Data security incident correlation and dissemination system and method

US 10,348,754 B2
Filed: 12/28/2015
Issued: 07/09/2019
Est. Priority Date: 12/28/2015
Status: Active Grant

First Claim

Patent Images

1. A data security incident correlation and dissemination system, the system comprising:

a server system that creates aggregated data from incident information received from a set of incident managers at least two of which are operated by different organizations, the server system including an analysis engine that analyzes the aggregated data to create correlated incident records that include incident information from data security incidents at the different organizations that have been determined by the analysis engine to be related, at least one correlated incident record being uniquely associated with a correlation found by the analysis engine and including a nature and relative strength of the correlation, and that provides threat intelligence data to the organizations based on the correlated incident records;

wherein upon detecting that a given number of correlations of a same type within the correlated incident records has occurred and relate to given incident information, the server system is further operative to notify the different organizations that have been affected by the given incident to facilitate a mitigation effort.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data security incident correlation and dissemination system and method is disclosed. In an exemplary implementation of the system, a service provider of a managed security service receives incident information regarding data security incidents at different business organizations of the security service. One or more incident managers operated by different organizations send incident information, and a server system within the service provider'"'"'s network creates aggregated data from the incident information received from the incident managers. The server system analyzes the aggregated data to create correlated incident records that include incident information from related data security incidents at the different organizations, and provides threat intelligence data based on the correlated incident records for the organizations. In embodiments, the server system can “push” threat intelligence data to the organizations, or the organizations can request the threat intelligence data from the server system.

30 Citations

20 Claims

1. A data security incident correlation and dissemination system, the system comprising:
- a server system that creates aggregated data from incident information received from a set of incident managers at least two of which are operated by different organizations, the server system including an analysis engine that analyzes the aggregated data to create correlated incident records that include incident information from data security incidents at the different organizations that have been determined by the analysis engine to be related, at least one correlated incident record being uniquely associated with a correlation found by the analysis engine and including a nature and relative strength of the correlation, and that provides threat intelligence data to the organizations based on the correlated incident records;
  
  wherein upon detecting that a given number of correlations of a same type within the correlated incident records has occurred and relate to given incident information, the server system is further operative to notify the different organizations that have been affected by the given incident to facilitate a mitigation effort.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the server system determines trends among the incident information within the aggregated data, and includes the trends as trends data within the threat intelligence data that the server system sends to the organizations.
  - 3. The system of claim 1, wherein the server system anonymizes the threat intelligence data to remove information that identifies the organizations.
  - 4. The system of claim 1, wherein the incident information received from the incident managers of the organizations includes the incident information from the data security incidents at the organizations.
  - 5. The system of claim 1, wherein the incident information received from the incident managers includes incident response data that includes recommendations and remediation techniques created by the organizations in response to the data security incidents at the organizations.
  - 6. The system of claim 1, wherein the server system provides threat intelligence data to the organizations based on the correlated incident records by sending the threat intelligence data to the incident managers upon request by the incident managers.
  - 7. The system of claim 1, wherein the incident information received from the incident managers of the organizations is pushed from the incident managers of the organizations.
  - 8. The system of claim 1, wherein the server system receives sharing and usage information sent from the incident managers of the organizations that specifies rules for sharing the incident information with other organizations.
  - 9. The system of claim 8, wherein the correlated incident records include metadata that includes the sharing and usage information sent from the incident managers of the organizations.
  - 10. The system of claim 1, wherein the server system includes predetermined rules and the analysis engine compares the threat intelligence data to the predetermined rules, and wherein in response to events within the threat intelligence data matching the predetermined rules, the analysis engine sends the threat intelligence data associated with the matching events to the incident managers of the organizations.

11. A data security dissemination method, the method comprising:
- receiving incident information from a set of incident managers at least two of which are operated by different organizations; and
  
  creating aggregated data from the incident information received from the incident managers, analyzing the aggregated data using an analysis engine to create correlated incident records that include incident information from data security incidents at the different organizations that have been determined by the analysis engine to be related, at least one correlated incident record being uniquely associated with a correlation found by the analysis engine and including a nature and relative strength of the correlation, and providing threat intelligence data based on the correlated incident records to the organizations; and
  
  responsive to detecting that a given number of correlations of a same type within the correlated incident records has occurred and relate to given incident information, notifying the different organizations that have been affected by the given incident to facilitate a mitigation effort.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, further comprising determining trends among the incident information within the aggregated data, and including the trends as trends data within the threat intelligence data sent to the organizations.
  - 13. The method of claim 11, further comprising anonymizing contents of the threat intelligence data to remove information that identifies the organizations.
  - 14. The method of claim 11, wherein the incident information is generated from data security incidents at the organizations.
  - 15. The method of claim 11, further comprising maintaining incident response data that includes recommendations and remediation techniques created by the organizations in response to the data security incidents at the organizations.
  - 16. The method of claim 11, wherein providing threat intelligence data based on the correlated incident records to the organizations comprises sending the threat intelligence data to the incident managers upon request by the incident managers.
  - 17. The method of claim 11, further comprising receiving sharing and usage information sent from the incident managers of the organizations that specifies rules for sharing the incident information with other organizations.
  - 18. The method of claim 17, further comprising including the sharing and usage information sent within metadata of the correlated incident records.
  - 19. The method of claim 11, wherein in response to events within the threat intelligence data matching predetermined rules, sending the threat intelligence data associated with the matching events to the incident managers of the organizations for providing threat intelligence data based on the correlated incident records to the organizations.
  - 20. The method of claim 19, further comprising sending the threat intelligence data associated with the matching events to the incident managers of the organizations in accordance with sharing and usage information associated with the threat intelligence data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Green Market Square Limited
Original Assignee
International Business Machines Corporation
Inventors
Rogers, Kenneth Allen, Hadden, Allen
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Wyszynski, Aubrey H

Application Number

US14/981,266
Publication Number

US 20170187742A1
Time in Patent Office

1,289 Days
Field of Search

726 1
US Class Current
CPC Class Codes

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Data security incident correlation and dissemination system and method

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Data security incident correlation and dissemination system and method

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links