Determining security actions for security threats using enrichment information
First Claim
1. A method of operating an advisement system to provide security actions in a computing environment comprising a plurality of computing assets, the method comprising:
- identifying a security threat within the computing environment, wherein the security threat comprises a potentially malicious process executing on an asset of the plurality of computing assets;
- obtaining state information for the security threat, wherein the state information indicates at least one of: a type of information the security threat seeks to obtain, a type of computing system targeted by the security threat, and a communication path of the security threat;
- obtaining enrichment information about the potentially malicious process executing on the asset of the plurality of computing assets;
- determining that the potentially malicious process is a malicious process based on the enrichment information;
- determining a plurality of security actions for responding to the security threat based on the enrichment information and the state information for the security threat;
- causing display of the plurality of security actions in a ranked order;
- obtaining a selection of one or more security actions of the plurality of security actions; and
- translating the one or more security actions into processes implemented on the asset of the plurality of computing assets.
Assignments: 2; Petitions: 0
Abstract
Systems, methods, and software described herein provide security actions based on the current state of a security threat. In one example, a method of operating an advisement system in a computing environment with a plurality of computing assets includes identifying a security threat within the computing environment. The method further includes, in response to identifying the security threat, obtaining state information for the security threat within the computing environment, and determining a current state for the security threat within the computing environment. The method also provides obtaining enrichment information for the security threat and determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.
Citations: 82
Claims (24 total)
1. A method of operating an advisement system to provide security actions in a computing environment comprising a plurality of computing assets, the method comprising the steps set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A non-transitory computer-readable storage medium storing instructions which, when executed by one or more processors, cause performance of operations comprising:
- identifying a security threat within a computing environment, wherein the security threat comprises a potentially malicious process executing on an asset of a plurality of computing assets;
- obtaining state information for the security threat, wherein the state information indicates at least one of: a type of information the security threat seeks to obtain, a type of computing system targeted by the security threat, and a communication path of the security threat;
- obtaining enrichment information about the potentially malicious process executing on the asset of the plurality of computing assets;
- determining that the potentially malicious process is a malicious process based on the enrichment information;
- determining a plurality of security actions for responding to the security threat based on the enrichment information and the state information for the security threat;
- causing display of the plurality of security actions in a ranked order;
- obtaining a selection of one or more security actions of the plurality of security actions; and
- translating the one or more security actions into processes implemented on the asset of the plurality of computing assets.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.

17. An apparatus, comprising:
- one or more processors;
- a non-transitory computer-readable storage medium storing instructions which, when executed by the one or more processors, cause the apparatus to:
- identify a security threat within a computing environment, wherein the security threat comprises a potentially malicious process executing on an asset of a plurality of computing assets;
- obtain state information for the security threat, wherein the state information indicates at least one of: a type of information the security threat seeks to obtain, a type of computing system targeted by the security threat, and a communication path of the security threat;
- obtain enrichment information about the potentially malicious process executing on the asset of the plurality of computing assets;
- determine that the potentially malicious process is a malicious process based on the enrichment information;
- determine a plurality of security actions for responding to the security threat based on the enrichment information and the state information for the security threat;
- cause display of the plurality of security actions in a ranked order;
- obtain a selection of one or more security actions of the plurality of security actions; and
- translate the one or more security actions into processes implemented on the asset of the plurality of computing assets.
Dependent claims: 18, 19, 20, 21, 22, 23, 24.
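The independent claims above (1, 9 and 17) all describe the same pipeline: take a threat's state information (information sought, target type, communication path), enrich the suspect process, decide whether it is malicious, score and rank candidate responses, accept an analyst's selection, and translate the chosen actions into asset-specific processes. The following is an added illustration of that pipeline and is not the patent applicant's code or the claimed embodiment. The process names, enrichment records, action catalogue, scoring weights and tool-call templates are all constructed for the example; a real advisement system would pull enrichment from a reputation or EDR service and dispatch the translated processes to the asset.

```python
"""Toy advisement pipeline illustrating the claimed method (added example,
not the patent's own code). All names and weights below are constructed."""
from dataclasses import dataclass


@dataclass
class ThreatState:
    """State information for a threat: the three kinds the claim names."""
    asset: str
    process: str
    info_sought: str    # e.g. "credentials", "customer_records"
    target_type: str    # e.g. "domain_controller", "workstation"
    comm_path: str      # e.g. "egress_external", "lateral_smb", "none"


# Constructed enrichment records keyed by process name. In a deployment these
# would come from a hash-reputation service, sandbox or EDR telemetry.
ENRICHMENT = {
    "svchost.exe":   {"reputation": "known_good", "signed": True,  "beacons": False},
    "updchk.exe":    {"reputation": "unknown",    "signed": False, "beacons": True},
    "cryptlock.exe": {"reputation": "known_bad",  "signed": False, "beacons": False},
}


def obtain_enrichment(process):
    """Look up enrichment for a process; unknown processes get a neutral record."""
    return ENRICHMENT.get(process, {"reputation": "unknown", "signed": False, "beacons": False})


def is_malicious(enrichment):
    """Classify as malicious on known-bad reputation, or on an unknown,
    unsigned binary that beacons out (constructed rule)."""
    if enrichment["reputation"] == "known_bad":
        return True
    return (enrichment["reputation"] == "unknown"
            and not enrichment["signed"] and enrichment["beacons"])


def determine_actions(state, enrichment):
    """Score candidate actions from state and enrichment, then return them
    in ranked order (highest score first, ties broken by name)."""
    scores = {"kill_process": 1, "quarantine_file": 1, "block_comm_path": 0,
              "isolate_asset": 0, "rotate_credentials": 0, "collect_memory_image": 1}
    if enrichment["reputation"] == "known_bad":
        scores["quarantine_file"] += 3
    if enrichment["beacons"] or state.comm_path == "egress_external":
        scores["block_comm_path"] += 3          # cut the communication path
    if state.comm_path == "lateral_smb":
        scores["isolate_asset"] += 3            # stop lateral movement
    if state.target_type == "domain_controller":
        scores["isolate_asset"] += 2            # high-value target
        scores["collect_memory_image"] += 2     # preserve evidence
    if state.info_sought == "credentials":
        scores["rotate_credentials"] += 4       # assume secrets are exposed
        scores["isolate_asset"] += 1
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(name, score) for name, score in ranked if score > 0]


def translate(selected, state):
    """Translate selected action names into asset-specific processes
    (constructed tool-call descriptors, not real tool APIs)."""
    templates = {
        "kill_process": lambda s: {"tool": "edr", "op": "terminate_process",
                                   "host": s.asset, "process": s.process},
        "quarantine_file": lambda s: {"tool": "edr", "op": "quarantine_file",
                                      "host": s.asset, "process": s.process},
        "block_comm_path": lambda s: {"tool": "firewall", "op": "block_path",
                                      "host": s.asset, "path": s.comm_path},
        "isolate_asset": lambda s: {"tool": "edr", "op": "isolate_host", "host": s.asset},
        "rotate_credentials": lambda s: {"tool": "idp", "op": "rotate_credentials",
                                         "scope": s.asset},
        "collect_memory_image": lambda s: {"tool": "forensics", "op": "memory_image",
                                           "host": s.asset},
    }
    return [templates[name](state) for name in selected]


def advise(state, selection=None):
    """Run the whole pipeline. Returns the verdict, the ranked actions (as the
    display step would show them) and the processes for the chosen actions."""
    enrichment = obtain_enrichment(state.process)
    verdict = is_malicious(enrichment)
    if not verdict:
        return {"malicious": False, "ranked": [], "processes": []}
    ranked = determine_actions(state, enrichment)
    chosen = selection if selection is not None else [ranked[0][0]]
    return {"malicious": True, "ranked": ranked, "processes": translate(chosen, state)}


if __name__ == "__main__":
    threat = ThreatState("ws-042", "updchk.exe", "credentials", "workstation", "egress_external")
    result = advise(threat, selection=["block_comm_path", "kill_process"])
    for name, score in result["ranked"]:
        print(f"{score:2d}  {name}")
    print(result["processes"])
```

The ranking is what the "display in a ranked order" step would present to an analyst; the `selection` argument stands in for the analyst's choice, and `translate` is the step that turns abstract actions into something an EDR, firewall or identity provider could actually execute on the named asset.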
Specification