Incident response bus for data security incidents

US 10,425,447 B2
Filed: 08/28/2015
Issued: 09/24/2019
Est. Priority Date: 08/28/2015
Status: Active Grant

First Claim

Patent Images

1. A system for responding to data security incidents in an enterprise network having devices responsible for security on the enterprise network, the system comprising:

an incident manager that stores information concerning the data security incidents; and

an incident response bus that communicates with the incident manager and the devices, wherein the incident response bus accesses and processes messages from the incident manager concerning the data security incidents;

wherein the incident response bus is protocol-agnostic and device-independent and has associated therewith a set of components, wherein a component in the set of components is associated with a particular device and defines device-specific interfacing and protocol support for enabling communication with the particular device associated with the component via the incident response bus;

wherein processing messages from the incident manager includes obtaining a message, taking a first incident response action at a first component using the message, generating a modified version of the message, the modified version being in a format suited for processing by a second component, and taking a second incident response action associated with the first incident response action at the second component using the modified version of the message;

the incident manager and the incident response bus implemented as software executable in one or more hardware processors.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for responding to data security incidents in enterprise networks using an incident response bus (IR bus) within an incident management system is disclosed. An Incident Manager (IM) application of the system stores objects that include information concerning data security incidents that occur in enterprise networks managed by the incident management system. Users configure action conditions on the IM, the satisfaction of which cause the IM to send messages that include the information concerning the incidents to message queues, or destinations. Correspondingly, the IR bus includes plugins associated with the devices in each client'"'"'s enterprise network, where each plugin can access the message destinations for the messages. The plugins, in one embodiment, also configure one or more chains of plugins that process the messages. The plugins then execute the chains of plugins to specify actions for the devices to execute to provide a response to the incidents.

101 Citations

19 Claims

1. A system for responding to data security incidents in an enterprise network having devices responsible for security on the enterprise network, the system comprising:
- an incident manager that stores information concerning the data security incidents; and
  
  an incident response bus that communicates with the incident manager and the devices, wherein the incident response bus accesses and processes messages from the incident manager concerning the data security incidents;
  
  wherein the incident response bus is protocol-agnostic and device-independent and has associated therewith a set of components, wherein a component in the set of components is associated with a particular device and defines device-specific interfacing and protocol support for enabling communication with the particular device associated with the component via the incident response bus;
  
  wherein processing messages from the incident manager includes obtaining a message, taking a first incident response action at a first component using the message, generating a modified version of the message, the modified version being in a format suited for processing by a second component, and taking a second incident response action associated with the first incident response action at the second component using the modified version of the message;
  
  the incident manager and the incident response bus implemented as software executable in one or more hardware processors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system as claimed in claim 1, wherein each of the messages includes information associated with a specific data security incident.
  - 3. The system as claimed in claim 1, wherein the set of components associated with the incident response bus comprise plugin software components for the devices.
  - 4. The system as claimed in claim 3, wherein the plugin software components specify actions for the devices to execute.
  - 5. The system as claimed in claim 4, wherein the actions refer to information concerning data security incidents specified in the messages.
  - 6. The system as claimed in claim 3, wherein the plugin software components poll for the messages from the incident manager.
  - 7. The system as claimed in claim 3, wherein at least some of the plugin software components are configured to trigger actions on other devices via the plugin software components of those other devices.
  - 8. The system as claimed in claim 3, wherein at least first and second of the plugin software components are configured together in a chain to respond to a data security incident, wherein the first plugin software component executes first and generates the modified version of the message and configuration data for the second plugin software component, the second plugin component using the modified version of the message and configuration data generated by the first plugin software component.
  - 9. The system as claimed in claim 1, further comprising one or more information systems that include information useful in the diagnosis or remediation of the data security incidents.
  - 10. The system as claimed in claim 9, wherein the incident manager interacts with the one or more information systems via the incident response bus.

11. A method for responding to data security incidents in an enterprise network having devices responsible for security on the enterprise network, the method comprising:
- storing information concerning the data security incidents in an incident manager; and
  
  communicating with the incident manager and with the devices responsible for security on the enterprise network via an incident response bus, the incident response bus accessing and processing messages concerning the data security incidents from the incident manager for the devices;
  
  wherein the incident response bus is protocol-agnostic and device-independent and has associated therewith a set of components, wherein a component in the set of components is associated with a particular device and defines device-specific interfacing and protocol support for enabling communication with the particular device associated with the component via the incident response bus;
  
  wherein processing messages from the incident manager includes obtaining a message, taking a first incident response action at a first component using the message, generating a modified version of the message, the modified version being in a format suited for processing by a second component, and taking a second incident response action associated with the first incident response action at the second component using the modified version of the message.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method as claimed in claim 11, wherein each of the messages includes information associated with a specific data security incident.
  - 13. The method as claimed in claim 11, further comprising configuring the set of components associated with the incident response bus as plugin software components that access the messages for the devices.
  - 14. The method as claimed in claim 13, wherein the plugin software components specify actions to be taken by the devices.
  - 15. The method as claimed in claim 14, wherein the actions refer to information concerning data security incidents specified in the messages.
  - 16. The method as claimed in claim 13, further comprising using the plugin software components to trigger actions on other devices via the plugin software components of those other devices.
  - 17. The method as claimed in claim 13, further comprising chaining at least some of the plugin software components together to process the messages concerning the data security incidents.
  - 18. The method as claimed in claim 13, further comprising configuring at least first and second of the plugin software components together in a chain to respond to a data security incident, wherein the first plugin software component executes first and generates the modified version of the message and configuration data for the second plugin software component, the second plugin component using the modified version of the message and configuration data generated by the first plugin software component.
  - 19. The method as claimed in claim 11, further comprising the incident manager accessing, via the incident response bus, one or more information systems that include information useful in the diagnosis or remediation of the data security incidents.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Green Market Square Limited
Original Assignee
International Business Machines Corporation
Inventors
Rogers, Kenneth Allen, Hadden, Allen
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US14/839,304
Publication Number

US 20170063926A1
Time in Patent Office

1,488 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/60   Protecting data

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

Incident response bus for data security incidents

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

101 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Incident response bus for data security incidents

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links