Techniques for sharing network security event information
First Claim
1. A tangible, non-transitory, machine-readable medium, comprising machine-readable instructions that when executed by at least one processor, cause the at least one processor to:
- receive a possible threat notification from a network of a first client;
- translate the possible threat notification from a particular format of a software product into a normalized data format, resulting in a normalized threat notification;
- store the normalized threat notification as a possible threat encountered by the first client that is a portion of stored normalized threat notifications of other clients;
- identify a set of permissions ascribed to the first client, the set of permissions pertaining to access rights to the stored normalized threat notifications of other clients, by receiving a permission indication, indicating that possible threats encountered by the other clients may be shared with the first client;
- after receiving the permission indication, for a subset of the stored normalized threat notifications for the other clients that the first client has permission to access, determine a second subset of data that correlates with the possible threat notification, by querying the subset of the stored normalized threat notifications to determine the second subset of data that correlates with the normalized threat notification; and
- upon finding a correlation between the normalized threat notification from the network of the first client and the subset of the stored normalized threat notifications by the other clients, provide an indication of a subset of the possible threats encountered by the other clients to the first client, the other clients, or a combination thereof, based upon the second subset of data, the indication comprising a subsequent notification, other remedial action, or both.
0 Assignments
0 Petitions
Abstract
This disclosure provides an architecture for sharing information between network security administrators. Events converted to a normalized data format (CCF) are stored in a manner that can be queried by a third party (e.g., an administrator of another, trusted network). Optionally made available as a service, stored event records can be sanitized for third party queries (e.g., by clients of a service maintaining such a repository). In one embodiment, each contributing network encrypts or signs its (sanitized) records using a symmetric key architecture, the key being unique to the contributing network. This key is used (e.g., by the repository) to index a set of permissions or conditions of the contributing network in servicing any query, e.g., by matching a stored hash of the event record or by decrypting the record. The information sharing service can optionally be provided by a hosted information security service or on a peer-to-peer basis.
51 Citations
16 Claims
1. A tangible, non-transitory, machine-readable medium (independent claim; its full text is given above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. A computer, comprising one or more processors, configured to:
- receive a possible threat notification from a network of a first client;
- translate the possible threat notification from a particular format of a software product into a normalized data format, resulting in a normalized threat notification;
- store the normalized threat notification as a possible threat encountered by the first client that is a portion of stored normalized threat notifications of other clients;
- identify a set of permissions ascribed to the first client, the set of permissions pertaining to access rights to the stored normalized threat notifications of other clients, by receiving a permission indication, indicating that possible threats encountered by the other clients may be shared with the first client;
- after receiving the permission indication, for a subset of the stored normalized threat notifications for the other clients that the first client has permission to access, determine a second subset of data that correlates with the possible threat notification, by querying the subset of the stored normalized threat notifications to determine the second subset of data that correlates with the normalized threat notification; and
- upon finding a correlation between the normalized threat notification from the network of the first client and the subset of the stored normalized threat notifications by the other clients, provide an indication of a subset of the possible threats encountered by the other clients to the first client, the other clients, or a combination thereof, based upon the second subset of data, the indication comprising a subsequent notification, other remedial action, or both.
Dependent claims: 14.
15. A computer-implemented method, comprising:
- receive a possible threat notification from a network of a first client;
- translate the possible threat notification from a particular format of a software product into a normalized data format, resulting in a normalized threat notification;
- store the normalized threat notification as a possible threat encountered by the first client that is a portion of stored normalized threat notifications of other clients;
- identify a set of permissions ascribed to the first client, the set of permissions pertaining to access rights to the stored normalized threat notifications of other clients, by receiving a permission indication, indicating that possible threats encountered by the other clients may be shared with the first client;
- after receiving the permission indication, for a subset of the stored normalized threat notifications for the other clients that the first client has permission to access, determine a second subset of data that correlates with the possible threat notification, by querying the subset of the stored normalized threat notifications to determine the second subset of data that correlates with the normalized threat notification; and
- upon finding a correlation between the normalized threat notification from the network of the first client and the subset of the stored normalized threat notifications by the other clients, provide an indication of a subset of the possible threats encountered by the other clients to the first client, the other clients, or a combination thereof, based upon the second subset of data, the indication comprising a subsequent notification, other remedial action, or both.
Dependent claims: 16.
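The following is an added illustration of the architecture described in the Abstract and the pipeline recited in claim 1 (translate, store, identify permissions, query for correlated records, provide an indication); it is not code from the patent or its assignee. Everything concrete in it is an assumption: the two product-specific event formats ("fw" and "ids"), the normalized field names standing in for the patent's CCF, the sanitization rule, and the sample IP addresses and client names are all constructed. The repository follows the Abstract's symmetric-key scheme: each contributing network has its own key, a sanitized record is stored with an HMAC tag under that key, and when a query is served the repository recovers the contributor by re-verifying the tag against each registered key and applies that contributor's sharing permissions.

```python
import hashlib
import hmac
import json


def translate(client, product, raw):
    """Translate a product-specific event into the normalized format.

    The "fw" and "ids" layouts are constructed for this example; the
    normalized field names are an assumption, not the patent's CCF."""
    if product == "fw":  # constructed firewall log layout
        return {"client": client, "timestamp": raw["ts"], "event_type": "blocked_connection",
                "source_ip": raw["src"], "destination_ip": raw["dst"], "indicator": raw["src"]}
    if product == "ids":  # constructed IDS alert layout
        return {"client": client, "timestamp": raw["time"], "event_type": raw["sig_name"],
                "source_ip": raw["attacker"], "destination_ip": raw["victim"],
                "indicator": raw["attacker"]}
    raise ValueError(f"unknown product format: {product}")


def sanitize(record):
    """Drop fields that identify the contributor and its internal assets before
    the record is made available to third-party queries (assumed rule)."""
    return {k: v for k, v in record.items() if k not in ("client", "destination_ip")}


def canonical(record):
    """Stable byte encoding so the HMAC tag is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class Repository:
    def __init__(self):
        self.keys = {}         # client -> symmetric key, one per contributing network
        self.permissions = {}  # client -> set of clients allowed to see its records ("*" = all)
        self.records = []      # list of (tag, sanitized record); no contributor name in the clear

    def register(self, client, key, share_with):
        self.keys[client] = key
        self.permissions[client] = set(share_with)

    def store(self, record):
        shared = sanitize(record)
        tag = hmac.new(self.keys[record["client"]], canonical(shared), hashlib.sha256).digest()
        self.records.append((tag, shared))

    def _contributor(self, tag, shared):
        """Identify the contributing network by matching the stored tag against
        each client's key; that client's permissions then govern the query."""
        data = canonical(shared)
        for client, key in self.keys.items():
            if hmac.compare_digest(tag, hmac.new(key, data, hashlib.sha256).digest()):
                return client
        return None  # tag verifies under no registered key: ignore the record

    def query(self, requester, notification):
        """Return (contributor, record) pairs from other clients that the requester
        is permitted to access and whose indicator matches the notification."""
        matches = []
        for tag, shared in self.records:
            contributor = self._contributor(tag, shared)
            if contributor is None or contributor == requester:
                continue
            allowed = self.permissions[contributor]
            if "*" not in allowed and requester not in allowed:
                continue  # permission indication absent for this requester
            if shared["indicator"] == notification["indicator"]:
                matches.append((contributor, shared))
        return matches


def handle_notification(repo, client, product, raw):
    """Claim-1 pipeline: translate, store, query permitted records, and return an
    indication (a subsequent notification) when a correlation is found."""
    normalized = translate(client, product, raw)
    repo.store(normalized)
    correlated = repo.query(client, normalized)
    if not correlated:
        return None
    return {"to": client, "indicator": normalized["indicator"],
            "seen_by": sorted({contributor for contributor, _ in correlated}),
            "action": "notify"}


def demo():
    """Constructed scenario: B shares with A only, C shares with nobody, A shares with all."""
    repo = Repository()
    repo.register("clientA", b"key-A", share_with={"*"})
    repo.register("clientB", b"key-B", share_with={"clientA"})
    repo.register("clientC", b"key-C", share_with=set())
    handle_notification(repo, "clientB", "ids",
                        {"time": 1, "sig_name": "scan", "attacker": "203.0.113.7", "victim": "10.0.0.5"})
    handle_notification(repo, "clientC", "fw", {"ts": 2, "src": "203.0.113.7", "dst": "10.9.9.9"})
    return handle_notification(repo, "clientA", "fw", {"ts": 3, "src": "203.0.113.7", "dst": "10.1.1.1"})


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario client A is told that client B (but not client C, which shares with nobody) encountered the same indicator, while the stored copies carry neither the contributor's name nor the internal destination address. Verifying the tag against every key is linear in the number of contributors; a production repository would index records by a key identifier instead, which the Abstract also allows ("by matching a stored hash of the event record").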
Specification