Abstract: Different network segments can have overlapping address spaces. In one embodiment, the present invention includes a distributed agent of a security system receiving a security event from a network device monitored by the agent. In one embodiment, the agent normalizes the security event into an event schema including one or more zone fields. In one embodiment, the agent also determines one or more zones associated with the received security event, the one or more zones each describing a part of a network, and populates the one or more zone fields using the determined one or more zones.

Abstract: Different network segments can have overlapping address spaces. In one embodiment, the present invention includes a distributed agent of a security system receiving a security event from a network device monitored by the agent. In one embodiment, the agent normalizes the security event into an event schema including one or more zone fields. In one embodiment, the agent also determines one or more zones associated with the received security event, the one or more zones each describing a part of a network, and populates the one or more zone fields using the determined one or more zones.

Abstract: A network security system having a hierarchical configuration is provided. In one embodiment the present invention includes a plurality of subsystems, where each subsystem includes a plurality of distributed software agents configured to collect base security events from monitor devices, and a local manager module coupled to the plurality of distributed software agents to generate correlated events by correlating the base security events. Each subsystem can also include a filter coupled to the manager module to select which base security events are to be processed further. The selected base security events are passed to a global manager module coupled to the plurality of subsystems that generates global correlated events by correlating the base security events selected for further processing by each filter of each subsystem.

Abstract: A network security system having a hierarchical configuration is provided. In one embodiment the present invention includes a plurality of subsystems, where each subsystem includes a plurality of distributed software agents configured to collect security events from monitor devices, and a local manager module coupled to the plurality of distributed software agents to generate correlated events by correlating the security events. Each of the subsystems can report the correlated events to a global manager module coupled to the plurality of subsystems, and the global manager module can correlate the correlated events from each manager module.

Abstract: A query for security event can be represented as an event channel. The event channel may be displayed as a grid of events. In one embodiment, the events included in the event channel are dynamic and can change after initial observation. In one embodiment, the present invention includes creating an event channel defined by a timeframe and an event filter, the event channel including security events stored in an event database that satisfy the timeframe and the event filter. When a security event changes after the event channel has been created, one embodiment of the invention further includes observing a change to a security event stored in the event database, and dynamically updating the event channel based on the observed change.

Abstract: A unique identifier is assigned to a network node and is used to obtain an “asset model” corresponding to the node and to determine whether the node is a member of a particular category. An asset model is a set of information about a node (e.g., the node's role within the enterprise, software installed on the node, and known vulnerabilities/weaknesses of the node). An identifier lookup module determines a node's identifier based on characteristics of the node (such as IP address, host name, network zone, and/or MAC address), which are used as keys into lookup data structures. A category lookup module determines whether a particular node is a member of (i.e., within) a particular category using a transitive closure to model the categories (properties) that can be attached to an asset model. A transitive closure for a particular asset category is stored as a bitmap, similar to bitmap indexing.