Security actions for computing assets based on enrichment information

US 10,476,905 B2
Filed: 03/19/2018
Issued: 11/12/2019
Est. Priority Date: 12/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

identifying an incident associated with an asset in a computing environment, the computing environment comprising a plurality of assets;

identifying properties associated with the incident;

obtaining, using the properties, enrichment information associated with the incident from one or more internal or external sources;

identifying a criticality rating associated with the asset, wherein the criticality rating is based on an operation provided by the asset for the computing environment;

determining one or more actions to respond to the incident based at least on the enrichment information and the criticality rating; and

initiating implementation of at least one action in the computing environment from the one or more actions.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and software described herein provide enhancements for implementing security actions in a computing environment. In one example, a method of operating an advisement system to provide actions in a computing environment includes identifying a security incident in the computing environment, identifying a criticality rating for the asset, and obtaining enrichment information for the security incident from one or more internal or external sources. The method also provides identifying a severity rating for the security incident based on the enrichment information, and determining one or more security actions based on the enrichment information. The method further includes identifying effects of the one or more security actions on operations of the computing environment based on the criticality rating and the severity rating, and identifying a subset of the one or more security actions to respond to the security incident based on the effects.

100 Citations

View as Search Results

30 Claims

1. A method comprising:
- identifying an incident associated with an asset in a computing environment, the computing environment comprising a plurality of assets;
  
  identifying properties associated with the incident;
  
  obtaining, using the properties, enrichment information associated with the incident from one or more internal or external sources;
  
  identifying a criticality rating associated with the asset, wherein the criticality rating is based on an operation provided by the asset for the computing environment;
  
  determining one or more actions to respond to the incident based at least on the enrichment information and the criticality rating; and
  
  initiating implementation of at least one action in the computing environment from the one or more actions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein identifying the criticality rating associated with the asset comprises identifying the criticality rating associated with the asset based on characteristics of the asset.
  - 3. The method of claim 1, wherein identifying the criticality rating associated with the asset comprises identifying the criticality rating associated with the asset based on characteristics of the asset, wherein the characteristics comprise indications of data accessible by the asset.
  - 4. The method of claim 1, wherein the one or more internal or external sources comprise one or more databases or websites.
  - 5. The method of claim 1, wherein identifying the incident in the computing environment comprises:
    - receiving a user indication of the incident;
      
      orreceiving an indication of the incident from a security information and event management (SIEM) system.
  - 6. The method of claim 1 further comprisingcausing display of the one or more actions;
    - andreceiving input indicative of a request to implement the at least one action in the computing environment.
  - 7. The method of claim 1 further comprising:
    - ranking the one or more actions based on the criticality rating;
      
      causing display of the ranked one or more actions; and
      
      receiving input indicative of a request to implement the at least one action in the computing environment.
  - 8. The method of claim 1 further comprising determining a severity rating for the incident based at least on the enrichment information obtained from the one or more internal or external sources, and wherein determining the one or more actions to respond to the incident is further based on the enrichment information, the criticality rating, and the severity rating.
  - 9. The method of claim 1, wherein the properties associated with the incident comprise one or more internet protocol addresses associated with the incident, a file name associated with the incident, a service name associated with the incident, or a uniform resource locator associated with the incident.
  - 10. The method of claim 1, wherein the asset comprises one of a router, a switch, or a computer.

11. An apparatus comprising:
- one or more non-transitory computer readable storage media;
  
  a processing system operatively coupled to the one or more non-transitory computer readable storage media; and
  
  processing instructions stored on the one or more non-transitory computer readable storage media that, when executed by the processing system, direct the processing system to;
  
  identify an incident associated with an asset in a computing environment, the computing environment comprising a plurality of assets;
  
  identify properties associated with the incident;
  
  obtain, using the properties, enrichment information associated with the incident from one or more internal or external sources;
  
  identify a criticality rating associated with the asset, wherein the criticality rating is based on an operation provided by the asset for the computing environment;
  
  determine one or more actions to respond to the incident based at least on the enrichment information and the criticality rating; and
  
  initiate implementation of at least one action in the computing environment from the one or more actions.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The apparatus of claim 11, wherein identifying the criticality rating associated with the asset comprises identifying the criticality rating associated with the asset based on characteristics of the asset.
  - 13. The apparatus of claim 11, wherein identifying the criticality rating associated with the asset comprises identifying the criticality rating associated with the asset based on characteristics of the asset, wherein the characteristics comprise indications of data accessible by the asset.
  - 14. The apparatus of claim 11, wherein the one or more internal or external sources comprise one or more databases or websites.
  - 15. The apparatus of claim 11, wherein identifying the incident in the computing environment comprises:
    - receiving a user indication of the incident;
      
      orreceiving an indication of the incident from a security information and event management (SIEM) system.
  - 16. The apparatus of claim 11, wherein the processing instructions further direct the processing system to:
    - cause display of the one or more actions; and
      
      receive input indicative of a request to implement the at least one action in the computing environment.
  - 17. The apparatus of claim 11, wherein the processing instructions further direct the processing system to:
    - rank the one or more actions based on the criticality rating;
      
      cause display of the ranked one or more actions; and
      
      receive input indicative of a request to implement the at least one action in the computing environment.
  - 18. The apparatus of claim 11, wherein the processing instructions further direct the processing system to determine a severity rating for the incident based at least on the enrichment information obtained from the one or more internal or external sources, and wherein determining the one or more actions to respond to the incident is further based on the enrichment information, the criticality rating, and the severity rating.
  - 19. The apparatus of claim 11, wherein the properties associated with the incident comprise one or more internet protocol addresses associated with the incident, a file name associated with the incident, a service name associated with the incident, or a uniform resource locator associated with the incident.
  - 20. The apparatus of claim 11, wherein the asset comprises one of a router, a switch, or a computer.

21. An apparatus comprising:
- one or more non-transitory computer readable storage media; and
  
  processing instructions stored on the one or more non-transitory computer readable storage media that, when executed by a processing system, direct the processing system to;
  
  identify an incident associated with an asset in a computing environment, the computing environment comprising a plurality of assets;
  
  identify properties associated with the incident;
  
  obtain, using the properties, enrichment information associated with the incident from one or more internal or external sources;
  
  identify a criticality rating associated with the asset, wherein the criticality rating is based on an operation provided by the asset for the computing environment;
  
  determine one or more actions to respond to the incident based at least on the enrichment information and the criticality rating; and
  
  cause display of the one or more actions;
  
  receive input indicative of a request to implement at least one action from the one or more actions; and
  
  initiate implementation of the at least one action in the computing environment.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The apparatus of claim 21, wherein identifying the criticality rating associated with the asset comprises identifying the criticality rating associated with the asset based on characteristics of the asset.
  - 23. The apparatus of claim 21, wherein identifying the criticality rating associated with the asset comprises identifying the criticality rating associated with the asset based on characteristics of the asset, wherein the characteristics comprise indications of data accessible by the asset.
  - 24. The apparatus of claim 21, wherein the one or more internal or external sources comprise one or more databases.
  - 25. The apparatus of claim 21, wherein identifying the incident in the computing environment comprises:
    - receiving a user indication of the incident;
      
      orreceiving an indication of the incident from a security information and event management (SIEM) system.
  - 26. The apparatus of claim 21, wherein the one or more internal or external sources comprise one or more websites.
  - 27. The apparatus of claim 21:
    - wherein the processing instructions further direct the processing system to rank the one or more actions based on the criticality rating; and
      
      wherein causing display of the one or more actions comprises causing display of the ranked one or more actions.
  - 28. The apparatus of claim 21, wherein the processing instructions further direct the processing system to determine a severity rating for the incident based at least on the enrichment information obtained from the one or more internal or external sources, and wherein determining the one or more actions to respond to the incident is further based on the enrichment information, the criticality rating, and the severity rating.
  - 29. The apparatus of claim 21, wherein the properties associated with the incident comprise one or more internet protocol addresses associated with the incident, a file name associated with the incident, a service name associated with the incident, or a uniform resource locator associated with the incident.
  - 30. The apparatus of claim 21, wherein the asset comprises one of a router, a switch, or a computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Satish, Sourabh, Friedrichs, Oliver, Mahadik, Atif, Salinas, Govind
Primary Examiner(s)
Powers, William S
Assistant Examiner(s)
Wyszynski, Aubrey H

Application Number

US15/924,759
Publication Number

US 20180316718A1
Time in Patent Office

603 Days
Field of Search

726 25
US Class Current
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 21/554   involving event detection a...

H04L 47/2425   for supporting services spe...

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Security actions for computing assets based on enrichment information

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

100 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Security actions for computing assets based on enrichment information

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links