Management of security actions based on computing asset classification

US 10,063,587 B2
Filed: 12/02/2015
Issued: 08/28/2018
Est. Priority Date: 12/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method of operating an advisement system to respond to security threats in a computing environment, the method comprising:

identifying a security threat for an asset in the computing environment, wherein the asset comprises one of a virtual or physical computing element;

obtaining supplemental information related to the security threat from one or more websites and/or databases;

in response to identifying the security threat, identifying one or more classifications for the asset in relation to other assets within the computing environment, wherein a classification of the one or more classifications comprising one of a consumer classification or a provider classification based on incoming and outgoing connections of the asset prior to the identification of the security threat is determined by;

determining a ratio of incoming connections to outgoing connections for the asset at a time prior to the security threat;

when the ratio indicates a greater number of incoming connections in comparison to outgoing connections, classifying the asset as a consumer classification; and

when the ratio indicates a lesser number of incoming connections in comparison to outgoing connections, classifying the asset as a provider classification;

identifying a criticality rating for the asset;

determining a rule set for the security threat based on the one or more classifications for the asset, the criticality rating for the asset, and the supplemental information, wherein the rule set defines a response to the security threat, the response comprising an automated action for implementation in the asset; and

initiating the response to the security threat based on the rule set.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and software described herein provide for responding to security threats in a computing environment based on the classification of computing assets in the environment. In one example, a method of operating an advisement computing system includes identifying a security threat for an asset in the computing environment, and identifying a classification for the asset in relation to other assets within the computing environment. The method further provides determining a rule set for the security threat based on the classification for the asset and initiating a response to the security threat based on the rule set.

Citations

14 Claims

1. A method of operating an advisement system to respond to security threats in a computing environment, the method comprising:
- identifying a security threat for an asset in the computing environment, wherein the asset comprises one of a virtual or physical computing element;
  
  obtaining supplemental information related to the security threat from one or more websites and/or databases;
  
  in response to identifying the security threat, identifying one or more classifications for the asset in relation to other assets within the computing environment, wherein a classification of the one or more classifications comprising one of a consumer classification or a provider classification based on incoming and outgoing connections of the asset prior to the identification of the security threat is determined by;
  
  determining a ratio of incoming connections to outgoing connections for the asset at a time prior to the security threat;
  
  when the ratio indicates a greater number of incoming connections in comparison to outgoing connections, classifying the asset as a consumer classification; and
  
  when the ratio indicates a lesser number of incoming connections in comparison to outgoing connections, classifying the asset as a provider classification;
  
  identifying a criticality rating for the asset;
  
  determining a rule set for the security threat based on the one or more classifications for the asset, the criticality rating for the asset, and the supplemental information, wherein the rule set defines a response to the security threat, the response comprising an automated action for implementation in the asset; and
  
  initiating the response to the security threat based on the rule set.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein a second classification of the one or more classifications for the asset in relation to other assets within the computing environment comprises one of a target asset, a source asset, or an infrastructure asset.
  - 3. The method of claim 1 wherein the criticality rating for the asset comprises a user defined criticality rating or a rating based on data accessible to the asset.
  - 4. The method of claim 1 wherein initiating the response to the security threat based on the rule set comprises:
    - providing one or more action recommendations to an administrator of the computing environment based on the rule set; and
      
      identifying a user selection of at least one action from the administrator; and
      
      initiating implementation of the user selection in the computing environment.
  - 5. The method of claim 1 wherein identifying the security threat for the asset in the computing environment comprises identifying the security threat for the asset in the computing environment based on a report from a security information and event management (SIEM) system.

6. An apparatus to respond to security threats in a computing environment, the apparatus comprising:
- a processing system;
  
  one or more non-transitory computer readable media; and
  
  processing instructions stored on the one or more non-transitory computer readable media that, when executed by the processing system, direct the processing system to;
  
  identify a security threat for an asset in the computing environment, wherein the asset comprises one of a virtual or physical computing asset;
  
  obtaining supplemental information related to the security threat from one or more websites and/or databases;
  
  in response to identifying the security threat, identify one or more classifications for the asset in relation to other assets within the computing environment, wherein a classification of the one or more classifications comprising one of a consumer classification or a provider classification based on incoming and outgoing connections of the asset prior to the identification of the security threat is determined by;
  
  determining a ratio of incoming connections to outgoing connections for the asset at a time prior to the security threat;
  
  when the ratio indicates a greater number of incoming connections in comparison to outgoing connections, classifying the asset as a consumer classification; and
  
  when the ratio indicates a lesser number of incoming connections in comparison to outgoing connections, classifying the asset as a provider classification;
  
  identify a criticality rating for the asset;
  
  determine a rule set for the security threat based on the one or more classifications for the asset, the criticality rating for the asset, and the supplemental information, wherein the rule set defines a response to the security threat, the response comprising an automated action for implementation in the asset; and
  
  initiate the response to the security threat based on the rule set.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The apparatus of claim 6 wherein a second classification of the one or more second classifications for the asset in relation to other assets within the computing environment comprises one of a target asset, a source asset, or an infrastructure asset.
  - 8. The apparatus of claim 6 wherein the criticality rating for the asset comprises a user defined criticality rating or a rating based on data accessible to the asset.
  - 9. The apparatus of claim 6 wherein the processing instructions to initiate the response to the security threat based on the rule set direct the processing system to:
    - provide one or more action recommendations to an administrator of the computing environment based on the rule set;
      
      identify a user selection of at least one action from the administrator; and
      
      initiate implementation of the user selection in the computing environment.
  - 10. The apparatus of claim 6 wherein the processing instructions to identify the security threat for the asset in the computing environment direct the processing system to identify the security threat for the asset in the computing environment based on a report from a security information and event management (SIEM) system.

11. A system comprising:
- a plurality of assets;
  
  an advisement system configured to;
  
  receive a notification of a security threat for an asset of the plurality of assets, wherein the asset comprises one of a virtual or physical computing element;
  
  obtain supplemental information related to the security threat from one or more websites and/or databases;
  
  identify one or more classifications of the asset in relation to the security threat, wherein a classification of the one or more classifications comprising one of a consumer classification or a provider classification based on incoming and outgoing connections of the asset prior to the identification of the security threat is determined by;
  
  determining a ratio of incoming connections to outgoing connections for the asset at a time prior to the security threat;
  
  when the ratio indicates a greater number of incoming connections in comparison to outgoing connections, classifying the asset as a consumer classification; and
  
  when the ratio indicates a lesser number of incoming connections in comparison to outgoing connections, classifying the asset as a provider classification;
  
  identify a criticality rating for the asset;
  
  determine a rule set for the security threat based on the one or more classifications of the asset, the criticality rating for the asset, and the supplemental information related to the security threat, wherein the rule set defines a response to the security threat, the response comprising an automated action for implementation in the asset; and
  
  initiate the response to the security threat based on the rule set.
- View Dependent Claims (12, 13, 14)
- - 12. The system of claim 11 wherein the criticality rating for the asset comprises a user defined criticality rating or a rating based on data accessible to the asset.
  - 13. The system of claim 11 wherein a second classification of the one or more classifications for the asset in relation to the threat comprises one of a target asset, a source asset, or an infrastructure asset.
  - 14. The system of claim 11 wherein the advisement system configured to initiate the response to the security threat based on the rule set is configured to:
    - provide one or more action recommendations to an administrator based on the rule set; and
      
      identify a user selection of at least one action from the administrator; and
      
      initiate implementation of the user selection in at least one asset of the plurality of assets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
Satish, Sourabh, Friedrichs, Oliver, Mahadik, Atif, Salinas, Govind
Primary Examiner(s)
Shiferaw, Eleni A
Assistant Examiner(s)
Huang, Cheng-Feng

Application Number

US14/956,589
Publication Number

US 20160164895A1
Time in Patent Office

1,000 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 21/554   involving event detection a...

H04L 47/2425   for supporting services spe...

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Management of security actions based on computing asset classification

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Management of security actions based on computing asset classification

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links