Incident response management based on environmental characteristics

US 10,554,687 B1
Filed: 09/26/2018
Issued: 02/04/2020
Est. Priority Date: 12/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method implemented by a computing device in a computing environment, comprising:

determining, in response to notification of an incident in the computing environment, one or more action recommendations, wherein the notification is generated upon identification of an issue in the computing environment;

obtaining, from the computing environment, environmental characteristics related to the incident;

obtaining a default hierarchy of administrators responsible for responding to the incident;

modifying, based at least on the environmental characteristics, the default hierarchy of administrators to obtain a modified hierarchy of administrators;

outputting the one or more action recommendations for receipt by a device associated with an administrator in the modified hierarchy of administrators, wherein upon receipt of the one or more actions recommendations, the device displays the one or more actions recommendations;

receiving input associated with an action recommendation of the one or more action recommendations; and

executing an operation based on the input.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and software described herein provide for managing service level agreements (SLAs) for security incidents in a computing environment. In one example, an advisement system identifies a rule set for a security incident based on enrichment information obtained for the security incident, wherein the rule set is associated with action recommendations to be taken against the incident. The advisement system further identifies a default SLA for the security incident based on the rule set, and obtains environmental characteristics related to the security incident. Based on the environmental characteristics, the advisement system determines a modified SLA for the security incident.

83 Citations

View as Search Results

30 Claims

1. A method implemented by a computing device in a computing environment, comprising:
- determining, in response to notification of an incident in the computing environment, one or more action recommendations, wherein the notification is generated upon identification of an issue in the computing environment;
  
  obtaining, from the computing environment, environmental characteristics related to the incident;
  
  obtaining a default hierarchy of administrators responsible for responding to the incident;
  
  modifying, based at least on the environmental characteristics, the default hierarchy of administrators to obtain a modified hierarchy of administrators;
  
  outputting the one or more action recommendations for receipt by a device associated with an administrator in the modified hierarchy of administrators, wherein upon receipt of the one or more actions recommendations, the device displays the one or more actions recommendations;
  
  receiving input associated with an action recommendation of the one or more action recommendations; and
  
  executing an operation based on the input.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the environmental characteristics comprise a criticality rating of an asset associated with the incident.
  - 3. The method of claim 1, wherein the environmental characteristics comprise a rate of events associated with the incident.
  - 4. The method of claim 1, wherein the environmental characteristics comprise a geopolitical condition.
  - 5. The method of claim 1 further comprising:
    - obtaining enrichment information associated with the incident from one of a database or a web site;
      
      wherein determining the one or more action recommendations comprises determining the one or more action recommendations based on the enrichment information; and
      
      wherein modifying the default hierarchy of administrators to obtain the modified hierarchy of administrators comprises modifying the default hierarchy of administrators to respond to the incident based on the environmental characteristics and the enrichment information.
  - 6. The method of claim 1 further comprising:
    - obtaining enrichment information associated with the incident from one of a database or a website based on information associated with the incident, wherein the information comprises an internet protocol address, a process identifier, an asset identifier, or a uniform resource locator (URL);
      
      wherein determining the one or more action recommendations comprises determining the one or more action recommendations based on the enrichment information; and
      
      wherein modifying the default hierarchy of administrators to obtain the modified hierarchy of administrators comprises modifying the default hierarchy of administrators to respond to the incident based on the environmental characteristics and the enrichment information.
  - 7. The method of claim 1, wherein the input associated with the action recommendation comprises a selection of the action recommendation to be implemented in response to the incident.
  - 8. The method of claim 1, wherein the input associated with the action recommendation comprises feedback modifying the action recommendation.
  - 9. The method of claim 1, wherein the input associated with the action recommendation comprises feedback to remove the action recommendation from the one or more action recommendations.
  - 10. The method of claim 1, wherein the input associated with the action recommendation comprises deferring selection of an action to another administrator.
  - 11. The method of claim 1, wherein the incident comprises one of an unknown process on an asset in the computing environment or an unknown communication request to an asset in the computing environment.
  - 12. The method of claim 1 further comprising determining, for the modified hierarchy of administrators, at least one time period for an administrator to respond to the incident based at least on the environmental characteristics.
  - 13. The method of claim 1 further comprising:
    - determining, for the modified hierarchy of administrators, a time period to respond to the incident based at least on the environmental characteristics;
      
      determining when an action is not selected by an administrator to respond to the incident in the time period; and
      
      when an action is not selected by an administrator in the time period, initiating an automated response to respond to the incident.
  - 14. The method of claim 1:
    - wherein outputting the one or more action recommendations for receipt by the device associated with the administrator in the modified hierarchy of administrators comprises outputting the one or more action recommendations to a first administrator in the modified hierarchy of administrators;
      
      wherein the method further comprises;
      
      determining a time period for the first administrator to provide an input to respond to the incident; and
      
      when the first administrator fails to provide the input in the time period, causing for display the one or more action recommendations to a second administrator in the modified hierarchy of administrators.

15. A computing apparatus comprising:
- one or more non-transitory computer readable storage media;
  
  a processing system operatively coupled to the one or more non-transitory computer readable storage media; and
  
  program instructions stored on the one or more non-transitory computer readable storage media that, when executed by the processing system, direct the processing system to;
  
  determine, in response to notification of an incident in a computing environment, one or more action recommendations, wherein the notification is generated upon identification of an issue in the computing environment;
  
  obtain, from the computing environment, environmental characteristics related to the incident;
  
  obtain a default hierarchy of administrators responsible for responding to the incident;
  
  modify, based at least on the environmental characteristics, the default hierarchy of administrators to obtain a modified hierarchy of administrators;
  
  output the one or more action recommendations for receipt by a device associated with an administrator in the modified hierarchy of administrators, wherein upon receipt of the one or more actions recommendations, the device displays the one or more actions recommendations;
  
  receive input associated with an action recommendation of the one or more action recommendations; and
  
  execute an operation based on the input.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 16. The computing apparatus of claim 15, wherein the environmental characteristics comprise a criticality rating of an asset associated with the incident.
  - 17. The computing apparatus of claim 15, wherein the environmental characteristics comprise a rate of events associated with the incident.
  - 18. The computing apparatus of claim 15, wherein the environmental characteristics comprise a geopolitical condition.
  - 19. The computing apparatus of claim 15:
    - wherein the program instructions further direct the processing system to obtain enrichment information associated with the incident from one of a database or a website;
      
      wherein determining the one or more action recommendations comprises determining the one or more action recommendations based on the enrichment information; and
      
      wherein modifying the default hierarchy of administrators to obtain the modified hierarchy of administrators comprises modifying the default hierarchy of administrators to respond to the incident based on the environmental characteristics and the enrichment information.
  - 20. The computing apparatus of claim 15:
    - wherein the program instructions further direct the processing system to obtain enrichment information associated with the incident from one of a database or a website based on information associated with the incident, wherein the information comprises an internet protocol address, a process identifier, an asset identifier, or a uniform resource locator (URL);
      
      wherein determining the one or more action recommendations comprises determining the one or more action recommendations based on the enrichment information; and
      
      wherein modifying the default hierarchy of administrators to obtain the modified hierarchy of administrators comprises modifying the default hierarchy of administrators to respond to the incident based on the environmental characteristics and the enrichment information.
  - 21. The computing apparatus of claim 15, wherein the input associated with the action recommendation comprises a selection of the action recommendation to be implemented in response to the incident.
  - 22. The computing apparatus of claim 15, wherein the input associated with the action recommendation comprises feedback modifying the action recommendation.
  - 23. The computing apparatus of claim 15, wherein the input associated with the action recommendation comprises feedback to remove the action recommendation from the one or more action recommendations.
  - 24. The computing apparatus of claim 15, wherein the input associated with the action recommendation comprises deferring selection of an action to another administrator.
  - 25. The computing apparatus of claim 15, wherein the program instructions further direct the processing system to:
    - determine, for the modified hierarchy of administrators, a time period to respond to the incident based at least on the environmental characteristics;
      
      determine when an action is not selected by an administrator to respond to the incident in the time period; and
      
      when the action is not selected by the administrator in the time period, initiate an automated response to respond to the incident.

26. An apparatus comprising:
- one or more non-transitory computer readable storage media; and
  
  program instructions stored on the one or more non-transitory computer readable storage media that, when executed by a processing system, direct the processing system to;
  
  determine, in response to notification of an incident in a computing environment, one or more action recommendations, wherein the notification is generated upon identification of an issue in the computing environment;
  
  obtain, from the computing environment, environmental characteristics related to the incident;
  
  obtain a default hierarchy of administrators responsible for responding to the incident;
  
  modify, based at least on the environmental characteristics, the default hierarchy of administrators to obtain a modified hierarchy of administrators;
  
  output the one or more action recommendations for receipt by a device associated with an administrator in the modified hierarchy of administrators, wherein upon receipt of the one or more actions recommendations, the device displays the one or more actions recommendations;
  
  receive input associated with an action recommendation of the one or more action recommendations; and
  
  execute an operation based on the input.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The apparatus of claim 26, wherein the environmental characteristics comprise a criticality rating of an asset associated with the incident.
  - 28. The apparatus of claim 26, wherein the environmental characteristics comprise a rate of events associated with the incident.
  - 29. The apparatus of claim 26, wherein the environmental characteristics comprise a geopolitical condition.
  - 30. The apparatus of claim 26, wherein the program instructions further direct the processing system to:
    - determine, for the modified hierarchy of administrators, a time period to respond to the incident based at least on the environmental characteristics;
      
      determine when an action is not selected by an administrator to respond to the incident in the time period; and
      
      when the action is not selected by the administrator in the time period, initiate an automated response to respond to the incident.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Satish, Sourabh, Friedrichs, Oliver, Mahadik, Atif, Salinas, Govind
Primary Examiner(s)
Zee, Edward

Application Number

US16/142,913
Time in Patent Office

496 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 21/554   involving event detection a...

H04L 47/2425   for supporting services spe...

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Incident response management based on environmental characteristics

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

83 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Incident response management based on environmental characteristics

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links