Real-time remediation respective of security incidents

US 10,616,245 B2
Filed: 11/25/2015
Issued: 04/07/2020
Est. Priority Date: 11/26/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

analyzing forensic data collected from a plurality of devices connected to a network, wherein the forensic data collection is ongoing;

detecting a first security incident based, at least in part, on comparing the forensic data with regular behavior patterns associated with at least one of the network and the plurality of devices;

based on detecting the first security incident, identifying at least a first resource affected by the first security incident based, at least in part, on attributes of the forensic data;

isolating the first resource from the network based on identifying the first resource as affected by the first security incident; and

storing information about the first resource in association with indication of the first security incident and indication of the isolating.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

For remediation of security incidents occurring in a network, forensic data which is collected from devices connected to a network is analyzed. A security incident is detected based on the analysis of the forensic data. Based on detecting the security incident, a source which is affected by the security data is identified based, at least in part, on attributes of the forensic data. The affected source is isolated from the network. Information about the affected source in association with an indication of the security incident and an indication of the isolating is stored.

11 Citations

20 Claims

1. A method comprising:
- analyzing forensic data collected from a plurality of devices connected to a network, wherein the forensic data collection is ongoing;
  
  detecting a first security incident based, at least in part, on comparing the forensic data with regular behavior patterns associated with at least one of the network and the plurality of devices;
  
  based on detecting the first security incident, identifying at least a first resource affected by the first security incident based, at least in part, on attributes of the forensic data;
  
  isolating the first resource from the network based on identifying the first resource as affected by the first security incident; and
  
  storing information about the first resource in association with indication of the first security incident and indication of the isolating.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - determining the regular behavior patterns associated with at least one of the network and the plurality of devices; and
      
      identifying the first security incident based on identifying irregular behavior in the forensic data based, at least in part, on the regular behavior patterns, wherein the forensic data comprises attributes of an event of irregular behavior.
  - 3. The method of claim 1, wherein storing information about the first resource comprises storing the information in external memory, wherein the external memory is inaccessible to the plurality of devices.
  - 4. The method of claim 1, wherein storing the information comprises storing a data structure in external memory, wherein the data structure comprises at least a first field which identifies the first security incident, a second field which identifies the first resource affected by the first security incident, a third field which comprises attributes of the first resource, and a fourth field indicating whether the first resource is isolated in a respective device.
  - 5. The method of claim 1, wherein the first resource is a first device of the plurality of devices, and wherein isolating the first resource from the network comprises disconnecting the first device from the network.
  - 6. The method of claim 1 further comprising outputting a notification indicating that the first security incident occurred, wherein the notification indicates the isolating of the first resource.
  - 7. The method of claim 1, further comprising installing agents on the plurality of devices, wherein the agents collect the forensic data from the plurality of devices.
  - 8. The method of claim 1, wherein the first resource is a first application, and wherein isolating the first resource comprises requesting a corresponding one of the plurality of devices to disable the first application, obtaining identification information of the first application, and forwarding the identification information to an external memory for storage.
  - 9. The method of claim 1, wherein the first resource is a first application, and wherein isolating the first resource comprises requesting a corresponding one of the plurality of devices to remove the first application from memory of the corresponding device and to delete an executable of the first application.
  - 10. The method of claim 9 further comprising storing at least a portion of the first application in external memory.
  - 11. The method of claim 1, wherein the first resource is a first process, and wherein isolating the first resource comprises stopping allocation of central processing unit time to the first process and changing the name of the first process.

12. One or more non-transitory machine-readable media comprising program code for security incident remediation, the program code to:
- analyze forensic data collected from a plurality of devices connected to a network, wherein the forensic data collection is ongoing;
  
  detect a first security incident based, at least in part, on comparison of the forensic data with at least a first regular behavior pattern associated with at least one of the network and the plurality of devices;
  
  based on detection of the first security incident, identify at least a first resource affected by the first security incident based, at least in part, on attributes of the forensic data;
  
  isolate the first resource from the network based on identification of the first resource as affected by the first security incident; and
  
  store information about the first resource in association with indication of the first security incident and indication of the isolating.
- View Dependent Claims (13, 14, 15)
- - 13. The non-transitory machine-readable media of claim 12 further comprising program code to install agents on the plurality of devices, wherein the agents collect the forensic data from the plurality of devices.
  - 14. The non-transitory machine-readable media of claim 12, wherein the program code to store information about the first resource comprises program code to store the information in external memory, wherein the external memory is inaccessible to the plurality of devices.
  - 15. The non-transitory machine-readable media of claim 12, wherein the first resource is a first device of the plurality of devices, and wherein the program code to isolate the first resource from the network comprises program code to disconnect the first device from the network.

16. An apparatus comprising:
- a processor; and
  
  a machine-readable medium having program code executable by the processor to cause the apparatus to,analyze forensic data collected from a plurality of devices connected to a network, wherein the forensic data collection is ongoing;
  
  detect a first security incident based, at least in part, on comparison of the forensic data with regular behavior patterns associated with at least one of the network and the plurality of devices;
  
  based on detection of the first security incident, identify at least a first resource affected by the first security incident based, at least in part, on attributes of the forensic data;
  
  isolate the first resource from the network based on identification of the first resource as affected by the first security incident; and
  
  store information about the first resource in association with indication of the first security incident and indication of the isolation.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus of claim 16, further comprising program code executable by the processor to cause the apparatus to:
    - determine the regular behavior patterns associated with at least one of the network and the plurality of devices; and
      
      identify the first security incident based on identifying irregular behavior in the forensic data based, at least in part, on the regular behavior patterns, wherein the forensic data comprises attributes of an event of irregular behavior.
  - 18. The apparatus of claim 16, wherein the program code executable by the processor to cause the apparatus to store information about the first resource in association with indication of the first security incident and indication of the isolating comprises program code to store the information in an external memory, wherein the external memory is inaccessible to the plurality of devices.
  - 19. The apparatus of claim 16, wherein the first resource is a first application, and wherein the program code executable by the processor to cause the apparatus to isolate the first resource comprises program code to request a corresponding one of the plurality of devices to remove the first application from memory, delete an executable of the first application, and forward an image of the first application for analysis.
  - 20. The apparatus of claim 16 further comprising program code executable by the processor to cause the apparatus to output a notification indicating that the first security incident occurred, wherein the notification indicates the isolation of the first resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Barak, Gil, Morag, Shai
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Gyorfi, Thomas A

Application Number

US14/952,326
Publication Number

US 20160149938A1
Time in Patent Office

1,595 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Real-time remediation respective of security incidents

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Real-time remediation respective of security incidents

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others