US Patent 9137258 Techniques for sharing network security event information

This disclosure provides an architecture for sharing information between network security administrators. Events converted to a normalized data format (CCF) are stored in a manner that can be queried by a third party (e.g., an administrator of another, trusted network). Optionally made available as a service, stored event records can be sanitized for third party queries (e.g., by clients of a service maintaining such a repository). In one embodiment, each contributing network encrypts or signs its (sanitized) records using a symmetric key architecture, the key being unique to the contributing network. This key is used (e.g., by the repository) to index a set of permissions or conditions of the contributing network in servicing any query, e.g., by matching a stored hash of the event record or by decrypting the record. The information sharing service can optionally be provided by a hosted information security service or on a peer-to-peer basis.