US20160164917A1 - Action recommendations for computing assets based on enrichment information - Google Patents
Action recommendations for computing assets based on enrichment information Download PDFInfo
- Publication number
- US20160164917A1 US20160164917A1 US14/675,075 US201514675075A US2016164917A1 US 20160164917 A1 US20160164917 A1 US 20160164917A1 US 201514675075 A US201514675075 A US 201514675075A US 2016164917 A1 US2016164917 A1 US 2016164917A1
- Authority
- US
- United States
- Prior art keywords
- security incident
- incident
- identifying
- security
- asset
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/28—Databases characterised by their database models, e.g. relational or object models
- G06F16/284—Relational databases
- G06F16/285—Clustering or classification
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/24—Traffic characterised by specific attributes, e.g. priority or QoS
- H04L47/2425—Traffic characterised by specific attributes, e.g. priority or QoS for supporting services specification, e.g. SLA
Definitions
- aspects of the disclosure are related to computing environment security, and in particular to providing action recommendations to administrators based on enrichment information.
- This server based infrastructure includes real and virtual computing devices that are used to provide a variety of services, such as data storage, cloud processing, web sites and services, amongst other possible services.
- various antivirus, encryption, and firewall implementations may be used across an array of operating systems, such as Linux and Microsoft Windows.
- computing environments may implement security information and event management (SIEM) systems to provide real-time analysis of security alerts generated by network hardware and applications.
- SIEM systems allow for real-time monitoring, correlation of events, notifications, and console views for end users.
- SIEM systems may provide log storage capable of managing historical information about various security events within the network.
- SIEMs generate security alerts within the network, administrators may be forced to translate each of these alerts into particular action.
- time and resources that could be used on other tasks may be used in researching and determining the course of action to handle the possible security threat.
- a method of operating an advisement system to provide action recommendations in a computing environment comprising a plurality of computing devices includes identifying a security incident for an asset in the computing environment. The method further includes, in response to identifying the security incident, identifying enrichment information about the security incident. The method also provides determining a rule set for the security incident based on the enrichment information, and identifying one or more action recommendations for an administrator based on the rule set.
- FIG. 1 illustrates a computing environment to provide action recommendations for a plurality of network assets.
- FIG. 2 illustrates a method of operating an advisement system to provide action recommendations for a plurality of network assets.
- FIG. 3 illustrates an overview of generating action recommendations for a network asset.
- FIG. 4 illustrates an advisement computing system to provide action recommendations for a plurality of network assets.
- FIG. 5 illustrates a computing environment to identify rule sets and recommend security actions for security incidents.
- FIG. 6 illustrates an overview of providing a recommendation interface for an administrator of a computing environment.
- SIEM Security information and event management
- the network hardware and processes may include routers, firewalls, operating systems, applications executing on one or more computing devices, switches, or intrusion detection systems, amongst a variety of other network devices and processes.
- a SIEM system may identify an issue and flag the issue as a possible security threat. Once flagged, the SIEM system may provide information to an administrator or store information about the threat to be analyzed for a possible solution.
- an advisement system may be used to identify and recommend the appropriate course of action to the related administrator. For example, if a SIEM system identified a possible security threat within a router of the network, information about the threat could be transferred to the advisement system, supplementary information about the threat could be identified from internal and external sources, and a recommendation could be determined based on the gathered supplementary information and a preconfigured rule set. Once the action recommendations are determined, the recommendations may be provided to an administrator, allowing the administrator to select a desired action and implement the action within the computing environment.
- the advisement system may be configured to provide a workflow allowing the administrator to step through the necessary steps of implementing the action.
- advisement system may include connector or translator software modules that may automate or script the process of implementing the desired modification to the asset or computing environment.
- a connector may be provided to implement actions, such as blocking a particular process, blocking a particular network address, taking a snapshot of a computing environment, or other possible actions.
- one or more data structures may be accessible by the advisement system that relate rule sets to assets, incidents, and enrichment information. For example, an incident may be reported for an unknown process executing on a virtual machine asset. Once enrichment information is gathered about the unknown process, the advisement system may identify a rule set that applies to virtual machines, unknown processes, and the enrichment information determined about the unknown process. Accordingly, an unknown process that is known to be malicious from the enrichment information may be associated with a different rule set than an unknown process that cannot be confirmed to be malicious.
- FIG. 1 illustrates a computing environment 100 to provide action recommendations for a plurality of network assets.
- Computing environment 100 includes computing assets 110 - 116 , SIEM system 120 , advisement system 130 , sources 140 , and administration system 150 .
- Computing assets 110 - 116 include applications 110 , routers 111 , intrusion detection systems and intrusion prevention system (IDS/IDP) 112 , virtual private networks (VPNs) 113 , firewalls 114 , switches 115 , and operating systems 116 , although other assets may exist.
- Assets 110 - 116 may execute via any number of computing systems or devices.
- these computing devices may include server computers, desktop computers, laptop computers, and the like.
- assets may be defined at computing system level. Accordingly, assets may be defined as servers, end user computing systems, host computing systems, and the like that each include an operating system, applications, processes, and firewalls.
- SIEM system 120 , advisement system 130 , sources 140 , and administration system 150 may each include communication interfaces, network interfaces, processing systems, computer systems, microprocessors, storage systems, storage media, or some other processing devices or software systems, and can be distributed among multiple devices.
- SIEM system 120 , advisement system 130 , and sources 140 may comprise one or more server, desktop, laptop, or other similar computing devices.
- Administration system 150 may comprise an end user device, such as a desktop computer, laptop computer, smartphone, tablet, or any other similar computing device.
- Advisement system 130 communicates with SIEM system 120 , sources 140 , and administration system 150 via communication links that may use Time Division Multiplex (TDM), asynchronous transfer mode (ATM), internet protocol (IP), Ethernet, synchronous optical networking (SONET), hybrid fiber-coax (HFC), circuit-switched communication signaling, wireless communications, or some other communication format, including combinations and improvements thereof.
- SIEM system 120 may gather information from assets 110 - 116 via a plurality of communication links to the computing systems associated with the assets, wherein the links may use TDM, ATM, IP, Ethernet, SONET, HFC, circuit-switched communication signaling, wireless communications, or some other communication format, including combinations and improvements thereof. While not illustrated in the present example, it should be understood that advisement system 130 might communicate with the assets over various communication links and communication formats to implement desired security actions.
- SIEM system 120 receives data and performance information from assets 110 - 116 and performs inspections to identify possible security issues. Once SIEM system 120 identifies a possible security threat, information about the security threat is transferred to advisement system 130 .
- Advisement system 130 identifies the security threat and analyzes the threat using sources 140 to determine suggested actions against the security threat. Once the suggested actions are determined, the actions are transferred, via email, text message, or other similar format, to administration system 150 to be presented to administrator 160 .
- FIG. 2 illustrates a method 200 of operating advisement system 130 to provide action recommendations for a plurality of network assets.
- SIEM system 120 receives information from a plurality of network assets 110 - 116 and identifies security threats based on the information. Once a threat is identified, the threat is transferred to advisement system 130 .
- Advisement system 130 identifies the security threat or incident within computing environment 100 ( 201 ), and in response to identifying the incident, gathers enrichment information about the incident ( 202 ).
- advisement system 130 may identify properties or traits of the incident, such as internet protocol (IP) addresses associated with the incident, the firewall associated with the incident, the computing device for the incident, the host, the user, any uniform resource locators (URLs) associated with the incident, or any other information specific to the security incident.
- IP internet protocol
- URLs uniform resource locators
- advisement system 130 may identify information related to the threat using internal and external sources 140 . These sources may include databases or websites that keep track of malicious IP addresses or domain names, the type of threats presented from the particular domain names, identifies of malware, Trojans, and viruses, amongst a variety of other information.
- administration system 130 may determine a rule set based on the enrichment information ( 203 ). This rule set is related to the type of threat presented to the network and computing environment 100 . For example, as enrichment information is gathered related to a particular incident, administration system 130 may use predefined criteria to establish how likely the identified incident is a security threat to computing environment 100 . Based on this likelihood and a corresponding related rule set, one or more actions may be recommended to administrator 160 on administration system 150 ( 204 ).
- SIEM system 120 may identify that an application of applications 110 is receiving a large amount of inbound requests from a particular IP address and flag these requests as a possible incident. Once flagged, information or traits regarding the inbound requests and the application is transferred to advisement system 130 including the IP address, the type of data requested, or any other information related to the request. Upon identifying the flagged incident, advisement system 130 determines enrichment information for the incident via sources 140 . If advisement system 130 determines that the incident is likely a security threat based on the enrichment information, advisement system 130 may determine suggested actions based on an identified rule set, and provide the actions to an administrator responsible for the application via email, text message, or some other form of communication.
- These actions may include preventing the application from future execution, sand boxing the computing system executing the application, taking an image of the computing system executing the application, removing the security threat within the application, amongst a variety of other actions. For example, if the enrichment information identifies that the inbound requesting IP address is associated with malicious operations, advisement system 130 may recommend sand boxing the computing system, or implementing a firewall configuration that prevents generating a response to requests from the particular IP address. In contrast, if the IP address is unknown or sources 140 do not indicate that the IP address is malicious, advisement system 130 may select a different rule set and corresponding action recommendations that could allow further monitoring of the interactions between the asset and the unknown IP address.
- gathering information about the security incident may further include gathering information about related processes within the environment. For example, if an application is identified as exhibiting unusual behavior related to a possible security threat, the advisement system may identify other processes executing on one or more devices that are related to the application. Accordingly, if it is determined that the application is required by other processes, recommendations may be determined that allow the other processes to continue to use the application, but may limit or further monitor other interactions initiated by the flagged application. These recommendations may include taking a snapshot of the application or of the full computing system to identify any unusual process within the application, prevent the application from initiating communications with external systems and processes, or any other similar function that allows the required processes to continue to communicate with the required application.
- advisement system may have access to a database of known applications and executables within the computing environment, which can be compared to the application related to the incident. For example, an executable may be titled RESEARCH.EXE. Once an incident is identified that is related to RESEARCH.EXE, the advisement system may attempt to identify any other system or process that requires or acknowledges that executable. If no other system or process requires or acknowledges the executable, recommendations may be made that can remove that application, or otherwise prevent the operation of RESEARCH.EXE.
- the rule set for a particular security incident may identify a preconfigured action to take against the threat.
- the administrator may preapprove certain actions against particular security incidents.
- a user or administrator may define a security incident in the environment, which can then be identified by the advisement system. This user or administrator defined incident may allow the personnel to define various information about the incident, including the asset involved in the incident, a computing device identifier for the incident, the type of suspected threat, or any other similar characteristic from the incident.
- the advisement system may gather enrichment information related to the incident from internal and external sources. As the enrichment information is gathered, a rule set may be identified and action recommendations determined for the threat.
- advisement system 130 may be configured to generate a display of the action recommendations and provide the display to the administrator either locally on advisement system 130 , or externally on a console such as administration system 150 .
- This display may include the various action recommendations as well as other relevant security event characteristics. These characteristics may include a chat room that allows the administrator to chat with any other administrator associated with the particular threat, a summary window that displays information about the threat, such as an identifier for the asset, IP address information for the security incident, a URL associated with the security incident, or other similar information.
- FIG. 3 illustrates an overview 300 of generating action recommendations for a network asset.
- Overview 300 includes computing assets 310 - 316 , SIEM system 320 , advisement system 330 , sources 340 , and administration system 350 .
- Computing assets 310 - 316 include applications 310 , routers 311 , intrusion detection systems and intrusion prevention system (IDS/IDP) 312 , virtual private networks (VPNs) 313 , firewalls 314 , switches 315 , and operating systems 316 .
- Assets 310 - 316 may execute via any number of computing systems or devices. In addition to the routers and switches, these computing devices may include server computers, desktop computers, laptop computers, and the like.
- SIEM system 320 receives operational information from assets 310 - 316 .
- This operational information may include information about the devices connecting with the assets, the type of data be communicated over the assets, the number of times a device contacts an asset, and other similar operational information.
- SIEM system 320 identifies an incident with a router in routers 311 .
- This incident may include an unknown IP address, an improper number of requests over the router, or any other incident within the router.
- advisement system 330 Once identified, the incident is forwarded to advisement system 330 , wherein advisement system 330 will identify enrichment data for the incident.
- This enrichment information may include information about the IP address related to the incident, the URL address associated with the incident, or any other information related to the incident.
- SIEM system 320 may identify an incident corresponding to an unknown URL connection with the router in routers 311 . Once advisement system 330 is notified of the incident, advisement system 330 may query a database or external source to determine information about the URL, including whether the URL is malicious, the owner of the URL, the relation of the URL to the devices in the network, or any other enrichment information.
- advisement system 330 may determine a confidence level of whether the incident involves a security threat and a rule set based on the enrichment information. Referring again to the previous example, advisement system 330 may determine that the particular URL has been associated with a malicious virus. Accordingly, the confidence level and rule set may reflect that there is a security threat related to the URL on the router. In contrast, if no enrichment information is available, a lower confidence level may be defined for the incident and a separate rule set may be defined for the router.
- advisement system 330 may include action routing information that identifies personnel responsible for each of the assets within the computing network. For example, a first administrator may be responsible for particular applications, whereas second administrator may be responsible for the routers and the switches. Thus, once an action is identified, advisement system 330 may direct the action recommendations to the proper administration personnel. Further, in some instances, the administration personnel may be tiered to respond to each of the security threats. This use of tiers allows recommendations to be forwarded to a second personnel member if a first member has not responded to the recommendations.
- an administrator might preapprove particular actions as part of a rule set.
- predefined actions might be taken based on the confidence level and rule set.
- the actions that are provided to an administrator may be based on previous selections of the administrator. For example, a list of recommendations is provided to the administrator for a particular threat, and the user makes an initial action selection from the list. On the next occurrence of the same or similar threat, the recommendations that are provided to the user may include a new list of recommendations based on the user's previous selection for the identified threat.
- recommendations may improve based at least in part on previous recommendation selections.
- the action recommendations referred to administrator 360 may change in accordance with a change in the confidence level. For example, when an incident is first encountered, advisement system 330 may transfer a first set of recommended actions based on the unknown threat level of the incident. However, as further enrichment information is gathered about the incident, a second set of recommended actions may be transferred to the administrator. Thus, the action recommendations may be dynamic in accordance with the current confidence in the threat presented and the rule set corresponding to the confidence.
- the advisement system may generate action recommendations based on the cost of the asset or the cost of the action. This cost determination may be assigned by administrators of the computing environment, may be based on the type of information that is stored on the computing asset, may be determined based on the amount of disruption that an action may cause in the environment, or may be determined by any other method. For example, a financial officer's computing system in the computing environment may have a higher cost or priority than an intern's computing system due to the data that is accessible from the computing systems. Accordingly, action recommendations for the financial officer's computing asset may be different than the action recommendations that are generated for the intern's computing asset. Further, the action recommendations may also be allocated a cost rating that relates each of the actions to an effect that the actions will have on the environment.
- the cost of an action that places a computing asset into a virtual local area network may have a higher cost or be more disruptive to the computing environment than preventing the computing asset from communicating with particular IP addresses.
- recommendations may be provided to the administrator.
- a computing asset that requires high availability may be provided with actions that do not disrupt availability of the asset.
- actions may be more conservative to prevent the sensitive data from being inappropriately accessed.
- FIG. 4 illustrates an advisement computing system 400 to provide action recommendations for a plurality of network assets.
- Advisement computing system 400 is representative of a computing system that may be employed in any computing apparatus, system, or device, or collections thereof, to suitably implement the advisement systems described herein.
- Computing system 400 comprises communication interface 401 , user interface 402 , and processing system 403 .
- Processing system 403 is communicatively linked to communication interface 401 and user interface 402 .
- Processing system 403 includes processing circuitry 405 and memory device 406 that stores operating software 407 .
- Communication interface 401 comprises components that communicate over communication links, such as network cards, ports, RF transceivers, processing circuitry and software, or some other communication devices.
- Communication interface 401 may be configured to communicate over metallic, wireless, or optical links.
- Communication interface 401 may be configured to use TDM, IP, Ethernet, optical networking, wireless protocols, communication signaling, or some other communication format—including combinations thereof.
- communication interface 401 communicates with a SIEMs system that gathers security incident information from a plurality of assets within a computing environment. Further, communication interface 401 may be configured to communicate with one or more administrations systems to provide the suggested course of action to administrators.
- User interface 402 comprises components that interact with a user.
- User interface 402 may include a keyboard, display screen, mouse, touch pad, or some other user input/output apparatus.
- User interface 402 may be omitted in some examples.
- Processing circuitry 405 comprises microprocessor and other circuitry that retrieves and executes operating software 407 from memory device 406 .
- Memory device 406 comprises a non-transitory storage medium, such as a disk drive, flash drive, data storage circuitry, or some other memory apparatus.
- Operating software 407 comprises computer programs, firmware, or some other form of machine-readable processing instructions. Operating software 407 includes identify module 408 , enrichment module 409 , likelihood module 410 , and suggest module 411 , although any number of software modules may provide the same operation. Operating software 407 may further include an operating system, utilities, drivers, network interfaces, applications, or some other type of software. When executed by circuitry 405 , operating software 407 directs processing system 403 to operate advisement computing system 400 as described herein.
- identify module 408 is configured to, when executed by advisement computing system 400 and processing system 403 , to identify a security incident for an asset within the computing environment.
- enrichment module 409 identifies enrichment information for the security incident. This enrichment information may be gathered from sources internal to the computing environment, as well as external sources, such as websites and databases. For example, if an asset within the computing environment was connecting in an abnormal way to a particular IP address, enrichment module 409 may contact one or more sources to determine information about the unknown IP address. These sources may include information about whether the address is malicious, whether the address belongs to a particular entity, or any other similar information regarding the IP address.
- likelihood module 410 may determine a threat confidence level and rule set for the security incident based on the enrichment information. This confidence level relates the security incident to the likelihood that the incident is related to a malicious activity. For instance, if an external source verified that an IP address corresponded to malicious software activity, the confidence level and rule set would be different than for an unknown IP address.
- suggest module 411 determines suggested security actions for an administrator based on the identified rule set. These suggestions may include suggestions to eliminate a malicious item related to the security incident, segregating the asset from other assets within the network, imaging computing system to provide further analysis on the incident, amongst a variety of other suggested security actions.
- FIG. 5 illustrates a computing environment 500 to identify rule sets and recommend security actions for security incidents.
- Computing environment 500 includes asset 510 , other devices and assets 520 , advisement system 530 , internal and external sources 540 , and administration system 550 .
- Asset 510 is further associated with incident 515 , and other devices and assets 520 execute processes 521 - 525 .
- Asset 510 and other devices and assets 520 may comprise routers, switches, operating systems, applications, processes, or any other similar asset within a computing environment.
- advisement system 530 identifies an incident 515 related to asset 510 .
- This incident report may include an identifier for the asset, an identifier for the computing device associated with the asset, a URL associated with the incident, an application, process, or executable for the incident, or any other similar information about the incident.
- the report to advisement system 530 may include the name, file path, and other related information to the executable.
- the report may be generated by a SIEM system to be provided to advisement system 530 .
- the report may be generated by other security devices including, but not limited to, the devices associated with the assets, or other security monitoring hardware.
- advisement system 530 may gather enrichment information from sources 540 to gather further data related to the particular incident. For example, if the incident were related to communications with a particular IP address, advisement system 530 may query a database, either internal or external to the computing environment, to determine if the IP address is related to malicious activity. Here, in addition to querying the internal and external sources, advisement system 530 identifies related processes to incident 515 .
- incident 515 may be related to a particular application within the network, such as a database application or some other application. Once an incident is identified with the application, advisement system 530 may determine other applications or processes that require access to the database application. The processes may include, but are not limited to, back-end processes and data processing processes. Based on the information gathered from asset 510 , enrichment information gathered from internal and external source 540 , and related processes identified from processes 521 - 525 , advisement system 530 identifies a rule set for the incident.
- advisement system 530 may determine one or more action suggestions to take against incident 515 based on the rule set and provide them to administrator 560 at administration system 550 .
- administration system 550 might reside wholly or partially on advisement system 530 .
- the action recommendations that are provided to administrator 560 might include actions that continue the operation of asset 510 .
- the action recommendations may include taking a snapshot of asset 510 , limiting the communications that can be made by asset 510 , limit the type of data that is communicated by asset 510 , or other similar operations that continue the operation of asset 510 .
- advisement system 530 may identify a report of a possible malicious application on a particular asset. Responsive to the report, advisement system 530 may determine if the application is a known application based on a known repository of applications within the environment. If advisement system 530 determines that the application is known for the environment, a rule set and actions may be provided to the administrator that may allow the application to continue operation with particular limitations or monitoring. In contrast, if advisement system 530 determines that the application is unknown within the environment, the rule set and action recommendations may prescribe removing the application and the related application data from the environment.
- FIG. 6 illustrates an overview 600 of providing a recommendation interface for an administrator of a computing environment.
- Overview 600 includes advisement system 620 and recommendation interface 640 .
- Recommendation interface 640 further includes recommendations 631 - 634 and miscellaneous user interface (U.I.) 650 .
- advisement system 620 is configured to identify reports of possible security incidents within a computing environment.
- This computing environment includes a plurality of computing systems and devices, including switches, computers, routers, or other similar computing hardware. These reports may include information about the type of security incident, an identifier for the asset with the incident, IP address information related to the incident, information about a process or executable related to the incident, or any other similar information.
- advisement system 620 may use the information about the incident to query internal and external sources for enrichment data related to the incident. For example, if advisement system 620 received a report regarding a particular executable within the computing environment, advisement system 620 may query one or more databases to determine whether the executable was malicious. In some implementations, advisement system 620 may identify whether the asset related to the issue is required or associated with any other asset within the environment. Thus, if the asset is required by one or more processes or systems, action recommendations may be identified that allow the required processes or systems to continue to access the asset in question.
- recommendations may be defined based on the rule set and provided to an administrator as recommendation interface 640 .
- Recommendation interface 640 may be displayed locally via a screen or other interface on advisement system 620 , or may be displayed at a user console, such as a desktop, laptop, tablet, or other similar computing device.
- recommendation interface 640 includes four recommendations 631 - 634 , although any number of recommendations may be provided to an administrator, and further includes miscellaneous user interface 650 .
- Miscellaneous user interface 650 may include a chat window, a programming interface allowing the user to program various actions for the assets within the computing environment, amongst a variety of other possible user interactions.
- the chat window may allow a plurality of administrators within the organization discuss the security incidents and possible actions or responses to the incidents.
- the chatroom that is provided to administrator 610 may include administrators that are approved to take action against a particular incident.
- an organization may permit four administrators to take action against a malware incident within a database computing system. Accordingly, when the incident is identified, the recommendation interface that is provided to each of the administrators may allow the four approved administrators to discuss the incident, and identify the appropriate action to take against the incident.
- advisement system 620 may initiate the activities necessary to implement the requested action.
- advisement system 620 may provide administrator 610 with the workflow or the procedural steps to implement the desired action. For example, if the action required the modification of a firewall within the computing environment, advisement system 620 may present the user with the necessary steps to implement the change to the firewall, including logging into the necessary device and making the necessary changes.
- advisement system 620 may be configured to automate the implementation of the actions.
- advisement system 620 may be configured with various connectors or translators that are used to configure each of the assets and computing systems within the environment. These connectors may be used to take a recommendation such as “block all communications from IP address X,” and convert the recommendation into a script to implement the recommendation in a firewall.
- a recommendation such as “block all communications from IP address X,” and convert the recommendation into a script to implement the recommendation in a firewall.
- advisement system 620 may implement the actions in a scripted format for each of the assets.
- the administrators of the computing environment may generate the configurations.
- the connector configurations may be gathered from a database that allows the connectors to be generated and shared across various computing environments and organizations. Accordingly, an administrator for one computing environment may generate a connector that can be used by other administrators in other computing environments to script the implementation of a particular action.
- advisement system 620 may communicate with the devices, computing systems, and software of the computing environment to implement the desired security actions of administrator 610 .
- a computing environment may include firewall software on one or more computing devices.
- an administrator of the environment may identify, via the connector database, a connector associated with the software, and configure advisement system 620 to implement the connector.
- the connector information may be used to implement the desired action in the firewall.
- This connector information may include the necessary commands and scripts to block a particular IP address, permit a particular IP address, block particular data requests, or any other similar configuration information.
Abstract
Systems, methods, and software described herein provide security action recommendations to administrators of a computing environment. In one example, a method of operating an advisement system to provide action recommendations in a computing environment includes identifying a security incident for an asset in the computing environment. The method further includes, in response to identifying the security incident, gathering enrichment information about the security incident, and determining a rule set for the security incident based on the enrichment information. The method also provides recommending one or more actions to an administrator based on the rule set.
Description
- This application is related to and claims priority to U.S. Provisional Patent Application No. 62/087,025, entitled “ACTION RECOMMENDATIONS FOR COMPUTING ASSETS BASED ON ENRICHMENT INFORMATION,” filed on Dec. 3, 2014, U.S. Provisional Patent Application No. 62/106,830, entitled “ACTION RECOMMENDATIONS FOR ADMINISTRATORS IN A COMPUTING ENVIRONMENT,” filed on Jan. 23, 2015, and U.S. Provisional Patent Application No. 62/106,837, entitled “SECURITY ACTIONS IN A COMPUTING ENVIRONMENT,” filed on Jan. 23, 2015, and which are hereby incorporated by reference in their entirety.
- Aspects of the disclosure are related to computing environment security, and in particular to providing action recommendations to administrators based on enrichment information.
- An increasing number of data security threats exist in the modern computerized society. These threats may include viruses or other malware that attacks the local computer of the end user, or sophisticated cyber attacks to gather data and other information from the cloud or server based infrastructure. This server based infrastructure includes real and virtual computing devices that are used to provide a variety of services, such as data storage, cloud processing, web sites and services, amongst other possible services. To protect applications and services, various antivirus, encryption, and firewall implementations may be used across an array of operating systems, such as Linux and Microsoft Windows.
- Further, computing environments may implement security information and event management (SIEM) systems to provide real-time analysis of security alerts generated by network hardware and applications. In particular SIEM systems allow for real-time monitoring, correlation of events, notifications, and console views for end users. Further, SIEM systems may provide log storage capable of managing historical information about various security events within the network. Although SIEMs generate security alerts within the network, administrators may be forced to translate each of these alerts into particular action. Thus, time and resources that could be used on other tasks may be used in researching and determining the course of action to handle the possible security threat.
- Provided herein are methods, systems, and software to provide action recommendations for a plurality of network assets in a computing environment. In one example, a method of operating an advisement system to provide action recommendations in a computing environment comprising a plurality of computing devices includes identifying a security incident for an asset in the computing environment. The method further includes, in response to identifying the security incident, identifying enrichment information about the security incident. The method also provides determining a rule set for the security incident based on the enrichment information, and identifying one or more action recommendations for an administrator based on the rule set.
- Many aspects of the disclosure can be better understood with reference to the following drawings. While several implementations are described in connection with these drawings, the disclosure is not limited to the implementations disclosed herein. On the contrary, the intent is to cover all alternatives, modifications, and equivalents.
-
FIG. 1 illustrates a computing environment to provide action recommendations for a plurality of network assets. -
FIG. 2 illustrates a method of operating an advisement system to provide action recommendations for a plurality of network assets. -
FIG. 3 illustrates an overview of generating action recommendations for a network asset. -
FIG. 4 illustrates an advisement computing system to provide action recommendations for a plurality of network assets. -
FIG. 5 illustrates a computing environment to identify rule sets and recommend security actions for security incidents. -
FIG. 6 illustrates an overview of providing a recommendation interface for an administrator of a computing environment. - Security information and event management (SIEM) systems provide analysis of security alerts generated by network hardware and processes. The network hardware and processes may include routers, firewalls, operating systems, applications executing on one or more computing devices, switches, or intrusion detection systems, amongst a variety of other network devices and processes. During the analysis of the particular network, a SIEM system may identify an issue and flag the issue as a possible security threat. Once flagged, the SIEM system may provide information to an administrator or store information about the threat to be analyzed for a possible solution.
- Here, in addition to the operations provided by the SIEM system or other security monitoring systems within a computing environment, an advisement system may be used to identify and recommend the appropriate course of action to the related administrator. For example, if a SIEM system identified a possible security threat within a router of the network, information about the threat could be transferred to the advisement system, supplementary information about the threat could be identified from internal and external sources, and a recommendation could be determined based on the gathered supplementary information and a preconfigured rule set. Once the action recommendations are determined, the recommendations may be provided to an administrator, allowing the administrator to select a desired action and implement the action within the computing environment. In some implementations, the advisement system may be configured to provide a workflow allowing the administrator to step through the necessary steps of implementing the action. In other implementations, the advisement system may include connector or translator software modules that may automate or script the process of implementing the desired modification to the asset or computing environment. Thus, for each different type of asset within the environment, a connector may be provided to implement actions, such as blocking a particular process, blocking a particular network address, taking a snapshot of a computing environment, or other possible actions.
- In some implementations, to manage the various rule sets for the advisement system, one or more data structures may be accessible by the advisement system that relate rule sets to assets, incidents, and enrichment information. For example, an incident may be reported for an unknown process executing on a virtual machine asset. Once enrichment information is gathered about the unknown process, the advisement system may identify a rule set that applies to virtual machines, unknown processes, and the enrichment information determined about the unknown process. Accordingly, an unknown process that is known to be malicious from the enrichment information may be associated with a different rule set than an unknown process that cannot be confirmed to be malicious.
- To further illustrate the operation of an advisement system within a computing network,
FIG. 1 is provided.FIG. 1 illustrates acomputing environment 100 to provide action recommendations for a plurality of network assets.Computing environment 100 includes computing assets 110-116,SIEM system 120,advisement system 130,sources 140, andadministration system 150. Computing assets 110-116 includeapplications 110,routers 111, intrusion detection systems and intrusion prevention system (IDS/IDP) 112, virtual private networks (VPNs) 113,firewalls 114,switches 115, andoperating systems 116, although other assets may exist. Assets 110-116 may execute via any number of computing systems or devices. In addition to the routers and switches, these computing devices may include server computers, desktop computers, laptop computers, and the like. Although not illustrated in the present example, in some implementations, assets may be defined at computing system level. Accordingly, assets may be defined as servers, end user computing systems, host computing systems, and the like that each include an operating system, applications, processes, and firewalls. -
SIEM system 120,advisement system 130,sources 140, andadministration system 150 may each include communication interfaces, network interfaces, processing systems, computer systems, microprocessors, storage systems, storage media, or some other processing devices or software systems, and can be distributed among multiple devices.SIEM system 120,advisement system 130, andsources 140 may comprise one or more server, desktop, laptop, or other similar computing devices.Administration system 150 may comprise an end user device, such as a desktop computer, laptop computer, smartphone, tablet, or any other similar computing device. -
Advisement system 130 communicates withSIEM system 120,sources 140, andadministration system 150 via communication links that may use Time Division Multiplex (TDM), asynchronous transfer mode (ATM), internet protocol (IP), Ethernet, synchronous optical networking (SONET), hybrid fiber-coax (HFC), circuit-switched communication signaling, wireless communications, or some other communication format, including combinations and improvements thereof. Similarly,SIEM system 120 may gather information from assets 110-116 via a plurality of communication links to the computing systems associated with the assets, wherein the links may use TDM, ATM, IP, Ethernet, SONET, HFC, circuit-switched communication signaling, wireless communications, or some other communication format, including combinations and improvements thereof. While not illustrated in the present example, it should be understood thatadvisement system 130 might communicate with the assets over various communication links and communication formats to implement desired security actions. - In operation,
SIEM system 120 receives data and performance information from assets 110-116 and performs inspections to identify possible security issues. OnceSIEM system 120 identifies a possible security threat, information about the security threat is transferred toadvisement system 130.Advisement system 130 identifies the security threat and analyzes thethreat using sources 140 to determine suggested actions against the security threat. Once the suggested actions are determined, the actions are transferred, via email, text message, or other similar format, toadministration system 150 to be presented toadministrator 160. - To further illustrate the operation of
computing environment 100,FIG. 2 is provided.FIG. 2 illustrates amethod 200 ofoperating advisement system 130 to provide action recommendations for a plurality of network assets. In particular, as described inFIG. 1 ,SIEM system 120 receives information from a plurality of network assets 110-116 and identifies security threats based on the information. Once a threat is identified, the threat is transferred toadvisement system 130.Advisement system 130 identifies the security threat or incident within computing environment 100 (201), and in response to identifying the incident, gathers enrichment information about the incident (202). Specifically,advisement system 130 may identify properties or traits of the incident, such as internet protocol (IP) addresses associated with the incident, the firewall associated with the incident, the computing device for the incident, the host, the user, any uniform resource locators (URLs) associated with the incident, or any other information specific to the security incident. Once the properties are identified,advisement system 130 may identify information related to the threat using internal andexternal sources 140. These sources may include databases or websites that keep track of malicious IP addresses or domain names, the type of threats presented from the particular domain names, identifies of malware, Trojans, and viruses, amongst a variety of other information. - Upon determining enrichment information related to a particular incident,
administration system 130 may determine a rule set based on the enrichment information (203). This rule set is related to the type of threat presented to the network andcomputing environment 100. For example, as enrichment information is gathered related to a particular incident,administration system 130 may use predefined criteria to establish how likely the identified incident is a security threat to computingenvironment 100. Based on this likelihood and a corresponding related rule set, one or more actions may be recommended toadministrator 160 on administration system 150 (204). - For instance,
SIEM system 120 may identify that an application ofapplications 110 is receiving a large amount of inbound requests from a particular IP address and flag these requests as a possible incident. Once flagged, information or traits regarding the inbound requests and the application is transferred toadvisement system 130 including the IP address, the type of data requested, or any other information related to the request. Upon identifying the flagged incident,advisement system 130 determines enrichment information for the incident viasources 140. Ifadvisement system 130 determines that the incident is likely a security threat based on the enrichment information,advisement system 130 may determine suggested actions based on an identified rule set, and provide the actions to an administrator responsible for the application via email, text message, or some other form of communication. These actions may include preventing the application from future execution, sand boxing the computing system executing the application, taking an image of the computing system executing the application, removing the security threat within the application, amongst a variety of other actions. For example, if the enrichment information identifies that the inbound requesting IP address is associated with malicious operations,advisement system 130 may recommend sand boxing the computing system, or implementing a firewall configuration that prevents generating a response to requests from the particular IP address. In contrast, if the IP address is unknown orsources 140 do not indicate that the IP address is malicious,advisement system 130 may select a different rule set and corresponding action recommendations that could allow further monitoring of the interactions between the asset and the unknown IP address. - In some implementations, gathering information about the security incident may further include gathering information about related processes within the environment. For example, if an application is identified as exhibiting unusual behavior related to a possible security threat, the advisement system may identify other processes executing on one or more devices that are related to the application. Accordingly, if it is determined that the application is required by other processes, recommendations may be determined that allow the other processes to continue to use the application, but may limit or further monitor other interactions initiated by the flagged application. These recommendations may include taking a snapshot of the application or of the full computing system to identify any unusual process within the application, prevent the application from initiating communications with external systems and processes, or any other similar function that allows the required processes to continue to communicate with the required application.
- In some instances, the advisement system may have access to a database of known applications and executables within the computing environment, which can be compared to the application related to the incident. For example, an executable may be titled RESEARCH.EXE. Once an incident is identified that is related to RESEARCH.EXE, the advisement system may attempt to identify any other system or process that requires or acknowledges that executable. If no other system or process requires or acknowledges the executable, recommendations may be made that can remove that application, or otherwise prevent the operation of RESEARCH.EXE.
- In some examples, the rule set for a particular security incident may identify a preconfigured action to take against the threat. Thus, in addition to or in place of recommending actions to an administrator, the administrator may preapprove certain actions against particular security incidents. Although illustrated in the present example as receiving information about an incident from a SIEM system, it should be understood that other security systems, such as security processes on the individual computing devices, might provide the security threat information to the advisement system. In some implementations, a user or administrator may define a security incident in the environment, which can then be identified by the advisement system. This user or administrator defined incident may allow the personnel to define various information about the incident, including the asset involved in the incident, a computing device identifier for the incident, the type of suspected threat, or any other similar characteristic from the incident. Once defined, the advisement system may gather enrichment information related to the incident from internal and external sources. As the enrichment information is gathered, a rule set may be identified and action recommendations determined for the threat.
- In some implementations,
advisement system 130 may be configured to generate a display of the action recommendations and provide the display to the administrator either locally onadvisement system 130, or externally on a console such asadministration system 150. This display may include the various action recommendations as well as other relevant security event characteristics. These characteristics may include a chat room that allows the administrator to chat with any other administrator associated with the particular threat, a summary window that displays information about the threat, such as an identifier for the asset, IP address information for the security incident, a URL associated with the security incident, or other similar information. - To further demonstrate the process of generating actions for an administrator,
FIG. 3 is included.FIG. 3 illustrates anoverview 300 of generating action recommendations for a network asset.Overview 300 includes computing assets 310-316,SIEM system 320,advisement system 330,sources 340, andadministration system 350. Computing assets 310-316 includeapplications 310,routers 311, intrusion detection systems and intrusion prevention system (IDS/IDP) 312, virtual private networks (VPNs) 313,firewalls 314, switches 315, andoperating systems 316. Assets 310-316 may execute via any number of computing systems or devices. In addition to the routers and switches, these computing devices may include server computers, desktop computers, laptop computers, and the like. - As depicted,
SIEM system 320 receives operational information from assets 310-316. This operational information may include information about the devices connecting with the assets, the type of data be communicated over the assets, the number of times a device contacts an asset, and other similar operational information. Based on the operational information,SIEM system 320 identifies an incident with a router inrouters 311. This incident may include an unknown IP address, an improper number of requests over the router, or any other incident within the router. Once identified, the incident is forwarded to advisementsystem 330, whereinadvisement system 330 will identify enrichment data for the incident. This enrichment information may include information about the IP address related to the incident, the URL address associated with the incident, or any other information related to the incident. For example,SIEM system 320 may identify an incident corresponding to an unknown URL connection with the router inrouters 311. Onceadvisement system 330 is notified of the incident,advisement system 330 may query a database or external source to determine information about the URL, including whether the URL is malicious, the owner of the URL, the relation of the URL to the devices in the network, or any other enrichment information. - Once enrichment information is gathered,
advisement system 330 may determine a confidence level of whether the incident involves a security threat and a rule set based on the enrichment information. Referring again to the previous example,advisement system 330 may determine that the particular URL has been associated with a malicious virus. Accordingly, the confidence level and rule set may reflect that there is a security threat related to the URL on the router. In contrast, if no enrichment information is available, a lower confidence level may be defined for the incident and a separate rule set may be defined for the router. - Upon determining the confidence level and rule set, one or more action recommendations may be transferred to
administration system 350 andadministrator 360 based on the enrichment information. In some examples,advisement system 330 may include action routing information that identifies personnel responsible for each of the assets within the computing network. For example, a first administrator may be responsible for particular applications, whereas second administrator may be responsible for the routers and the switches. Thus, once an action is identified,advisement system 330 may direct the action recommendations to the proper administration personnel. Further, in some instances, the administration personnel may be tiered to respond to each of the security threats. This use of tiers allows recommendations to be forwarded to a second personnel member if a first member has not responded to the recommendations. - Further, although illustrated as providing recommendations to an administrator in the present example, it should be understood that an administrator might preapprove particular actions as part of a rule set. Thus, if a particular threat is identified, predefined actions might be taken based on the confidence level and rule set. Additionally, the actions that are provided to an administrator may be based on previous selections of the administrator. For example, a list of recommendations is provided to the administrator for a particular threat, and the user makes an initial action selection from the list. On the next occurrence of the same or similar threat, the recommendations that are provided to the user may include a new list of recommendations based on the user's previous selection for the identified threat. Thus, as input is collected from each of the administrators within the computing environment, recommendations may improve based at least in part on previous recommendation selections.
- In some examples, the action recommendations referred to
administrator 360 may change in accordance with a change in the confidence level. For example, when an incident is first encountered,advisement system 330 may transfer a first set of recommended actions based on the unknown threat level of the incident. However, as further enrichment information is gathered about the incident, a second set of recommended actions may be transferred to the administrator. Thus, the action recommendations may be dynamic in accordance with the current confidence in the threat presented and the rule set corresponding to the confidence. - In some implementations, the advisement system may generate action recommendations based on the cost of the asset or the cost of the action. This cost determination may be assigned by administrators of the computing environment, may be based on the type of information that is stored on the computing asset, may be determined based on the amount of disruption that an action may cause in the environment, or may be determined by any other method. For example, a financial officer's computing system in the computing environment may have a higher cost or priority than an intern's computing system due to the data that is accessible from the computing systems. Accordingly, action recommendations for the financial officer's computing asset may be different than the action recommendations that are generated for the intern's computing asset. Further, the action recommendations may also be allocated a cost rating that relates each of the actions to an effect that the actions will have on the environment. For example, the cost of an action that places a computing asset into a virtual local area network (VLAN) may have a higher cost or be more disruptive to the computing environment than preventing the computing asset from communicating with particular IP addresses. Based on the importance or cost of the system and the cost of the actions, recommendations may be provided to the administrator. As an example, a computing asset that requires high availability may be provided with actions that do not disrupt availability of the asset. Likewise, if the system includes sensitive data, actions may be more conservative to prevent the sensitive data from being inappropriately accessed.
- Turning to
FIG. 4 ,FIG. 4 illustrates anadvisement computing system 400 to provide action recommendations for a plurality of network assets.Advisement computing system 400 is representative of a computing system that may be employed in any computing apparatus, system, or device, or collections thereof, to suitably implement the advisement systems described herein.Computing system 400 comprisescommunication interface 401,user interface 402, andprocessing system 403.Processing system 403 is communicatively linked tocommunication interface 401 anduser interface 402.Processing system 403 includesprocessing circuitry 405 andmemory device 406 thatstores operating software 407. -
Communication interface 401 comprises components that communicate over communication links, such as network cards, ports, RF transceivers, processing circuitry and software, or some other communication devices.Communication interface 401 may be configured to communicate over metallic, wireless, or optical links.Communication interface 401 may be configured to use TDM, IP, Ethernet, optical networking, wireless protocols, communication signaling, or some other communication format—including combinations thereof. In particular,communication interface 401 communicates with a SIEMs system that gathers security incident information from a plurality of assets within a computing environment. Further,communication interface 401 may be configured to communicate with one or more administrations systems to provide the suggested course of action to administrators. -
User interface 402 comprises components that interact with a user.User interface 402 may include a keyboard, display screen, mouse, touch pad, or some other user input/output apparatus.User interface 402 may be omitted in some examples. -
Processing circuitry 405 comprises microprocessor and other circuitry that retrieves and executes operatingsoftware 407 frommemory device 406.Memory device 406 comprises a non-transitory storage medium, such as a disk drive, flash drive, data storage circuitry, or some other memory apparatus.Operating software 407 comprises computer programs, firmware, or some other form of machine-readable processing instructions.Operating software 407 includesidentify module 408,enrichment module 409,likelihood module 410, and suggestmodule 411, although any number of software modules may provide the same operation.Operating software 407 may further include an operating system, utilities, drivers, network interfaces, applications, or some other type of software. When executed bycircuitry 405,operating software 407 directsprocessing system 403 to operateadvisement computing system 400 as described herein. - In particular, identify
module 408 is configured to, when executed byadvisement computing system 400 andprocessing system 403, to identify a security incident for an asset within the computing environment. Once identified via a SIEM system or other security monitoring module,enrichment module 409 identifies enrichment information for the security incident. This enrichment information may be gathered from sources internal to the computing environment, as well as external sources, such as websites and databases. For example, if an asset within the computing environment was connecting in an abnormal way to a particular IP address,enrichment module 409 may contact one or more sources to determine information about the unknown IP address. These sources may include information about whether the address is malicious, whether the address belongs to a particular entity, or any other similar information regarding the IP address. - Once the enrichment information is determined,
likelihood module 410 may determine a threat confidence level and rule set for the security incident based on the enrichment information. This confidence level relates the security incident to the likelihood that the incident is related to a malicious activity. For instance, if an external source verified that an IP address corresponded to malicious software activity, the confidence level and rule set would be different than for an unknown IP address. Once the confidence level and rule set is determined, suggestmodule 411 determines suggested security actions for an administrator based on the identified rule set. These suggestions may include suggestions to eliminate a malicious item related to the security incident, segregating the asset from other assets within the network, imaging computing system to provide further analysis on the incident, amongst a variety of other suggested security actions. - Referring now to
FIG. 5 ,FIG. 5 illustrates acomputing environment 500 to identify rule sets and recommend security actions for security incidents.Computing environment 500 includesasset 510, other devices andassets 520,advisement system 530, internal andexternal sources 540, andadministration system 550.Asset 510 is further associated withincident 515, and other devices andassets 520 execute processes 521-525.Asset 510 and other devices andassets 520 may comprise routers, switches, operating systems, applications, processes, or any other similar asset within a computing environment. - As illustrated,
advisement system 530 identifies anincident 515 related toasset 510. This incident report may include an identifier for the asset, an identifier for the computing device associated with the asset, a URL associated with the incident, an application, process, or executable for the incident, or any other similar information about the incident. For example, ifincident 515 corresponded to an executable, the report to advisementsystem 530 may include the name, file path, and other related information to the executable. In some implementations, the report may be generated by a SIEM system to be provided toadvisement system 530. However, in other examples, the report may be generated by other security devices including, but not limited to, the devices associated with the assets, or other security monitoring hardware. - Once a report of
incident 515 is received,advisement system 530 may gather enrichment information fromsources 540 to gather further data related to the particular incident. For example, if the incident were related to communications with a particular IP address,advisement system 530 may query a database, either internal or external to the computing environment, to determine if the IP address is related to malicious activity. Here, in addition to querying the internal and external sources,advisement system 530 identifies related processes toincident 515. For example,incident 515 may be related to a particular application within the network, such as a database application or some other application. Once an incident is identified with the application,advisement system 530 may determine other applications or processes that require access to the database application. The processes may include, but are not limited to, back-end processes and data processing processes. Based on the information gathered fromasset 510, enrichment information gathered from internal andexternal source 540, and related processes identified from processes 521-525,advisement system 530 identifies a rule set for the incident. - For example, because
process 523 is identified as relating to or requiringasset 510 for operation, a particular rule set may be selected based on this determination to continue to provide services to process 523. Once the rule set is selected,advisement system 530 may determine one or more action suggestions to take againstincident 515 based on the rule set and provide them toadministrator 560 atadministration system 550. Although illustrated separately in the present example, it should be understood thatadministration system 550 might reside wholly or partially onadvisement system 530. - While illustrated in
FIG. 5 as inquiring other devices andassets 520 to determine the related processes toasset 510, it should be understood that in some examples a database might be maintained to relate the physical devices and processes to one another. Here, the action recommendations that are provided toadministrator 560 might include actions that continue the operation ofasset 510. For example, becauseprocess 523 requiresasset 510 for operation, the action recommendations may include taking a snapshot ofasset 510, limiting the communications that can be made byasset 510, limit the type of data that is communicated byasset 510, or other similar operations that continue the operation ofasset 510. - In some implementations,
advisement system 530 may identify a report of a possible malicious application on a particular asset. Responsive to the report,advisement system 530 may determine if the application is a known application based on a known repository of applications within the environment. Ifadvisement system 530 determines that the application is known for the environment, a rule set and actions may be provided to the administrator that may allow the application to continue operation with particular limitations or monitoring. In contrast, ifadvisement system 530 determines that the application is unknown within the environment, the rule set and action recommendations may prescribe removing the application and the related application data from the environment. -
FIG. 6 illustrates anoverview 600 of providing a recommendation interface for an administrator of a computing environment.Overview 600 includesadvisement system 620 andrecommendation interface 640.Recommendation interface 640 further includes recommendations 631-634 and miscellaneous user interface (U.I.) 650. As illustrated in the present example,advisement system 620 is configured to identify reports of possible security incidents within a computing environment. This computing environment includes a plurality of computing systems and devices, including switches, computers, routers, or other similar computing hardware. These reports may include information about the type of security incident, an identifier for the asset with the incident, IP address information related to the incident, information about a process or executable related to the incident, or any other similar information. - In response to receiving the report,
advisement system 620 may use the information about the incident to query internal and external sources for enrichment data related to the incident. For example, ifadvisement system 620 received a report regarding a particular executable within the computing environment,advisement system 620 may query one or more databases to determine whether the executable was malicious. In some implementations,advisement system 620 may identify whether the asset related to the issue is required or associated with any other asset within the environment. Thus, if the asset is required by one or more processes or systems, action recommendations may be identified that allow the required processes or systems to continue to access the asset in question. - In the present example, once the enrichment information is gathered and a rule set identified, recommendations may be defined based on the rule set and provided to an administrator as
recommendation interface 640.Recommendation interface 640 may be displayed locally via a screen or other interface onadvisement system 620, or may be displayed at a user console, such as a desktop, laptop, tablet, or other similar computing device. Here,recommendation interface 640 includes four recommendations 631-634, although any number of recommendations may be provided to an administrator, and further includesmiscellaneous user interface 650.Miscellaneous user interface 650 may include a chat window, a programming interface allowing the user to program various actions for the assets within the computing environment, amongst a variety of other possible user interactions. - For example, the chat window may allow a plurality of administrators within the organization discuss the security incidents and possible actions or responses to the incidents. In some implementations, the chatroom that is provided to
administrator 610 may include administrators that are approved to take action against a particular incident. For instance, an organization may permit four administrators to take action against a malware incident within a database computing system. Accordingly, when the incident is identified, the recommendation interface that is provided to each of the administrators may allow the four approved administrators to discuss the incident, and identify the appropriate action to take against the incident. - Once
administrator 610 selects a recommendation of recommendations 631-634 to be taken against the security incident,advisement system 620 may initiate the activities necessary to implement the requested action. In some implementations,advisement system 620 may provideadministrator 610 with the workflow or the procedural steps to implement the desired action. For example, if the action required the modification of a firewall within the computing environment,advisement system 620 may present the user with the necessary steps to implement the change to the firewall, including logging into the necessary device and making the necessary changes. - In other implementations, rather than requiring
administrator 610 to step through each phase necessary for a particular action,advisement system 620 may be configured to automate the implementation of the actions. To automate the action implementations, in some examples,advisement system 620 may be configured with various connectors or translators that are used to configure each of the assets and computing systems within the environment. These connectors may be used to take a recommendation such as “block all communications from IP address X,” and convert the recommendation into a script to implement the recommendation in a firewall. Thus, although each of the assets may require a different programming language or application program interface,advisement system 620 may implement the actions in a scripted format for each of the assets. In some implementations, the administrators of the computing environment may generate the configurations. In other examples, the connector configurations may be gathered from a database that allows the connectors to be generated and shared across various computing environments and organizations. Accordingly, an administrator for one computing environment may generate a connector that can be used by other administrators in other computing environments to script the implementation of a particular action. Once the connector information is configured withadvisement system 620,advisement system 620 may communicate with the devices, computing systems, and software of the computing environment to implement the desired security actions ofadministrator 610. - For example, a computing environment may include firewall software on one or more computing devices. To manage the firewall software, an administrator of the environment may identify, via the connector database, a connector associated with the software, and configure
advisement system 620 to implement the connector. Accordingly, when an action is required that relates to the particular firewall, the connector information may be used to implement the desired action in the firewall. This connector information may include the necessary commands and scripts to block a particular IP address, permit a particular IP address, block particular data requests, or any other similar configuration information. - The included descriptions and figures depict specific implementations to teach those skilled in the art how to make and use the best option. For the purpose of teaching inventive principles, some conventional aspects have been simplified or omitted. Those skilled in the art will appreciate variations from these implementations that fall within the scope of the invention. Those skilled in the art will also appreciate that the features described above can be combined in various ways to form multiple implementations. As a result, the invention is not limited to the specific implementations described above, but only by the claims and their equivalents.
Claims (20)
1. A method of operating an advisement system to provide action recommendations in a computing environment comprising a plurality of computing devices, the method comprising:
identifying a security incident for an asset in the computing environment;
in response to identifying the security incident, identifying enrichment information about the security incident;
determining a rule set for the security incident based on the enrichment information; and
identifying one or more action recommendations for an administrator based on the rule set.
2. The method of claim 1 wherein identifying the enrichment information about the security incident comprises identifying the enrichment information in an external database related to the security incident.
3. The method of claim 1 wherein identifying the security incident for an asset comprises one of receiving the security incident from a security information and event management (SIEM) system or identifying a user defined security incident.
4. The method of claim 1 wherein the asset comprises one of a router, a switch, a firewall, an operating system, a virtual private network, or an application.
5. The method of claim 1 wherein identifying the enrichment information about the security incident comprises determining whether one or more approved processes in the computing environment relate to the security incident, and wherein determining the rule set for the security incident based on the enrichment information comprises, if one or more approved processes in the computing environment relate to the security incident, determining the rule set for the security incident based on an effect of the rule set on the one or more approved processes.
6. The method of claim 1 wherein identifying the security incident for the asset in the computing environment comprises identifying traits related to the security incident, wherein the traits comprise an identifier for the asset, and at least one of an internet protocol (IP) address related to the incident, Uniform Resource Locator (URL) related to the incident, a user name related to the incident, a computing system identifier for the asset, a file name related to the incident, or a service name related to the incident.
7. The method of claim 1 further comprising generating a display of the one or more recommendations for the administrator.
8. A computer readable storage medium having instructions stored thereon, that when executed by advisement computing system, direct the advisement computing system to perform a method of providing action recommendations in a computing environment comprising a plurality of computing devices, the method comprising:
identifying a security incident for an asset in the computing environment;
in response to identifying the security incident, identifying enrichment information about the security incident;
determining a rule set for the security incident based on the enrichment information; and
identifying one or more action recommendations for an administrator based on the rule set.
9. The computer readable storage medium of claim 8 wherein identifying the enrichment information about the security incident comprises identifying the enrichment information in an external database related to the security incident.
10. The computer readable storage medium of claim 8 , wherein identifying the security incident for an asset comprises one of receiving the security incident from a security information and event management (SIEM) system or identifying a user defined security incident.
11. The computer readable storage medium of claim 8 , wherein the asset comprises one of a router, a switch, a firewall, an operating system, a virtual private network, or an application.
12. The computer readable storage medium of claim 8 , wherein identifying the enrichment information about the security incident comprises determining whether one or more approved processes in the computing environment relate to the security incident, and wherein determining the rule set for the security incident based on the enrichment information comprises, if one or more approved processes in the computing environment relate to the security incident, determining the rule set for the security incident based on an effect of the rule set on the one or more approved processes.
13. The computer readable storage medium of claim 8 , wherein identifying the security incident for the asset in the computing environment comprises identifying traits related to the security incident, wherein the traits comprise an identifier for the asset, and at least one of an internet protocol (IP) address related to the incident, Uniform Resource Locator (URL) related to the incident, a user name related to the incident, a computing system identifier for the asset, a file name related to the incident, or a service name related to the incident.
14. The computer readable storage medium of claim 8 , wherein the method further comprises generating a display of the one or more recommendations for the administrator.
15. The computer readable storage medium of claim 9 , wherein the security incident comprises a process, and wherein identifying the enrichment information about the security incident comprises at least determining whether the process is known in the computing environment.
16. An advisement system to provide security action recommendations in a computing environment, the advisement system comprising:
a communication interface configured to:
receive a security incident for an asset in the computing environment;
a processing system, communicatively coupled to the communication interface, configured to:
in response to receiving the security incident, identify enrichment information about the security incident;
determine a rule set for the security incident based on the enrichment information; and
identify one or more action recommendations for an administrator based on the rule set.
17. The advisement system of claim 16 wherein the processing system configured to identify the enrichment information about the security incident is configured to identifying the enrichment information in an external database related to the security incident.
18. The advisement system of claim 16 wherein the asset comprises one of a router, a switch, a firewall, an operating system, a virtual private network, or an application.
19. The advisement system of claim 16 wherein the security incident comprises a process, and wherein the processing system configured to identify the enrichment information about the security incident is configured to at least determine whether the process is known in the computing environment.
20. The advisement system of claim 16 wherein the processing system is further configured to generate a display of the one or more recommendations for the administrator.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/675,075 US20160164917A1 (en) | 2014-12-03 | 2015-03-31 | Action recommendations for computing assets based on enrichment information |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201462087025P | 2014-12-03 | 2014-12-03 | |
US201562106830P | 2015-01-23 | 2015-01-23 | |
US201562106837P | 2015-01-23 | 2015-01-23 | |
US14/675,075 US20160164917A1 (en) | 2014-12-03 | 2015-03-31 | Action recommendations for computing assets based on enrichment information |
Publications (1)
Publication Number | Publication Date |
---|---|
US20160164917A1 true US20160164917A1 (en) | 2016-06-09 |
Family
ID=56095367
Family Applications (35)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/675,075 Abandoned US20160164917A1 (en) | 2014-12-03 | 2015-03-31 | Action recommendations for computing assets based on enrichment information |
US14/675,176 Active 2035-11-23 US11165812B2 (en) | 2014-12-03 | 2015-03-31 | Containment of security threats within a computing environment |
US14/674,679 Active US9712555B2 (en) | 2014-12-03 | 2015-03-31 | Automated responses to security threats |
US14/677,493 Active US11019092B2 (en) | 2014-12-03 | 2015-04-02 | Learning based security threat containment |
US14/689,926 Active 2035-12-27 US9871818B2 (en) | 2014-12-03 | 2015-04-17 | Managing workflows upon a security incident |
US14/689,973 Active 2035-10-08 US9762607B2 (en) | 2014-12-03 | 2015-04-17 | Incident response automation engine |
US14/824,262 Active US9888029B2 (en) | 2014-12-03 | 2015-08-12 | Classifying kill-chains for security incidents |
US14/868,553 Active US10834120B2 (en) | 2014-12-03 | 2015-09-29 | Identifying related communication interactions to a security threat in a computing environment |
US14/956,615 Active 2036-03-23 US9954888B2 (en) | 2014-12-03 | 2015-12-02 | Security actions for computing assets based on enrichment information |
US14/956,589 Active US10063587B2 (en) | 2014-12-03 | 2015-12-02 | Management of security actions based on computing asset classification |
US15/699,454 Active US10158663B2 (en) | 2014-12-03 | 2017-09-08 | Incident response using asset configuration data |
US15/845,963 Active US10116687B2 (en) | 2014-12-03 | 2017-12-18 | Management of administrative incident response based on environmental characteristics associated with a security incident |
US15/886,183 Active US10193920B2 (en) | 2014-12-03 | 2018-02-01 | Managing security actions in a computing environment based on communication activity of a security threat |
US15/924,759 Active US10476905B2 (en) | 2014-12-03 | 2018-03-19 | Security actions for computing assets based on enrichment information |
US16/042,283 Active 2035-12-21 US10855718B2 (en) | 2014-12-03 | 2018-07-23 | Management of actions in a computing environment based on asset classification |
US16/107,975 Active US10425441B2 (en) | 2014-12-03 | 2018-08-21 | Translating security actions to action procedures in an advisement system |
US16/107,979 Active US10567424B2 (en) | 2014-12-03 | 2018-08-21 | Determining security actions for security threats using enrichment information |
US16/107,972 Active US10425440B2 (en) | 2014-12-03 | 2018-08-21 | Implementing security actions in an advisement system based on obtained software characteristics |
US16/142,913 Active US10554687B1 (en) | 2014-12-03 | 2018-09-26 | Incident response management based on environmental characteristics |
US16/182,914 Active US10616264B1 (en) | 2014-12-03 | 2018-11-07 | Incident response management based on asset configurations in a computing environment |
US16/539,918 Active US11019093B2 (en) | 2014-12-03 | 2019-08-13 | Graphical interface for incident response automation |
US16/568,949 Active US10986120B2 (en) | 2014-12-03 | 2019-09-12 | Selecting actions responsive to computing environment incidents based on action impact information |
US16/699,299 Active 2035-07-02 US11190539B2 (en) | 2014-12-03 | 2019-11-29 | Modifying incident response time periods based on containment action effectiveness |
US16/736,120 Active US11025664B2 (en) | 2014-12-03 | 2020-01-07 | Identifying security actions for responding to security threats based on threat state information |
US16/863,557 Active 2035-07-09 US11647043B2 (en) | 2014-12-03 | 2020-04-30 | Identifying security actions based on computing asset relationship data |
US17/033,146 Active 2035-11-06 US11323472B2 (en) | 2014-12-03 | 2020-09-25 | Identifying automated responses to security threats based on obtained communication interactions |
US17/104,537 Active 2036-02-24 US11677780B2 (en) | 2014-12-03 | 2020-11-25 | Identifying automated response actions based on asset classification |
US17/185,612 Active 2036-03-07 US11765198B2 (en) | 2014-12-03 | 2021-02-25 | Selecting actions responsive to computing environment incidents based on severity rating |
US17/242,165 Active 2036-03-11 US11757925B2 (en) | 2014-12-03 | 2021-04-27 | Managing security actions in a computing environment based on information gathering activity of a security threat |
US17/306,703 Active US11658998B2 (en) | 2014-12-03 | 2021-05-03 | Translating security actions into computing asset-specific action procedures |
US17/326,070 Active US11895143B2 (en) | 2014-12-03 | 2021-05-20 | Providing action recommendations based on action effectiveness across information technology environments |
US17/513,595 Active US11805148B2 (en) | 2014-12-03 | 2021-10-28 | Modifying incident response time periods based on incident volume |
US17/710,523 Active US11870802B1 (en) | 2014-12-03 | 2022-03-31 | Identifying automated responses to security threats based on communication interactions content |
US18/228,982 Pending US20230388338A1 (en) | 2014-12-03 | 2023-08-01 | Managing security actions in a computing environment based on movement of a security threat |
US18/231,715 Pending US20240031397A1 (en) | 2014-12-03 | 2023-08-08 | Selecting actions responsive to computing environment incidents based on severity rating |
Family Applications After (34)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/675,176 Active 2035-11-23 US11165812B2 (en) | 2014-12-03 | 2015-03-31 | Containment of security threats within a computing environment |
US14/674,679 Active US9712555B2 (en) | 2014-12-03 | 2015-03-31 | Automated responses to security threats |
US14/677,493 Active US11019092B2 (en) | 2014-12-03 | 2015-04-02 | Learning based security threat containment |
US14/689,926 Active 2035-12-27 US9871818B2 (en) | 2014-12-03 | 2015-04-17 | Managing workflows upon a security incident |
US14/689,973 Active 2035-10-08 US9762607B2 (en) | 2014-12-03 | 2015-04-17 | Incident response automation engine |
US14/824,262 Active US9888029B2 (en) | 2014-12-03 | 2015-08-12 | Classifying kill-chains for security incidents |
US14/868,553 Active US10834120B2 (en) | 2014-12-03 | 2015-09-29 | Identifying related communication interactions to a security threat in a computing environment |
US14/956,615 Active 2036-03-23 US9954888B2 (en) | 2014-12-03 | 2015-12-02 | Security actions for computing assets based on enrichment information |
US14/956,589 Active US10063587B2 (en) | 2014-12-03 | 2015-12-02 | Management of security actions based on computing asset classification |
US15/699,454 Active US10158663B2 (en) | 2014-12-03 | 2017-09-08 | Incident response using asset configuration data |
US15/845,963 Active US10116687B2 (en) | 2014-12-03 | 2017-12-18 | Management of administrative incident response based on environmental characteristics associated with a security incident |
US15/886,183 Active US10193920B2 (en) | 2014-12-03 | 2018-02-01 | Managing security actions in a computing environment based on communication activity of a security threat |
US15/924,759 Active US10476905B2 (en) | 2014-12-03 | 2018-03-19 | Security actions for computing assets based on enrichment information |
US16/042,283 Active 2035-12-21 US10855718B2 (en) | 2014-12-03 | 2018-07-23 | Management of actions in a computing environment based on asset classification |
US16/107,975 Active US10425441B2 (en) | 2014-12-03 | 2018-08-21 | Translating security actions to action procedures in an advisement system |
US16/107,979 Active US10567424B2 (en) | 2014-12-03 | 2018-08-21 | Determining security actions for security threats using enrichment information |
US16/107,972 Active US10425440B2 (en) | 2014-12-03 | 2018-08-21 | Implementing security actions in an advisement system based on obtained software characteristics |
US16/142,913 Active US10554687B1 (en) | 2014-12-03 | 2018-09-26 | Incident response management based on environmental characteristics |
US16/182,914 Active US10616264B1 (en) | 2014-12-03 | 2018-11-07 | Incident response management based on asset configurations in a computing environment |
US16/539,918 Active US11019093B2 (en) | 2014-12-03 | 2019-08-13 | Graphical interface for incident response automation |
US16/568,949 Active US10986120B2 (en) | 2014-12-03 | 2019-09-12 | Selecting actions responsive to computing environment incidents based on action impact information |
US16/699,299 Active 2035-07-02 US11190539B2 (en) | 2014-12-03 | 2019-11-29 | Modifying incident response time periods based on containment action effectiveness |
US16/736,120 Active US11025664B2 (en) | 2014-12-03 | 2020-01-07 | Identifying security actions for responding to security threats based on threat state information |
US16/863,557 Active 2035-07-09 US11647043B2 (en) | 2014-12-03 | 2020-04-30 | Identifying security actions based on computing asset relationship data |
US17/033,146 Active 2035-11-06 US11323472B2 (en) | 2014-12-03 | 2020-09-25 | Identifying automated responses to security threats based on obtained communication interactions |
US17/104,537 Active 2036-02-24 US11677780B2 (en) | 2014-12-03 | 2020-11-25 | Identifying automated response actions based on asset classification |
US17/185,612 Active 2036-03-07 US11765198B2 (en) | 2014-12-03 | 2021-02-25 | Selecting actions responsive to computing environment incidents based on severity rating |
US17/242,165 Active 2036-03-11 US11757925B2 (en) | 2014-12-03 | 2021-04-27 | Managing security actions in a computing environment based on information gathering activity of a security threat |
US17/306,703 Active US11658998B2 (en) | 2014-12-03 | 2021-05-03 | Translating security actions into computing asset-specific action procedures |
US17/326,070 Active US11895143B2 (en) | 2014-12-03 | 2021-05-20 | Providing action recommendations based on action effectiveness across information technology environments |
US17/513,595 Active US11805148B2 (en) | 2014-12-03 | 2021-10-28 | Modifying incident response time periods based on incident volume |
US17/710,523 Active US11870802B1 (en) | 2014-12-03 | 2022-03-31 | Identifying automated responses to security threats based on communication interactions content |
US18/228,982 Pending US20230388338A1 (en) | 2014-12-03 | 2023-08-01 | Managing security actions in a computing environment based on movement of a security threat |
US18/231,715 Pending US20240031397A1 (en) | 2014-12-03 | 2023-08-08 | Selecting actions responsive to computing environment incidents based on severity rating |
Country Status (1)
Country | Link |
---|---|
US (35) | US20160164917A1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20210314347A1 (en) * | 2014-12-03 | 2021-10-07 | Splunk Inc. | Selecting actions responsive to computing environment incidents based on severity rating |
US20220164440A1 (en) * | 2020-11-23 | 2022-05-26 | Reliaquest Holdings, Llc | Threat mitigation system and method |
US11843622B1 (en) * | 2020-10-16 | 2023-12-12 | Splunk Inc. | Providing machine learning models for classifying domain names for malware detection |
Families Citing this family (111)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9729667B2 (en) | 2014-12-09 | 2017-08-08 | Facebook, Inc. | Generating user notifications using beacons on online social networks |
US9692838B2 (en) | 2014-12-09 | 2017-06-27 | Facebook, Inc. | Generating business insights using beacons on online social networks |
US20160234240A1 (en) * | 2015-02-06 | 2016-08-11 | Honeywell International Inc. | Rules engine for converting system-related characteristics and events into cyber-security risk assessment values |
US10021125B2 (en) * | 2015-02-06 | 2018-07-10 | Honeywell International Inc. | Infrastructure monitoring tool for collecting industrial process control and automation system risk data |
US10075475B2 (en) | 2015-02-06 | 2018-09-11 | Honeywell International Inc. | Apparatus and method for dynamic customization of cyber-security risk item rules |
US10021119B2 (en) | 2015-02-06 | 2018-07-10 | Honeywell International Inc. | Apparatus and method for automatic handling of cyber-security risk events |
US10075474B2 (en) | 2015-02-06 | 2018-09-11 | Honeywell International Inc. | Notification subsystem for generating consolidated, filtered, and relevant security risk-based notifications |
US10298608B2 (en) | 2015-02-11 | 2019-05-21 | Honeywell International Inc. | Apparatus and method for tying cyber-security risk analysis to common risk methodologies and risk levels |
US9800604B2 (en) | 2015-05-06 | 2017-10-24 | Honeywell International Inc. | Apparatus and method for assigning cyber-security risk consequences in industrial process control environments |
US9934475B2 (en) * | 2015-05-13 | 2018-04-03 | Bank Of America Corporation | Managing enterprise data movement using a heuristic data movement detection engine |
JP6497268B2 (en) * | 2015-08-17 | 2019-04-10 | 富士通株式会社 | Management program, management apparatus and management method |
US10425447B2 (en) * | 2015-08-28 | 2019-09-24 | International Business Machines Corporation | Incident response bus for data security incidents |
US9930070B2 (en) | 2015-11-11 | 2018-03-27 | International Business Machines Corporation | Modifying security policies of related resources |
US9943116B2 (en) | 2015-11-17 | 2018-04-17 | Lunatech, Llc | Electronic vapor device warning system |
WO2017157996A1 (en) * | 2016-03-18 | 2017-09-21 | Abb Schweiz Ag | Context-aware security self-assessment |
US9743272B1 (en) | 2016-03-28 | 2017-08-22 | Bank Of America Corporation | Security implementation for resource distribution |
US10039113B2 (en) | 2016-03-28 | 2018-07-31 | Bank Of America Corporation | Intelligent resource procurement system based on physical proximity to related resources |
US10135817B2 (en) | 2016-03-28 | 2018-11-20 | Bank Of America Corporation | Enhancing authentication and source of proof through a dynamically updatable biometrics database |
US10080132B2 (en) | 2016-03-28 | 2018-09-18 | Bank Of America Corporation | System for adaptation of multiple digital signatures in a distributed network |
US10148675B1 (en) | 2016-03-30 | 2018-12-04 | Amazon Technologies, Inc. | Block-level forensics for distributed computing systems |
US10142290B1 (en) * | 2016-03-30 | 2018-11-27 | Amazon Technologies, Inc. | Host-based firewall for distributed computer systems |
US10333962B1 (en) | 2016-03-30 | 2019-06-25 | Amazon Technologies, Inc. | Correlating threat information across sources of distributed computing systems |
US10178119B1 (en) | 2016-03-30 | 2019-01-08 | Amazon Technologies, Inc. | Correlating threat information across multiple levels of distributed computing systems |
US10812420B2 (en) * | 2016-04-07 | 2020-10-20 | Vizsafe, Inc. | Method and system for multi-media messaging and communications from mobile enabled networked devices directed to proximate organizations based on geolocated parameters |
US10127741B2 (en) | 2016-04-25 | 2018-11-13 | Lunatech, Llc | Electronic vaporizing device with vehicle monitoring functionality |
US10498711B1 (en) | 2016-05-20 | 2019-12-03 | Palantir Technologies Inc. | Providing a booting key to a remote system |
US20170364222A1 (en) * | 2016-06-17 | 2017-12-21 | Bank Of America Corporation | System for internetworked monitoring and communication triggering |
US10038607B2 (en) | 2016-06-17 | 2018-07-31 | Bank Of America Corporation | System for aggregated machine-initiated resource distribution |
US10796253B2 (en) | 2016-06-17 | 2020-10-06 | Bank Of America Corporation | System for resource use allocation and distribution |
US10103936B2 (en) | 2016-06-21 | 2018-10-16 | Bank Of America Corporation | Computerized resource reallocation system for transferring resource blocks based on custodian event |
US10334462B2 (en) | 2016-06-23 | 2019-06-25 | Bank Of America Corporation | Predictive analytics for resource development based on information communicated from inter-related communication devices |
US10439913B2 (en) | 2016-07-01 | 2019-10-08 | Bank Of America Corporation | Dynamic replacement and upgrade of existing resources based on resource utilization |
US10542016B2 (en) * | 2016-08-31 | 2020-01-21 | Sap Se | Location enrichment in enterprise threat detection |
US9578066B1 (en) * | 2016-09-14 | 2017-02-21 | Hytrust, Inc. | Systems and method for assuring security governance in managed computer systems |
US10630705B2 (en) | 2016-09-23 | 2020-04-21 | Sap Se | Real-time push API for log events in enterprise threat detection |
US10127400B2 (en) | 2016-09-26 | 2018-11-13 | Bank Of America Corporation | Control device for aggregation and distribution of machine-initiated resource distribution |
US10534910B1 (en) * | 2016-10-04 | 2020-01-14 | Hewlett-Packard Development Company, L.P. | Using threat model to monitor host execution |
WO2018071355A1 (en) * | 2016-10-13 | 2018-04-19 | Nec Laboratories America, Inc. | Constructing graph models of event correlation in enterprise security systems |
US10681062B2 (en) | 2016-11-02 | 2020-06-09 | Accenture Global Solutions Limited | Incident triage scoring engine |
US10298605B2 (en) * | 2016-11-16 | 2019-05-21 | Red Hat, Inc. | Multi-tenant cloud security threat detection |
EP3545418A4 (en) | 2016-11-22 | 2020-08-12 | AON Global Operations PLC, Singapore Branch | Systems and methods for cybersecurity risk assessment |
US10574678B2 (en) * | 2016-12-13 | 2020-02-25 | Forescout Technologies, Inc. | Name translation monitoring |
US10530792B2 (en) | 2016-12-15 | 2020-01-07 | Sap Se | Using frequency analysis in enterprise threat detection to detect intrusions in a computer system |
US10735468B1 (en) * | 2017-02-14 | 2020-08-04 | Ca, Inc. | Systems and methods for evaluating security services |
WO2019004928A1 (en) * | 2017-06-29 | 2019-01-03 | Certis Cisco Security Pte Ltd | Autonomic incident triage prioritization by performance modifier and temporal decay parameters |
US10530794B2 (en) | 2017-06-30 | 2020-01-07 | Sap Se | Pattern creation in enterprise threat detection |
US10715545B2 (en) * | 2017-09-22 | 2020-07-14 | Microsoft Technology Licensing, Llc | Detection and identification of targeted attacks on a computing system |
US11588739B2 (en) * | 2017-11-21 | 2023-02-21 | Nicira, Inc. | Enhanced management of communication rules over multiple computing networks |
US11271960B2 (en) | 2017-12-06 | 2022-03-08 | Ribbon Communications Operating Company, Inc. | Communications methods and apparatus for dynamic detection and/or mitigation of anomalies |
US10931696B2 (en) * | 2018-07-13 | 2021-02-23 | Ribbon Communications Operating Company, Inc. | Communications methods and apparatus for dynamic detection and/or mitigation of threats and/or anomalies |
US10681064B2 (en) | 2017-12-19 | 2020-06-09 | Sap Se | Analysis of complex relationships among information technology security-relevant entities using a network graph |
US10986111B2 (en) | 2017-12-19 | 2021-04-20 | Sap Se | Displaying a series of events along a time axis in enterprise threat detection |
JP6824151B2 (en) * | 2017-12-26 | 2021-02-03 | 三菱電機株式会社 | Incident response support device |
US11010233B1 (en) | 2018-01-18 | 2021-05-18 | Pure Storage, Inc | Hardware-based system monitoring |
US11327826B1 (en) | 2018-02-01 | 2022-05-10 | Amdocs Development Limited | System, method, and computer program for automated resolution of free-text incidents, based on machine learning |
US10848512B2 (en) | 2018-06-06 | 2020-11-24 | Reliaquest Holdings, Llc | Threat mitigation system and method |
US11709946B2 (en) | 2018-06-06 | 2023-07-25 | Reliaquest Holdings, Llc | Threat mitigation system and method |
US11038915B1 (en) * | 2018-07-31 | 2021-06-15 | Splunk Inc. | Dynamic generation of courses of action for incident response in an information technology environment |
US11403393B1 (en) * | 2018-07-31 | 2022-08-02 | Splunk Inc. | Utilizing predicted resolution times to allocate incident response resources in an information technology environment |
US10742484B1 (en) | 2018-07-31 | 2020-08-11 | Splunk Inc. | Generating action suggestions based on anonymized data from multiple information technology environments |
US11290479B2 (en) * | 2018-08-11 | 2022-03-29 | Rapid7, Inc. | Determining insights in an electronic environment |
US10757093B1 (en) * | 2018-08-31 | 2020-08-25 | Splunk Inc. | Identification of runtime credential requirements |
US10853478B1 (en) | 2018-08-31 | 2020-12-01 | Splunk Inc. | Encrypted storage and provision of authentication information for use when responding to an information technology incident |
GB201816809D0 (en) * | 2018-10-16 | 2018-11-28 | Palantir Technologies Inc | Establishing access systems |
EP3647980B1 (en) * | 2018-10-30 | 2022-01-19 | Hewlett-Packard Development Company, L.P. | Response to an intrusion against a service of an operating system |
US11374958B2 (en) * | 2018-10-31 | 2022-06-28 | International Business Machines Corporation | Security protection rule prediction and enforcement |
US11036867B2 (en) | 2019-02-27 | 2021-06-15 | International Business Machines Corporation | Advanced rule analyzer to identify similarities in security rules, deduplicate rules, and generate new rules |
US11063897B2 (en) | 2019-03-01 | 2021-07-13 | Cdw Llc | Method and system for analyzing electronic communications and customer information to recognize and mitigate message-based attacks |
US11343263B2 (en) | 2019-04-15 | 2022-05-24 | Qualys, Inc. | Asset remediation trend map generation and utilization for threat mitigation |
USD926810S1 (en) | 2019-06-05 | 2021-08-03 | Reliaquest Holdings, Llc | Display screen or portion thereof with a graphical user interface |
USD926809S1 (en) | 2019-06-05 | 2021-08-03 | Reliaquest Holdings, Llc | Display screen or portion thereof with a graphical user interface |
USD926200S1 (en) | 2019-06-06 | 2021-07-27 | Reliaquest Holdings, Llc | Display screen or portion thereof with a graphical user interface |
USD926782S1 (en) | 2019-06-06 | 2021-08-03 | Reliaquest Holdings, Llc | Display screen or portion thereof with a graphical user interface |
USD926811S1 (en) | 2019-06-06 | 2021-08-03 | Reliaquest Holdings, Llc | Display screen or portion thereof with a graphical user interface |
US10728383B1 (en) * | 2019-07-01 | 2020-07-28 | Securus Technologies, Inc. | Controlled-environment facility resident pattern electronic communication detection and controlled-environment facility action |
RU2739864C1 (en) * | 2019-07-17 | 2020-12-29 | Акционерное общество "Лаборатория Касперского" | System and method of correlating events for detecting information security incident |
WO2021021728A1 (en) * | 2019-07-26 | 2021-02-04 | Reliaquest Holdings, Llc | Threat mitigation system and method |
TWI742799B (en) * | 2019-10-18 | 2021-10-11 | 臺灣銀行股份有限公司 | Network attack analysis method |
US11677783B2 (en) * | 2019-10-25 | 2023-06-13 | Target Brands, Inc. | Analysis of potentially malicious emails |
US11165815B2 (en) * | 2019-10-28 | 2021-11-02 | Capital One Services, Llc | Systems and methods for cyber security alert triage |
US11657155B2 (en) * | 2019-11-22 | 2023-05-23 | Pure Storage, Inc | Snapshot delta metric based determination of a possible ransomware attack against data maintained by a storage system |
US11645162B2 (en) * | 2019-11-22 | 2023-05-09 | Pure Storage, Inc. | Recovery point determination for data restoration in a storage system |
US11941116B2 (en) * | 2019-11-22 | 2024-03-26 | Pure Storage, Inc. | Ransomware-based data protection parameter modification |
US11625481B2 (en) * | 2019-11-22 | 2023-04-11 | Pure Storage, Inc. | Selective throttling of operations potentially related to a security threat to a storage system |
US11687418B2 (en) | 2019-11-22 | 2023-06-27 | Pure Storage, Inc. | Automatic generation of recovery plans specific to individual storage elements |
US20210382992A1 (en) * | 2019-11-22 | 2021-12-09 | Pure Storage, Inc. | Remote Analysis of Potentially Corrupt Data Written to a Storage System |
US11341236B2 (en) * | 2019-11-22 | 2022-05-24 | Pure Storage, Inc. | Traffic-based detection of a security threat to a storage system |
US11720692B2 (en) * | 2019-11-22 | 2023-08-08 | Pure Storage, Inc. | Hardware token based management of recovery datasets for a storage system |
US11615185B2 (en) * | 2019-11-22 | 2023-03-28 | Pure Storage, Inc. | Multi-layer security threat detection for a storage system |
US11755751B2 (en) * | 2019-11-22 | 2023-09-12 | Pure Storage, Inc. | Modify access restrictions in response to a possible attack against data stored by a storage system |
US11720714B2 (en) * | 2019-11-22 | 2023-08-08 | Pure Storage, Inc. | Inter-I/O relationship based detection of a security threat to a storage system |
US11651075B2 (en) * | 2019-11-22 | 2023-05-16 | Pure Storage, Inc. | Extensible attack monitoring by a storage system |
US11675898B2 (en) * | 2019-11-22 | 2023-06-13 | Pure Storage, Inc. | Recovery dataset management for security threat monitoring |
US11520907B1 (en) * | 2019-11-22 | 2022-12-06 | Pure Storage, Inc. | Storage system snapshot retention based on encrypted data |
RU2738334C1 (en) * | 2020-03-25 | 2020-12-11 | Общество с ограниченной ответственностью «Группа АйБи ТДС» | Method and system for making decision on need for automated response to incident |
US11363041B2 (en) | 2020-05-15 | 2022-06-14 | International Business Machines Corporation | Protecting computer assets from malicious attacks |
CN111835592B (en) * | 2020-07-14 | 2022-09-27 | 北京百度网讯科技有限公司 | Method, apparatus, electronic device and readable storage medium for determining robustness |
US20220021697A1 (en) * | 2020-07-20 | 2022-01-20 | FireScope, Inc. | Network asset risk analysis |
EP4205004A1 (en) | 2020-08-27 | 2023-07-05 | Virsec Systems, Inc. | Automated application vulnerability and risk assessment |
US11882128B2 (en) * | 2020-09-17 | 2024-01-23 | Fortinet, Inc. | Improving incident classification and enrichment by leveraging context from multiple security agents |
AU2021352426A1 (en) * | 2020-10-02 | 2023-05-18 | Acentium Inc | Systems and methods for threat response |
US11811520B2 (en) | 2020-12-10 | 2023-11-07 | International Business Machines Corporation | Making security recommendations |
EP4278288A1 (en) * | 2021-01-18 | 2023-11-22 | Virsec Systems, Inc. | Workload configuration extractor |
RU2758974C1 (en) * | 2021-03-10 | 2021-11-03 | Федеральное государственное казенное военное образовательное учреждение высшего образования "Краснодарское высшее военное орденов Жукова и Октябрьской Революции Краснознаменное училище имени генерала армии С.М. Штеменко" Министерство обороны Российской Федерации | Method for combined control of the state of the process of functioning of automated systems |
CN112688971B (en) * | 2021-03-18 | 2021-07-27 | 国家信息中心 | Function-damaged network security threat identification device and information system |
US11882148B1 (en) * | 2021-03-23 | 2024-01-23 | Trend Micro Incorporated | Automated mitigation of cyber threats using a semantic cybersecurity database |
US11785025B2 (en) * | 2021-04-15 | 2023-10-10 | Bank Of America Corporation | Threat detection within information systems |
US11874933B2 (en) | 2021-12-29 | 2024-01-16 | Qualys, Inc. | Security event modeling and threat detection using behavioral, analytical, and threat intelligence attributes |
US20230224275A1 (en) * | 2022-01-12 | 2023-07-13 | Bank Of America Corporation | Preemptive threat detection for an information system |
US11843530B2 (en) * | 2022-03-08 | 2023-12-12 | Amdocs Development Limited | System, method, and computer program for unobtrusive propagation of solutions for detected incidents in computer applications |
US11870799B1 (en) * | 2022-10-11 | 2024-01-09 | Second Sight Data Discovery, Inc. | Apparatus and method for implementing a recommended cyber-attack security action |
Citations (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040003286A1 (en) * | 2002-07-01 | 2004-01-01 | Microsoft Corporation | Distributed threat management |
US20060048209A1 (en) * | 2004-08-31 | 2006-03-02 | Microsoft Corporation | Method and system for customizing a security policy |
US20130081141A1 (en) * | 2010-05-25 | 2013-03-28 | Hewlett-Packard Development Company, L.P. | Security threat detection associated with security events and an actor category model |
US20130291106A1 (en) * | 2011-11-23 | 2013-10-31 | United States Government, As Represented By The Secretary Of The Navy | Enterprise level information alert system |
US8627466B2 (en) * | 2003-03-13 | 2014-01-07 | Mcafee, Inc. | Alert message control of security mechanisms in data processing systems |
US20140259170A1 (en) * | 2012-08-23 | 2014-09-11 | Foreground Security | Internet Security Cyber Threat Reporting System and Method |
US20140344926A1 (en) * | 2013-03-15 | 2014-11-20 | Sean Cunningham | System and method employing structured intelligence to verify and contain threats at endpoints |
US9049226B1 (en) * | 2013-03-12 | 2015-06-02 | Emc Corporation | Defending against a cyber attack via asset overlay mapping |
US20150215325A1 (en) * | 2014-01-30 | 2015-07-30 | Marketwired L.P. | Systems and Methods for Continuous Active Data Security |
US9166995B1 (en) * | 2013-09-23 | 2015-10-20 | Symantec Corporation | Systems and methods for using user-input information to identify computer security threats |
US20150365438A1 (en) * | 2014-06-11 | 2015-12-17 | Accenture Global Services Limited | Method and System for Automated Incident Response |
US9256739B1 (en) * | 2014-03-21 | 2016-02-09 | Symantec Corporation | Systems and methods for using event-correlation graphs to generate remediation procedures |
US20160072836A1 (en) * | 2014-09-05 | 2016-03-10 | Resilient Systems, Inc. | System for Tracking Data Security Threats and Method for Same |
US20160103992A1 (en) * | 2014-10-14 | 2016-04-14 | Symantec Corporation | Systems and methods for classifying security events as targeted attacks |
US9325733B1 (en) * | 2014-10-31 | 2016-04-26 | Emc Corporation | Unsupervised aggregation of security rules |
Family Cites Families (134)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6405318B1 (en) | 1999-03-12 | 2002-06-11 | Psionic Software, Inc. | Intrusion detection system |
US6990591B1 (en) | 1999-11-18 | 2006-01-24 | Secureworks, Inc. | Method and system for remotely configuring and monitoring a communication device |
US7127743B1 (en) | 2000-06-23 | 2006-10-24 | Netforensics, Inc. | Comprehensive security structure platform for network managers |
GB0016835D0 (en) | 2000-07-07 | 2000-08-30 | Messagelabs Limited | Method of, and system for, processing email |
US20070192863A1 (en) | 2005-07-01 | 2007-08-16 | Harsh Kapoor | Systems and methods for processing data flows |
US9009824B1 (en) | 2013-03-14 | 2015-04-14 | Trend Micro Incorporated | Methods and apparatus for detecting phishing attacks |
US8868659B2 (en) | 2001-05-15 | 2014-10-21 | Avaya Inc. | Method and apparatus for automatic notification and response |
US7624444B2 (en) | 2001-06-13 | 2009-11-24 | Mcafee, Inc. | Method and apparatus for detecting intrusions on a computer system |
AU2001286374A1 (en) * | 2001-09-04 | 2003-03-18 | E-Cop.Net Pte Ltd | Computer security event management system |
US7076803B2 (en) | 2002-01-28 | 2006-07-11 | International Business Machines Corporation | Integrated intrusion detection services |
US7174566B2 (en) | 2002-02-01 | 2007-02-06 | Intel Corporation | Integrated network intrusion detection |
US7509675B2 (en) | 2002-05-29 | 2009-03-24 | At&T Intellectual Property I, L.P. | Non-invasive monitoring of the effectiveness of electronic security services |
US7035942B2 (en) | 2002-09-17 | 2006-04-25 | Bellsouth Intellectual Property Corp. | Server-based message protocol translation |
US7941854B2 (en) * | 2002-12-05 | 2011-05-10 | International Business Machines Corporation | Method and system for responding to a computer intrusion |
US7526800B2 (en) * | 2003-02-28 | 2009-04-28 | Novell, Inc. | Administration of protection of data accessible by a mobile device |
US9503470B2 (en) | 2002-12-24 | 2016-11-22 | Fred Herz Patents, LLC | Distributed agent based model for security monitoring and response |
US20040143749A1 (en) | 2003-01-16 | 2004-07-22 | Platformlogic, Inc. | Behavior-based host-based intrusion prevention system |
US7281270B2 (en) * | 2003-04-01 | 2007-10-09 | Lockheed Martin Corporation | Attack impact prediction system |
US7827602B2 (en) | 2003-06-30 | 2010-11-02 | At&T Intellectual Property I, L.P. | Network firewall host application identification and authentication |
US8146160B2 (en) * | 2004-03-24 | 2012-03-27 | Arbor Networks, Inc. | Method and system for authentication event security policy generation |
US8881282B1 (en) | 2004-04-01 | 2014-11-04 | Fireeye, Inc. | Systems and methods for malware attack detection and identification |
US8375444B2 (en) | 2006-04-20 | 2013-02-12 | Fireeye, Inc. | Dynamic signature creation and enforcement |
US8171553B2 (en) | 2004-04-01 | 2012-05-01 | Fireeye, Inc. | Heuristic based capture with replay to virtual machine |
US20070180490A1 (en) | 2004-05-20 | 2007-08-02 | Renzi Silvio J | System and method for policy management |
US8074277B2 (en) | 2004-06-07 | 2011-12-06 | Check Point Software Technologies, Inc. | System and methodology for intrusion detection and prevention |
US8255532B2 (en) * | 2004-09-13 | 2012-08-28 | Cisco Technology, Inc. | Metric-based monitoring and control of a limited resource |
US7716727B2 (en) * | 2004-10-29 | 2010-05-11 | Microsoft Corporation | Network security device and method for protecting a computing device in a networked environment |
US7594270B2 (en) * | 2004-12-29 | 2009-09-22 | Alert Logic, Inc. | Threat scoring system and method for intrusion detection security networks |
US7617533B1 (en) * | 2005-01-31 | 2009-11-10 | Symantec Corporation | Self-quarantining network |
US7676841B2 (en) * | 2005-02-01 | 2010-03-09 | Fmr Llc | Network intrusion mitigation |
US7930681B2 (en) | 2005-12-30 | 2011-04-19 | Sap Ag | Service and application management in information technology systems |
US8966630B2 (en) * | 2006-04-27 | 2015-02-24 | The Invention Science Fund I, Llc | Generating and distributing a malware countermeasure |
US20080082662A1 (en) | 2006-05-19 | 2008-04-03 | Richard Dandliker | Method and apparatus for controlling access to network resources based on reputation |
US7950056B1 (en) | 2006-06-30 | 2011-05-24 | Symantec Corporation | Behavior based processing of a new version or variant of a previously characterized program |
US7877022B2 (en) * | 2006-07-07 | 2011-01-25 | Walid Kamali | Circuits and methods of thermal gain compensation |
US8185953B2 (en) | 2007-03-08 | 2012-05-22 | Extrahop Networks, Inc. | Detecting anomalous network application behavior |
US7900259B2 (en) | 2007-03-16 | 2011-03-01 | Prevari | Predictive assessment of network risks |
US8310923B1 (en) * | 2007-03-27 | 2012-11-13 | Amazon Technologies, Inc. | Monitoring a network site to detect adverse network conditions |
US8875272B2 (en) * | 2007-05-15 | 2014-10-28 | International Business Machines Corporation | Firewall for controlling connections between a client machine and a network |
US8103875B1 (en) | 2007-05-30 | 2012-01-24 | Symantec Corporation | Detecting email fraud through fingerprinting |
WO2008151321A2 (en) | 2007-06-08 | 2008-12-11 | The Trustees Of Columbia University In The City Of New York | Systems, methods, and media for enforcing a security policy in a network including a plurality of components |
US8291495B1 (en) | 2007-08-08 | 2012-10-16 | Juniper Networks, Inc. | Identifying applications for intrusion detection systems |
US8271642B1 (en) * | 2007-08-29 | 2012-09-18 | Mcafee, Inc. | System, method, and computer program product for isolating a device associated with at least potential data leakage activity, based on user input |
WO2009047113A1 (en) | 2007-10-10 | 2009-04-16 | Telefonaktiebolaget Lm Ericsson (Publ) | Apparatus for reconfiguration of a technical system based on security analysis and a corresponding technical decision support system and computer program product |
US20090165132A1 (en) * | 2007-12-21 | 2009-06-25 | Fiberlink Communications Corporation | System and method for security agent monitoring and protection |
US9336385B1 (en) * | 2008-02-11 | 2016-05-10 | Adaptive Cyber Security Instruments, Inc. | System for real-time threat detection and management |
US8336094B2 (en) | 2008-03-27 | 2012-12-18 | Juniper Networks, Inc. | Hierarchical firewalls |
US8924469B2 (en) | 2008-06-05 | 2014-12-30 | Headwater Partners I Llc | Enterprise access control and accounting allocation for access networks |
US8955107B2 (en) | 2008-09-12 | 2015-02-10 | Juniper Networks, Inc. | Hierarchical application of security services within a computer network |
US8484338B2 (en) | 2008-10-02 | 2013-07-09 | Actiance, Inc. | Application detection architecture and techniques |
US8069471B2 (en) * | 2008-10-21 | 2011-11-29 | Lockheed Martin Corporation | Internet security dynamics assessment system, program product, and related methods |
US8613040B2 (en) | 2008-12-22 | 2013-12-17 | Symantec Corporation | Adaptive data loss prevention policies |
KR20100078081A (en) | 2008-12-30 | 2010-07-08 | (주) 세인트 시큐리티 | System and method for detecting unknown malicious codes by analyzing kernel based system events |
US8374080B2 (en) * | 2009-01-14 | 2013-02-12 | Stmicroelectronics, Inc. | High throughput features in 11S mesh networks |
EP2415207B1 (en) | 2009-03-31 | 2014-12-03 | Coach Wei | System and method for access management and security protection for network accessible computer services |
US9231964B2 (en) | 2009-04-14 | 2016-01-05 | Microsoft Corporation | Vulnerability detection based on aggregated primitives |
US8914878B2 (en) | 2009-04-29 | 2014-12-16 | Juniper Networks, Inc. | Detecting malicious network software agents |
WO2010144796A2 (en) * | 2009-06-12 | 2010-12-16 | QinetiQ North America, Inc. | Integrated cyber network security system and method |
US20100319004A1 (en) | 2009-06-16 | 2010-12-16 | Microsoft Corporation | Policy Management for the Cloud |
US20100325685A1 (en) | 2009-06-17 | 2010-12-23 | Jamie Sanbower | Security Integration System and Device |
US10027711B2 (en) | 2009-11-20 | 2018-07-17 | Alert Enterprise, Inc. | Situational intelligence |
US20110161452A1 (en) * | 2009-12-24 | 2011-06-30 | Rajesh Poornachandran | Collaborative malware detection and prevention on mobile devices |
US8380828B1 (en) * | 2010-01-21 | 2013-02-19 | Adtran, Inc. | System and method for locating offending network device and maintaining network integrity |
JP5488094B2 (en) | 2010-03-19 | 2014-05-14 | 富士通株式会社 | COMMUNICATION DEVICE, NETWORK ACCESS METHOD, AND COMPUTER PROGRAM |
US9485218B2 (en) * | 2010-03-23 | 2016-11-01 | Adventium Enterprises, Llc | Device for preventing, detecting and responding to security threats |
US8676970B2 (en) | 2010-12-18 | 2014-03-18 | Qualcomm Incorporated | Methods and systems for managing device specific content |
US8499348B1 (en) * | 2010-12-28 | 2013-07-30 | Amazon Technologies, Inc. | Detection of and responses to network attacks |
WO2012109633A2 (en) | 2011-02-11 | 2012-08-16 | Achilles Guard, Inc. D/B/A Critical Watch | Security countermeasure management platform |
US8756697B2 (en) | 2011-03-30 | 2014-06-17 | Trustwave Holdings, Inc. | Systems and methods for determining vulnerability to session stealing |
US9373267B2 (en) | 2011-04-08 | 2016-06-21 | Wombat Security Technologies, Inc. | Method and system for controlling context-aware cybersecurity training |
US9712592B2 (en) * | 2011-04-21 | 2017-07-18 | Arris Enterprises, Inc. | Classification of HTTP multimedia traffic per session |
US20130007882A1 (en) | 2011-06-28 | 2013-01-03 | The Go Daddy Group, Inc. | Methods of detecting and removing bidirectional network traffic malware |
US9009814B1 (en) | 2011-07-21 | 2015-04-14 | Symantec Corporation | Systems and methods for generating secure passwords |
US20140165207A1 (en) | 2011-07-26 | 2014-06-12 | Light Cyber Ltd. | Method for detecting anomaly action within a computer network |
WO2013019198A1 (en) | 2011-07-29 | 2013-02-07 | Hewlett-Packard Development Company, L. P. | Systems and methods for distributed rule-based correlation of events |
US8856910B1 (en) * | 2011-08-31 | 2014-10-07 | Palo Alto Networks, Inc. | Detecting encrypted tunneling traffic |
US8713704B2 (en) * | 2011-09-24 | 2014-04-29 | Elwha Llc | Behavioral fingerprint based authentication |
US8955113B2 (en) * | 2011-09-28 | 2015-02-10 | Verizon Patent And Licensing Inc. | Responding to impermissible behavior of user devices |
US8726385B2 (en) * | 2011-10-05 | 2014-05-13 | Mcafee, Inc. | Distributed system and method for tracking and blocking malicious internet hosts |
US9529996B2 (en) | 2011-10-11 | 2016-12-27 | Citrix Systems, Inc. | Controlling mobile device access to enterprise resources |
US8832840B2 (en) * | 2011-10-26 | 2014-09-09 | Verizon Patent And Licensing Inc. | Mobile application security and management service |
US9129108B2 (en) * | 2012-01-31 | 2015-09-08 | International Business Machines Corporation | Systems, methods and computer programs providing impact mitigation of cyber-security failures |
US9137258B2 (en) | 2012-02-01 | 2015-09-15 | Brightpoint Security, Inc. | Techniques for sharing network security event information |
US9710644B2 (en) | 2012-02-01 | 2017-07-18 | Servicenow, Inc. | Techniques for sharing network security event information |
US8789181B2 (en) | 2012-04-11 | 2014-07-22 | Ca, Inc. | Flow data for security data loss prevention |
US9313211B1 (en) * | 2012-04-18 | 2016-04-12 | Symantec Corporation | Systems and methods to protect against a vulnerability event |
US9092616B2 (en) * | 2012-05-01 | 2015-07-28 | Taasera, Inc. | Systems and methods for threat identification and remediation |
US8949931B2 (en) | 2012-05-02 | 2015-02-03 | Cisco Technology, Inc. | System and method for monitoring application security in a network environment |
US9661003B2 (en) | 2012-05-11 | 2017-05-23 | Thomas W. Parker | System and method for forensic cyber adversary profiling, attribution and attack identification |
US9055090B2 (en) * | 2012-06-12 | 2015-06-09 | Verizon Patent And Licensing Inc. | Network based device security and controls |
US8918638B2 (en) * | 2012-07-03 | 2014-12-23 | Facebook, Inc. | Mobile-device-based trust computing |
US9183385B2 (en) * | 2012-08-22 | 2015-11-10 | International Business Machines Corporation | Automated feedback for proposed security rules |
US20140089039A1 (en) * | 2012-09-12 | 2014-03-27 | Co3 Systems, Inc. | Incident management system |
US9143476B2 (en) | 2012-09-14 | 2015-09-22 | Return Path, Inc. | Real-time classification of email message traffic |
US20140137257A1 (en) | 2012-11-12 | 2014-05-15 | Board Of Regents, The University Of Texas System | System, Method and Apparatus for Assessing a Risk of One or More Assets Within an Operational Technology Infrastructure |
US9401932B2 (en) | 2012-12-04 | 2016-07-26 | Cyber Adapt, Inc. | Device and method for detection of anomalous behavior in a computer network |
WO2014094875A1 (en) | 2012-12-21 | 2014-06-26 | Telefonaktiebolaget L M Ericsson (Publ) | Security information for updating an authorization database in managed networks |
CA2895522A1 (en) | 2012-12-21 | 2014-06-26 | Seccuris Inc. | System and method for monitoring data in a client environment |
US9378361B1 (en) | 2012-12-31 | 2016-06-28 | Emc Corporation | Anomaly sensor framework for detecting advanced persistent threat attacks |
US9311479B1 (en) | 2013-03-14 | 2016-04-12 | Fireeye, Inc. | Correlation and consolidation of analytic data for holistic view of a malware attack |
US8973140B2 (en) * | 2013-03-14 | 2015-03-03 | Bank Of America Corporation | Handling information security incidents |
GB201306628D0 (en) * | 2013-04-11 | 2013-05-29 | F Secure Oyj | Detecting and marking client devices |
US9270694B2 (en) | 2013-05-21 | 2016-02-23 | Rapid7, Llc | Systems and methods for assessing security for a network of assets and providing recommendations |
US20140351441A1 (en) | 2013-05-26 | 2014-11-27 | Connectloud, Inc. | Method and Apparatus for SLA-aware System to Recommend Best Match for Cloud Resource Provisioning |
WO2015009296A1 (en) | 2013-07-17 | 2015-01-22 | Hewlett-Packard Development Company, L.P. | Event management system |
US9288219B2 (en) | 2013-08-02 | 2016-03-15 | Globalfoundries Inc. | Data protection in a networked computing environment |
US9396592B2 (en) | 2013-08-05 | 2016-07-19 | The Boeing Company | Maintenance systems and methods for use in analyzing maintenance data |
WO2015051181A1 (en) * | 2013-10-03 | 2015-04-09 | Csg Cyber Solutions, Inc. | Dynamic adaptive defense for cyber-security threats |
US9338183B2 (en) * | 2013-11-18 | 2016-05-10 | Harris Corporation | Session hopping |
US9325726B2 (en) * | 2014-02-03 | 2016-04-26 | Intuit Inc. | Method and system for virtual asset assisted extrusion and intrusion detection in a cloud computing environment |
US9338181B1 (en) | 2014-03-05 | 2016-05-10 | Netflix, Inc. | Network security system with remediation based on value of attacked assets |
US9832217B2 (en) * | 2014-03-13 | 2017-11-28 | International Business Machines Corporation | Computer implemented techniques for detecting, investigating and remediating security violations to IT infrastructure |
US9749344B2 (en) | 2014-04-03 | 2017-08-29 | Fireeye, Inc. | System and method of cyber threat intensity determination and application to cyber threat mitigation |
US9749343B2 (en) | 2014-04-03 | 2017-08-29 | Fireeye, Inc. | System and method of cyber threat structure mapping and application to cyber threat mitigation |
US9336399B2 (en) | 2014-04-21 | 2016-05-10 | International Business Machines Corporation | Information asset placer |
US9661015B2 (en) * | 2014-05-23 | 2017-05-23 | Nxp B.V. | Randomizing countermeasures for fault attacks |
US20150347949A1 (en) | 2014-05-27 | 2015-12-03 | International Business Machines Corporation | Measuring proficiency and efficiency of a security operations center |
US20150381641A1 (en) | 2014-06-30 | 2015-12-31 | Intuit Inc. | Method and system for efficient management of security threats in a distributed computing environment |
US9680855B2 (en) | 2014-06-30 | 2017-06-13 | Neo Prime, LLC | Probabilistic model for cyber risk forecasting |
US9202249B1 (en) | 2014-07-03 | 2015-12-01 | Palantir Technologies Inc. | Data item clustering and analysis |
US9489516B1 (en) * | 2014-07-14 | 2016-11-08 | Palo Alto Networks, Inc. | Detection of malware using an instrumented virtual machine environment |
US9669738B2 (en) * | 2014-07-16 | 2017-06-06 | Adapt Solutions | Vehicle access system |
US10412117B2 (en) * | 2014-08-05 | 2019-09-10 | Dflabs S.P.A. | Method and system for automated cybersecurity incident and artifact visualization and correlation for security operation centers and computer emergency response teams |
US20160044058A1 (en) * | 2014-08-08 | 2016-02-11 | Jeffrey Craig Schlauder | Managing security of endpoints of a network |
US10257227B1 (en) | 2014-08-14 | 2019-04-09 | Amazon Technologies, Inc. | Computer security threat correlation |
US9407655B2 (en) | 2014-08-27 | 2016-08-02 | Bank Of America Corporation | Monitoring security risks to enterprise corresponding to access rights and access risk calculation |
CA2934311C (en) * | 2014-10-21 | 2017-06-13 | Robert L. Grossman | Cybersecurity system |
US9807118B2 (en) | 2014-10-26 | 2017-10-31 | Mcafee, Inc. | Security orchestration framework |
US20160164917A1 (en) | 2014-12-03 | 2016-06-09 | Phantom Cyber Corporation | Action recommendations for computing assets based on enrichment information |
US9729572B1 (en) | 2015-03-31 | 2017-08-08 | Juniper Networks, Inc. | Remote remediation of malicious files |
US11070592B2 (en) * | 2015-10-28 | 2021-07-20 | Qomplx, Inc. | System and method for self-adjusting cybersecurity analysis and score generation |
US10419458B2 (en) | 2016-01-21 | 2019-09-17 | Cyiot Ltd | Distributed techniques for detecting atypical or malicious wireless communications activity |
US10440051B2 (en) * | 2017-03-03 | 2019-10-08 | Bank Of America Corporation | Enhanced detection of polymorphic malicious content within an entity |
US10862905B2 (en) * | 2018-02-27 | 2020-12-08 | Servicenow, Inc. | Incident response techniques |
-
2015
- 2015-03-31 US US14/675,075 patent/US20160164917A1/en not_active Abandoned
- 2015-03-31 US US14/675,176 patent/US11165812B2/en active Active
- 2015-03-31 US US14/674,679 patent/US9712555B2/en active Active
- 2015-04-02 US US14/677,493 patent/US11019092B2/en active Active
- 2015-04-17 US US14/689,926 patent/US9871818B2/en active Active
- 2015-04-17 US US14/689,973 patent/US9762607B2/en active Active
- 2015-08-12 US US14/824,262 patent/US9888029B2/en active Active
- 2015-09-29 US US14/868,553 patent/US10834120B2/en active Active
- 2015-12-02 US US14/956,615 patent/US9954888B2/en active Active
- 2015-12-02 US US14/956,589 patent/US10063587B2/en active Active
-
2017
- 2017-09-08 US US15/699,454 patent/US10158663B2/en active Active
- 2017-12-18 US US15/845,963 patent/US10116687B2/en active Active
-
2018
- 2018-02-01 US US15/886,183 patent/US10193920B2/en active Active
- 2018-03-19 US US15/924,759 patent/US10476905B2/en active Active
- 2018-07-23 US US16/042,283 patent/US10855718B2/en active Active
- 2018-08-21 US US16/107,975 patent/US10425441B2/en active Active
- 2018-08-21 US US16/107,979 patent/US10567424B2/en active Active
- 2018-08-21 US US16/107,972 patent/US10425440B2/en active Active
- 2018-09-26 US US16/142,913 patent/US10554687B1/en active Active
- 2018-11-07 US US16/182,914 patent/US10616264B1/en active Active
-
2019
- 2019-08-13 US US16/539,918 patent/US11019093B2/en active Active
- 2019-09-12 US US16/568,949 patent/US10986120B2/en active Active
- 2019-11-29 US US16/699,299 patent/US11190539B2/en active Active
-
2020
- 2020-01-07 US US16/736,120 patent/US11025664B2/en active Active
- 2020-04-30 US US16/863,557 patent/US11647043B2/en active Active
- 2020-09-25 US US17/033,146 patent/US11323472B2/en active Active
- 2020-11-25 US US17/104,537 patent/US11677780B2/en active Active
-
2021
- 2021-02-25 US US17/185,612 patent/US11765198B2/en active Active
- 2021-04-27 US US17/242,165 patent/US11757925B2/en active Active
- 2021-05-03 US US17/306,703 patent/US11658998B2/en active Active
- 2021-05-20 US US17/326,070 patent/US11895143B2/en active Active
- 2021-10-28 US US17/513,595 patent/US11805148B2/en active Active
-
2022
- 2022-03-31 US US17/710,523 patent/US11870802B1/en active Active
-
2023
- 2023-08-01 US US18/228,982 patent/US20230388338A1/en active Pending
- 2023-08-08 US US18/231,715 patent/US20240031397A1/en active Pending
Patent Citations (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040003286A1 (en) * | 2002-07-01 | 2004-01-01 | Microsoft Corporation | Distributed threat management |
US8627466B2 (en) * | 2003-03-13 | 2014-01-07 | Mcafee, Inc. | Alert message control of security mechanisms in data processing systems |
US20060048209A1 (en) * | 2004-08-31 | 2006-03-02 | Microsoft Corporation | Method and system for customizing a security policy |
US20130081141A1 (en) * | 2010-05-25 | 2013-03-28 | Hewlett-Packard Development Company, L.P. | Security threat detection associated with security events and an actor category model |
US20130291106A1 (en) * | 2011-11-23 | 2013-10-31 | United States Government, As Represented By The Secretary Of The Navy | Enterprise level information alert system |
US20140259170A1 (en) * | 2012-08-23 | 2014-09-11 | Foreground Security | Internet Security Cyber Threat Reporting System and Method |
US9049226B1 (en) * | 2013-03-12 | 2015-06-02 | Emc Corporation | Defending against a cyber attack via asset overlay mapping |
US20140344926A1 (en) * | 2013-03-15 | 2014-11-20 | Sean Cunningham | System and method employing structured intelligence to verify and contain threats at endpoints |
US9166995B1 (en) * | 2013-09-23 | 2015-10-20 | Symantec Corporation | Systems and methods for using user-input information to identify computer security threats |
US20150215325A1 (en) * | 2014-01-30 | 2015-07-30 | Marketwired L.P. | Systems and Methods for Continuous Active Data Security |
US9256739B1 (en) * | 2014-03-21 | 2016-02-09 | Symantec Corporation | Systems and methods for using event-correlation graphs to generate remediation procedures |
US20150365438A1 (en) * | 2014-06-11 | 2015-12-17 | Accenture Global Services Limited | Method and System for Automated Incident Response |
US20160072836A1 (en) * | 2014-09-05 | 2016-03-10 | Resilient Systems, Inc. | System for Tracking Data Security Threats and Method for Same |
US20160103992A1 (en) * | 2014-10-14 | 2016-04-14 | Symantec Corporation | Systems and methods for classifying security events as targeted attacks |
US9325733B1 (en) * | 2014-10-31 | 2016-04-26 | Emc Corporation | Unsupervised aggregation of security rules |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20210314347A1 (en) * | 2014-12-03 | 2021-10-07 | Splunk Inc. | Selecting actions responsive to computing environment incidents based on severity rating |
US11647043B2 (en) | 2014-12-03 | 2023-05-09 | Splunk Inc. | Identifying security actions based on computing asset relationship data |
US11658998B2 (en) | 2014-12-03 | 2023-05-23 | Splunk Inc. | Translating security actions into computing asset-specific action procedures |
US11677780B2 (en) | 2014-12-03 | 2023-06-13 | Splunk Inc. | Identifying automated response actions based on asset classification |
US11757925B2 (en) | 2014-12-03 | 2023-09-12 | Splunk Inc. | Managing security actions in a computing environment based on information gathering activity of a security threat |
US11765198B2 (en) * | 2014-12-03 | 2023-09-19 | Splunk Inc. | Selecting actions responsive to computing environment incidents based on severity rating |
US11805148B2 (en) | 2014-12-03 | 2023-10-31 | Splunk Inc. | Modifying incident response time periods based on incident volume |
US11870802B1 (en) | 2014-12-03 | 2024-01-09 | Splunk Inc. | Identifying automated responses to security threats based on communication interactions content |
US11895143B2 (en) | 2014-12-03 | 2024-02-06 | Splunk Inc. | Providing action recommendations based on action effectiveness across information technology environments |
US11843622B1 (en) * | 2020-10-16 | 2023-12-12 | Splunk Inc. | Providing machine learning models for classifying domain names for malware detection |
US20220164440A1 (en) * | 2020-11-23 | 2022-05-26 | Reliaquest Holdings, Llc | Threat mitigation system and method |
US11861001B2 (en) * | 2020-11-23 | 2024-01-02 | Reliaquest Holdings, Llc | Threat mitigation system and method |
Also Published As
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11765198B2 (en) | Selecting actions responsive to computing environment incidents based on severity rating |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: PHANTOM CYBER CORP., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:FRIEDRICHS, OLIVER;SATISH, SOURABH;MAHADIK, ATIF;AND OTHERS;REEL/FRAME:035303/0340 Effective date: 20150331 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
|
AS | Assignment |
Owner name: SPLUNK INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:PHANTOM CYBER CORPORATION;REEL/FRAME:045686/0215 Effective date: 20180427 |