System for tracking data security threats and method for same
First Claim
1. A method for tracking data security incidents in an enterprise network, comprising:
- creating one or more incident objects, wherein at least one incident object includes information for at least one data security incident, and one or more incident artifacts that include information for one or more data resources identified within the incident object, wherein upon a determination that a newly-created incident object includes a data security incident associated with an existing data resource, an existing incident artifact associated with that existing data resource is linked to the newly-created incident object, such that different incident objects can then refer to the same incident artifact;
- looking up an incident artifact in one or more external threat intelligence sources to obtain knowledge information concerning the incident artifact, wherein at least one external threat intelligence source is accessible via a software interface, wherein the knowledge information identifies whether the incident artifact is associated with one or more known threats, and includes associated metadata or usage data;
- augmenting the incident artifact with the knowledge information; and
- executing one or more rules associated with the known threats to provide an incident response to the data security incident.
Abstract
An incident response system and method for tracking data security incidents in enterprise networks is disclosed. An Incident Manager application (IM) stores incident objects and incident artifacts (IAs) created in response to the incidents, where the incident objects include the information for the incident and the IAs are associated with data resources (e.g. IP addresses and malware hashes) identified within the incident objects. In response to creation of the IAs, the IM issues queries against one or more external threat intelligence sources (TISs) to obtain information associated with the IAs and augments the IAs with the obtained information. In examples, the IM can identify known threats by comparing the contents of IAs against TIS(s) of known threats, and can identify potential trends by correlating the created incident objects and augmented IAs for an incident with incident objects and IAs stored for other incidents.
20 Claims
1. A method for tracking data security incidents in an enterprise network, comprising:
- creating one or more incident objects, wherein at least one incident object includes information for at least one data security incident, and one or more incident artifacts that include information for one or more data resources identified within the incident object, wherein upon a determination that a newly-created incident object includes a data security incident associated with an existing data resource, an existing incident artifact associated with that existing data resource is linked to the newly-created incident object, such that different incident objects can then refer to the same incident artifact;
- looking up an incident artifact in one or more external threat intelligence sources to obtain knowledge information concerning the incident artifact, wherein at least one external threat intelligence source is accessible via a software interface, wherein the knowledge information identifies whether the incident artifact is associated with one or more known threats, and includes associated metadata or usage data;
- augmenting the incident artifact with the knowledge information; and
- executing one or more rules associated with the known threats to provide an incident response to the data security incident.
(Dependent claims 2, 3, 4, 5, 6 and 7 refer back to claim 1; their text is not reproduced on this page.)
8. Apparatus, comprising:
- a hardware processor;
- computer memory holding computer program instructions executed by the processor to track data security incidents in an enterprise network, the computer program instructions comprising program code configured to:
  - create one or more incident objects, wherein at least one incident object includes information for at least one data security incident, and one or more incident artifacts that include information for one or more data resources identified within the incident object, wherein upon a determination that a newly-created incident object includes a data security incident associated with an existing data resource, an existing incident artifact associated with that existing data resource is linked to the newly-created incident object, such that different incident objects can then refer to the same incident artifact;
  - look up an incident artifact in one or more external threat intelligence sources to obtain knowledge information concerning the incident artifact, wherein at least one external threat intelligence source is accessible via a software interface, wherein the knowledge information identifies whether the incident artifact is associated with one or more known threats, and includes associated metadata or usage data;
  - augment the incident artifact with the knowledge information; and
  - execute one or more rules associated with the known threats to provide an incident response to the data security incident.
(Dependent claims 9, 10, 11, 12, 13 and 14 refer back to claim 8; their text is not reproduced on this page.)
15. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions executed by the data processing system to track data security incidents in an enterprise network, the computer program instructions comprising program code configured to:
- create one or more incident objects, wherein at least one incident object includes information for at least one data security incident, and one or more incident artifacts that include information for one or more data resources identified within the incident object, wherein upon a determination that a newly-created incident object includes a data security incident associated with an existing data resource, an existing incident artifact associated with that existing data resource is linked to the newly-created incident object, such that different incident objects can then refer to the same incident artifact;
- look up an incident artifact in one or more external threat intelligence sources to obtain knowledge information concerning the incident artifact, wherein at least one external threat intelligence source is accessible via a software interface, wherein the knowledge information identifies whether the incident artifact is associated with one or more known threats, and includes associated metadata or usage data;
- augment the incident artifact with the knowledge information; and
- execute one or more rules associated with the known threats to provide an incident response to the data security incident.
(Dependent claims 16, 17, 18, 19 and 20 refer back to claim 15; their text is not reproduced on this page.)
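The flow that the abstract and independent claims 1, 8 and 15 describe (incident objects, incident artifacts shared across incidents, lookup in an external threat intelligence source, augmentation with the returned knowledge, and execution of rules tied to known threats), as an added worked example in Python. This is not the patent's or any vendor's code: the IncidentManager class, the (kind, value) artifact key, the dictionary-backed ThreatIntelSource standing in for a source reached over a software interface, the rule table keyed by threat name, and the sample incident descriptions (a TEST-NET-3 address, an RFC 1918 internal address and the EICAR test-file MD5, with made-up threat names and sighting counts) are all constructed here. The refusal to send internal (RFC 1918) addresses to an external source is an added practitioner caveat, not something the claims require.

```python
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass, field

# Data-resource patterns in free-text descriptions: IPv4 addresses and MD5 hashes only (the abstract's examples).
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_MD5 = re.compile(r"\b[0-9a-fA-F]{32}\b")
_INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed address plan

@dataclass(eq=False)  # identity semantics: exactly one artifact object per data resource
class IncidentArtifact:
    kind: str         # "ip" or "md5"
    value: str
    incident_ids: set[int] = field(default_factory=set)  # incident objects linked to it
    knowledge: dict = field(default_factory=dict)         # TIS knowledge merged in by augment()

@dataclass(eq=False)
class IncidentObject:
    incident_id: int
    description: str
    artifacts: list[IncidentArtifact] = field(default_factory=list)
    responses: list[str] = field(default_factory=list)  # output of the executed rules

@dataclass
class ThreatIntelSource:  # constructed stand-in for an external TIS; a real one wraps a vendor API call
    name: str
    records: dict[tuple[str, str], dict]

    def lookup(self, kind: str, value: str) -> dict | None:
        return self.records.get((kind, value.lower()))

def extract_resources(text: str) -> list[tuple[str, str]]:
    found: list[tuple[str, str]] = []
    for ip in _IPV4.findall(text):
        if all(int(octet) < 256 for octet in ip.split(".")):  # drops look-alikes such as 999.1.1.1
            found.append(("ip", ip))
    found.extend(("md5", h.lower()) for h in _MD5.findall(text))  # canonical case for hashes
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order

class IncidentManager:
    def __init__(self, sources: list[ThreatIntelSource], rules: dict):
        self._sources, self._rules = sources, rules  # rules are keyed by the known-threat name they answer
        self._artifacts: dict[tuple[str, str], IncidentArtifact] = {}
        self._incidents: dict[int, IncidentObject] = {}

    def create_incident(self, description: str) -> IncidentObject:
        inc = IncidentObject(len(self._incidents) + 1, description)
        self._incidents[inc.incident_id] = inc
        for key in extract_resources(description):
            art = self._artifacts.get(key)
            if art is None:  # first sighting of this resource: create the artifact and enrich it
                art = self._artifacts[key] = IncidentArtifact(*key)
                self.augment(art)
            art.incident_ids.add(inc.incident_id)  # an existing artifact is linked, not copied
            inc.artifacts.append(art)
        self.respond(inc)
        return inc

    def augment(self, art: IncidentArtifact) -> None:
        # Added caveat (an assumption, not from the patent): internal addresses are never sent
        # to an external source, because the query itself would disclose them to a third party.
        if art.kind == "ip" and any(ipaddress.ip_address(art.value) in n for n in _INTERNAL):
            art.knowledge["lookup_skipped"] = "internal address"
            return
        for src in self._sources:
            if hit := src.lookup(art.kind, art.value):
                art.knowledge.setdefault("threats", set()).update(hit.get("threats", []))
                art.knowledge[src.name] = hit  # keep the source's metadata / usage data verbatim

    def respond(self, inc: IncidentObject) -> None:
        for art in inc.artifacts:
            for threat in sorted(art.knowledge.get("threats", ())):
                if threat in self._rules:
                    inc.responses.append(self._rules[threat](inc, art))

    def related_incidents(self, incident_id: int) -> list[int]:
        """Trend correlation: other incidents that share an artifact with this one."""
        shared: set[int] = set()
        for art in self._incidents[incident_id].artifacts:
            shared |= art.incident_ids
        shared.discard(incident_id)
        return sorted(shared)

# Constructed sample data: a TEST-NET-3 address, the EICAR test-file MD5, made-up threat names and counts.
DEMO_TIS = ThreatIntelSource("demo-tis", {
    ("ip", "203.0.113.7"): {"threats": ["ExampleBotnet-C2"], "first_seen": "2015-03-01", "sightings": 42},
    ("md5", "44d88612fea8a8f36de82e1278abb02f"): {"threats": ["EICAR-Test-File"], "sightings": 9001},
})
DEMO_RULES = {
    "ExampleBotnet-C2": lambda inc, art: f"incident {inc.incident_id}: block {art.value} at the perimeter",
    "EICAR-Test-File": lambda inc, art: f"incident {inc.incident_id}: quarantine files with md5 {art.value}",
}

def run_demo() -> tuple[IncidentManager, IncidentObject, IncidentObject]:
    im = IncidentManager([DEMO_TIS], DEMO_RULES)
    first = im.create_incident("IDS: beaconing from 10.1.2.3 to 203.0.113.7")
    second = im.create_incident("EDR: host wrote 44D88612FEA8A8F36DE82E1278ABB02F, then connected to 203.0.113.7")
    return im, first, second
```

Calling run_demo() creates two incidents that both mention 203.0.113.7. The second incident links the artifact the first one created (its incident_ids becomes {1, 2}) instead of repeating the external lookup, the rule keyed to the threat fires for both incidents, and related_incidents() walks that shared artifact to surface the cross-incident correlation the abstract calls a potential trend.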