Techniques for sharing network security event information
First Claim
1. A tangible, non-transitory, machine-readable medium, comprising machine-readable instructions that when executed by at least one processor, cause the at least one processor to:
access one or more processor-interpretable rules comprising one or more conditions to be satisfied prior to performing one or more computer-implemented actions, the one or more computer-implemented actions comprising an adjustment of when to receive a possible threat notification, an adjustment of data provided in the possible threat notification, the possible threat notification indicative of a computer network threat, an adjustment to a computer-implemented threat remediation action, or any combination thereof;
determine when the one or more conditions are satisfied;
perform the computer-implemented actions associated with a first network device when the one or more conditions are satisfied;
receive the possible threat notification from the first network device;
determine whether additional possible threat notifications corresponding to the possible threat notification are received from an alternative network device;
determine a set of common characteristics between the first network device and the alternative network device by accessing a first profile associated with the first network device and by filtering based upon the first profile, wherein when commonality between the first network device and the alternative network device has reached a first threshold, perform a first computer-implemented action of the one or more computer-implemented actions, and wherein when the commonality has reached a second threshold, perform a second computer-implemented action of the one or more computer-implemented actions different from the first computer-implemented action;
when additional possible threat notifications corresponding to the possible threat notification have been received from the alternative network device, generate and provide electronic data to the first network device to cause performance of the computer-implemented threat remediation action at the first network device; and
identify at least one third network device having the set of common characteristics and wherein the computer-implemented threat remediation action comprises providing a notification to the at least one third network device of possible threats indicated from network devices having the set of common characteristics.
Abstract
This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or the correlated results can be filtered and/or routed according to at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.
13 Claims
9. A system, comprising:
one or more computer processors configured to execute a central aggregating service, by:
accessing one or more processor-interpretable rules comprising one or more conditions to be satisfied prior to performing one or more computer-implemented actions, the one or more computer-implemented actions comprising an adjustment of when to receive a possible threat notification, the possible threat notification indicative of a computer network threat, an adjustment of data provided in the possible threat notification, an adjustment to a computer-implemented threat remediation action, or any combination thereof;
determining when the one or more conditions are satisfied;
performing the computer-implemented actions associated with a first network device when the one or more conditions are satisfied;
receiving the possible threat notification from the first network device;
determining whether additional possible threat notifications corresponding to the possible threat notification are received from an alternative network device;
determining a set of common characteristics between the first network device and the alternative network device by accessing a first profile associated with the first network device and by filtering based upon the first profile;
when commonality between the first network device and the alternative network device has reached a first threshold, performing a first computer-implemented action;
when the commonality has reached a second threshold, performing a second computer-implemented action different from the first computer-implemented action;
when additional possible threat notifications corresponding to the possible threat notification have been received from the alternative network device, generating and providing electronic data to the first network device to cause performance of the computer-implemented threat remediation action at the first network device; and
identifying at least one third network device having the set of common characteristics and wherein the computer-implemented threat remediation action comprises providing a notification to the at least one third network device of possible threats indicated from network devices having the set of common characteristics.
13. A computer-processor implemented method, comprising:
accessing one or more processor-interpretable rules comprising one or more conditions to be satisfied prior to performing one or more computer-implemented actions, the one or more computer-implemented actions comprising an adjustment of when to receive a possible threat notification, the possible threat notification indicative of a computer network threat, an adjustment of data provided in the possible threat notification, an adjustment to a computer-implemented threat remediation action, or any combination thereof;
determining when the one or more conditions are satisfied;
performing the computer-implemented actions associated with a first network device when the one or more conditions are satisfied;
receiving the possible threat notification from the first network device;
determining whether additional possible threat notifications corresponding to the possible threat notification are received from an alternative network device;
determining a set of common characteristics between the first network device and the alternative network device by accessing a first profile associated with the first network device and by filtering based upon the first profile;
when commonality between the first network device and the alternative network device has reached a first threshold, performing a first computer-implemented action;
when the commonality has reached a second threshold, performing a second computer-implemented action different from the first computer-implemented action;
when additional possible threat notifications corresponding to the possible threat notification have been received from the alternative network device, generating and providing electronic data to the first network device to cause performance of the computer-implemented threat remediation action at the first network device; and
identifying at least one third network device having the set of common characteristics and wherein the computer-implemented threat remediation action comprises providing a notification to the at least one third network device of possible threats indicated from network devices having the set of common characteristics.
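The correlation flow recited in claims 1, 9 and 13 (pool a notification, compare the reporting device's profile with other reporters of the same indicator, apply two commonality thresholds, and notify similarly situated third devices), as an added illustrative example that is not part of the patent; the device names, profile attributes and thresholds are constructed.

```python
# Constructed device profiles: characteristics the aggregating service can
# filter on. Real deployments would load these from a device registry.
PROFILES = {
    "dev-a": {"sector": "finance", "region": "eu", "os": "linux", "edge": "vendorX"},
    "dev-b": {"sector": "finance", "region": "eu", "os": "linux", "edge": "vendorY"},
    "dev-c": {"sector": "retail", "region": "us", "os": "windows", "edge": "vendorX"},
    "dev-d": {"sector": "finance", "region": "eu", "os": "linux", "edge": "vendorZ"},
}


def common_characteristics(dev_a, dev_b):
    """Set of (attribute, value) pairs shared by two device profiles."""
    return {(k, v) for k, v in PROFILES[dev_a].items() if PROFILES[dev_b].get(k) == v}


class AggregatingService:
    """Central pooling service; thresholds stand in for the claim's 'rules'."""

    def __init__(self, first_threshold=2, second_threshold=3):
        self.first_threshold = first_threshold    # adjust/escalate notification
        self.second_threshold = second_threshold  # push remediation, warn third devices
        self.reports = {}  # indicator -> list of device ids that reported it

    def receive(self, device, indicator):
        """Pool one notification and return the (action, target) pairs it triggers."""
        reporters = self.reports.setdefault(indicator, [])
        reporters.append(device)
        # Largest set of characteristics shared with any other device that
        # reported the same indicator; other reporters with nothing in common
        # are filtered out as not similarly situated.
        best = set()
        for other in reporters:
            if other != device:
                common = common_characteristics(device, other)
                if len(common) > len(best):
                    best = common
        actions = []
        if len(best) >= self.first_threshold:
            actions.append(("escalate", device))   # first computer-implemented action
        if len(best) >= self.second_threshold:
            actions.append(("remediate", device))  # second action: remediation data to first device
            # Third devices: share every common characteristic but have not reported yet.
            for third, profile in PROFILES.items():
                if third not in reporters and all(profile.get(k) == v for k, v in best):
                    actions.append(("notify", third))
        return actions
```

Reporting the same indicator from a device with an unrelated profile (dev-c) produces no action, which is the filtering the abstract describes: correlation is limited to presumed peers.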