Security-connected framework

US 10,142,373 B2
Filed: 09/28/2014
Issued: 11/27/2018
Est. Priority Date: 09/28/2013
Status: Active Grant

First Claim

Patent Images

1. A security controller apparatus for providing messaging services on a data exchange layer (DXL), comprising:

a memory communicatively coupled to one or more processors;

a network interface;

a DXL services engine operable for providing an application programming interface (API) for connecting to a DXL enterprise service bus (ESB) via the network interface, wherein the DXL is configured to provide a context-aware producer-consumer framework on a service-oriented architecture; and

a domain security engine operable for consuming security events via the DXL, and configured for;

subscribing to a DXL security topic as a DXL consumer;

consuming a security event related to the DXL security topic via the DXL ESB;

as a DXL producer, publishing a DXL security message via the DXL ESB, wherein the DXL security message is configured to enable a DXL consumer to act on the security message;

consolidating a plurality of DXL messages;

building a context-sensitive security policy, comprising assigning a location-independent security policy to a DXL endpoint, and publishing the assignment via a DXL message;

publishing the context-sensitive security policy via a DXL message; and

providing security information and event management (SIEM) services according to the DXL security message, comprising pooling data from a plurality of dissimilar resources and normalizing the data for consumption via the DXL.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example, a security-connected platform is provided on a data exchange layer (DXL), which provides messaging on a publish-subscribe model. The DXL provides a plurality of DXL endpoints connected via DXL brokers. In one case, DXL endpoints designated as producers are authorized to produce certain types of messages, including security-related messages such as object reputations. Other DXL endpoints are designated as consumers of those messages. A domain master may also be provided, and may be configured to provide physical and logical location services via an asset management engine.

40 Citations

View as Search Results

19 Claims

1. A security controller apparatus for providing messaging services on a data exchange layer (DXL), comprising:
- a memory communicatively coupled to one or more processors;
  
  a network interface;
  
  a DXL services engine operable for providing an application programming interface (API) for connecting to a DXL enterprise service bus (ESB) via the network interface, wherein the DXL is configured to provide a context-aware producer-consumer framework on a service-oriented architecture; and
  
  a domain security engine operable for consuming security events via the DXL, and configured for;
  
  subscribing to a DXL security topic as a DXL consumer;
  
  consuming a security event related to the DXL security topic via the DXL ESB;
  
  as a DXL producer, publishing a DXL security message via the DXL ESB, wherein the DXL security message is configured to enable a DXL consumer to act on the security message;
  
  consolidating a plurality of DXL messages;
  
  building a context-sensitive security policy, comprising assigning a location-independent security policy to a DXL endpoint, and publishing the assignment via a DXL message;
  
  publishing the context-sensitive security policy via a DXL message; and
  
  providing security information and event management (SIEM) services according to the DXL security message, comprising pooling data from a plurality of dissimilar resources and normalizing the data for consumption via the DXL.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus of claim 1, wherein the domain security engine is further operable to subscribe to a SIEM topic via the DXL ESB.
  - 3. The apparatus of claim 2, wherein the domain security engine is further operable to act as a SIEM topic producer via the DXL ESB.
  - 4. The apparatus of claim 1, wherein building a context-sensitive security policy comprises:
    - determining a device type for a DXL endpoint; and
      
      reporting via a DXL message available network services for automatically attaching an intrusion prevention system policy to the device.
  - 5. The apparatus of claim 1, wherein building a context-sensitive security policy comprises assigning a DXL endpoint a location-sensitive security policy, wherein location is a basis for assigning the DXL endpoint a trust level, and reporting the assignment via a DXL message.
  - 6. The apparatus of claim 1, wherein building a context-sensitive security policy comprises assigning a criticality score to a DXL endpoint, and reporting the assignment via a DXL message.
  - 7. The apparatus of claim 1, wherein the domain security engine is further operable for:
    - detecting an intrusion attempt; and
      
      publishing characteristics of the intrusion attempt via a DXL message.
  - 8. The apparatus of claim 1, wherein the domain security engine is further operable for providing application sandboxing, and reporting results of application sandboxing via a DXL message.
  - 9. The apparatus of claim 1, wherein the domain security engine is further operable for:
    - detecting malicious command and control traffic from a DXL endpoint; and
      
      providing a DXL push notification to the DXL endpoint configured to notify the DXL endpoint that it is infected.
  - 10. The apparatus of claim 1, wherein the domain security engine is further operable for interoperating in real-time or near-real-time with a security information and event manager (SIEM).

11. One or more non-transitory computer-readable storage mediums having stored thereon executable instructions operable for providing a data exchange layer (DXL) domain security engine operable for consuming security events via the DXL, and configured for:
- communicatively coupling to a DXL enterprise security bus (ESB), wherein the DXL is configured to provide a context-aware producer-consumer framework on a service-oriented architecture;
  
  subscribing to a DXL security topic as a DXL consumer;
  
  consuming a security event related to the DXL security topic via the DXL ESB;
  
  as a DXL producer, publishing a DXL security message via the DXL ESB, wherein the DXL security message is configured to enable a DXL consumer to act on the security message;
  
  consolidating a plurality of DXL messages;
  
  building a context-sensitive security policy, comprising assigning a location-independent security policy to a DXL endpoint, and publishing the assignment via a DXL message;
  
  publishing the context-sensitive security policy via a DXL message; and
  
  providing security information and event management (SIEM) services according to the DXL security message, comprising pooling data from a plurality of dissimilar resources and normalizing the data for consumption via the DXL.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The one or more non-transitory computer-readable mediums of claim 11, wherein building a context-sensitive security policy comprises:
    - determining a device type for a DXL endpoint; and
      
      reporting via a DXL message available network services for automatically attaching an intrusion prevention system policy to the device.
  - 13. The one or more non-transitory computer-readable mediums of claim 11, wherein building a context-sensitive security policy comprises assigning a DXL endpoint a location-sensitive security policy, wherein location is a basis for assigning the DXL endpoint a trust level, and reporting the assignment via a DXL message.
  - 14. The one or more non-transitory computer-readable mediums of claim 11, wherein building a context-sensitive security policy comprises assigning a criticality score to a DXL endpoint, and reporting the assignment via a DXL message.
  - 15. The one or more non-transitory computer-readable mediums of claim 11, wherein the domain security engine is further operable for:
    - detecting an intrusion attempt; and
      
      publishing characteristics of the intrusion attempt via a DXL message.
  - 16. The one or more non-transitory computer-readable mediums of claim 11, wherein the domain security engine is further operable for providing application sandboxing, and reporting results of application sandboxing via a DXL message.
  - 17. The one or more non-transitory computer-readable mediums of claim 11, wherein the domain security engine is further operable for:
    - detecting malicious command and control traffic from a DXL endpoint; and
      
      providing a DXL push notification to the DXL endpoint configured to notify the DXL endpoint that it is infected.
  - 18. The one or more non-transitory computer-readable mediums of claim 11, wherein the domain security engine is further operable for interoperating in real-time or near-real-time with a security information and event manager (SIEM).

19. A computer-implemented method for providing domain security on a data exchange layer (DXL), comprising:
- communicatively coupling to a DXL enterprise security bus (ESB), wherein the DXL is configured to provide a context-aware producer-consumer framework on a service-oriented architecture;
  
  subscribing to a DXL security topic as a DXL consumer;
  
  consuming a security event related to the DXL security topic via the DXL ESB;
  
  as a DXL producer, publishing a DXL security message via the DXL ESB, wherein the DXL security message is configured to enable a DXL consumer to act on the security message;
  
  consolidating a plurality of DXL messages;
  
  building a context-sensitive security policy, comprising assigning a location-independent security policy to a DXL endpoint, and publishing the assignment via a DXL message;
  
  publishing the context-sensitive security policy via a DXL message; and
  
  providing security information and event management (SIEM) services according to the DXL security message, comprising pooling data from a plurality of dissimilar resources and normalizing the data for consumption via the DXL.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, LLC
Inventors
Arkin, Ofir
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
Champakesan, Badri

Application Number

US14/912,540
Publication Number

US 20160205142A1
Time in Patent Office

1,521 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 13/4265   on a point to point bus G06...

H04L 63/0263   Rule management

H04L 63/0281   Proxies

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04L 67/51   Discovery or management the...

H04L 67/52   specially adapted for the l...

Security-connected framework

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Security-connected framework

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links