System and method of protecting client computers
First Claim
1. A method for threat detection and response, the method comprising:
- receiving, by a threat response computer from a threat detector running on a client computer in an enterprise computing network wherein the client computer is separate from the threat response computer, an event report identifying a suspicious communication over a network between the client computer and a network device other than the client computer;
- automatically remotely activating, by the threat response computer, a data collector on the client computer, the data collector configured for searching potential indications of compromise (IOCs) on the client computer and sending data identifying the potential IOCs to the threat response computer for evaluation;
- receiving, by the threat response computer from the data collector, the data identifying the potential IOCs on the client computer;
- comparing, by the threat response computer, the potential IOCs on the client computer and IOCs in a database local to the threat response computer;
- based at least in part on the comparing, determining, by the threat response computer, whether the potential IOCs on the client computer indicate evidence of malware on the client computer; and
- responsive to the evidence of malware on the client computer, sending an instruction from the threat response computer to configure a firewall in the enterprise computing network.
5 Assignments
0 Petitions
Abstract
A threat response platform to act as a bridge between non-inline security programs and inline security programs. The threat response platform receives event reports, relating to client devices, from the non-inline security programs and creates incident reports for a user. The incident reports describe the event report and also additional data gathered by an active correlation system of the threat response platform. The active correlation system automatically gathers various types of data that are potentially useful to a user in determining whether the reported event is an incidence of malware operating on the client device or a false positive. The active correlation system places a temporary agent on the client device to identify indications of compromise.
20 Claims
1. A method for threat detection and response, the method comprising:
- receiving, by a threat response computer from a threat detector running on a client computer in an enterprise computing network wherein the client computer is separate from the threat response computer, an event report identifying a suspicious communication over a network between the client computer and a network device other than the client computer;
- automatically remotely activating, by the threat response computer, a data collector on the client computer, the data collector configured for searching potential indications of compromise (IOCs) on the client computer and sending data identifying the potential IOCs to the threat response computer for evaluation;
- receiving, by the threat response computer from the data collector, the data identifying the potential IOCs on the client computer;
- comparing, by the threat response computer, the potential IOCs on the client computer and IOCs in a database local to the threat response computer;
- based at least in part on the comparing, determining, by the threat response computer, whether the potential IOCs on the client computer indicate evidence of malware on the client computer; and
- responsive to the evidence of malware on the client computer, sending an instruction from the threat response computer to configure a firewall in the enterprise computing network.

Dependent claims 2, 3, 4, 5, 6, 7, 8, 9 and 10 are not shown here.
11. A system for threat detection and response, the system comprising:
- a processor;
- a non-transitory computer-readable medium; and
- stored instructions translatable by the processor for:
  - receiving, from a threat detector running on a client computer in an enterprise computing network wherein the client computer is separate from the threat response computer, an event report identifying a suspicious communication over a network between the client computer and a network device;
  - automatically remotely activating a data collector on the client computer, the data collector configured for searching potential indications of compromise (IOCs) on the client computer and sending data identifying the potential IOCs to the system for evaluation;
  - receiving, from the data collector, the data identifying the potential IOCs on the client computer;
  - comparing the potential IOCs on the client computer and IOCs in a database local to the system;
  - based at least in part on the comparing, determining whether the potential IOCs on the client computer indicate evidence of malware on the client computer; and
  - responsive to the evidence of malware on the client computer, sending an instruction to configure a firewall in the enterprise computing network.

Dependent claims 12, 13, 14, 15, 16, 17, 18, 19 and 20 are not shown here.
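The loop claimed in claims 1 and 11 (event report in, collector activated, potential IOCs compared against a local database, firewall instruction out on a match), as an added Python example that is not the patent's own code. The report shape, the collector callable, the IOC categories, the sample indicator values and the block-instruction format are all assumptions; the second client shows the false-positive path, where nothing matches and no firewall change is issued.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

@dataclass(frozen=True)
class EventReport:
    """Report from the non-inline threat detector on the client (assumed shape)."""
    client: str      # client computer that raised the event
    remote: str      # the other network device in the suspicious communication
    reason: str      # detector's description of the event

# Constructed local IOC database: sample values only, not real indicators.
LOCAL_IOC_DB: Dict[str, Set[str]] = {
    "sha256": {"11" * 32},
    "domain": {"beacon.invalid"},
    "path": {r"C:\Users\Public\svchosts.exe"},
}

def compare_iocs(potential: Dict[str, List[str]],
                 ioc_db: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Intersect the collector's potential IOCs with the local DB, per category;
    categories with no hit are dropped from the result."""
    return {cat: set(vals) & ioc_db.get(cat, set())
            for cat, vals in potential.items()
            if set(vals) & ioc_db.get(cat, set())}

def respond(report: EventReport,
            activate_collector: Callable[[str], Dict[str, List[str]]],
            ioc_db: Dict[str, Set[str]] = LOCAL_IOC_DB) -> dict:
    """One pass of the claimed loop: remotely activate the collector on the
    reported client, evaluate what it returns, build the incident record and,
    only on evidence of malware, attach a firewall instruction."""
    potential = activate_collector(report.client)   # activation + data return
    matches = compare_iocs(potential, ioc_db)       # compare with local IOC DB
    incident = {"client": report.client, "remote": report.remote,
                "reason": report.reason, "potential_iocs": potential,
                "matching_iocs": matches,
                "verdict": "malware" if matches else "unconfirmed",
                "firewall_instruction": None}
    if matches:   # evidence of malware: instruct the inline firewall
        incident["firewall_instruction"] = {
            "action": "block", "src": report.client, "dst": report.remote}
    return incident

def demo_collector(client: str) -> Dict[str, List[str]]:
    """Constructed stand-in for the temporary agent; canned findings per client."""
    found = {"ws-01": {"sha256": ["11" * 32], "path": [r"C:\Windows\explorer.exe"]},
             "ws-02": {"sha256": ["22" * 32], "domain": ["updates.example"]}}
    return found.get(client, {})

if __name__ == "__main__":
    for c in ("ws-01", "ws-02"):
        print(respond(EventReport(c, "203.0.113.7", "dns beacon"), demo_collector))
```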