Connected security system

US 10,148,679 B2
Filed: 02/23/2016
Issued: 12/04/2018
Est. Priority Date: 12/09/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

an event management device adapted to;

receive, for a network of an organization, network domain activity that includes first domain activity data from a first network domain and second domain activity from a second network domain;

identify malicious activity present on at least one of the first network domain or the second network domain based on the received network domain activity;

determine whether the malicious activity indicates a new attack pattern that is not identified by data in a pattern database by comparing the malicious activity with attack patterns identified by data in the pattern database; and

in response to determining that the malicious activity indicates a new attack pattern that is not identified by data in the pattern database;

generate one or more first data constructs of a predefined data structure that each include data that identifies the malicious activity; and

store the one or more first data constructs in the pattern database;

a threat intelligence device connected to the event management device and adapted to;

receive, from the event management device, the one or more first data constructs of the predefined data structure that identify the malicious activity;

in response to receiving the one or more first data constructs of the predefined data structure that identify the malicious activity;

determine, using the one or more first data constructs that identify the malicious activity, whether additional data related to the identified malicious activity is available from one or more third party sources; and

in response to determining that additional data related to the identified malicious activity is available from the one or more third party sources, generate, using the data identifying the malicious activity and the additional data, one or more second data constructs of the predefined data structure that include data describing (i) a campaign of related malicious activity in which at least a portion of the malicious activity is involved and (ii) one or more courses of action for mitigating the campaign of related malicious activity, wherein each of the one or more second data constructs are different data constructs from and comprise different data than each of the one or more first data constructs, and the campaign of related malicious activity is a) by a common malicious actor as an actor for the malicious activity, b) with common tactics, techniques, and procedures as those of the malicious activity, c) with common observables as those of the malicious activity, or d) with common security incidents to those of the malicious activity; and

a course of action device connected to the threat intelligence device and adapted to;

receive the one or more second data constructs from the threat intelligence device; and

implement, for the network for the organization and using the one or more second data constructs, a given course of action of the one or more courses of action.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and apparatus, including computer programs encoded on computer storage media, for obtaining, processing, and presenting data related to security events, and for implementing courses of action to protect assets in response to the security events. An event management module identifies malicious activity present on a first network domain and/or a second network domain based on received network domain activity. A threat intelligence module receives data identifying the malicious activity in first data constructs of a predefined data structure. The threat intelligence module obtains additional data related to the identified malicious activity and generates second data constructs that include enriched data regarding the malicious activity. The enriched data includes data describing a campaign in which at least a portion of the malicious activity is involved and one or more courses of action. A course of action module receives the second data constructs and implements a given course of action.

Citations

17 Claims

1. A system comprising:
- an event management device adapted to;
  
  receive, for a network of an organization, network domain activity that includes first domain activity data from a first network domain and second domain activity from a second network domain;
  
  identify malicious activity present on at least one of the first network domain or the second network domain based on the received network domain activity;
  
  determine whether the malicious activity indicates a new attack pattern that is not identified by data in a pattern database by comparing the malicious activity with attack patterns identified by data in the pattern database; and
  
  in response to determining that the malicious activity indicates a new attack pattern that is not identified by data in the pattern database;
  
  generate one or more first data constructs of a predefined data structure that each include data that identifies the malicious activity; and
  
  store the one or more first data constructs in the pattern database;
  
  a threat intelligence device connected to the event management device and adapted to;
  
  receive, from the event management device, the one or more first data constructs of the predefined data structure that identify the malicious activity;
  
  in response to receiving the one or more first data constructs of the predefined data structure that identify the malicious activity;
  
  determine, using the one or more first data constructs that identify the malicious activity, whether additional data related to the identified malicious activity is available from one or more third party sources; and
  
  in response to determining that additional data related to the identified malicious activity is available from the one or more third party sources, generate, using the data identifying the malicious activity and the additional data, one or more second data constructs of the predefined data structure that include data describing (i) a campaign of related malicious activity in which at least a portion of the malicious activity is involved and (ii) one or more courses of action for mitigating the campaign of related malicious activity, wherein each of the one or more second data constructs are different data constructs from and comprise different data than each of the one or more first data constructs, and the campaign of related malicious activity is a) by a common malicious actor as an actor for the malicious activity, b) with common tactics, techniques, and procedures as those of the malicious activity, c) with common observables as those of the malicious activity, or d) with common security incidents to those of the malicious activity; and
  
  a course of action device connected to the threat intelligence device and adapted to;
  
  receive the one or more second data constructs from the threat intelligence device; and
  
  implement, for the network for the organization and using the one or more second data constructs, a given course of action of the one or more courses of action.
- View Dependent Claims (2, 3, 4, 13, 14, 15, 16, 17)
- - 2. The system of claim 1 further comprising a connection processor configured to coordinate processing functions between the event management device, the threat intelligence device, and the course of action device, and configured to communicate messages between the event management device, the threat intelligence device, and the course of action device using the first and second data constructs of the predefined data structure.
  - 3. The system of claim 1, wherein the one or more first data constructs includes at least one of:
    - (i) an incident data construct that includes data describing a particular security event identified from the received network domain activity;
      
      (ii) an indicator data construct that includes data describing attack patterns identified from the received network domain activity;
      
      or (iii) an actor data construct that includes data describing a malicious actor that caused at least a portion of the malicious activity.
  - 4. The system of claim 1, wherein one or more second data constructs include at least one of (i) a campaign data construct that includes data describing a malicious campaign;
    - (ii) a weakness data construct that includes data describing a weakness of the network;
      
      or (iii) a course of action data construct that includes data describing at least one of the one or more courses of action.
  - 13. The system of claim 1, wherein:
    - the one or more first data constructs of the predefined data structure includes at least one of;
      
      (i) an incident data construct that includes data describing a particular security event identified from the received network domain activity;
      
      (ii) an indicator data construct that includes data describing attack patterns identified from the received network domain activity;
      
      or (iii) an actor data construct that includes data describing a malicious actor that caused at least a portion of the malicious activity; and
      
      the one or more second data constructs of the predefined data structure include at least one of (i) a campaign data construct that includes data describing a malicious campaign;
      
      (ii) a weakness data construct that includes data describing a weakness of the network;
      
      or (iii) a course of action data construct that includes data describing at least one of the one or more courses of action.
  - 14. The system of claim 1 wherein the course of action device is adapted to implement the given course of action of the one or more courses of action automatically, without user input.
  - 15. The system of claim 14 wherein the course of action device is adapted to automatically implement the given course of action without user input by:
    - generating instructions that, upon receipt by a device, cause the device to automatically implement the course of action; and
      
      providing, to a device on the network of the organization, the instructions.
  - 16. The system of claim 15, wherein:
    - generating the instructions comprises generating instructions to cause a gateway to turn off; and
      
      providing the instructions comprises providing the instructions to a gateway on the network of the organization to cause the gateway to turn off.
  - 17. The system of claim 15, wherein:
    - generating the instructions comprises generating instructions to cause a gateway to update security software executing on the gateway; and
      
      providing the instructions comprises providing the instructions to a gateway on the network of the organization to cause the gateway to update security software executing on the gateway.

5. A computer-implemented method comprising:
- receiving, by an event management device and for a network of an organization, network domain activity that includes first domain activity data from a first network domain and second domain activity from a second network domain;
  
  identifying, by the event management device, malicious activity present on at least one of the first network domain or the second network domain based on the received network domain activity;
  
  determining whether the malicious activity indicates a new attack pattern that is not identified by data in a pattern database by comparing the malicious activity with attack patterns identified by data in the pattern database;
  
  in response to determining that the malicious activity indicates a new attack pattern that is not identified by data in the pattern database;
  
  generating, by the event management device, one or more first data constructs of a predefined data structure that each include data that identifies the malicious activity; and
  
  storing, by the event management device, the one or more first data constructs in the pattern database;
  
  receiving, by a threat intelligence device and from the event management device, the one or more first data constructs of the predefined data structure that identify the malicious activity;
  
  in response to receiving the one or more first data constructs of the predefined data structure that identify the malicious activity;
  
  determining, by the threat intelligence device and using the one or more first data constructs that identify the malicious activity, whether additional data related to the identified malicious activity is available from one or more third party sources; and
  
  in response to determining that additional data related to the identified malicious activity is available from the one or more third party sources, generating, by the threat intelligence device and using the data identifying the malicious activity and the additional data, one or more second data constructs of the predefined data structure that include data describing (i) a campaign of related malicious activity in which at least a portion of the malicious activity is involved and (ii) one or more courses of action for mitigating the campaign of related malicious activity, wherein each of the one or more second data constructs are different data constructs from and comprise different data than each of the one or more first data constructs, and the campaign of related malicious activity is a) by a common malicious actor as an actor for the malicious activity, b) with common tactics, techniques, and procedures as those of the malicious activity, c) with common observables as those of the malicious activity, or d) with common security incidents to those of the malicious activity;
  
  receiving, by a course of action device, the one or more second data constructs from the threat intelligence device; and
  
  implementing, by the course of action device for the network for the organization and using the one or more second data constructs, a given course of action of the one or more courses of action.
- View Dependent Claims (6, 7, 8)
- - 6. The method of claim 5, wherein the predefined data structure comprises a Structured Threat Information Expression STIX data structure.
  - 7. The method of claim 5, wherein the one or more first data constructs includes at least one of:
    - (i) an incident data construct that includes data describing a particular security event identified from the received network domain activity;
      
      (ii) an indicator data construct that includes data describing attack patterns identified from the received network domain activity;
      
      or (iii) an actor data construct that includes data describing a malicious actor that caused at least a portion of the malicious activity.
  - 8. The method of claim 5, wherein one or more second data constructs include at least one of (i) a campaign data construct that includes data describing a malicious campaign;
    - (ii) a weakness data construct that includes data describing a weakness of the network;
      
      or (iii) a course of action data construct that includes data describing at least one of the one or more courses of action.

9. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
- receiving, by an event management device and for a network of an organization, network domain activity that includes first domain activity data from a first network domain and second domain activity from a second network domain;
  
  identifying, by the event management device, malicious activity present on at least one of the first network domain or the second network domain based on the received network domain activity;
  
  determining whether the malicious activity indicates a new attack pattern that is not identified by data in a pattern database by comparing the malicious activity with attack patterns identified by data in the pattern database;
  
  in response to determining that the malicious activity indicates a new attack pattern that is not identified by data in the pattern database;
  
  generating, by the event management device, one or more first data constructs of a predefined data structure that each include data that identifies the malicious activity; and
  
  storing, by the event management device, the one or more first data constructs in the pattern database;
  
  receiving, by a threat intelligence device and from the event management device, the one or more first data constructs of the predefined data structure that identify the malicious activity;
  
  in response to receiving the one or more first data constructs of the predefined data structure that identify the malicious activity;
  
  determining, by the threat intelligence device and using the one or more first data constructs that identify the malicious activity, whether additional data related to the identified malicious activity is available from one or more third party sources; and
  
  in response to determining that additional data related to the identified malicious activity is available from the one or more third party sources, generating, by the threat intelligence device and using the data identifying the malicious activity and the additional data, one or more second data constructs of the predefined data structure that include data describing (i) a campaign of related malicious activity in which at least a portion of the campaign of related malicious activity is involved and (ii) one or more courses of action for mitigating the malicious activity, wherein the one or more second data constructs are different data constructs from and comprise different data than each of the one or more first data constructs, and the campaign of related malicious activity is a) by a common malicious actor as an actor for the malicious activity, b) with common tactics, techniques, and procedures as those of the malicious activity, c) with common observables as those of the malicious activity, or d) with common security incidents to those of the malicious activity;
  
  receiving, by a course of action device, the one or more second data constructs from the threat intelligence device; and
  
  implementing, by the course of action device for the network for the organization and using the one or more second data constructs, a given course of action of the one or more courses of action.
- View Dependent Claims (10, 11, 12)
- - 10. The non-transitory computer-readable storage medium of claim 9, wherein the predefined data structure comprises a Structured Threat Information Expression STIX data structure.
  - 11. The non-transitory computer-readable storage medium of claim 9, wherein the one or more first data constructs includes at least one of:
    - (i) an incident data construct that includes data describing a particular security event identified from the received network domain activity;
      
      (ii) an indicator data construct that includes data describing attack patterns identified from the received network domain activity;
      
      or (iii) an actor data construct that includes data describing a malicious actor that caused at least a portion of the malicious activity.
  - 12. The non-transitory computer-readable storage medium of claim 9, wherein one or more second data constructs include at least one of (i) a campaign data construct that includes data describing a malicious campaign;
    - (ii) a weakness data construct that includes data describing a weakness of the network;
      
      or (iii) a course of action data construct that includes data describing at least one of the one or more courses of action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Solutions Limited (Accenture PLC)
Original Assignee
Accenture Global Solutions Limited (Accenture PLC)
Inventors
Mulchandani, Shaan, Hassanzadeh, Amin, Hovor, Elvis, Modi, Shimon, Negm, Walid
Primary Examiner(s)
Lipman, Jacob

Application Number

US15/051,528
Publication Number

US 20170171235A1
Time in Patent Office

1,015 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Connected security system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Connected security system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links