System and method for threat risk scoring of security threats
First Claim
1. A system comprising:
- a device to:
  - inspect one or more network activities on a network;
  - generate metadata associated with malware activity based on inspecting the one or more network activities;
  - extract one or more threat events on the network based on the metadata;
  - detect one or more incidents based on a correlation between a first threat event, of the one or more threat events, and a second threat event of the one or more threat events, the correlation being determined based on the metadata and a kill chain progression of the one or more threat events;
  - generate risk scores for the one or more incidents based on the kill chain progression, the risk scores being based on one or more asset values for one or more targeted devices, and a first score, associated with a first stage of the kill chain progression, of the risk scores being lower than a second score, associated with a second stage of the kill chain progression, of the risk scores; and
  - mitigate the one or more incidents based on the risk scores, the mitigation including quarantining data associated with the one or more network activities.
Abstract
A system configured to generate a risk score for a threat activity, the system including a digital device. The digital device is configured to extract one or more threat events on a network based on metadata for one or more targeted digital devices on the network, to detect one or more incidents based on a correlation between at least a first threat event of the one or more threat events and a second threat event of the one or more threat events, and to generate a risk score for each of the one or more incidents.
104 Citations
20 Claims
1. A system comprising a device (independent claim; full text given under First Claim above). Dependent claims: 2 through 11.
12. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors, cause the one or more processors to:
  - inspect one or more network activities on a network;
  - generate metadata associated with malware activity based on inspecting the one or more network activities;
  - extract one or more threat events on the network from the metadata;
  - detect one or more incidents based on a correlation between a first threat event of the one or more threat events and a second threat event of the one or more threat events, the correlation being determined based on the metadata and a kill chain progression of the one or more threat events;
  - generate a risk score for each incident of the one or more incidents based on the kill chain progression, the risk score being based on an asset value for a targeted device, and a first score, associated with a first stage of the kill chain progression, being lower than a second score associated with a second stage of the kill chain progression; and
  - mitigate the one or more incidents based on the risk score, the mitigation including quarantining data associated with the one or more network activities.
Dependent claims: 13 through 16.
17. A method, comprising:
- inspecting, by a device, one or more network activities on a network;
- generating, by the device, metadata associated with malware activity based on inspecting the one or more network activities;
- extracting, by the device, one or more threat events on the network from the metadata;
- detecting, by the device, one or more incidents based on a correlation between a first threat event of the one or more threat events and a second threat event of the one or more threat events, the correlation being determined based on a kill chain progression of the one or more threat events;
- generating, by the device, a risk score for each incident of the one or more incidents based on the kill chain progression, the risk score being based on an asset value of a targeted device; and
- mitigating, by the device, the one or more incidents based on the risk score, the mitigating including quarantining data associated with the one or more network activities.
Dependent claims: 18 through 20.
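The independent claims describe one pipeline: inspect traffic, emit metadata, extract threat events, correlate events into incidents by kill chain order, score each incident from the targeted asset's value with later stages scoring higher, and quarantine the data behind incidents that score high enough. The following is an added example in Python, written for this page and not code from the patent or its assignee. It assumes the seven stages of the Lockheed Martin Cyber Kill Chain (the claims name no stages), an assumed mapping from activity type to stage, constructed metadata records and asset values, and a correlation rule (same target, within a time window, stage never regresses) chosen for illustration.

```python
"""Kill-chain-ordered correlation, risk scoring and quarantine.

Added example for this page; not the patent's own implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# ASSUMPTION: the claims say "kill chain progression" but name no stages.
# The seven Lockheed Martin Cyber Kill Chain stages are used, in order.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]
STAGE_INDEX = {stage: i for i, stage in enumerate(KILL_CHAIN)}

# ASSUMPTION: how the inspector's activity types map onto stages.
TYPE_TO_STAGE = {
    "portscan": "reconnaissance",
    "malicious_attachment": "delivery",
    "exploit_attempt": "exploitation",
    "dropper_download": "installation",
    "c2_beacon": "command_and_control",
    "data_exfiltration": "actions_on_objectives",
}
# For these types the internal host is the source, so the targeted device is src.
OUTBOUND_TYPES = {"c2_beacon", "data_exfiltration"}

# Constructed metadata records, as the inspection step might emit them.
SAMPLE_METADATA = [
    {"id": "a1", "time": 100, "src": "203.0.113.5", "dst": "10.0.0.7", "type": "portscan"},
    {"id": "a2", "time": 160, "src": "203.0.113.5", "dst": "10.0.0.7", "type": "malicious_attachment"},
    {"id": "a3", "time": 400, "src": "10.0.0.7", "dst": "198.51.100.9", "type": "c2_beacon"},
    {"id": "a4", "time": 150, "src": "203.0.113.77", "dst": "10.0.0.20", "type": "portscan"},
    {"id": "a5", "time": 900, "src": "10.0.0.21", "dst": "198.51.100.9", "type": "c2_beacon"},
    {"id": "a6", "time": 950, "src": "10.0.0.21", "dst": "10.0.0.9", "type": "normal_dns"},
]
# Constructed asset values per targeted device (higher = more valuable).
ASSET_VALUES = {"10.0.0.7": 10, "10.0.0.20": 3, "10.0.0.21": 50}


@dataclass(frozen=True)
class ThreatEvent:
    activity_id: str  # links the event back to the network activity it came from
    time: int
    target: str
    stage: str


@dataclass
class Incident:
    target: str
    events: List[ThreatEvent]

    @property
    def highest_stage(self) -> str:
        return max(self.events, key=lambda e: STAGE_INDEX[e.stage]).stage


def extract_threat_events(metadata: List[dict]) -> List[ThreatEvent]:
    """Turn metadata into threat events; records with no known stage are not threats."""
    events = []
    for rec in metadata:
        stage = TYPE_TO_STAGE.get(rec["type"])
        if stage is None:
            continue
        target = rec["src"] if rec["type"] in OUTBOUND_TYPES else rec["dst"]
        events.append(ThreatEvent(rec["id"], rec["time"], target, stage))
    return sorted(events, key=lambda e: e.time)


def detect_incidents(events: List[ThreatEvent], window: int = 3600) -> List[Incident]:
    """Correlate events on one target that advance (or hold) along the kill chain,
    each within `window` seconds of the previous one; two or more form an incident."""
    by_target: Dict[str, List[ThreatEvent]] = {}
    for ev in events:  # events are time-ordered
        by_target.setdefault(ev.target, []).append(ev)
    incidents: List[Incident] = []
    for target, evs in by_target.items():
        chain: List[ThreatEvent] = []
        for ev in evs:
            broken = chain and (ev.time - chain[-1].time > window
                                or STAGE_INDEX[ev.stage] < STAGE_INDEX[chain[-1].stage])
            if broken:
                if len(chain) >= 2:
                    incidents.append(Incident(target, chain))
                chain = []
            chain.append(ev)
        if len(chain) >= 2:
            incidents.append(Incident(target, chain))
    return incidents


def stage_score(stage: str) -> int:
    """Monotonic weight: a later kill-chain stage always scores above an earlier one."""
    return STAGE_INDEX[stage] + 1


def risk_score(incident: Incident, asset_values: Dict[str, int]) -> int:
    """Risk = asset value of the targeted device x weight of the furthest stage reached."""
    return asset_values.get(incident.target, 1) * stage_score(incident.highest_stage)


def mitigate(incidents: List[Incident], asset_values: Dict[str, int], threshold: int) -> Set[str]:
    """Quarantine the activities behind every incident whose score meets the threshold."""
    quarantined: Set[str] = set()
    for inc in incidents:
        if risk_score(inc, asset_values) >= threshold:
            quarantined.update(e.activity_id for e in inc.events)
    return quarantined


def run_pipeline(metadata=SAMPLE_METADATA, asset_values=ASSET_VALUES, threshold=30) -> dict:
    events = extract_threat_events(metadata)
    incidents = detect_incidents(events)
    scores = [risk_score(inc, asset_values) for inc in incidents]
    return {"events": events, "incidents": incidents, "scores": scores,
            "quarantined": mitigate(incidents, asset_values, threshold)}


if __name__ == "__main__":
    result = run_pipeline()
    for inc, score in zip(result["incidents"], result["scores"]):
        print(inc.target, inc.highest_stage, score, [e.activity_id for e in inc.events])
    print("quarantined:", sorted(result["quarantined"]))
```

On the sample input only 10.0.0.7 yields an incident: its scan, delivery and beacon line up along the chain, so the score is the asset value (10) times the weight of the furthest stage, command_and_control (6). The lone scan on 10.0.0.20 and the lone beacon on 10.0.0.21 produce events but no incident, which is the point of correlating two events rather than alerting on one; the threshold, the window and the linear stage weights are tuning choices, not values from the patent.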
Specification