Security appliance to monitor networked computing environment

US 10,432,669 B1
Filed: 11/28/2016
Issued: 10/01/2019
Est. Priority Date: 11/28/2016
Status: Active Grant

First Claim

Patent Images

1. A method for evaluating a software defined infrastructure, comprising:

retrieving configuration and operational information associated with the software defined infrastructure by a security appliance;

extracting selective information from the retrieved configuration and operational information by the security appliance;

storing extracted selective information in a plurality of data store;

evaluating selectively stored information for compliance to a policy, by the security appliance; and

generating a report based on the evaluation,wherein, configuration and operational information includes information related to asset configuration, audit event and network communication associated with the software defined infrastructure; and

wherein the generated report includes a message component, a network query component and an event query component, wherein the message component includes a textual description of a violation, wherein the network query component is configured to submit a query to the security appliance to retrieve associated network flow information related to the violation, and wherein the event query component is configured to submit a query to the security appliance to retrieve associated audit events related to the violation.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method to evaluate a software defined infrastructure is disclosed. A security appliance is used to evaluate the software defined infrastructure. The security appliance includes a data ingestion and query engine. The data ingestion and query engine is configured to retrieve configuration and operational information associated with the software defined infrastructure, extract selective information from the retrieved configuration and operational information, and store extracted selective information in a plurality of data store. A policy compliance engine is configured to evaluate selectively stored information for compliance to a policy and generate a report based on the evaluation.

63 Citations

View as Search Results

16 Claims

1. A method for evaluating a software defined infrastructure, comprising:
- retrieving configuration and operational information associated with the software defined infrastructure by a security appliance;
  
  extracting selective information from the retrieved configuration and operational information by the security appliance;
  
  storing extracted selective information in a plurality of data store;
  
  evaluating selectively stored information for compliance to a policy, by the security appliance; and
  
  generating a report based on the evaluation,wherein, configuration and operational information includes information related to asset configuration, audit event and network communication associated with the software defined infrastructure; and
  
  wherein the generated report includes a message component, a network query component and an event query component, wherein the message component includes a textual description of a violation, wherein the network query component is configured to submit a query to the security appliance to retrieve associated network flow information related to the violation, and wherein the event query component is configured to submit a query to the security appliance to retrieve associated audit events related to the violation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further including presenting network flow information based on the network flow query received by the security appliance.
  - 3. The method of claim 2, wherein the network flow information is presented as a nodes table and an edges table.
  - 4. The method of claim 2, wherein the network flow information is presented as a directed graph, with a node representing a host and an edge representing a directed flow of network data.
  - 5. The method of claim 1, further including generating an inferred relationship rules table indicative of a relationship between a plurality of events, based on evaluation of retrieved audit events indicative of initiation of a plurality of infrastructure related activity;
    - and generating a response to a query related to an asset based on the inferred relationship between the plurality of events.
  - 6. The method of claim 1, wherein an assigned permission to an asset is evaluated for its frequency of use and based on the evaluation, a dormant assigned permission to the asset is retired.
  - 7. The method of claim 1, further including:
    - generating a user baseline table based on evaluation of actions by a user over time;
      
      monitoring user activity for a deviation from the baseline; and
      
      generating a violation report based on the deviation from the baseline.
  - 8. The method of claim 7, further including:
    - providing a remediation configuration table, defining a remediation action based on a violation; and
      
      initiating remediation action based on the violation report.

9. A security appliance to evaluate a software defined infrastructure, comprising:
- a data ingestion and query engine configured toretrieve configuration and operational information associated with the software defined infrastructure;
  
  extract selective information from the retrieved configuration and operational information; and
  
  store extracted selective information in a plurality of data store; and
  
  a policy compliance engine configured toevaluate selectively stored information for compliance to a policy; and
  
  generate a report based on the evaluation,wherein, configuration and operational information includes information related to asset configuration, audit event and network communication associated with the software defined infrastructure; and
  
  wherein the generated report includes a message component, a network query component and an event query component, wherein the message component includes a textual description of a violation, wherein the network query component is configured to submit a query to the security appliance to retrieve associated network flow information related to the violation, andwherein the event query component is configured to submit a query to the security appliance to retrieve associated audit events related to the violation.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The security appliance of claim 9, further including a visualization engine configured to present network flow information based on the network flow query received by the security appliance.
  - 11. The security appliance of claim 10, wherein the network flow information is presented as a nodes table and an edges table.
  - 12. The security appliance of claim 10, wherein the network flow information is presented on a display device as a directed graph, with a node representing a host and an edge representing a directed flow of network data.
  - 13. The security appliance of claim 9, further including a machine learning engine configured to generate an inferred relationship rules table indicative of a relationship between a plurality of events, based on evaluation of retrieved audit events indicative of initiation of a plurality of infrastructure related activity;
    - andthe data ingestion and query engine configured to generate a response to a query related to an asset based on the inferred relationship between the plurality of events.
  - 14. The security appliance of claim 9, wherein an assigned permission to an asset is evaluated by the data ingestion and query engine for its frequency of use and based on the evaluation, a dormant assigned permission to the asset is retired.
  - 15. The security appliance of claim 9, further including:
    - a machine learning engine configured togenerate a user baseline table based on evaluation of actions by a user over time;
      
      monitor user activity for a deviation from the baseline; and
      
      generate a violation report based on the deviation from the baseline.
  - 16. The security appliance of claim 15, further including:
    - a remediation engine with a remediation configuration table, remediation configuration table defining a remediation action based on a violation; and
      
      the remediation engine configured to receive the violation report and initiate remediation action based on the violation report.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Badhwar, Varun, Kumar, Gaurav, Jensen, Wayne
Primary Examiner(s)
Zee, Edward

Application Number

US15/362,398
Time in Patent Office

1,037 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Security appliance to monitor networked computing environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Security appliance to monitor networked computing environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links