Threat response systems and methods

US 10,552,615 B2
Filed: 02/18/2016
Issued: 02/04/2020
Est. Priority Date: 02/18/2016
Status: Active Grant

First Claim

Patent Images

1. A method for incident response, comprising:

receiving, by a security operations system, an alarm in response to a threat detected on a monitored system, wherein the alarm includes characteristics of the threat;

generating, by the security operations system, a record in response to the alarm, wherein the record includes a severity level assigned to the record, wherein the severity level is automatically generated based on a threat level identified in the alarm;

populating, by the security operations system, a form with the characteristics of the threat, wherein the form is associated with the record and selected in response to a type of the threat;

generating, by the security operations system, a workflow, wherein the workflow is customizable, by at least one of adding, removing, or modifying a rule for an action, prior to the security operations system receiving the alarm, wherein the workflow is configured to be automatically executed to address the alarm, and wherein the workflow comprises a first action;

automatically executing, by the security operations system, the first action of the workflow;

receiving, by the security operations system, security contextual data in response to a request including the characteristics of the threat;

updating, by the security operations system, the form to include the security contextual data;

enriching, by the security operations system, the workflow to generate a second action; and

automatically executing, by the security operations system, the second action of the workflow.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security operations system may receive an alarm in response to a detected threat. The alarm may include characteristics of the threat. The system may then generate a record in response to the alarm and populate a form with the characteristics of the threat. The form may be associated with the record and selected in response to a type of the threat. The system may further generate a workflow including at least one but potentially multiple actions. The system also receives security contextual information in response to a request including the characteristics of the threat or associated indicators of the threat and then updates the form to include the security contextual information. The security operations system can evaluate contextual information and request additional information, as well as leverage workflow to take iterative changes to rulesets and configurations, to provide additional security protection or gamer additional information on a threat.

Citations

20 Claims

1. A method for incident response, comprising:
- receiving, by a security operations system, an alarm in response to a threat detected on a monitored system, wherein the alarm includes characteristics of the threat;
  
  generating, by the security operations system, a record in response to the alarm, wherein the record includes a severity level assigned to the record, wherein the severity level is automatically generated based on a threat level identified in the alarm;
  
  populating, by the security operations system, a form with the characteristics of the threat, wherein the form is associated with the record and selected in response to a type of the threat;
  
  generating, by the security operations system, a workflow, wherein the workflow is customizable, by at least one of adding, removing, or modifying a rule for an action, prior to the security operations system receiving the alarm, wherein the workflow is configured to be automatically executed to address the alarm, and wherein the workflow comprises a first action;
  
  automatically executing, by the security operations system, the first action of the workflow;
  
  receiving, by the security operations system, security contextual data in response to a request including the characteristics of the threat;
  
  updating, by the security operations system, the form to include the security contextual data;
  
  enriching, by the security operations system, the workflow to generate a second action; and
  
  automatically executing, by the security operations system, the second action of the workflow.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising generating, by the security operations system, the form using a drag-and-drop interface to create fields, wherein the form is customizable.
  - 3. The method of claim 1, wherein the characteristics of the threat include at least one of an origination IP address, a target IP address, a severity score, a suggested action, the type of the threat, threat information, or vulnerability information.
  - 4. The method of claim 1, further comprising closing, by the security operations system, the record automatically in response to completing the second action of the workflow, wherein the record is customizable.
  - 5. The method of claim 1, wherein the first action comprises at least one of sending a notification, requesting a threat intelligence, submitting the threat intelligence, modifying the form, or modifying system configurations.
  - 6. The method of claim 1, further comprising updating, by the security operations system, a configuration in response to the receiving the security contextual data, wherein the configuration alters a behavior of the monitored system.
  - 7. The method of claim 6, wherein the updating the configuration comprises altering at least one of an execution of scripts, an application programming interface (API) interaction, a database interaction, or a command-line executable or command in the monitored system.
  - 8. The method of claim 1, wherein the automatically executing the first action comprises at least one of automatically sending an email notification, sending an SMS notification, closing the record, setting a field to read/write, setting the field to optional/required, filtering values, showing the field or a section, hiding the field or the section, or connecting to a third-party system to gather data based on the alarm.
  - 9. The method of claim 8, wherein the automatically executing the second action comprises at least one of automatically sending the email notification, sending the SMS notification, closing the record, setting the field to read/write, setting the field to optional/required, filtering values, showing the field or the section, hiding the field or the section, or connecting to the third-party system to gather data based on the alarm.
  - 10. The method of claim 1, wherein the security contextual data comprises at least one of an attack type, an IP address, a domain, an email address, a related attack, or a related characteristic.
  - 11. The method of claim 1, wherein the security contextual data is received from a third party threat intelligence provider based on the characteristics of the threat.

12. A computer-based system, comprising:
- a processor;
  
  a tangible, non-transitory memory configured to communicate with the processor, the tangible, non-transitory memory having instructions stored thereon that, in response to execution by the processor, cause a security operations system to perform operations comprising;
  
  receiving, by the security operations system, an alarm in response to a threat detected on a monitored system, wherein the alarm includes characteristics of the threat;
  
  generating, by the security operations system, a record in response to the alarm, wherein the record includes a severity level assigned to the record, wherein the severity level is automatically generated based on a threat level identified in the alarm;
  
  populating, by the security operations system, a form with the characteristics of the threat, wherein the form is associated with the record and selected in response to a type of the threat;
  
  generating, by the security operations system, a workflow, wherein the workflow is customizable, by at least one of adding, removing, or modifying a rule for an action, prior to the security operations system receiving the alarm, wherein the workflow is configured to be automatically executed to address the alarm, and wherein the workflow comprises a first action;
  
  automatically executing, by the security operations system, the first action of the workflow;
  
  receiving, by the security operations system, a security contextual information in response to a request including the characteristics of the threat;
  
  updating, by the security operations system, the form to include the security contextual information;
  
  enriching, by the security operations system, the workflow to generate a second action; and
  
  automatically executing, by the security operations system, the second action of the workflow.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computer-based system of claim 12, further comprising generating, by the security operations system, the form using a drag-and-drop interface to create at least one of fields, naming conventions, or layouts, wherein the form is customizable.
  - 14. The computer-based system of claim 12, wherein the characteristics of the threat include at least one of an origination IP address, a target IP address, a severity score, a suggested action, the type of the threat, threat information, or vulnerability information.
  - 15. The computer-based system of claim 12, further comprising closing, by the security operations system, the record automatically in response to completing the second action of the workflow, wherein the record is customizable.
  - 16. The computer-based system of claim 12, wherein the first action comprises at least one of sending a notification, requesting a second threat intelligence, submitting the second threat intelligence, or modifying the form.
  - 17. The computer-based system of claim 12, further comprising updating, by the security operations system, a configuration in response to receiving the security contextual information, wherein the configuration alters a behavior of the monitored system.

18. An article of manufacture including a non-transitory, tangible computer readable storage medium having instructions stored thereon that, in response to execution by a security operations system, cause the security operations system to perform operations comprising:
- receiving, by the security operations system, an alarm in response to a threat detected on a monitored system, wherein the alarm includes characteristics of the threat;
  
  generating, by the security operations system, a record in response to the alarm, wherein the record includes a severity level assigned to the record, wherein the severity level is automatically generated based on a threat level identified in the alarm;
  
  populating, by the security operations system, a form with the characteristics of the threat, wherein the form is associated with the record and selected in response to a type of the threat;
  
  generating, by the security operations system, a workflow, wherein the workflow is customizable, by at least one of adding, removing, or modifying a rule for an action, prior to the security operations system receiving the alarm, wherein the workflow is configured to be automatically executed to address the alarm, and wherein the workflow comprises a first action;
  
  automatically executing, by the security operations system, the first action of the workflow;
  
  receiving, by the security operations system, security contextual data in response to a request including the characteristics of the threat;
  
  updating, by the security operations system, the form to include the security contextual data, enriching, by the security operations system, the workflow to generate a second action; and
  
  automatically executing, by the security operations system, the second action of the workflow.
- View Dependent Claims (19, 20)
- - 19. The article of claim 18, further comprising generating, by the security operations system, the form using input from a drag-and-drop interface to create fields, wherein the form is customizable.
  - 20. The article of claim 18, wherein the characteristics of the threat include at least one of an origination IP address, a target IP address, a severity score, a suggested action, the type of the threat, threat information, or vulnerability information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Swimlane, Inc.
Original Assignee
Swimlane, LLC
Inventors
Cornell, Cody, Kafenbaum, Brian, Wheeler, Brant, McDaniel, Austin
Primary Examiner(s)
Paliwal, Yogesh

Application Number

US15/047,391
Publication Number

US 20170243008A1
Time in Patent Office

1,447 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06Q 10/0633   Workflow analysis

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

Threat response systems and methods

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Threat response systems and methods

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links