Systems and techniques for guiding a response to a cybersecurity incident
First Claim
1. A method for guiding a response to a security incident, comprising:
- identifying a plurality of security events associated with the security incident, wherein the plurality of security events include a first group of security events and a second group of security events, and wherein identifying the plurality of security events includes:
  - determining that the security events in the first group are associated with the security incident, and
  - determining that each security event in the second group is relevant to a respective event in the first group, wherein relevance of a first security event to a second security event is determined based on an extent to which activities or attributes of a first entity associated with the first security event influence activities or attributes of a second entity associated with the second security event;
- for two or more individual security events in the plurality of security events associated with the security incident, estimating a respective utility of investigating each individual security event;
- pruning a first, non-empty subset of the individual security events associated with the security incident based, at least in part, on the estimated utilities of investigating the pruned security events, wherein a second non-empty subset of the individual security events associated with the security incident remain after the pruning; and
- guiding the response to the security incident by presenting, to a user, data corresponding to the remaining subset of individual security events associated with the security incident.
Abstract
A cybersecurity engine can guide a forensic investigation of a security incident by estimating the utility of investigating events associated with the security incident, selecting a subset of such events based on the estimated utilities, and presenting data associated with the selected events to the investigator. A method for guiding a response to a security incident may include estimating, for each of a plurality of security events associated with the security incident, a utility of investigating the security event. The method may further include selecting a subset of the security events based, at least in part, on the estimated utilities of investigating the security events. The method may further include guiding the response to the security incident by presenting, to a user, data corresponding to the selected security events.
41 Citations
32 Claims
1. A method for guiding a response to a security incident (independent claim; recited in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 28, 29, 30, 31, 32.

15. A system comprising: data processing apparatus programmed to perform operations comprising: identifying a plurality of security events associated with the security incident, wherein the plurality of security events include a first group of security events and a second group of security events, and wherein identifying the plurality of security events includes: determining that the security events in the first group are associated with the security incident, and determining that each security event in the second group is relevant to a respective event in the first group, wherein relevance of a first security event to a second security event is determined based on an extent to which activities or attributes of a first entity associated with the first security event influence activities or attributes of a second entity associated with the second security event; for two or more individual security events in the plurality of security events associated with the security incident, estimating a respective utility of investigating each individual security event; pruning a first, non-empty subset of the individual security events associated with the security incident based, at least in part, on the estimated utilities of investigating the pruned security events, wherein a second non-empty subset of the individual security events associated with the security incident remain after the pruning; and guiding a response to the security incident by presenting, to a user, data corresponding to the remaining subset of individual security events associated with the security incident. Dependent claims: 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27.
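The following is an added illustration of the method recited in claims 1 and 15 (identify a seed group and an influence-related second group, estimate per-event utility, prune a non-empty low-utility subset, present the remainder); it is not code from the patent, and the entity-influence table, the events, and the severity-times-link utility estimate are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Event:
    id: str
    entity: str         # host, account or process the event is about
    severity: float     # 0..1, from the detection rule that produced the event
    seed: bool = False  # True when the event is directly tied to the incident

# Constructed sample: INFLUENCE[a][b] = how strongly entity a's activity shapes b's
INFLUENCE = {
    "host-A": {"host-B": 0.9, "svc-acct": 0.7},
    "svc-acct": {"host-C": 0.6},
    "host-B": {"printer": 0.1},
}

EVENTS = [
    Event("e1", "host-A", 0.9, seed=True),  # first group: the incident itself
    Event("e2", "host-B", 0.5),
    Event("e3", "svc-acct", 0.6),
    Event("e4", "host-C", 0.3),             # only reachable via svc-acct (two hops)
    Event("e5", "printer", 0.2),
    Event("e6", "host-Z", 0.8),             # high severity but no influence path
]

def relevance(first, second):
    """Extent to which the entity of `first` influences the entity of `second`."""
    return INFLUENCE.get(first.entity, {}).get(second.entity, 0.0)

def identify(events, threshold=0.5):
    """First group: seed events. Second group: events relevant to a first-group event."""
    first = [e for e in events if e.seed]
    second = [e for e in events if not e.seed
              and any(relevance(f, e) >= threshold for f in first)]
    return first, second

def utility(event, first):
    """Estimated value of investigating: severity weighted by strongest incident link."""
    link = 1.0 if event.seed else max(relevance(f, event) for f in first)
    return round(event.severity * link, 3)

def prune(events, first, keep_ratio=0.5):
    """Drop lowest-utility events; keep at least one and (given >= 2) drop at least one."""
    ranked = sorted(events, key=lambda e: utility(e, first), reverse=True)
    keep = max(1, min(len(ranked) - 1, round(len(ranked) * keep_ratio)))
    return ranked[:keep], ranked[keep:]

def guide(events=EVENTS):
    # Returns (remaining events with utilities, pruned event ids) for presentation.
    first, second = identify(events)
    remaining, pruned = prune(first + second, first)
    return [(e.id, utility(e, first)) for e in remaining], [e.id for e in pruned]
```

With the sample data, e4 and e6 never enter the candidate set (no single-hop influence from a seed entity), and e3 is pruned as the lowest-utility remaining event.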