System and method of protecting client computers
First Claim
1. A method of providing security for a plurality of client computers, the method comprising:
- receiving, by a threat response computer, an event report identifying possible malware on a first client computer;
- receiving, by the threat response computer, a first set of data from a detection program running on the first client computer, said data reflecting the state of the first client computer by including at least one of registry entries, files, mutexes, open connections, or processes running on the first client computer;
- automatically analyzing the first set of data based on a set of known actual indications of compromise (IOCs) related to the possible malware, said actual IOCs containing data that identify changes to a computer that has been infected with malware comprising changed or added files, changed or added registry entries, mutexes, processes, or open connections;
- receiving a second set of data from a second client computer;
- updating the set of known actual IOCs with information that may be used to identify when malware has been executed on the first client computer, wherein updating the set of known actual IOCs comprises analyzing the second set of data and re-weighting the known actual IOCs found in both the first set of data and the second set of data;
- automatically re-analyzing the first set of data based on the update;
- performing at least one of presenting the re-analysis to a user; and
- configuring a firewall in response to the re-analysis indicating that the first client has been infected with malware.
5 Assignments
0 Petitions
Abstract
A threat response platform to act as a bridge between non-inline security programs and inline security programs. The threat response platform receives event reports, relating to client devices, from the non-inline security programs and creates incident reports for a user. The incident reports describe the event report and also additional data gathered by an active correlation system of the threat response platform. The active correlation system automatically gathers various types of data that are potentially useful to a user in determining whether the reported event is an incidence of malware operating on the client device or a false positive. The active correlation system places a temporary agent on the client device to identify indications of compromise.
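The sequence claimed above (analyze the first client's data against weighted IOCs, fold in a second client's data by re-weighting the IOCs found on both hosts, re-analyze, then present the result or configure a firewall) is compact enough to model end to end. The following is an added worked example written for this page; it is not code from the patent or its assignee. Every IOC value, weight, host name and snapshot in it is constructed, and the choice to demote rather than boost a shared IOC when the second host is a known-clean baseline is this example's own addition: the claims say only that IOCs found in both data sets are re-weighted.

```python
"""Added worked model of the claimed analyze / update / re-analyze loop.

This is an illustration written for this page, not code from the patent or
its assignee. All IOC values, weights, hosts and snapshots are constructed.
"""
from dataclasses import dataclass

# Artifact kinds the claims enumerate: files, registry entries, mutexes,
# processes and open connections.
KINDS = ("file", "registry", "mutex", "process", "connection")


@dataclass(frozen=True)
class Snapshot:
    """State the temporary agent reports for one client; artifacts are (kind, value)."""
    host: str
    artifacts: frozenset


def snapshot(host, **groups):
    """Build a Snapshot from keyword groups such as mutex={...}, connection={...}."""
    arts = set()
    for kind, values in groups.items():
        if kind not in KINDS:
            raise ValueError(f"unknown artifact kind {kind!r}")
        arts.update((kind, v) for v in values)
    return Snapshot(host, frozenset(arts))


def analyze(snap, iocs, threshold):
    """Match a snapshot against weighted IOCs.

    Returns (score, hits, infected); hits maps each matched IOC to its weight.
    """
    hits = {a: w for a, w in iocs.items() if a in snap.artifacts}
    score = round(sum(hits.values()), 3)
    return score, hits, score >= threshold


def reweight(iocs, first, second, second_reported, boost=2.0, demote=0.5):
    """Return an updated IOC table after analyzing the second client's data.

    Only IOCs present on BOTH hosts are re-weighted, as the claims describe.
    The direction is this example's own choice: corroboration from a second
    reported host raises the weight; co-occurrence on a known-clean baseline
    lowers it, because an artifact a clean host also carries is likely benign.
    """
    shared = first.artifacts & second.artifacts
    factor = boost if second_reported else demote
    return {a: (w * factor if a in shared else w) for a, w in iocs.items()}


def respond(snap, hits, infected):
    """Present the re-analysis and, if infected, configure a firewall.

    Firewall configuration is modelled as block actions for the matched
    connection IOCs; a real deployment would push these to the inline device.
    """
    actions = [("present", snap.host, sorted(hits))]
    if infected:
        for kind, value in sorted(hits):
            if kind == "connection":
                actions.append(("firewall_block", snap.host, value))
    return actions


# Constructed IOCs for a hypothetical malware family. Weights are chosen so
# that no single artifact crosses the threshold on its own.
IOCS = {
    ("file", r"C:\Users\Public\svchost32.exe"): 0.4,
    ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"): 0.3,
    ("mutex", r"Global\ExampleMutexA1B2"): 0.3,
    ("process", "svchost32.exe"): 0.2,
    ("connection", "198.51.100.23:443"): 0.4,
}
THRESHOLD = 1.0

# Constructed snapshots: client-A raised the event report; client-B is the second client.
FIRST = snapshot(
    "client-A",
    mutex={r"Global\ExampleMutexA1B2"},
    process={"explorer.exe"},
    connection={"198.51.100.23:443", "10.0.0.5:445"},
)
SECOND = snapshot(
    "client-B",
    mutex={r"Global\ExampleMutexA1B2"},
    file={r"C:\Users\Public\svchost32.exe"},
    connection={"198.51.100.23:443"},
)


def run_example(second_reported=True):
    """Run the claimed sequence on the constructed data and return each stage."""
    initial = analyze(FIRST, IOCS, THRESHOLD)            # 0.7: below threshold
    updated = reweight(IOCS, FIRST, SECOND, second_reported)
    reanalysis = analyze(FIRST, updated, THRESHOLD)      # 1.4 when B was also reported
    actions = respond(FIRST, reanalysis[1], reanalysis[2])
    return {"initial": initial, "updated_iocs": updated,
            "reanalysis": reanalysis, "actions": actions}


if __name__ == "__main__":
    for stage, value in run_example().items():
        print(stage, value)
```

On the constructed data the first analysis scores 0.7 and is inconclusive; after client-B corroborates the mutex and the connection, those two IOCs double and the re-analysis scores 1.4, which triggers the firewall action for the matched connection. The file IOC that only client-B carries is left untouched, since it is not found in both data sets. Running the same sequence with `second_reported=False` halves the shared weights instead, which is the check a practitioner would want before letting co-occurrence on an arbitrary second host promote an indicator: without it, artifacts common to every Windows host would be re-weighted upward just as readily.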
47 Citations
18 Claims
1. A method of providing security for a plurality of client computers (independent claim, reproduced in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6.
7. A non-transitory machine readable medium storing a program which when executed by at least one processing unit provides security for a plurality of client computers, the program comprising sets of instructions for:
- receiving an event report identifying a possible infection of a first client computer;
- receiving a first set of data from a detection program running on the first client computer, said data reflecting the state of the first client computer by including at least one of registry entries, files, mutexes, open connections, or processes running on the first client computer;
- automatically analyzing the first set of data based on a set of known actual indications of compromise (IOCs) where the actual IOCs are client computer behaviors comprising filenames of recently added or changed files, mutexes, recently changed or added registry keys, open connections, or processes;
- receiving a second set of data from a second client computer;
- updating the set of known actual IOCs, wherein updating the set of known actual IOCs comprises analyzing the second set of data and re-weighting the set of known actual IOCs found in both the first set of data and the second set of data;
- automatically re-analyzing the first set of data based on the update to the set of known actual IOCs;
- performing at least one of presenting the re-analysis to a user; and
- configuring a firewall in response to the re-analysis indicating that the first client computer has been infected with malware.
Dependent claims: 8, 9, 10, 11, 12, 13.

14. A device comprising at least one processing unit and a memory storing a program which when executed by the processing unit provides security for a plurality of client computers, the program comprising sets of instructions for:
- receiving, at the device, an event report identifying a possible infection of a first client computer;
- receiving, at the device, a first set of data from the first client computer, said data reflecting the state of the first client computer by including at least one of registry entries, files, mutexes, or processes running on the first client computer;
- automatically analyzing the first set of data based on a set of known actual indications of compromise (IOCs), said actual IOCs containing data that identify changes to a computer that has been infected with malware comprising changed or added files, changed or added registry entries, mutexes, open connections, or processes;
- receiving, at the device, a second set of data from a second client computer;
- updating the set of known actual IOCs with information that may be used to identify when malware has been executed on the client computer, wherein updating the set of known actual IOCs comprises analyzing the second set of data and re-weighting the set of known actual IOCs found in both the first set of data and the second set of data;
- automatically re-analyzing the first set of data based on the update to the set of known actual IOCs;
- performing at least one of presenting the re-analysis to a user; and
- configuring a firewall in response to the re-analysis indicating that the first client computer has been infected with malware.
Dependent claims: 15, 16, 17, 18.
Specification