Systems and methods for implementing intrusion prevention
First Claim
1. A computer system comprising:
- one or more processing units;
- memory storing one or more programs for execution by the one or more processors, the one or more programs comprising:
  - instructions for receiving data collected at one or more remote computing assets;
  - instructions for obtaining a plurality of workflow templates, wherein each respective workflow template in the plurality of workflow templates corresponds to a different threat vector in a plurality of threat vectors and wherein each respective workflow template in the plurality of workflow templates comprises: (i) a trigger definition, (ii) an authorization token, and (iii) an enumerated countermeasure responsive to the corresponding threat vector; and
  - instructions for identifying an active threat by comparing the data collected at the one or more remote computing assets against the trigger definition of respective workflow templates in the plurality of workflow templates, wherein, when a match between the data collected at the one or more remote computing assets and a specific trigger definition of a corresponding specific workflow template is identified, an active threat is deemed to be identified, and the instructions for identifying further comprise:
    - (A) enacting the authorization token of the corresponding workflow template, wherein the enacting comprises:
      - (a) obtaining authorization from a first authorization contact associated with the corresponding workflow template, the obtaining (a) comprising (i) pushing an alert regarding the corresponding workflow template through a first established trust channel to a first remote device associated with the first authorization contact without user intervention by the first authorization contact, wherein the first remote device is other than the one or more remote computing assets, and (ii) receiving a first indication to proceed from the first authorization contact, and
      - (b) obtaining authorization from a second authorization contact associated with the corresponding workflow template, by a method comprising (i) pushing the alert regarding the corresponding workflow template through a second established trust channel to a second remote device associated with the second authorization contact without user intervention by the second authorization contact, wherein the second remote device is other than the one or more remote computing assets and wherein the second remote device is other than the first remote device, and (ii) receiving a second indication to proceed from the second authorization contact,
      - (c) pushing the alert to a plurality of authorization contacts, wherein the plurality of authorization contacts consists of three or more authorization contacts and includes the first and the second authorization contacts,
    - (B) responsive to satisfactory completion of the authorization protocol, wherein satisfaction of the authorization protocol requires receiving an indication to proceed from more than a predetermined number of authorization contacts in the plurality of authorization contacts, including the first and the second indication to proceed, wherein the predetermined number of authorization contacts is less than the number of authorization contacts in the plurality of authorization contacts, executing the enumerated countermeasure of the corresponding workflow template, and
    - (C) originating or maintaining the established first trust channel by:
      - receiving a request from a security control module running within an operating system on the first remote device, wherein the request includes a policy identifier that identifies a security policy,
      - generating a unique agent identity token, which includes a cryptographic key,
      - transmitting the unique agent identity token to the security control module,
      - selecting a set of commands according to the identified security policy, based on (i) a current state of the operating system, (ii) a current state of the security control module, and, optionally, (iii) a current state of one or more applications running in the operating system on the first remote device,
      - placing the set of commands in a command queue for retrieval and execution by the first remote device,
      - receiving data from the first remote device responsive to execution of the set of commands on the first remote device, and
      - using the data to originate or maintain the first established trust channel with the first remote device.
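The trust-channel sequence of claim element (C), simulated in one process as an added example (this is not code from the patent or its assignee). `TrustChannelServer`, `SecurityControlModule`, the `POLICIES` table, the command names and their results are all assumptions made for this illustration. The agent identity token carries a random key, and every report the device sends back is bound to that token with HMAC-SHA256, so the server can confirm which channel the data belongs to before using it to originate or maintain the channel; a report whose tag does not verify marks the channel broken rather than being used.

```python
# Added example, not the patent's own code. All names below are assumptions.
import hashlib
import hmac
import json
import secrets
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

# Assumed policy table: policy identifier -> command set keyed by
# (operating-system state, security-control-module state, application state).
POLICIES: Dict[str, Dict[Tuple[str, str, str], List[str]]] = {
    "baseline-linux": {
        ("linux", "fresh", "none"): ["inventory_packages", "report_listening_ports"],
        ("linux", "enrolled", "none"): ["report_listening_ports"],
        ("linux", "enrolled", "web"): ["report_listening_ports", "check_web_config"],
    }
}


def canonical(token_id: str, command: str, payload: dict) -> bytes:
    """Deterministic encoding of what the MAC covers (constructed convention)."""
    return json.dumps([token_id, command, payload], sort_keys=True,
                      separators=(",", ":")).encode()


class TrustChannelServer:
    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}          # token id -> cryptographic key
        self.queues: Dict[str, Deque[str]] = {}   # token id -> command queue
        self.trust: Dict[str, str] = {}           # token id -> channel state

    def enroll(self, policy_id: str, os_state: str, module_state: str,
               app_state: str) -> Tuple[str, bytes]:
        """Handle the enrollment request: select the command set for this policy
        and device state, mint the agent identity token, queue the commands."""
        commands = POLICIES[policy_id][(os_state, module_state, app_state)]
        token_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self.keys[token_id] = key
        self.queues[token_id] = deque(commands)
        return token_id, key

    def next_command(self, token_id: str) -> Optional[str]:
        queue = self.queues[token_id]
        return queue.popleft() if queue else None

    def receive(self, token_id: str, command: str, payload: dict, tag: str) -> bool:
        """Use a device report only if its MAC verifies under the token's key."""
        key = self.keys.get(token_id)
        if key is None:
            return False
        expected = hmac.new(key, canonical(token_id, command, payload),
                            hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(expected, tag)
        if not ok:
            self.trust[token_id] = "broken"
        elif self.trust.get(token_id) == "broken":
            pass  # a broken channel is not silently repaired; re-enrollment is needed
        elif token_id in self.trust:
            self.trust[token_id] = "maintained"
        else:
            self.trust[token_id] = "originated"
        return ok


class SecurityControlModule:
    """The agent on the remote device: enrolls, drains the queue, reports back."""
    RESULTS = {  # constructed stand-ins for real command output
        "inventory_packages": {"packages": 412},
        "report_listening_ports": {"ports": [22, 443]},
        "check_web_config": {"tls_min": "1.2"},
    }

    def __init__(self, server: TrustChannelServer, policy_id: str,
                 os_state: str, module_state: str, app_state: str) -> None:
        self.server = server
        self.token_id, self.key = server.enroll(policy_id, os_state, module_state, app_state)

    def run_queue(self) -> List[str]:
        executed = []
        while (command := self.server.next_command(self.token_id)) is not None:
            payload = self.RESULTS[command]
            tag = hmac.new(self.key, canonical(self.token_id, command, payload),
                           hashlib.sha256).hexdigest()
            self.server.receive(self.token_id, command, payload, tag)
            executed.append(command)
        return executed


def demo() -> Tuple[List[str], str, bool, str]:
    server = TrustChannelServer()
    agent = SecurityControlModule(server, "baseline-linux", "linux", "fresh", "none")
    executed = agent.run_queue()
    state_after_reports = server.trust[agent.token_id]
    # A report whose tag was not computed with the token's key is rejected.
    accepted = server.receive(agent.token_id, "report_listening_ports", {"ports": [22]}, "00" * 32)
    return executed, state_after_reports, accepted, server.trust[agent.token_id]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` enrolls one device under the "fresh" state, so two commands are queued and both reports verify: the first originates the channel and the second maintains it. The final report carries a tag made without the key and is rejected, leaving the channel in the "broken" state until the device re-enrolls.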
Abstract
Systems and methods are provided for implementing an intrusion prevention system in which data collected at one or more remote computing assets is analyzed against a plurality of workflow templates. Each template corresponds to a different threat vector and comprises: (i) a trigger definition, (ii) an authorization token, and (iii) an enumerated countermeasure responsive to the corresponding threat vector. When a match between the data collected at the one or more remote computing assets and a trigger definition of a corresponding workflow template is identified, an active threat is deemed to be identified. When this occurs, the authorization token of the corresponding workflow template is enacted by obtaining authorization from at least two authorization contacts across established trust channels for the at least two authorization contacts. Responsive to obtaining this authorization, the enumerated countermeasure of the corresponding workflow template is executed.
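The template-matching and authorization flow described in the abstract, written out as an added example (not code from the patent or its assignee). `WorkflowTemplate`, `AuthorizationToken`, the sample telemetry events and the in-process "trust channels" are assumptions made for this illustration. The authorization token encodes the claim's constraints directly: a pool of three or more contacts, two designated contacts whose approval is mandatory, and strictly more than a predetermined number of approvals overall, with that number smaller than the pool size. A countermeasure runs only after that protocol is satisfied; a declined or unanswered alert leaves the countermeasure unexecuted and the outcome recorded.

```python
# Added example, not the patent's own code. All names below are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]
TrustChannel = Callable[[str], Optional[bool]]  # push alert; True/False/None (no answer)


@dataclass
class AuthorizationToken:
    contacts: List[str]          # plurality of authorization contacts (three or more)
    required: Tuple[str, str]    # first and second contacts; both must indicate proceed
    threshold: int               # predetermined number; need MORE than this many approvals

    def __post_init__(self) -> None:
        if len(self.contacts) < 3:
            raise ValueError("need three or more authorization contacts")
        if not set(self.required) <= set(self.contacts):
            raise ValueError("required contacts must belong to the contact pool")
        if not 0 <= self.threshold < len(self.contacts):
            raise ValueError("threshold must be less than the number of contacts")


@dataclass
class WorkflowTemplate:
    threat_vector: str
    trigger: Callable[[Event], bool]         # (i) trigger definition
    token: AuthorizationToken                # (ii) authorization token
    countermeasure: Callable[[Event], str]   # (iii) enumerated countermeasure


def enact_authorization(token: AuthorizationToken, alert: str,
                        channels: Dict[str, TrustChannel]) -> Tuple[bool, Dict[str, Optional[bool]]]:
    """Push the alert to every contact over its trust channel and apply the quorum rule."""
    responses: Dict[str, Optional[bool]] = {}
    for contact in token.contacts:
        push = channels.get(contact)
        responses[contact] = push(alert) if push is not None else None
    approvers = {c for c, r in responses.items() if r is True}
    satisfied = set(token.required) <= approvers and len(approvers) > token.threshold
    return satisfied, responses


def identify_and_respond(events: List[Event], templates: List[WorkflowTemplate],
                         channels: Dict[str, TrustChannel]) -> List[Dict[str, object]]:
    """Compare collected data against each trigger; execute the countermeasure
    only when the authorization protocol for the matched template is satisfied."""
    outcomes: List[Dict[str, object]] = []
    for event in events:
        for tpl in templates:
            if not tpl.trigger(event):
                continue
            alert = f"{tpl.threat_vector}: {event}"
            ok, responses = enact_authorization(tpl.token, alert, channels)
            outcomes.append({
                "threat_vector": tpl.threat_vector,
                "asset": event["asset"],
                "authorized": ok,
                "responses": responses,
                "countermeasure": tpl.countermeasure(event) if ok else None,
            })
    return outcomes


# --- constructed sample data ------------------------------------------------
TEMPLATES = [
    WorkflowTemplate(
        "credential brute force",
        trigger=lambda e: e["type"] == "auth_failure" and int(e["count"]) >= 20,
        token=AuthorizationToken(["soc-lead", "it-oncall", "ciso"], ("soc-lead", "it-oncall"), threshold=1),
        countermeasure=lambda e: f"lock account {e['user']} on {e['asset']}",
    ),
    WorkflowTemplate(
        "unexpected outbound tunnel",
        trigger=lambda e: e["type"] == "netflow" and e["dst_port"] == 4444,
        token=AuthorizationToken(["soc-lead", "net-oncall", "ciso", "legal"], ("soc-lead", "net-oncall"), threshold=2),
        countermeasure=lambda e: f"isolate {e['asset']} at the switch",
    ),
]

EVENTS: List[Event] = [
    {"asset": "web-01", "type": "auth_failure", "user": "svc-backup", "count": 37},
    {"asset": "web-01", "type": "netflow", "dst_port": 443},   # benign: matches no trigger
    {"asset": "db-02", "type": "netflow", "dst_port": 4444},
]

# Simulated trust channels: each contact's enrolled device answers the pushed alert.
CHANNELS: Dict[str, TrustChannel] = {
    "soc-lead": lambda alert: True,
    "it-oncall": lambda alert: True,
    "net-oncall": lambda alert: False,   # declines the isolation
    "ciso": lambda alert: True,
    # "legal" has no enrolled device, so no indication is ever received
}


def run_demo() -> List[Dict[str, object]]:
    return identify_and_respond(EVENTS, TEMPLATES, CHANNELS)


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

With this data the brute-force template is authorized (both required contacts plus the CISO, three approvals against a threshold of one) and its countermeasure string is produced; the tunnel template is not, because a required contact declined and only two of four contacts approved, so the isolation is never executed and the recorded responses show why.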
30 Claims
29. A non-transitory computer readable storage medium storing one or more programs configured for execution by a computing device having one or more processors and memory, the one or more programs comprising:
- instructions for receiving data collected at one or more remote computing assets;
- instructions for obtaining a plurality of workflow templates, wherein each respective workflow template in the plurality of workflow templates corresponds to a different threat vector in a plurality of threat vectors and wherein each respective workflow template in the plurality of workflow templates comprises: (i) a trigger definition, (ii) an authorization token, and (iii) an enumerated countermeasure responsive to the corresponding threat vector; and
- instructions for identifying an active threat by comparing the data collected at the one or more remote computing assets against the trigger definition of respective workflow templates in the plurality of workflow templates, wherein, when a match between the data collected at the one or more remote computing assets and a trigger definition of a corresponding workflow template is identified, an active threat is deemed to be identified, and the instructions for identifying further comprise:
  - (A) enacting the authorization token of the corresponding workflow template, wherein the enacting comprises:
    - (a) obtaining authorization from a first authorization contact associated with the corresponding workflow template, the obtaining (a) comprising (i) pushing an alert regarding the corresponding workflow template through a first established trust channel to a first remote device associated with the first authorization contact without user intervention by the first authorization contact, wherein the first remote device is other than the one or more remote computing assets, and (ii) receiving a first indication to proceed from the first authorization contact, and
    - (b) obtaining authorization from a second authorization contact associated with the corresponding workflow template, by a method comprising (i) pushing the alert regarding the corresponding workflow template through a second established trust channel to a second remote device associated with the second authorization contact without user intervention by the second authorization contact, wherein the second remote device is other than the one or more remote computing assets and wherein the second remote device is other than the first remote device, and (ii) receiving a second indication to proceed from the second authorization contact,
    - (c) pushing the alert to a plurality of authorization contacts, wherein the plurality of authorization contacts consists of three or more authorization contacts and includes the first and second authorization contacts,
  - (B) responsive to satisfactory completion of the authorization protocol, wherein satisfaction of the authorization protocol requires receiving an indication to proceed from more than a predetermined number of authorization contacts in the plurality of authorization contacts, including the first and second indication to proceed, wherein the predetermined number of authorization contacts is less than the number of authorization contacts in the plurality of authorization contacts, executing the enumerated countermeasure of the corresponding workflow template, and
  - (C) originating or maintaining the established first trust channel by:
    - receiving a request from a security control module running within an operating system on a first remote device, wherein the request includes a policy identifier that identifies a security policy,
    - generating a unique agent identity token, which includes a cryptographic key,
    - transmitting the agent identity token to the security control module,
    - selecting a set of commands according to the identified security policy, based on (i) a current state of the operating system, (ii) a current state of the security control module, and, optionally, (iii) a current state of one or more applications running in the operating system on the first remote device,
    - placing the set of commands in a command queue for retrieval and execution by the first remote device,
    - receiving data from the first remote device responsive to execution of the set of commands on the first remote device, and
    - using the data to originate or maintain the first established trust channel with the first remote device.