US 9,813,449 B1
Systems and methods for providing a security information and event management system in a distributed architecture
Igor Unanue Buenechea, Zumaia (ES); and Victor Jurado Martinez, Madrid (ES)
Assigned to Lookwise S.L., Orcoyen (ES)
Filed by Lookwise S.L., Orcoyen, Navarra (ES)
Filed on Aug. 12, 2013, as Appl. No. 13/964,809.
Claims priority of provisional application 61/681,875, filed on Aug. 10, 2012.
Int. Cl. G06F 17/00 (2006.01); H04L 29/06 (2006.01); H04L 29/08 (2006.01); G06F 21/10 (2013.01)
CPC H04L 63/20 (2013.01) [H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); G06F 21/10 (2013.01); H04L 63/145 (2013.01); H04L 67/10 (2013.01)] 12 Claims
1. A computer-implemented distributed security information and event management system (DSIEMS) that manages a computer network comprising a plurality of remote nodes configured to collect and process security event information relating to security events occurring on the computer network and provides for dynamic reconfiguration of functionalities of the plurality of remote nodes, comprising:
the plurality of remote nodes within the computer network for executing software modules for implementing one or more of a plurality of selectively configurable security functionalities related to network security monitoring, each remote node comprising a computing device, wherein each node includes core software comprising at least a software agent, an updater, and a client;
the security functionalities including at least a direct node-to-node communication functionality, a collection functionality for collecting security event information, and a correlation functionality that evaluates security event information and generates alerts;
the software agent of a respective remote node comprising an executable responsive to a configuration file received from a central management system to load plugins for a software module, the plugins comprising one or more dynamic link-libraries (DLLs) that effect aspects of at least one selectively configurable functionality on a remote node;
the updater of the respective remote node comprising an executable associated with the software agent of the respective remote node that enables the software agent to install, uninstall, or update plugins for a software module on the respective remote node;
the client of the respective remote node comprising a DLL that effects connectivity between the respective remote node and the central management system and between the respective remote node and another remote node that are both configured with a functionality for direct node-to-node communication;
the central management system for managing the plurality of remote nodes and security event information relating to security events affecting each respective remote node, for providing a configuration file to respective remote nodes to install, uninstall, or update plugins on the respective remote nodes, and for receiving remote node configuration instructions from a user;
a storage system maintained by the central management system that stores security event information identified at each respective remote node;
a communication link between the plurality of remote nodes and the central management system that enables transmission of information between the plurality of remote nodes and the central management system and between nodes that are configured for direct node-to-node communications, and to communicate commands comprising binaries of software modules to be installed or updated on the remote nodes and configuration files from the central management system to the remote nodes; and
in response to the user interacting with the central management system to specify a particular configurable functionality for a specified remote node, the central management system generating a command to the specified remote node to implement the specified configurable functionality, the command comprising binaries of the software module to be installed or updated on the specified remote node and a configuration file;
in response to receipt at the specified remote node of the command from the central management system to implement the specified configurable functionality, the software agent at the specified remote node processing the command by processing the configuration file and executing the updater in accordance with the configuration file to install the binaries of the software module to be installed or updated to effect the specified configurable functionality at the specified remote node;
in response to execution of an installed software module at a specified remote node for effecting a collection functionality at the specified remote node, collecting security event information at the specified remote node;
in response to execution of an installed software module at the specified remote node for effecting a correlation functionality at the specified remote node, subscribing to a collection software module at another remote node to obtain security event information from said another remote node via the direct node-to-node communication functionality;
in further response to execution of the installed software module at the specified remote node for effecting the correlation functionality at the specified remote node, processing the security event information received from the collection module at the said another remote node to generate an alert; and
in further response to execution of the installed software module at the specified remote node for effecting the correlation functionality at the specified remote node, generating an alert at the specified remote node and communicating the alert to the central management system.
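As an added illustration that is not code from the patent or from Lookwise, the following Python model walks through the sequence the claim describes: the central management system turns a user's request into a command carrying a module "binary" and a configuration file, the node's agent parses the configuration and has the updater install the plugin, a correlation module on one node subscribes directly to the collection module on another node, and the resulting alert is sent back to central storage. The class names, the auth-failure threshold rule and the sample events are constructed for this example.

```python
import json
class CollectionModule:                         # plugin for the collection functionality
    def __init__(self, node, params):
        self.node, self.subscribers = node, []
    def collect(self, event):                   # security event observed at this node
        for callback in self.subscribers:       # direct node-to-node delivery to subscribers
            callback(self.node.node_id, event)

class CorrelationModule:                        # plugin for the correlation functionality
    def __init__(self, node, params):
        self.node, self.threshold, self.failures = node, params["threshold"], {}
        peer = node.connect(params["source_node"])          # another remote node
        peer.modules["collection"].subscribers.append(self.on_event)   # subscribe to it
    def on_event(self, source, event):
        if event["type"] == "auth_failure":      # constructed rule: N failures from one source
            ip = event["src_ip"]
            self.failures[ip] = self.failures.get(ip, 0) + 1
            if self.failures[ip] == self.threshold:          # fires once per source
                alert = {"node": self.node.node_id, "source": source, "src_ip": ip, "rule": "auth_failure_burst"}
                self.node.central.receive_alert(alert)       # alert goes to central

MODULE_BINARIES = {"collection": CollectionModule, "correlation": CorrelationModule}  # stand-in for DLLs

class Node:                                     # remote node: agent, updater and client in one
    def __init__(self, node_id, central):
        self.node_id, self.central, self.modules = node_id, central, {}
        central.nodes[node_id] = self
    def connect(self, peer_id):                 # client: link to another remote node
        return self.central.nodes[peer_id]
    def agent_handle_command(self, command):    # agent reads config, updater installs plugin
        cfg = json.loads(command["config"])
        self.modules[cfg["functionality"]] = command["binary"](self, cfg["params"])

class CentralManagement:
    def __init__(self):
        self.nodes, self.storage = {}, []       # node registry; storage system for alerts
    def configure(self, node_id, functionality, **params):   # user request -> command
        config = json.dumps({"functionality": functionality, "params": params})
        self.nodes[node_id].agent_handle_command({"binary": MODULE_BINARIES[functionality], "config": config})
    def receive_alert(self, alert):
        self.storage.append(alert)

def run_scenario(threshold=3):
    central = CentralManagement()
    collector, _ = Node("node-a", central), Node("node-b", central)
    central.configure("node-a", "collection")
    central.configure("node-b", "correlation", source_node="node-a", threshold=threshold)
    for _ in range(threshold + 1):              # constructed sample events, one past the threshold
        collector.modules["collection"].collect({"type": "auth_failure", "src_ip": "203.0.113.9"})
    return central.storage
```

Only one alert reaches central even though the threshold is exceeded, which matches the once-per-source rule in the correlation plugin.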