Translating security actions to action procedures in an advisement system

US 10,425,441 B2
Filed: 08/21/2018
Issued: 09/24/2019
Est. Priority Date: 12/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method of operating a processing system of an advisement system to implement security actions for a computing environment comprising a plurality of computing assets, the method comprising:

providing security incident information to an administrator associated with the computing environment, wherein the security incident information comprises asset identifiers for assets related to a security incident and enrichment information for the security incident obtained from internal or external sources;

in response to providing the security incident information, identifying a user generated security action in a command language for the computing environment;

obtaining enrichment information from one or more internal or external sources;

translating the security action in the command language to one or more action procedures based on the enrichment information; and

initiating implementation of the one or more action procedures in the one or more computing assets.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and software described herein enhances how security actions are implemented within a computing environment. In one example, a method of implementing security actions for a computing environment comprising a plurality of computing assets includes identifying a security action in a command language for the computing environment. The method further provides identifying one or more computing assets related to the security action, and obtaining hardware and software characteristics for the one or more computing assets. The method also includes translating the security action in the command language to one or more action procedures based on the hardware and software characteristics, and initiating implementation of the one or more action procedures in the one or more computing assets.

Citations

30 Claims

1. A method of operating a processing system of an advisement system to implement security actions for a computing environment comprising a plurality of computing assets, the method comprising:
- providing security incident information to an administrator associated with the computing environment, wherein the security incident information comprises asset identifiers for assets related to a security incident and enrichment information for the security incident obtained from internal or external sources;
  
  in response to providing the security incident information, identifying a user generated security action in a command language for the computing environment;
  
  obtaining enrichment information from one or more internal or external sources;
  
  translating the security action in the command language to one or more action procedures based on the enrichment information; and
  
  initiating implementation of the one or more action procedures in the one or more computing assets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the plurality of computing assets comprise host computing systems, end user computing systems, routers, switches, or virtual processing systems.
  - 3. The method of claim 1, wherein identifying the user generated security action in the command language comprises receiving input identifying the security action from an administration console.
  - 4. The method of claim 1, wherein the security action comprises blocking at least one interne protocol (IP) address, ending a process on the one or more computing assets, or adding the one or more computing assets into a virtual local area network (VLAN).
  - 5. The method of claim 1, wherein the command language comprises a visual programming language.
  - 6. The method of claim 1, wherein the security incident is identified based on information generated by a security detection system that monitors the plurality of computing assets.
  - 7. The method of claim 1, wherein the security incident information further comprises one or more of:
    - information about a computing asset affected by the security incident, an IP address related to a source of the security incident, a process related to the security incident, and a severity level of the security incident.
  - 8. The method of claim 1, wherein the enrichment information is obtained from a plurality of internal or external sources, and wherein the security action is translated into at least one first action procedure based on a first internal or external source and into at least one second action procedure based on a second internal or external source.
  - 9. The method of claim 1, wherein the security incident information further comprises at least one suggested security action.
  - 10. The method of claim 1, wherein initiating implementation of the one or more action procedures comprises initiating implementation of the one or more action procedures in a relative order.

11. A non-transitory computer-readable storage medium storing instructions which, when executed by one or more processors, cause performance of operations comprising:
- providing security incident information to an administrator associated with a computing environment, wherein the security incident information comprises asset identifiers for assets related to a security incident and enrichment information for the security incident obtained from internal or external sources;
  
  in response to providing the security incident information, identifying a user generated security action in a command language for the computing environment;
  
  obtaining enrichment information from one or more internal or external sources;
  
  translating the security action in the command language to one or more action procedures based on the enrichment information; and
  
  initiating implementation of the one or more action procedures in one or more computing assets.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The non-transitory computer-readable storage medium of claim 11, wherein the plurality of computing assets comprise host computing systems, end user computing systems, routers, switches, or virtual processing systems.
  - 13. The non-transitory computer-readable storage medium of claim 11, wherein identifying the user generated security action in the command language comprises receiving input identifying the security action from an administration console.
  - 14. The non-transitory computer-readable storage medium of claim 11, wherein the security action comprises blocking at least one internet protocol (IP) address, ending a process on the one or more computing assets, or adding the one or more computing assets into a virtual local area network (VLAN).
  - 15. The non-transitory computer-readable storage medium of claim 11, wherein the command language comprises a visual programming language.
  - 16. The non-transitory computer-readable storage medium of claim 11, wherein the security incident is identified based on information generated by a security detection system that monitors the plurality of computing assets.
  - 17. The non-transitory computer-readable storage medium of claim 11, wherein the security incident information further comprises one or more of:
    - information about a computing asset affected by the security incident, an IP address related to a source of the security incident, a process related to the security incident, and a severity level of the security incident.
  - 18. The non-transitory computer-readable storage medium of claim 11, wherein the enrichment information is obtained from a plurality of internal or external sources, and wherein the security action is translated into at least one first action procedure based on a first internal or external source and into at least one second action procedure based on a second internal or external source.
  - 19. The non-transitory computer-readable storage medium of claim 11, wherein the security incident information further comprises at least one suggested security action.
  - 20. The non-transitory computer-readable storage medium of claim 11, wherein initiating implementation of the one or more action procedures comprises initiating implementation of the one or more action procedures in a relative order.

21. An apparatus, comprising:
- one or more processors;
  
  a non-transitory computer-readable storage medium storing instructions which, when executed by the one or more processors, causes the apparatus to;
  
  provide security incident information to an administrator associated with a computing environment, wherein the security incident information comprises asset identifiers for assets related to a security incident and enrichment information for the security incident obtained from internal or external sources;
  
  in response to providing the security incident information, identify a user generated security action in a command language for the computing environment;
  
  obtain enrichment information from one or more internal or external sources;
  
  translate the security action in the command language to one or more action procedures based on the enrichment information; and
  
  initiate implementation of the one or more action procedures in one or more computing assets.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The apparatus of claim 21, wherein the plurality of computing assets comprise host computing systems, end user computing systems, routers, switches, or virtual processing systems.
  - 23. The apparatus of claim 21, wherein identifying the user generated security action in the command language comprises receiving input identifying the security action from an administration console.
  - 24. The apparatus of claim 21, wherein the security action comprises blocking at least one interne protocol (IP) address, ending a process on the one or more computing assets, or adding the one or more computing assets into a virtual local area network (VLAN).
  - 25. The apparatus of claim 21, wherein the command language comprises a visual programming language.
  - 26. The apparatus of claim 21, wherein the security incident is identified based on information generated by a security detection system that monitors the plurality of computing assets.
  - 27. The apparatus of claim 21, wherein the security incident information further comprises one or more of:
    - information about a computing asset affected by the security incident, an IP address related to a source of the security incident, a process related to the security incident, and a severity level of the security incident.
  - 28. The apparatus of claim 21, wherein the enrichment information is obtained from a plurality of internal or external sources, and wherein the security action is translated into at least one first action procedure based on a first internal or external source and into at least one second action procedure based on a second internal or external source.
  - 29. The apparatus of claim 21, wherein the security incident information further comprises at least one suggested security action.
  - 30. The apparatus of claim 21, wherein initiating implementation of the one or more action procedures comprises initiating implementation of the one or more action procedures in a relative order.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
Satish, Sourabh, Friedrichs, Oliver, Mahadik, Atif, Salinas, Govind
Primary Examiner(s)
Song, Hosuk

Application Number

US16/107,975
Publication Number

US 20190014144A1
Time in Patent Office

399 Days
Field of Search

726 1, 726 11- 15, 726 22- 23, 726 26, 713153-154, 709223-225, 709229
US Class Current
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 21/554   involving event detection a...

H04L 47/2425   for supporting services spe...

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Translating security actions to action procedures in an advisement system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Translating security actions to action procedures in an advisement system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links