System and method employing structured intelligence to verify and contain threats at endpoints
First Claim
1. A computerized method to identify potentially malicious code at an endpoint device in a network, the method comprising:
analyzing a portion of the network data received over the network to identify one or more threats represented by the network data;
generating a report by a threat monitor, the report includes information on the one or more threats resulting from the analyzing of the portion of the network data;
analyzing the information within the report by a verifier to yield intelligence that includes at least one of instructions or indicators related to the identified one or more threats and determining, based on the intelligence yielded from the information within the report, an endpoint device including an endpoint agent that is to (i) receive at least one of the instructions or the indicators, (ii) conduct an examination of memory of the endpoint for data corresponding to any of the instructions or the indicators, and (iii) obtain results of the examination;
gathering and correlating verification information from the endpoint agent to determine whether the verification information corresponds to a verified threat, the verification information includes at least a portion of the results of the examination and an identifier for the endpoint device; and
sending a notification including a portion of the verification information to identify the verified threat.
Abstract
A system and method to detect and contain threatening executable code by employing a threat monitor, a verifier, an endpoint agent, and a security information and event management module. The system and method determine whether a threat has persisted or executed on an endpoint, and communicate that information back to the detection mechanism (or other system) so that a user (or machine) may decide to take further action, such as containing the threat quickly, or may permit the system to do so automatically. The threat monitor analyzes a portion of the received network data and generates a report on the threats it identifies; the verifier analyzes the report to yield intelligence comprising instructions or indicators related to those threats, gathers and correlates verification information from the endpoint agent (at least a portion of the results of the agent's memory examination together with an identifier for the endpoint device) to determine whether it corresponds to a verified threat, and sends a notification including a portion of the verification information to identify the verified threat.
20 Claims
1. A computerized method to identify potentially malicious code at an endpoint device in a network (independent claim; full text as given under First Claim above) - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
9. A system operable to identify potentially malicious code on an endpoint device in a network, the system comprising:
a threat monitor operable to (i) receive network data including an executable, (ii) conduct an analysis of the executable to identify one or more threats detected from the analysis of the executable, and (iii) generate a report including information on the one or more threats resulting from the analysis of the executable; and a verifier operable to (i) analyze the information within the report to yield intelligence that includes instructions or indicators related to the identified one or more threats, (ii) determine, based on the intelligence yielded from the information within the report, the endpoint device including an endpoint agent that is to (a) receive at least one of the instructions or the indicators, and (b) conduct an examination of memory of the endpoint device for data corresponding to any of the instructions or the indicators, (iii) obtain results of the examination, (iv) correlate verification information received from the endpoint agent, the verification information includes at least a portion of the results of the examination and an identifier for the endpoint device, and (v) send a notification including a portion of the verification information upon determining that the verification information represents a verified threat. - View Dependent Claims (10, 11, 12, 13, 14, 15)
16. A system operable to identify potentially malicious code on an endpoint device in a network, the system comprising:
a processor; and a memory including software that, when executed by the processor, operates to identify potentially malicious code within received network data that includes at least one executable, the software comprises a threat monitor operable to (i) conduct an analysis of the executable to identify one or more threats, and (ii) generate a report including information on the one or more threats resulting from the analysis of the executable, and a verifier operable to (i) analyze the information within the report to yield intelligence that includes instructions or indicators related to the identified one or more threats, (ii) determine, based on the intelligence yielded from the information within the report, the endpoint device including an endpoint agent that is to (a) receive at least one of the instructions or the indicators, and (b) conduct an examination of memory of the endpoint device for data corresponding to any of the instructions or the indicators, (iii) obtain results of the examination, (iv) correlate verification information received from the endpoint agent, the verification information includes at least a portion of the results of the examination and an identifier for the endpoint device, and (v) send a notification including a portion of the verification information upon determining that the verification information represents a verified threat. - View Dependent Claims (17, 18, 19, 20)
Specification