Real-time remediation respective of security incidents
First Claim
1. A method comprising:
analyzing forensic data collected from a plurality of devices connected to a network, wherein the forensic data collection is ongoing;
detecting a first security incident based, at least in part, on comparing the forensic data with regular behavior patterns associated with at least one of the network and the plurality of devices;
based on detecting the first security incident, identifying at least a first resource affected by the first security incident based, at least in part, on attributes of the forensic data;
isolating the first resource from the network based on identifying the first resource as affected by the first security incident; and
storing information about the first resource in association with indication of the first security incident and indication of the isolating.
2 Assignments
0 Petitions
Abstract
For remediation of security incidents occurring in a network, forensic data which is collected from devices connected to a network is analyzed. A security incident is detected based on the analysis of the forensic data. Based on detecting the security incident, a source which is affected by the security data is identified based, at least in part, on attributes of the forensic data. The affected source is isolated from the network. Information about the affected source in association with an indication of the security incident and an indication of the isolating is stored.
11 Citations
20 Claims
1. A method comprising:
analyzing forensic data collected from a plurality of devices connected to a network, wherein the forensic data collection is ongoing;
detecting a first security incident based, at least in part, on comparing the forensic data with regular behavior patterns associated with at least one of the network and the plurality of devices;
based on detecting the first security incident, identifying at least a first resource affected by the first security incident based, at least in part, on attributes of the forensic data;
isolating the first resource from the network based on identifying the first resource as affected by the first security incident; and
storing information about the first resource in association with indication of the first security incident and indication of the isolating.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. One or more non-transitory machine-readable media comprising program code for security incident remediation, the program code to:
analyze forensic data collected from a plurality of devices connected to a network, wherein the forensic data collection is ongoing;
detect a first security incident based, at least in part, on comparison of the forensic data with at least a first regular behavior pattern associated with at least one of the network and the plurality of devices;
based on detection of the first security incident, identify at least a first resource affected by the first security incident based, at least in part, on attributes of the forensic data;
isolate the first resource from the network based on identification of the first resource as affected by the first security incident; and
store information about the first resource in association with indication of the first security incident and indication of the isolating.
Dependent claims: 13, 14, 15

16. An apparatus comprising:
a processor; and
a machine-readable medium having program code executable by the processor to cause the apparatus to,
analyze forensic data collected from a plurality of devices connected to a network, wherein the forensic data collection is ongoing;
detect a first security incident based, at least in part, on comparison of the forensic data with regular behavior patterns associated with at least one of the network and the plurality of devices;
based on detection of the first security incident, identify at least a first resource affected by the first security incident based, at least in part, on attributes of the forensic data;
isolate the first resource from the network based on identification of the first resource as affected by the first security incident; and
store information about the first resource in association with indication of the first security incident and indication of the isolation.
Dependent claims: 17, 18, 19, 20
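The claim elements above (ongoing analysis of per-device forensic data, comparison with a regular behavior pattern, identification of the affected resource from the data's attributes, isolation, and a stored record tying the resource to the incident and the isolation) as an added illustrative implementation; this is not code from the patent. It assumes a per-device z-score baseline over a constructed metric (outbound connections per minute), and "isolation" here is only bookkeeping in an `isolated` set where a real deployment would call its network enforcement point.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed sample telemetry: (device_id, outbound connections per minute).
# The early samples for each device form its "regular behavior pattern".
TELEMETRY = [
    ("host-a", 12), ("host-a", 15), ("host-a", 11), ("host-a", 14),
    ("host-b", 40), ("host-b", 38), ("host-b", 42), ("host-b", 39),
    ("host-a", 13), ("host-b", 41),
    ("host-a", 190),   # sharp deviation from host-a's own baseline
    ("host-b", 40),
]


@dataclass
class Remediator:
    baseline_samples: int = 4          # samples required before judging a device
    z_threshold: float = 4.0           # deviation (in std devs) that counts as an incident
    history: dict = field(default_factory=dict)   # device_id -> regular samples
    isolated: set = field(default_factory=set)    # resources cut off from the network
    records: list = field(default_factory=list)   # stored incident/isolation records

    def ingest(self, device, value):
        """Analyze one forensic sample; return an incident record or None."""
        if device in self.isolated:
            return None                # already contained; do not re-isolate
        hist = self.history.setdefault(device, [])
        if len(hist) >= self.baseline_samples:
            mu, sigma = mean(hist), (pstdev(hist) or 1.0)   # guard a flat baseline
            z = (value - mu) / sigma
            if z > self.z_threshold:
                # The device attribute of the sample identifies the affected resource.
                self.isolated.add(device)          # hypothetical isolation action
                rec = {"resource": device, "incident": "anomalous_conn_rate",
                       "observed": value, "baseline_mean": round(mu, 1),
                       "z": round(z, 1), "isolated": True}
                self.records.append(rec)
                return rec
        hist.append(value)             # only regular samples extend the baseline
        return None


def run(telemetry):
    """Process a stream of samples; return the stored records and isolated set."""
    r = Remediator()
    for device, value in telemetry:
        r.ingest(device, value)
    return r.records, r.isolated
```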
Specification