
System and method for detecting real-time security threats in a network datacenter

Network datacenter and real-time security technology, applied in the fields of software maintenance/management, unauthorized memory use protection, instruments, etc. It addresses the problems of consuming or needlessly risking impact on operations; listeners may be particularly configured to negate these challenges.

Inactive Publication Date: 2011-12-08
MICRO FOCUS SOFTWARE INC

AI Technical Summary

Benefits of technology

[0009] According to one aspect of the invention, the system and method described herein may be used to create a configuration management database in a network datacenter, wherein the configuration management database may model interdependencies, detect real-time security threats, and manage proposed changes in the network datacenter. In particular, the system and method described herein may obtain accurate and timely information describing relationships and interdependencies in the datacenter, which may be modeled in a dependency database. As such, the information modeling the relationships and interdependencies in the dependency database may be used to seed the configuration management database. Further, the system and method described herein may employ Netflow or other network protocols that can suitably collect information relating to network traffic in the datacenter in a lightweight and non-impacting manner, which may achieve the desired end result of seeding the configuration management database with information describing various resources in the datacenter and relationships and interdependencies between the resources without consuming or needlessly risking impact on the operations performed by the resources in the datacenter.

[0010] According to one aspect of the invention, the system and method described herein may deliberately sample or selectively extract certain portions of information from various available network flows that traverse the datacenter. The deliberate sampling or selective extraction techniques may deliberately dampen or reduce impacts on operations in the datacenter, as a number of flows needed to build a dependency map for the resources contained therein may be deliberately dampened. For example, any particular connection or “conversation” between network resources in the datacenter may be observed, wherein the observed connection or “conversation” may generally include two flows (i.e., one directed from an originating resource to a destination resource and another directed from the destination resource to the originating resource). As such, because the deliberately sampled mode may intentionally dampen the number of observed flows needed to build the dependency map, the system and method may include various components that can distinguish which one of the resources originated the connection to thereby model a directional dependency between the originating resource and the destination resource. Thus, the deliberate sampling techniques may lessen impact on the datacenter without compromising the ability to model the relationships and dependencies between the resources therein to optimally balance effectiveness and practicality.

[0015] According to one aspect of the invention, in response to performing the discovery scan to create the resource inventory describing the resources in the datacenter, the configuration management database may be seeded with various configuration items describing the inventoried resources. Further, in response to detecting any new or changed relationships or other dependencies within the datacenter, the relationships or dependencies may be modeled with configuration items describing the relationships or dependencies in the configuration management database. The configuration management database may therefore include various configuration items describing every resource modeled in the resource inventory and every dependency modeled in the dependency database. The dependency engine may further dynamically update the configuration management database in response to discovering any new or changed information associated with the resources and dependencies modeled therein. Furthermore, a management infrastructure may then reference the configuration management database to provide management over the datacenter in various ways (e.g., to detect real-time security threats in the datacenter, assess the scope and impact proposed changes may have in the datacenter, and manage conflicts that the proposed changes may have in the datacenter).

Problems solved by technology

The deliberate sampling or selective extraction techniques may deliberately dampen or reduce impacts on operations in the datacenter, as a number of flows needed to build a dependency map for the resources contained therein may be deliberately dampened.
Furthermore, the listeners may be particularly configured to negate challenges, including expense upon resources in the datacenter and risk that the operation of the resources will be dangerously impacted due to excess bandwidth consumption, which could otherwise arise from processing every conversation that occurs in the datacenter.


Embodiment Construction

[0027] According to one aspect of the invention, FIG. 1 illustrates an exemplary system 100 for creating a configuration management database 160 in a network datacenter 110, wherein the configuration management database 160 created with the techniques described herein may be used to model interdependencies, detect real-time security threats, and manage proposed changes in the network datacenter 110. In particular, the system 100 shown in FIG. 1 and described herein may obtain accurate and timely information describing relationships and interdependencies in the datacenter 110, which may then be stored in a dependency database 135b containing information describing such relationships and interdependencies. As such, the information describing the relationships and interdependencies in the dependency database 135b may be used to seed the configuration management database 160. For example, in one implementation, the system 100 may employ Netflow or various other network protocols that can...


Abstract

The system and method described herein may include a configuration management database that describes every known service endpoint in a network datacenter to represent a steady state for the datacenter. One or more listeners may then observe traffic in the datacenter in real-time to detect network conversations initiating new activity in the datacenter, which may be correlated, in real-time, with the information in the configuration management database representing the steady state for the datacenter. Thus, in response to the new activity failing to correlate with the known service endpoints, a real-time security alert may be generated to indicate that any network conversations initiating such activity fall out-of-scope from the steady state for the information technology datacenter.
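
The correlation described in the abstract, combined with the originator detection from paragraph [0010], as an added Python example (not code from the patent or its owner). The flow record layout, the sample addresses and ports, and the rule that the earlier of a conversation's two flows marks the originating resource are assumptions; the text does not say how the originator is distinguished.

```python
from collections import namedtuple

# One unidirectional flow record, roughly what a NetFlow-style exporter reports.
Flow = namedtuple("Flow", "start src sport dst dport proto")

# Constructed steady state: known service endpoints as the CMDB would list them.
KNOWN_ENDPOINTS = {("10.0.1.10", 443, "tcp"), ("10.0.2.20", 5432, "tcp")}

def conversation_key(f):
    """Return the same key for both directions of one conversation."""
    ends = sorted([(f.src, f.sport), (f.dst, f.dport)])
    return (f.proto, ends[0], ends[1])

def originators(flows):
    """Keep one flow per conversation: the one that started first.
    Assumption: the earlier flow belongs to the originating resource."""
    first = {}
    for f in flows:
        k = conversation_key(f)
        if k not in first or f.start < first[k].start:
            first[k] = f
    return sorted(first.values(), key=lambda f: f.start)

def out_of_scope(flows, known=KNOWN_ENDPOINTS):
    """Originating flows whose destination is not a known service endpoint."""
    return [f for f in originators(flows)
            if (f.dst, f.dport, f.proto) not in known]

# Constructed sample: three conversations, two flows each.
SAMPLE_FLOWS = [
    Flow(100.000, "10.0.3.5", 51000, "10.0.1.10", 443, "tcp"),    # client -> web
    Flow(100.002, "10.0.1.10", 443, "10.0.3.5", 51000, "tcp"),    # web reply
    Flow(101.000, "10.0.1.10", 40222, "10.0.2.20", 5432, "tcp"),  # web -> db
    Flow(101.001, "10.0.2.20", 5432, "10.0.1.10", 40222, "tcp"),  # db reply
    Flow(102.501, "10.0.9.9", 4444, "10.0.2.20", 39000, "tcp"),   # reply, exported first
    Flow(102.500, "10.0.2.20", 39000, "10.0.9.9", 4444, "tcp"),   # db host opens new conversation
]

if __name__ == "__main__":
    # Replies to known services target ephemeral ports; judging only the
    # originating direction keeps them from raising false alerts.
    for f in out_of_scope(SAMPLE_FLOWS):
        print(f"ALERT out-of-scope: {f.src}:{f.sport} -> {f.dst}:{f.dport}/{f.proto}")
```

Without the originator step, every reply flow from a known service would look like new activity toward an unknown endpoint, which is why the directional dependency matters for alert quality.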

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This application claims the benefit of U.S. Provisional Patent Application Ser. No. 61/352,257, entitled “System and Method for Creating and Leveraging a Configuration Management Database,” filed Jun. 7, 2010, the contents of which are hereby incorporated by reference in their entirety.

[0002] In addition, this application is related to U.S. patent application Ser. No. ______, entitled “System and Method for Modeling Interdependencies in a Network Datacenter,” filed on an even date herewith, and U.S. patent application Ser. No. ______, entitled “System and Method for Managing Changes in a Network Datacenter,” filed on an even date herewith, both of which further claim the benefit of U.S. Provisional Patent Application Ser. No. 61/352,257, and the contents of which are hereby incorporated by reference in their entirety.

FIELD OF THE INVENTION

[0003] The invention relates to a system and method for detecting real-time security threats in a netwo...


Application Information

IPC(8): G06F21/00
CPC: H04L43/10, G06F8/71
Inventor: WESTERFELD, KURT ANDREW
Owner: MICRO FOCUS SOFTWARE INC