
Connected security system

  • US 10,148,679 B2
  • Filed: 02/23/2016
  • Issued: 12/04/2018
  • Est. Priority Date: 12/09/2015
  • Status: Active Grant
First Claim

1. A system comprising:

  • an event management device adapted to:

    receive, for a network of an organization, network domain activity that includes first domain activity data from a first network domain and second domain activity from a second network domain;

    identify malicious activity present on at least one of the first network domain or the second network domain based on the received network domain activity;

    determine whether the malicious activity indicates a new attack pattern that is not identified by data in a pattern database by comparing the malicious activity with attack patterns identified by data in the pattern database; and

    in response to determining that the malicious activity indicates a new attack pattern that is not identified by data in the pattern database:

    generate one or more first data constructs of a predefined data structure that each include data that identifies the malicious activity; and

    store the one or more first data constructs in the pattern database;

  • a threat intelligence device connected to the event management device and adapted to:

    receive, from the event management device, the one or more first data constructs of the predefined data structure that identify the malicious activity;

    in response to receiving the one or more first data constructs of the predefined data structure that identify the malicious activity:

    determine, using the one or more first data constructs that identify the malicious activity, whether additional data related to the identified malicious activity is available from one or more third party sources; and

    in response to determining that additional data related to the identified malicious activity is available from the one or more third party sources, generate, using the data identifying the malicious activity and the additional data, one or more second data constructs of the predefined data structure that include data describing (i) a campaign of related malicious activity in which at least a portion of the malicious activity is involved and (ii) one or more courses of action for mitigating the campaign of related malicious activity, wherein each of the one or more second data constructs are different data constructs from and comprise different data than each of the one or more first data constructs, and the campaign of related malicious activity is a) by a common malicious actor as an actor for the malicious activity, b) with common tactics, techniques, and procedures as those of the malicious activity, c) with common observables as those of the malicious activity, or d) with common security incidents to those of the malicious activity; and

  • a course of action device connected to the threat intelligence device and adapted to:

    receive the one or more second data constructs from the threat intelligence device; and

    implement, for the network for the organization and using the one or more second data constructs, a given course of action of the one or more courses of action.
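The three devices in claim 1 form a pipeline: detect malicious activity across two network domains, compare it against a pattern database and record any new pattern as a first construct, enrich that construct from third-party sources into campaign and course-of-action constructs, and apply one course of action to the organization's network. The following Python sketch is an added illustration of that flow, not code from the patent or its assignee; the construct shapes, the detection rule (a sensor verdict of "alert"), the pattern key (observables plus tactics), the sample events, the third-party lookup table and every placeholder name are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field


def make_construct(kind, **data):
    """Every construct shares one predefined shape: a 'type' plus its fields (assumed)."""
    return {"type": kind, **data}


@dataclass
class PatternDatabase:
    patterns: dict = field(default_factory=dict)  # pattern key -> first data construct

    @staticmethod
    def key(observables, ttps):
        # An attack pattern is identified by its observables and tactics (assumed key).
        return (frozenset(observables), frozenset(ttps))

    def contains(self, observables, ttps):
        return self.key(observables, ttps) in self.patterns

    def store(self, construct):
        self.patterns[self.key(construct["observables"], construct["ttps"])] = construct


class EventManagementDevice:
    def __init__(self, db):
        self.db = db

    def process(self, activity):
        """Takes events from several domains; returns first data constructs for every
        malicious activity whose pattern was not already in the database."""
        # Identify malicious activity: events the domain sensor flagged (toy rule), grouped
        # by destination so that activity from both domains to one host is one item.
        groups = defaultdict(list)
        for ev in activity:
            if ev["verdict"] == "alert":
                groups[ev["dst"]].append(ev)
        new_constructs = []
        for dst, events in groups.items():
            observables = {dst} | {e["src"] for e in events}
            ttps = {e["tactic"] for e in events}
            if self.db.contains(observables, ttps):
                continue  # known attack pattern: nothing new to record
            c = make_construct("malicious_activity", observables=sorted(observables),
                               ttps=sorted(ttps), domains=sorted({e["domain"] for e in events}))
            self.db.store(c)
            new_constructs.append(c)
        return new_constructs


class ThreatIntelligenceDevice:
    def __init__(self, sources):
        self.sources = sources  # third-party lookups: observable -> intel record (assumed shape)

    def enrich(self, first_constructs):
        """Returns (campaign, [courses of action]) pairs, the second data constructs."""
        second = []
        for c in first_constructs:
            hits = [self.sources[o] for o in c["observables"] if o in self.sources]
            if not hits:
                continue  # no additional data available: no second constructs generated
            intel = hits[0]
            # Record which of the claim's four relations (a-d) tie the activity to the campaign.
            basis = []
            if intel.get("actor"):
                basis.append("common_actor")
            if set(intel.get("ttps", [])) & set(c["ttps"]):
                basis.append("common_ttps")
            if set(intel.get("observables", [])) & set(c["observables"]):
                basis.append("common_observables")
            if intel.get("incidents"):
                basis.append("common_incidents")
            campaign = make_construct("campaign", name=intel["campaign"], actor=intel.get("actor"),
                                      related_to=c["observables"], basis=basis)
            coas = [make_construct("course_of_action", **coa) for coa in intel["courses_of_action"]]
            second.append((campaign, coas))
        return second


class CourseOfActionDevice:
    def __init__(self, policy):
        self.policy = policy  # the organization's enforcement state, e.g. block and isolate lists

    def implement(self, second_constructs):
        applied = []
        for campaign, coas in second_constructs:
            coa = coas[0]  # the "given" course of action: first listed (assumed choice)
            if coa["action"] == "block_egress":
                self.policy["blocked"].add(coa["target"])
            elif coa["action"] == "isolate_host":
                self.policy["isolated"].add(coa["target"])
            applied.append((campaign["name"], coa["action"], coa["target"]))
        return applied


# Constructed sample input: two domains, one external host seen from both.
SAMPLE_ACTIVITY = [
    {"domain": "corp", "src": "10.1.0.5", "dst": "203.0.113.7", "tactic": "credential_access", "verdict": "alert"},
    {"domain": "corp", "src": "10.1.0.9", "dst": "198.51.100.2", "tactic": "discovery", "verdict": "clean"},
    {"domain": "plant", "src": "10.2.0.3", "dst": "203.0.113.7", "tactic": "exfiltration", "verdict": "alert"},
]
# Constructed third-party feed; names are placeholders, not real intelligence.
SAMPLE_SOURCES = {
    "203.0.113.7": {"campaign": "CAMPAIGN-PLACEHOLDER", "actor": "ACTOR-PLACEHOLDER",
                    "ttps": ["exfiltration"], "observables": ["203.0.113.7"],
                    "incidents": ["INCIDENT-PLACEHOLDER"],
                    "courses_of_action": [{"action": "block_egress", "target": "203.0.113.7"},
                                          {"action": "isolate_host", "target": "10.2.0.3"}]},
}


def run_pipeline(activity=SAMPLE_ACTIVITY, sources=SAMPLE_SOURCES, db=None, policy=None):
    """Runs the three devices in order and returns every intermediate result."""
    db = db if db is not None else PatternDatabase()
    policy = policy if policy is not None else {"blocked": set(), "isolated": set()}
    first = EventManagementDevice(db).process(activity)
    second = ThreatIntelligenceDevice(sources).enrich(first)
    applied = CourseOfActionDevice(policy).implement(second)
    return {"first": first, "second": second, "applied": applied, "db": db, "policy": policy}


if __name__ == "__main__":
    result = run_pipeline()
    print(result["first"], result["second"], result["applied"], sep="\n")
```

Two behaviours of the claim are worth noting in the sketch: a second run over the same activity finds the pattern already in the database and produces no first constructs, so nothing downstream fires; and a first construct whose observables no third-party source knows yields no campaign or course of action, so the course of action device is only ever handed second constructs that carry enrichment data.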
