US-20260129066-A1 - ASYNCHRONOUS DATA PROCESSING IN EXTENDED DETECTION AND RESPONSE SYSTEMS
Abstract
This disclosure describes techniques for mapping local device identifiers used in monitoring data from different sources to a common global identifier to enable correlation of monitoring events related to the same device. The techniques can be used in the context of an Extended Detection and Response (XDR) system architecture for advanced threat detection and response in a computer system. In some cases, the XDR system ingests security data from various monitoring components like Endpoint Detection and Response (EDR), Intrusion Detection Systems (IDSs), Intrusion Prevention Systems (IPSs), firewall engines, and email security systems.
Inventors
- Tomas Jirsik
- Cenek Skarda
- David Sislak
- Jaroslav Hlavac
Assignees
- CISCO TECHNOLOGY, INC.
Dates
- Publication Date
- 20260507
- Application Date
- 20251231
Claims (20)
- 1 . A method comprising: receiving, from a first computing entity, a request to obtain a first device identifier for a computing device identified by a second device identifier, wherein the request comprises a first indication of the second device identifier and a second indication of a first time, and wherein the first device identifier is a common device identifier across a plurality of monitoring components; receiving, from a second computing entity associated with a first monitoring component of the plurality of monitoring components, first monitoring data associated with the computing device, wherein the first monitoring data is recorded before the first time but is received within a threshold period of the first time, and wherein the first monitoring data comprises a third indication of a third device identifier for the computing device; determining, at a second time after the threshold period, a monitoring data batch based on the first monitoring data; and determining the first device identifier based on the monitoring data batch, wherein determining the first device identifier comprises: determining a correlation between the second device identifier and the third device identifier, and mapping the correlation to the first device identifier; and providing the first device identifier to the first computing entity.
- 2 . The method of claim 1 , wherein the threshold period is determined based on a wait period and a smoothing window size.
- 3 . The method of claim 2 , wherein the smoothing window size represents a number of timesteps after the first time whose respective monitoring data should be included in the monitoring data batch.
- 4 . The method of claim 1 , further comprising: receiving second monitoring data associated with the computing device, wherein the second monitoring data is recorded before the first monitoring data but received after the first monitoring data and within the threshold period; and determining the monitoring data batch to represent that the second monitoring data is recorded before the first monitoring data.
- 5 . The method of claim 1 , further comprising: based on receiving the request, providing a retry indication to the first computing entity, wherein the retry indication comprises the second time.
- 6 . The method of claim 1 , wherein the first computing entity is a monitoring component and providing the first device identifier comprises: providing feedback data representing one or more device identifiers determined for the computing device based on the monitoring data batch.
- 7 . The method of claim 1 , wherein the first computing entity is configured to determine a security prediction associated with the computing device based on the first monitoring data.
- 8 . The method of claim 1 , wherein the first computing entity is configured to perform a responsive operation in relation to the computing device based on the first monitoring data.
- 9 . A system comprising: one or more processors; and one or more computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: receiving, from a first computing entity, a request to obtain a first device identifier for a computing device identified by a second device identifier, wherein the request comprises a first indication of the second device identifier and a second indication of a first time, and wherein the first device identifier is a common device identifier across a plurality of monitoring components; receiving, from a second computing entity associated with a first monitoring component of the plurality of monitoring components, first monitoring data associated with the computing device, wherein the first monitoring data is recorded before the first time but is received within a threshold period of the first time, and wherein the first monitoring data comprises a third indication of a third device identifier for the computing device; determining, at a second time after the threshold period, a monitoring data batch based on the first monitoring data; and determining the first device identifier based on the monitoring data batch, wherein determining the first device identifier comprises: determining a correlation between the second device identifier and the third device identifier, and mapping the correlation to the first device identifier; and providing the first device identifier to the first computing entity.
- 10 . The system of claim 9 , wherein the threshold period is determined based on a wait period and a smoothing window size.
- 11 . The system of claim 10 , wherein the smoothing window size represents a number of timesteps after the first time whose respective monitoring data should be included in the monitoring data batch.
- 12 . The system of claim 9 , the operations further comprising: receiving second monitoring data associated with the computing device, wherein the second monitoring data is recorded before the first monitoring data but received after the first monitoring data and within the threshold period; and determining the monitoring data batch to represent that the second monitoring data is recorded before the first monitoring data.
- 13 . The system of claim 9 , the operations further comprising: based on receiving the request, providing a retry indication to the first computing entity, wherein the retry indication comprises the second time.
- 14 . The system of claim 9 , wherein the first computing entity is a monitoring component and providing the first device identifier comprises: providing feedback data representing one or more device identifiers determined for the computing device based on the monitoring data batch.
- 15 . The system of claim 9 , wherein the first computing entity is configured to determine a security prediction associated with the computing device based on the first monitoring data.
- 16 . The system of claim 9 , wherein the first computing entity is configured to perform a responsive operation in relation to the computing device based on the first monitoring data.
- 17 . One or more non-transitory computer-readable media storing computer-executable instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising: receiving, from a first computing entity, a request to obtain a first device identifier for a computing device identified by a second device identifier, wherein the request comprises a first indication of the second device identifier and a second indication of a first time, and wherein the first device identifier is a common device identifier across a plurality of monitoring components; receiving, from a second computing entity associated with a first monitoring component of the plurality of monitoring components, first monitoring data associated with the computing device, wherein the first monitoring data is recorded before the first time but is received within a threshold period of the first time, and wherein the first monitoring data comprises a third indication of a third device identifier for the computing device; determining, at a second time after the threshold period, a monitoring data batch based on the first monitoring data; and determining the first device identifier based on the monitoring data batch, wherein determining the first device identifier comprises: determining a correlation between the second device identifier and the third device identifier, and mapping the correlation to the first device identifier; and providing the first device identifier to the first computing entity.
- 18 . The one or more non-transitory computer-readable media of claim 17 , wherein the threshold period is determined based on a wait period and a smoothing window size.
- 19 . The one or more non-transitory computer-readable media of claim 18 , wherein the smoothing window size represents a number of timesteps after the first time whose respective monitoring data should be included in the monitoring data batch.
- 20 . The one or more non-transitory computer-readable media of claim 17 , the operations further comprising: receiving second monitoring data associated with the computing device, wherein the second monitoring data is recorded before the first monitoring data but received after the first monitoring data and within the threshold period; and determining the monitoring data batch to represent that the second monitoring data is recorded before the first monitoring data.
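The request, wait, batch and retry flow of claims 1 through 6 as a small self-contained simulation. This is an added illustrative example, not code from the patent or from Cisco. Everything specific to it is an assumption made for the example: integer timesteps; "kind:value" identifier strings; the rule that identifiers reported together in one record are correlated (resolved with union-find); the formula threshold = wait period + smoothing window; the Tracker, Record, Retry and Answer names; and the constructed EDR, IDS and firewall records in demo().

```python
"""Simulation of asynchronous local-to-global device identifier mapping.

Added example, not the patent's implementation. Timesteps are integers,
identifiers are "kind:value" strings, and identifiers that appear together
in one monitoring record are assumed to be correlated.
"""
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Record:
    source: str          # monitoring component that produced it, e.g. "edr" or "ids"
    recorded_at: int     # timestep at which the component observed the event
    received_at: int     # timestep at which the tracker received it (may be later, out of order)
    identifiers: tuple   # local identifiers seen together, e.g. ("agent:A1", "ip:10.0.0.5")


@dataclass(frozen=True)
class Retry:
    retry_at: int        # the "second time": earliest timestep at which an answer exists


@dataclass(frozen=True)
class Answer:
    global_id: str       # common identifier across monitoring components
    feedback: tuple      # every local identifier now mapped to the same device (claim 6)


class Tracker:
    def __init__(self, wait_period: int, smoothing_window: int):
        self.wait_period = wait_period
        self.smoothing_window = smoothing_window
        self.received: list[Record] = []
        self.global_ids: dict[str, str] = {}   # local identifier -> global id, kept across batches
        self._next = 1

    @property
    def threshold(self) -> int:
        # Claim 2: threshold period derived from wait period and smoothing window size (assumed sum).
        return self.wait_period + self.smoothing_window

    def ingest(self, rec: Record) -> None:
        self.received.append(rec)

    def batch(self, first_time: int, now: int) -> list[Record]:
        """Records recorded no later than first_time + smoothing_window (claim 3) that have
        arrived by `now`, ordered by recording time so a late arrival that was recorded
        earlier is placed before data that overtook it in transit (claim 4)."""
        cutoff = first_time + self.smoothing_window
        rows = [r for r in self.received if r.received_at <= now and r.recorded_at <= cutoff]
        return sorted(rows, key=lambda r: (r.recorded_at, r.received_at))

    def resolve(self, local_id: str, first_time: int, now: int) -> Union[Retry, Answer]:
        """Answer a request for the global id of the device known locally as `local_id`
        at `first_time`; before the threshold has elapsed, say when to retry (claim 5)."""
        second_time = first_time + self.threshold
        if now < second_time:
            return Retry(retry_at=second_time)

        # Union-find over identifiers that co-occur in a record of the batch.
        parent: dict[str, str] = {}

        def find(x: str) -> str:
            parent.setdefault(x, x)
            while parent[x] != x:
                parent[x] = parent[parent[x]]   # path halving
                x = parent[x]
            return x

        for rec in self.batch(first_time, now):
            for ident in rec.identifiers:
                find(ident)                      # register even single-identifier records
            first, *rest = rec.identifiers
            for other in rest:
                ra, rb = find(first), find(other)
                if ra != rb:
                    parent[rb] = ra

        root = find(local_id)                    # registers an id nothing correlated yet
        members = tuple(sorted(x for x in parent if find(x) == root))

        # Reuse a global id any member already carries so the mapping stays stable over time;
        # if two previously separate devices merge, keep the smallest id; otherwise mint one.
        known = sorted({self.global_ids[m] for m in members if m in self.global_ids})
        gid = known[0] if known else f"dev-{self._next:04d}"
        if not known:
            self._next += 1
        for m in members:
            self.global_ids[m] = gid
        return Answer(global_id=gid, feedback=members)


def demo() -> dict:
    """Constructed scenario: an EDR and an IDS report the same workstation asynchronously."""
    tr = Tracker(wait_period=2, smoothing_window=1)          # threshold = 3 timesteps
    # IDS observed the host at t=3, but its report reaches the tracker late, at t=6.
    tr.ingest(Record("ids", recorded_at=3, received_at=6, identifiers=("ip:10.0.0.5", "host:ws01")))
    # EDR report recorded later (t=4) but delivered earlier (t=5): out-of-order arrival.
    tr.ingest(Record("edr", recorded_at=4, received_at=5, identifiers=("agent:A1", "ip:10.0.0.5")))
    # Firewall event inside the smoothing window after the request time.
    tr.ingest(Record("fw", recorded_at=6, received_at=7, identifiers=("ip:10.0.0.5",)))

    first_time = 5
    early = tr.resolve("ip:10.0.0.5", first_time, now=6)     # threshold not elapsed -> Retry(8)
    late = tr.resolve("ip:10.0.0.5", first_time, now=8)      # batch complete -> Answer
    same = tr.resolve("agent:A1", first_time, now=9)         # EDR-side id maps to the same device
    order = [r.source for r in tr.batch(first_time, now=8)]  # recorded order, not arrival order
    return {"early": early, "late": late, "same": same, "order": order}
```

Running demo() shows the point of the wait: at now=6 only the EDR record has arrived, so answering immediately would bind the IP to the agent identifier alone and miss the host name the IDS reported, which is the kind of mismatch FIG. 6 illustrates; after the threshold the batch holds all three records in recorded order and both the IP and the agent identifier resolve to the same global id with the full feedback set.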
Description
CROSS-REFERENCES TO RELATED APPLICATION(S)
This application is a continuation of U.S. patent application Ser. No. 18/454,553, filed on Aug. 23, 2023, titled "Asynchronous Monitoring Data Processing in Extended Detection and Response Systems", and U.S. Provisional Patent Application No. 63/461,379, filed on Apr. 24, 2023, titled "Asset Representation and Tracking for Extended Detection and Response (XDR) Systems," both of which are incorporated by reference herein in their entirety.
TECHNICAL FIELD
This application pertains to the field of computer security and, more specifically, to techniques for processing monitoring data in extended detection and response systems.
BACKGROUND
Extended detection and response (XDR) systems are an emerging technology for advanced threat detection and security incident response. XDR platforms integrate data from the entire information technology (IT) infrastructure of a computing system to provide unified visibility and automated actions against cyberattacks. A core challenge in XDR systems is correlating security events and identifying common assets across the various data sources ingested from different security monitoring tools. Endpoint detection and response (EDR) systems, intrusion detection systems (IDS), firewalls, email security platforms and others each use different schemes to identify assets such as devices, users, and applications. For example, an EDR may use agent identifiers while an IDS may use internet protocol (IP) addresses for device identification. Without effective translation and mapping between these schemes, the XDR cannot connect related events involving the same asset across different monitoring tools. Accurate and efficient asset tracking is therefore important for XDR systems to perform cross-domain analytics, detect multi-stage attacks, and initiate appropriate incident response workflows.
Therefore, there is a need for novel techniques to enable reliable asset identification and monitoring within XDR platforms even in the face of heterogeneous and large-scale security data feeds. Robust asset tracking mechanisms are crucial for XDRs to realize their full potential in amplifying security operations center (SOC) capabilities.
BRIEF DESCRIPTION OF THE DRAWINGS
The detailed description is set forth below with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items. The systems depicted in the accompanying figures are not to scale and components within the figures may be depicted not to scale with each other.
FIG. 1 depicts an environment with an Extended Detection and Response (XDR) system that interacts with a set of monitoring components.
FIG. 2 depicts an example architecture for a tracking component of an XDR system.
FIG. 3 is a flowchart diagram of an example process for providing feedback data regarding device identifier mappings to a requesting component.
FIG. 4 is a flowchart diagram of an example process for determining one or more global device identifiers based on a device identifier graph.
FIGS. 5A-5G provide operational examples of generating global device identifiers for device identifier graphs.
FIG. 6 provides an operational example of a mismatch of device identifiers that can happen when two or more monitoring components asynchronously report security events to a tracking component.
FIG. 7 is a flowchart diagram of an example process for mapping a local device identifier reported by a monitoring component to a global device identifier.
FIG. 8 provides an operational example of determining a batch in response to a first request and a second request, both of which are associated with the same timestamp.
FIG. 9 provides a data flow diagram of an example process 900 providing global device identifiers in response to two requesting devices.
FIG. 10 shows an example computer architecture for a computing device (or network routing device) capable of executing program components for implementing the functionality described above.
DESCRIPTION OF EXAMPLE EMBODIMENTS
Overview
This disclosure describes techniques for mapping local device identifiers used in monitoring data from different sources to a common global identifier to enable correlation of monitoring events related to the same device. In some aspects, the techniques described herein relate to a method including receiving, from a first computing entity, a request to obtain a device identifier for a computing device, wherein the request comprises an indication of a first time. The method may further include receiving first monitoring data associated with the computing device, wherein the first monitoring data is recorded before the first time but is received within a threshold period of the first time, and wherein threshold period i