System and methods thereof for monitoring and preventing security incidents in a computerized environment
First Claim
1. A method of generating a response to a security incident occurring in a computerized environment that comprises one or more user devices, the method comprising:
detecting, by a computerized device, at least one deviation from an expected behavior of at least one of the one or more user devices;
generating, by the computerized device in response to the computerized device detecting the at least one deviation from an expected behavior of at least one of the one or more user devices, at least one terminable agent;
sending, by the computerized device, the at least one terminable agent to the at least one user device in which the at least one deviation is detected;
configuring, by the computerized device, the at least one terminable agent to send metadata respective of the at least one deviation;
receiving, from the at least one terminable agent, the metadata;
determining, by the computerized device, whether the at least one deviation is a security incident respective of the metadata;
configuring, by the computerized device, the at least one terminable agent to initiate at least one action upon determination that the at least one deviation is a security incident, the at least one action being determined by the computerized device respective of a type of the security incident; and
terminating, by the computerized device, the at least one terminable agent upon determination that the security incident is cleared.
2 Assignments
0 Petitions
Abstract
A system detects and handles security incidents in a computerized environment. The system collects metadata respective of one or more user devices communicatively coupled in the computerized environment. Respective of the collected metadata, the system generates expected behavior patterns of the user devices within the computerized environment. The system continuously monitors the actual behavior of the user devices. Upon detection of deviations from the expected behavior patterns, the system sends a terminable agent to the user device in which the deviation was detected. The system then receives from the terminable agent metadata respective of the deviation. Upon determination that the deviation is a security incident respective of the metadata, the system configures the terminable agent to initiate actions respective thereto. The type of actions required is determined respective of the metadata received from the terminable agent. Upon removal of the security incident, the agent may be terminated.
33 Citations
20 Claims
1. A method of generating a response to a security incident occurring in a computerized environment that comprises one or more user devices, the method comprising:
[Independent claim; its text is identical to the First Claim given above.]
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. An apparatus for generating a response to a security incident occurring in a computerized environment that comprises one or more user devices, the apparatus comprising:
one or more processors; and
memory storing executable instructions that, when executed by the one or more processors, cause the one or more processors to:
detect at least one deviation from an expected behavior of at least one of the one or more user devices;
generate, in response to the apparatus detecting the at least one deviation from an expected behavior of at least one of the one or more user devices, at least one terminable agent;
send the at least one terminable agent to the at least one user device in which the at least one deviation is detected;
configure the at least one terminable agent to send metadata respective of the at least one deviation;
receive, from the at least one terminable agent, the metadata;
determine whether the at least one deviation is a security incident respective of the metadata;
configure the at least one terminable agent to initiate at least one action upon determination that the at least one deviation is a security incident, the at least one action being determined respective of a type of the security incident; and
terminate the terminable agent upon determination that the security incident is cleared.
Dependent claims: 13, 14, 15, 16, 17, 18.

19. One or more computer readable storage media devices storing a program for executing a method of generating a response to a security incident occurring in a computerized environment that comprises one or more user devices, the method comprising:
detecting, by a computerized device, at least one deviation from an expected behavior of at least one of the one or more user devices;
generating, by the computerized device in response to the computerized device detecting the at least one deviation from an expected behavior of at least one of the one or more user devices, at least one terminable agent;
sending, by the computerized device, the at least one terminable agent to the at least one user device in which the at least one deviation is detected;
configuring, by the computerized device, the at least one terminable agent to send metadata respective of the at least one deviation;
receiving, from the at least one terminable agent, the metadata;
determining, by the computerized device, whether the at least one deviation is a security incident respective of the metadata;
configuring, by the computerized device, the at least one terminable agent to initiate at least one action upon determination that the at least one deviation is a security incident, the at least one action being determined by the computerized device respective of a type of the security incident; and
terminating, by the computerized device, the at least one terminable agent upon determination that the security incident is cleared.
Dependent claims: 20.
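The workflow the abstract and the independent claims describe (build an expected-behavior profile from collected metadata, watch for deviations, dispatch a terminable agent to the deviating device, receive the agent's metadata, decide whether the deviation is an incident and of which type, configure the agent with a type-specific action, and terminate the agent once the incident is cleared) as a small Python simulation. This is an added example and not code from the patent or its assignee; the device names, the connections-per-minute telemetry, the process allowlist, the classification rules and the incident-type-to-action mapping are all constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Optional

# Constructed baseline telemetry: outbound connections per minute, per user device.
BASELINE = {
    "laptop-01": [12, 15, 11, 14, 13, 12, 16, 14],
    "laptop-02": [5, 6, 4, 7, 5, 6, 5, 6],
}
# Constructed allowlist of processes that are expected to open many connections.
ALLOWED_PROCESSES = {"updater.exe", "backup-client"}
# Hypothetical mapping from incident type to the action the agent is configured with.
ACTION_BY_TYPE = {
    "suspicious-process": "kill-process-and-quarantine",
    "connection-flood": "isolate-host",
}


@dataclass
class Profile:
    """Expected behavior pattern generated from the collected metadata."""
    mean: float
    stdev: float

    def is_deviation(self, value: float, k: float = 3.0) -> bool:
        # Flag values more than k standard deviations from the mean (floor of 1.0
        # so a very flat baseline does not alert on every small change).
        return abs(value - self.mean) > k * max(self.stdev, 1.0)


def build_profiles(history: dict) -> dict:
    return {dev: Profile(mean(v), pstdev(v)) for dev, v in history.items()}


@dataclass
class TerminableAgent:
    """Agent sent to the deviating device; it lives only for the incident."""
    device: str
    observed: float
    action: Optional[str] = None
    terminated: bool = False

    def report_metadata(self, host_state: dict) -> dict:
        # Hypothetical host facts the agent gathers about the deviation.
        return {"device": self.device, "observed": self.observed, **host_state}


def classify(metadata: dict, profile: Profile) -> Optional[str]:
    """Return the incident type, or None if the deviation is benign (constructed rules)."""
    if metadata["top_process"] in ALLOWED_PROCESSES:
        return None  # expected maintenance traffic, not an incident
    if metadata.get("signed") is False:
        return "suspicious-process"
    if metadata["observed"] > 5 * profile.mean:
        return "connection-flood"
    return None


class Monitor:
    """The computerized device of the claims: profiles, detects, dispatches, terminates."""

    def __init__(self, history: dict):
        self.profiles = build_profiles(history)
        self.agents: dict = {}  # device -> resident TerminableAgent

    def observe(self, device: str, value: float, host_state: dict) -> dict:
        profile = self.profiles[device]
        if not profile.is_deviation(value):
            return {"device": device, "deviation": False}
        agent = TerminableAgent(device, value)          # generate and send the agent
        self.agents[device] = agent
        metadata = agent.report_metadata(host_state)    # agent sends back metadata
        incident = classify(metadata, profile)
        if incident is None:
            agent.terminated = True                     # false positive: terminate now
            del self.agents[device]
            return {"device": device, "deviation": True, "incident": None}
        agent.action = ACTION_BY_TYPE[incident]         # action chosen by incident type
        return {"device": device, "deviation": True,
                "incident": incident, "action": agent.action}

    def recheck(self, device: str, value: float) -> bool:
        """Re-sample the device; terminate the agent once behavior is back in profile."""
        agent = self.agents.get(device)
        if agent is None or self.profiles[device].is_deviation(value):
            return False  # no agent resident, or incident not yet cleared
        agent.terminated = True
        del self.agents[device]
        return True


if __name__ == "__main__":
    m = Monitor(BASELINE)
    print(m.observe("laptop-01", 90, {"top_process": "unknown.exe", "signed": False}))
    print("cleared:", m.recheck("laptop-01", 14))
```

The agent object exists only between `observe` creating it and `recheck` confirming the device is back within its profile, which is the lifecycle the claims call "terminable"; in a real deployment the `report_metadata` and action steps would be messages to software running on the endpoint rather than in-process calls.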
Specification