System and method thereof for identifying and responding to security incidents based on preemptive forensics
Abstract
A system is connected to a plurality of user devices coupled to an enterprise's network. The system continuously collects, stores, and analyzes forensic data related to the enterprise's network. Based on the analysis, the system is able to determine normal behavior of the network and portions thereof and thereby identify abnormal behaviors within the network. Upon identification of an abnormal behavior, the system determines whether the abnormal behavior relates to a security incident. Upon determining a security incident in any portion of the enterprise's network, the system extracts forensic data respective of the security incident and enables further assessment of the security incident as well as identification of the source of the security incident. The system provides real-time damage assessment respective of the security incident as well as the security incident's attributions.
7 Claims
1. A computerized method of managing data security comprising:

continuously collecting forensic data related to a plurality of network-connected user devices by a mine component comprising a plurality of agents installed on the plurality of user devices and a main component installed on the computer, which communicates with the plurality of agents, wherein the forensic data comprises at least an event log indicating activities and events that occurred in the respective client;

determining, by the computer, at least one normal behavior pattern associated with at least one of the plurality of user devices based on the collected forensic data;

identifying, by the computer, at least one abnormal behavior in the forensic data based on the determined at least one normal behavior pattern, wherein the identified abnormal behavior is a suspicious event;

in response to the identifying of the at least one abnormal behavior, by the computer, outputting a security incident notification, wherein the security incident comprises contextual data associated with the security incident;

in response to the suspicious event, determining if a security incident has occurred based on a pre-stored criteria and the forensic data;

in response to the determining that the security incident occurred, outputting a graphical user interface showing at least two attributes of the security incident;

in response to the determining that the security incident has not occurred, outputting a notification indicating that the security incident has not been identified; and

generating, by the computer, a real-time damage assessment respective of the security incident based on the forensic data.

(Claims 2, 3, 4 and 5 depend on claim 1 and are not reproduced on this page.)

6. A non-transitory computer readable medium storing executable instructions, the instructions comprising:

continuously collecting forensic data related to a plurality of network-connected user devices by a mine component comprising a plurality of agents installed on the plurality of user devices and a main component installed on the computer, which communicates with the plurality of agents, wherein the forensic data comprises at least an event log indicating activities and events that occurred in the respective client;

determining, by the computer, at least one normal behavior pattern associated with at least one of the plurality of user devices based on the collected forensic data;

identifying, by the computer, at least one abnormal behavior in the forensic data based on the determined at least one normal behavior pattern, wherein the identified abnormal behavior is a suspicious event;

in response to the identifying of the at least one abnormal behavior, by the computer, outputting a security incident notification, wherein the security incident comprises contextual data associated with the security incident;

in response to the suspicious event, determining if a security incident has occurred based on a pre-stored criteria and the forensic data;

in response to the determining that the security incident occurred, outputting a graphical user interface showing at least two attributes of the security incident;

in response to the determining that the security incident has not occurred, outputting a notification indicating that the security incident has not been identified; and

generating, by the computer, a real-time damage assessment respective of the security incident based on the forensic data.

7. An apparatus for managing data security comprising:

a memory configured to store executable instructions; and

a processor configured to execute the instructions, which when executed cause the processor to:

receive forensic data from a plurality of network-connected user devices, the forensic data being continuously collected by agents running on the plurality of network-connected user devices, wherein the forensic data comprises at least an event log indicating activities and events that occurred in the respective client;

determine at least one of: a normal behavior pattern associated with at least one of the plurality of user devices based on the collected forensic data, and at least one suspicious event by applying preset rules to the received forensic data;

in response to the determining the at least one normal behavior pattern, identify at least one abnormal behavior in the forensic data based on the determined at least one normal behavior pattern, and, in response to the identifying of the at least one abnormal behavior, output a security incident notification, wherein the identified abnormal behavior is a suspicious event;

in response to the determining the at least one suspicious event, determine a context of the suspicious event based on the collected forensic data and store the determined context;

in response to the suspicious event, determine if a security incident has occurred based on a pre-stored criteria and the forensic data;

in response to the determining that the security incident occurred, output a graphical user interface showing at least two attributes of the security incident;

in response to the determining that the security incident has not occurred, output a notification indicating that the security incident has not been identified; and

generate a real-time damage assessment respective of the security incident based on the forensic data.
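The independent claims above describe one pipeline: agents forward event logs, a central component learns a per-device normal behavior pattern, deviations become suspicious events, each suspicious event is tested with its context against pre-stored criteria, and the outcome is either an incident report with at least two attributes plus a damage assessment, or a "not identified" notification. The following is an added illustration of that pipeline and is not code from the patent or its assignee. The event schema (device, process, event, dest), the baseline model (set of process/event pairs seen per device), the single incident criterion (an unknown process that both writes to disk and connects to a destination never seen in the baseline) and the damage metric (spread of the indicator across devices) are all assumptions chosen for the example; the log records are constructed.

```python
"""Illustrative reconstruction of the claimed detection pipeline (added example,
not the patent's own code). Schema, baseline model, criteria and damage metric
are assumptions; all log records below are constructed for the example."""
from collections import defaultdict

# Constructed training-window records, as a collection agent might forward them.
BASELINE_LOG = [
    {"device": "ws-01", "process": "outlook.exe", "event": "net_connect", "dest": "mail.corp"},
    {"device": "ws-01", "process": "chrome.exe", "event": "net_connect", "dest": "intranet.corp"},
    {"device": "ws-01", "process": "chrome.exe", "event": "file_write", "dest": "Downloads"},
    {"device": "ws-02", "process": "outlook.exe", "event": "net_connect", "dest": "mail.corp"},
    {"device": "ws-02", "process": "excel.exe", "event": "file_write", "dest": "Documents"},
] * 20  # repeated so the baseline represents many observations

# Constructed live-window records containing an unknown process on two devices.
LIVE_LOG = [
    {"device": "ws-01", "process": "chrome.exe", "event": "net_connect", "dest": "intranet.corp"},
    {"device": "ws-01", "process": "rundll32.exe", "event": "file_write", "dest": "Windows/Temp"},
    {"device": "ws-01", "process": "rundll32.exe", "event": "net_connect", "dest": "203.0.113.9"},
    {"device": "ws-02", "process": "excel.exe", "event": "file_write", "dest": "Documents"},
    {"device": "ws-02", "process": "rundll32.exe", "event": "net_connect", "dest": "203.0.113.9"},
]


def learn_normal_patterns(log):
    """Normal behavior pattern per device: the (process, event) pairs seen in training.
    Assumed model; a real system would also learn rates and timing."""
    patterns = defaultdict(set)
    for rec in log:
        patterns[rec["device"]].add((rec["process"], rec["event"]))
    return patterns


def find_suspicious_events(log, patterns):
    """Abnormal behavior: a (process, event) pair absent from that device's baseline."""
    return [r for r in log if (r["process"], r["event"]) not in patterns[r["device"]]]


def event_context(rec, log):
    """Contextual data for a suspicious event: the other live records from the same device."""
    return [r for r in log if r["device"] == rec["device"] and r is not rec]


def meets_criteria(rec, ctx, known_dests):
    """Pre-stored criterion (assumed): the same unknown process both wrote to disk and
    connected to a destination never seen in the baseline."""
    same_proc = [r for r in ctx if r["process"] == rec["process"]] + [rec]
    wrote = any(r["event"] == "file_write" for r in same_proc)
    unknown_net = any(r["event"] == "net_connect" and r["dest"] not in known_dests for r in same_proc)
    return wrote and unknown_net


def assess_damage(process, log):
    """Real-time damage assessment: how far the indicator has spread in the live window."""
    hits = [r for r in log if r["process"] == process]
    return {"affected_devices": sorted({r["device"] for r in hits}), "related_events": len(hits)}


def analyze(baseline_log, live_log):
    """Run the full pipeline; returns incident attributes and damage, or a not-identified notice."""
    patterns = learn_normal_patterns(baseline_log)
    known_dests = {r["dest"] for r in baseline_log}
    suspicious = find_suspicious_events(live_log, patterns)
    for rec in suspicious:
        ctx = event_context(rec, live_log)
        if meets_criteria(rec, ctx, known_dests):
            # At least two attributes of the incident, as the claimed GUI output requires.
            attrs = {
                "source_device": rec["device"],
                "process": rec["process"],
                "destinations": sorted({r["dest"] for r in ctx + [rec]
                                        if r["process"] == rec["process"] and r["event"] == "net_connect"}),
            }
            return {"incident": True, "attributes": attrs,
                    "damage": assess_damage(rec["process"], live_log),
                    "suspicious_events": len(suspicious)}
    return {"incident": False, "notification": "security incident has not been identified",
            "suspicious_events": len(suspicious)}


if __name__ == "__main__":
    print(analyze(BASELINE_LOG, LIVE_LOG))
```

Note the two separate decision points the claims keep apart: an event is suspicious merely because it departs from the learned baseline, but it only becomes an incident when the pre-stored criteria hold over the event and its context. A baseline learned from a window that already contained the attacker's activity would silence both steps, so the training window must be trusted before the patterns are used.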
Specification