Determining security actions for security threats using enrichment information

US 10,567,424 B2
Filed: 08/21/2018
Issued: 02/18/2020
Est. Priority Date: 12/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method of operating an advisement system to provide security actions in a computing environment comprising a plurality of computing assets, the method comprising:

identifying a security threat within the computing environment, wherein the security threat comprises a potentially malicious process executing on an asset of the plurality of computing assets;

obtaining state information for the security threat, wherein the state information indicates at least one of;

a type of information the security threat seeks to obtain, a type of computing system targeted by the security threat, and a communication path of the security threat;

obtaining enrichment information about the potentially malicious process executing on the asset of the plurality of computing assets;

determining that the potentially malicious process is a malicious process based on the enrichment information;

determining a plurality of security actions for responding to the security threat based on the enrichment information and the state information for the security threat;

causing display of the plurality of security actions in a ranked order;

obtaining a selection of one or more security actions of the plurality of security actions; and

translating the one or more security actions into processes implemented on the asset of the plurality of computing assets.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and software described herein provide security actions based on the current state of a security threat. In one example, a method of operating an advisement system in a computing environment with a plurality of computing assets includes identifying a security threat within the computing environment. The method further includes, in response to identifying the security threat, obtaining state information for the security threat within the computing environment, and determining a current state for the security threat within the computing environment. The method also provides obtaining enrichment information for the security threat and determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.

82 Citations

24 Claims

1. A method of operating an advisement system to provide security actions in a computing environment comprising a plurality of computing assets, the method comprising:
- identifying a security threat within the computing environment, wherein the security threat comprises a potentially malicious process executing on an asset of the plurality of computing assets;
  
  obtaining state information for the security threat, wherein the state information indicates at least one of;
  
  a type of information the security threat seeks to obtain, a type of computing system targeted by the security threat, and a communication path of the security threat;
  
  obtaining enrichment information about the potentially malicious process executing on the asset of the plurality of computing assets;
  
  determining that the potentially malicious process is a malicious process based on the enrichment information;
  
  determining a plurality of security actions for responding to the security threat based on the enrichment information and the state information for the security threat;
  
  causing display of the plurality of security actions in a ranked order;
  
  obtaining a selection of one or more security actions of the plurality of security actions; and
  
  translating the one or more security actions into processes implemented on the asset of the plurality of computing assets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein determining the plurality of security actions for responding to the security threat based on the enrichment information and the state information comprises:
    - identifying a rule set based on the enrichment information; and
      
      identifying at least one security action associated with the rule set based on the state information.
  - 3. The method of claim 1, further comprising determining, based on the state information, a current state of the security threat.
  - 4. The method of claim 1, further comprising determining, based on the state information, a current state of the security threat, whether the current state is one of:
    - a reconnaissance state, an exploit state, a persist state, lateral movement state, or an exfiltration state.
  - 5. The method of claim 1, further comprising, in response to determining the plurality of security actions for responding to the security threat, initiating automated implementation of at least one security action in the computing environment.
  - 6. The method of claim 1, wherein obtaining the enrichment information about the potentially malicious process comprises obtaining, from at least one internal or external database, the enrichment information for the potentially malicious process.
  - 7. The method of claim 1, wherein the state information for the security threat further indicates identifiers for assets targeted by communications of the security threat.
  - 8. The method of claim 1, wherein the security threat is one or more of:
    - a virus, a denial of service attack, or a malware attack.

9. A non-transitory computer-readable storage medium storing instructions which, when executed by one or more processors, cause performance of operations comprising:
- identifying a security threat within a computing environment, wherein the security threat comprises a potentially malicious process executing on an asset of a plurality of computing assets;
  
  obtaining state information for the security threat, wherein the state information indicates at least one of;
  
  a type of information the security threat seeks to obtain, a type of computing system targeted by the security threat, and a communication path of the security threat;
  
  obtaining enrichment information about the potentially malicious process executing on the asset of the plurality of computing assets;
  
  determining that the potentially malicious process is a malicious process based on the enrichment information;
  
  determining a plurality of security actions for responding to the security threat based on the enrichment information and the state information for the security threat;
  
  causing display of the plurality of security actions in a ranked order;
  
  obtaining a selection of one or more security actions of the plurality of security actions; and
  
  translating the one or more security actions into processes implemented on the asset of the plurality of computing assets.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory computer-readable storage medium of claim 9, wherein determining the plurality of security actions for responding to the security threat based on the enrichment information and the state information comprises:
    - identifying a rule set based on the enrichment information; and
      
      identifying at least one security action associated with the rule set based on the state information.
  - 11. The non-transitory computer-readable storage medium of claim 9, further comprising determining, based on the state information, a current state of the security threat.
  - 12. The non-transitory computer-readable storage medium of claim 9, further comprising determining, based on the state information, a current state of the security threat, whether the current state is one of:
    - a reconnaissance state, an exploit state, a persist state, lateral movement state, or an exfiltration state.
  - 13. The non-transitory computer-readable storage medium of claim 9, further comprising, in response to determining the plurality of security actions for responding to the security threat, initiating automated implementation of at least one security action in the computing environment.
  - 14. The non-transitory computer-readable storage medium of claim 9, wherein obtaining the enrichment information about the potentially malicious process comprises obtaining, from at least one internal or external database, the enrichment information for the potentially malicious process.
  - 15. The non-transitory computer-readable storage medium of claim 9, wherein the state information for the security threat further indicates identifiers for assets targeted by communications of the security threat.
  - 16. The non-transitory computer-readable storage medium of claim 9, wherein the security threat is one or more of:
    - a virus, a denial of service attack, or a malware attack.

17. An apparatus, comprising:
- one or more processors;
  
  a non-transitory computer-readable storage medium storing instructions which, when executed by the one or more processors, causes the apparatus to;
  
  identify a security threat within a computing environment, wherein the security threat comprises a potentially malicious process executing on an asset of a plurality of computing assets;
  
  obtain state information for the security threat, wherein the state information indicates at least one of;
  
  a type of information the security threat seeks to obtain, a type of computing system targeted by the security threat, and a communication path of the security threat;
  
  obtain enrichment information about the potentially malicious process executing on the asset of the plurality of computing assets;
  
  determine that the potentially malicious process is a malicious process based on the enrichment information;
  
  determine a plurality of security actions for responding to the security threat based on the enrichment information and the state information for the security threat;
  
  cause display of the plurality of security actions in a ranked order;
  
  obtain a selection of one or more security actions of the plurality of security actions; and
  
  translate the one or more security actions into processes implemented on the asset of the plurality of computing assets.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The apparatus of claim 17, wherein determining the plurality of security actions for responding to the security threat based on the enrichment information and the state information comprises:
    - identifying a rule set based on the enrichment information; and
      
      identifying at least one security action associated with the rule set based on the state information.
  - 19. The apparatus of claim 17, further comprising determining, based on the state information, a current state of the security threat.
  - 20. The apparatus of claim 17, further comprising determining, based on the state information, a current state of the security threat, whether the current state is one of:
    - a reconnaissance state, an exploit state, a persist state, lateral movement state, or an exfiltration state.
  - 21. The apparatus of claim 17, further comprising, in response to determining the plurality of security actions for responding to the security threat, initiating automated implementation of at least one security action in the computing environment.
  - 22. The apparatus of claim 17, wherein obtaining the enrichment information about the potentially malicious process comprises obtaining, from at least one internal or external database, the enrichment information for the potentially malicious process.
  - 23. The apparatus of claim 17, wherein the state information for the security threat further indicates identifiers for assets targeted by communications of the security threat.
  - 24. The apparatus of claim 17, wherein the security threat is one or more of:
    - a virus, a denial of service attack, or a malware attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Satish, Sourabh, Friedrichs, Oliver, Mahadik, Atif, Salinas, Govind
Primary Examiner(s)
Hailu, Teshome

Application Number

US16/107,979
Publication Number

US 20190020677A1
Time in Patent Office

546 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 21/554   involving event detection a...

H04L 47/2425   for supporting services spe...

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Determining security actions for security threats using enrichment information

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

82 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Determining security actions for security threats using enrichment information

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

82 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links