Techniques for sharing network security event information
First Claim
1. A method to protect against threats to a distributed computing network, comprising:
generating a profile comprising one or more properties of a network device of the distributed computing network via a central service coupled to a plurality of network devices of a distributed computing network, wherein the one or more properties comprise hardware attributes, software attributes, or a combination of both;
storing, via the central service, the one or more properties of the network device of the distributed computing network into a common data store of the central service to generate stored properties;
receiving, via the central service, a source file that comprises indications of one or more security threats to one or more properties of a source network device;
identifying, via the central service, a subset of the indications of the one or more security threats that apply to the network device at least in part by matching at least one property of the stored properties with at least one property of the one or more properties of the source network device;
accessing, via the central service, a rule that associates performance of an action with identifying that the subset of the one or more security threats apply to the network device;
using, via the central service, the rule to determine the action to perform to remediate the subset of the indications of the one or more security threats that apply to the network device, wherein the rule identifies the action from a plurality of actions able to be performed to remediate security threats; and
performing the action to facilitate remediating vulnerabilities associated with the one or more security threats to the network device of the distributed computing network.
Abstract
This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or the correlated results can be filtered and/or routed according to at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.
20 Claims
1. A method to protect against threats to a distributed computing network (independent claim; full text given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A tangible, non-transitory, machine-readable medium, comprising machine-readable instructions that, when executed by one or more processors associated with a distributed computing network, cause a central service to:
generate a profile comprising one or more properties of a network device of the distributed computing network, wherein the central service is coupled to a plurality of network devices of a distributed computing network, wherein the one or more properties comprise hardware attributes, software attributes, or a combination of both;
store the one or more properties of the network device of the distributed computing network into a common data store to generate stored properties;
receive a source file that comprises an indication of one or more security threats to one or more properties of a source network device;
parse the source file to translate data of the source file from a first data format into a second data format interpretable by each of the plurality of network devices of the distributed computing network;
identify a subset of the one or more security threats that apply to the network device at least in part by matching at least one property of the stored properties with at least one property of the one or more properties of the source network device;
access a rule that associates performance of an action with identifying that the subset of the one or more security threats apply to the network device;
use the rule to determine the action to perform to remediate the subset of the one or more security threats that apply to the network device, wherein the rule identifies the action from a plurality of actions able to be performed by the network device to remediate security threats; and
initiate performance of the action configured to remedy a vulnerability corresponding to the indication of one or more security threats.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20.
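The profile-matching and rule-selection steps recited in claims 1 and 9, as an added illustration that is not part of the patent or of any product implementing it: device profiles in a common store, a source file in the source's own CSV format translated into a common record format, matching on at least one stored property, and a rule table that picks one action from several. Every device name, property, threat id and action name below is constructed for the example.

```python
import csv
import io

# Constructed sample: per-device profiles (hardware and software attributes)
# as the central service would hold them in its common data store.
DEVICE_PROFILES = {
    "web-01": {"os": "linux", "openssl": "1.0.2", "arch": "x86_64"},
    "db-02":  {"os": "linux", "openssl": "1.1.1", "arch": "x86_64"},
    "cam-07": {"os": "rtos",  "firmware": "2.4", "arch": "armv7"},
}

# Constructed source file in the source's "first" format: one CSV row per
# indication, affected properties packed as ';'-separated key=value pairs.
SOURCE_FILE = """\
threat_id,severity,affected
T-100,high,openssl=1.0.2
T-101,low,firmware=2.4;arch=armv7
T-102,high,os=windows
"""

# Rule table (assumed names): maps "this subset applies" to one action chosen
# from a plurality of remediation actions.
RULES = {"high": "quarantine-and-patch", "medium": "schedule-patch", "low": "notify-owner"}

def parse_source_file(text):
    """Translate the source's CSV format into the common record format."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        affected = dict(kv.split("=", 1) for kv in row["affected"].split(";"))
        records.append({"id": row["threat_id"], "severity": row["severity"], "affected": affected})
    return records

def applicable_threats(profile, records):
    """Indications that apply: at least one affected property matches a stored property."""
    return [r for r in records
            if any(profile.get(k) == v for k, v in r["affected"].items())]

def plan_actions(profiles=DEVICE_PROFILES, source_text=SOURCE_FILE, rules=RULES):
    """Per device: match the indications, then use the rule table to pick an action."""
    records = parse_source_file(source_text)
    plan = {}
    for device, profile in profiles.items():
        hits = applicable_threats(profile, records)
        # Unknown severities fall back to a review action rather than being dropped.
        plan[device] = sorted({(r["id"], rules.get(r["severity"], "escalate-for-review")) for r in hits})
    return plan

if __name__ == "__main__":
    for device, actions in plan_actions().items():
        print(device, actions)
```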