solution manager for deploying the solution pack within the event correlation architecture to configure the architecture for enforcement of the one or more controls. Thus, a collection of content defined in the solution pack may be used to enrich one or more events received at the event correlation architecture, and a correlation engine may then correlate the events using the content in the solution pack to enforce the one or more governance, risk, or compliance controls.

Abstract: A system for pluggable event correlation may include an input manager that receives a plurality of events and converts the events into a format compatible with one or more of a plurality of correlation engines. The correlation engines may then evaluate the converted events using various rules and generate correlated events when the evaluated events trigger at least one of the rules. An action manager may execute remedial actions when the correlation engines generate the correlated events. Moreover, extensibility may be provided by enabling a user to define rules to be triggered when events occur in a predetermined pattern, and actions to be executed when a predetermined rule triggers a correlated event. Further, to plug a new correlation engine into the system, adapters may be deployed to handle input and output, while the user-defined rules may be validating according to semantic requirements of the new correlation engine.

Abstract: The invention relates to a system and method for customizing and storing workflow processes for use in remediation incidents such as security events. One aspect of the invention relates to providing tools to enable creation of customized workflow processes for event driven incident remediation, monitoring and analyzing system activity to identify occurrence of incidents, assigning a workflow process to an incident, applying the assigned workflow process to remediate the incident, and tracking and graphically displaying the status of the workflow process, among other things.