An approach for providing managed security services is disclosed. A
database, within a server or a pre-existing anomalous event detection
system, stores a rule set specifying a security policy for a network
associated with a customer. An anomalous detection event module is
deployed within a premise of the customer and retrieves rule sets from
the database. The anomalous detection event module monitors a sub-network
of the network based on the rule sets. The anomalous event detection
module is further configured to self-organize by examining components of
the network and to monitor for anomalous events according to the examined
components, and to self-provision by selectively creating another
instance of the anomalous detection event module to monitor another
sub-network of the network.