Systems and techniques for guiding a response to a cybersecurity incident

US 10,320,820 B2
Filed: 03/24/2017
Issued: 06/11/2019
Est. Priority Date: 03/24/2016
Status: Active Grant

First Claim

Patent Images

1. A method for guiding a response to a security incident, comprising:

identifying a plurality of security events associated with the security incident, wherein the plurality of security events include a first group of security events and a second group of security events, and wherein identifying the plurality of security events includes;

determining that the security events in the first group are associated with the security incident, anddetermining that each security event in the second group is relevant to a respective event in the first group, wherein relevance of a first security event to a second security event is determined based on an extent to which activities or attributes of a first entity associated with the first security event influence activities or attributes of a second entity associated with the second security event;

for two or more individual security events in the plurality of security events associated with the security incident, estimating a respective utility of investigating each individual security event;

pruning a first, non-empty subset of the individual security events associated with the security incident based, at least in part, on the estimated utilities of investigating the pruned security events, wherein a second non-empty subset of the individual security events associated with the security incident remain after the pruning; and

guiding the response to the security incident by presenting, to a user, data corresponding to the remaining subset of individual security events associated with the security incident.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cybersecurity engine can guide a forensic investigation of a security incident by estimating the utility of investigating events associated with the security incident, selecting a subset of such events based on the estimated utilities, and presenting data associated with the selected events to the investigator. A method for guiding a response to a security incident may include estimating, for each of a plurality of security events associated with the security incident, a utility of investigating the security event. The method may further include selecting a subset of the security events based, at least in part, on the estimated utilities of investigating the security events. The method may further include guiding the response to the security incident by presenting, to a user, data corresponding to the selected security events.

41 Citations

View as Search Results

32 Claims

1. A method for guiding a response to a security incident, comprising:
- identifying a plurality of security events associated with the security incident, wherein the plurality of security events include a first group of security events and a second group of security events, and wherein identifying the plurality of security events includes;
  
  determining that the security events in the first group are associated with the security incident, anddetermining that each security event in the second group is relevant to a respective event in the first group, wherein relevance of a first security event to a second security event is determined based on an extent to which activities or attributes of a first entity associated with the first security event influence activities or attributes of a second entity associated with the second security event;
  
  for two or more individual security events in the plurality of security events associated with the security incident, estimating a respective utility of investigating each individual security event;
  
  pruning a first, non-empty subset of the individual security events associated with the security incident based, at least in part, on the estimated utilities of investigating the pruned security events, wherein a second non-empty subset of the individual security events associated with the security incident remain after the pruning; and
  
  guiding the response to the security incident by presenting, to a user, data corresponding to the remaining subset of individual security events associated with the security incident.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 28, 29, 30, 31, 32)
- - 2. The method of claim 1, wherein the two or more individual security events include the first security event, and wherein the utility of investigating the first security event is estimated based, at least in part, on one or more objective and/or subjective indicators thereof.
  - 3. The method of claim 2, wherein the one or more objective indicators of the utility of investigating the first security event include reputational data indicating a reputation of an entity associated with the first security event, frequency data indicating a frequency of the first security event, and/or adjacency data indicating an adjacency of the first security event to one or more other security events.
  - 4. The method of claim 3, wherein the reputational data indicate a reputation of a file associated with the first security event, a reputation of a software provider that provided or certified the file, a reputation of a process associated with the first security event, and/or a reputation of an entity corresponding to communications associated with the first security event.
  - 5. The method of claim 3, further comprising selecting the one or more other security events from a set of security events previously investigated in connection with the response to the security incident, from a set of security events previously presented in connection with the response to the security incident, and/or from a set of security events previously presented in connection with a response to another security incident.
  - 6. The method of claim 3, further comprising determining the adjacency of the first security event to the one or more other security events based, at least in part, on one or more relevance values indicating extents of relevance of the first security event to the one or more other security events, respectively.
  - 7. The method of claim 2, wherein the one or more subjective indicators of the utility of investigating the first security event include interest data indicating an investigator'"'"'s level of interest in investigating security events.
  - 8. The method of claim 7, wherein the interest data are obtained based, at least in part, on a machine-executable predictive model of one or more forensic investigators'"'"' level of interest in performing investigations of security events.
  - 9. The method of claim 8, wherein the predictive model includes a classifier trained to classify security events based on types and/or attributes of the security events.
  - 10. The method of claim 1, further comprising assigning respective rankings to the individual security events in the remaining subset, wherein the data corresponding to the individual security events in the remaining subset are presented in accordance with the assigned rankings.
  - 11. The method of claim 10, wherein the rankings are assigned to the individual security events in the remaining subset based, at least in part, on one or more objective and/or subjective indicators of respective utilities of investigating the individual security events in the remaining subset.
  - 12. The method of claim 11, wherein the one or more subjective indicators of the utilities of investigating the individual security events in the remaining subset include interest data indicating an investigator'"'"'s level of interest in investigating security events, and wherein the interest data are obtained based, at least in part, on a machine-executable predictive model of one or more forensic investigators'"'"' level of interest in performing investigations of security events.
  - 13. The method of claim 12, wherein the predictive model includes a classifier trained to classify security events based on types and/or attributes of the security events.
  - 14. The method of claim 1, further comprising prompting the user to investigate one or more of the individual security events in the remaining subset and/or to eliminate one or more of the individual security events in the remaining subset from consideration for investigation.
  - 28. The method of claim 1, wherein the activities or attributes of the first entity associated with the first security event directly influence the activities or attributes of the second entity associated with the second security event as a result of the first entity performing an operation on the second entity, communicating with the second entity, accessing resources of the second entity, and/or being derived from the second entity.
  - 29. The method of claim 28, wherein the activities or attributes of the first entity associated with the first security event indirectly influence the activities or attributes of the second entity associated with the second security event as a result of the first entity directly influencing a third entity and the third entity directly and/or indirectly influencing the second entity.
  - 30. The method of claim 1, wherein estimating the respective utility of investigating each individual security event comprises:
    - assigning a respective value to each security event in the first group of security events, the assigned value representing the utility of investigating the respective security event; and
      
      propagating the assigned values from the security events in the first group to the security events in the second group.
  - 31. The method of claim 30, wherein the values are propagated based on the relevance of the security events in the plurality of security events to each other.
  - 32. The method of claim 1, wherein:
    - the first group of security events includes one or more first events associated with a first file instantiating a first process, the first process creating a second file, and the first process registering the second file to run as a service;
      
      the second group of security events includes one or more second events associated with an operating system initiating the service; and
      
      the second events are determined to be relevant to the first events.

15. A system comprising:
- data processing apparatus programmed to perform operations comprising;
  
  identifying a plurality of security events associated with the security incident, wherein the plurality of security events include a first group of security events and a second group of security events, and wherein identifying the plurality of security events includes;
  
  determining that the security events in the first group are associated with the security incident, anddetermining that each security event in the second group is relevant to a respective event in the first group, wherein relevance of a first security event to a second security event is determined based on an extent to which activities or attributes of a first entity associated with the first security event influence activities or attributes of a second entity associated with the second security event;
  
  for two or more individual security events in the plurality of security events associated with the security incident, estimating a respective utility of investigating each individual security event;
  
  pruning a first, non-empty subset of the individual security events associated with the security incident based, at least in part, on the estimated utilities of investigating the pruned security events, wherein a second non-empty subset of the individual security events associated with the security incident remain after the pruning; and
  
  guiding a response to the security incident by presenting, to a user, data corresponding to the remaining subset of individual security events associated with the security incident.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 16. The system of claim 15, wherein the two or more individual security events include the first security event, and wherein the utility of investigating the first security event is estimated based, at least in part, on one or more objective and/or subjective indicators thereof.
  - 17. The system of claim 16, wherein the one or more objective indicators of the utility of investigating the first security event include reputational data indicating a reputation of an entity associated with the first security event, frequency data indicating a frequency of the first security event, and/or adjacency data indicating an adjacency of the first security event to one or more other security events.
  - 18. The system of claim 17, wherein the reputational data indicate a reputation of a file associated with the first security event, a reputation of a software provider that provided or certified the file, a reputation of a process associated with the first security event, and/or a reputation of an entity corresponding to communications associated with the first security event.
  - 19. The system of claim 17, wherein the operations further comprise selecting the one or more other security events from a set of security events previously investigated in connection with the response to the security incident, from a set of security events previously presented in connection with the response to the security incident, and/or from a set of security events previously presented in connection with a response to another security incident.
  - 20. The system of claim 17, wherein the operations further comprise determining the adjacency of the first security event to the one or more other security events based, at least in part, on one or more relevance values indicating extents of relevance of the first security event to the one or more other security events, respectively.
  - 21. The system of claim 16, wherein the one or more subjective indicators of the utility of investigating the first security event include interest data indicating an investigator'"'"'s level of interest in investigating security events.
  - 22. The system of claim 21, wherein the interest data are obtained based, at least in part, on a machine-executable predictive model of one or more forensic investigators'"'"' level of interest in performing investigations of security events.
  - 23. The system of claim 22, wherein the predictive model includes a classifier trained to classify security events based on types and/or attributes of the security events.
  - 24. The system of claim 15, wherein the operations further comprise assigning respective rankings to the individual security events in the remaining subset, and wherein the data corresponding to the individual security events in the remaining subset are presented in accordance with the assigned rankings.
  - 25. The system of claim 23, wherein the rankings are assigned to the individual security events in the remaining subset based, at least in part, on one or more objective and/or subjective indicators of respective utilities of investigating the individual security events in the remaining subset.
  - 26. The system of claim 25, wherein the one or more subjective indicators of the utilities of investigating the individual security events in the remaining subset include interest data indicating an investigator'"'"'s level of interest in investigating security events, and wherein the interest data are obtained based, at least in part, on a machine-executable predictive model of one or more forensic investigators'"'"' level of interest in performing investigations of security events.
  - 27. The system of claim 26, wherein the predictive model includes a classifier trained to classify security events based on types and/or attributes of the security events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbon Black, Inc. (Broadcom, Inc.)
Original Assignee
Carbon Black, Inc. (Broadcom, Inc.)
Inventors
Lord, Christopher, Johnson, Benjamin, Smestad, Doran, Hartley, Joshua
Primary Examiner(s)
Giddins, Nelson

Application Number

US15/468,942
Publication Number

US 20170279822A1
Time in Patent Office

809 Days
Field of Search
US Class Current
CPC Class Codes

G06N 5/04   Inference or reasoning models

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

Systems and techniques for guiding a response to a cybersecurity incident

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

41 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and techniques for guiding a response to a cybersecurity incident

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links