Techniques for sharing network security event information

US 10,628,582 B2
Filed: 10/03/2018
Issued: 04/21/2020
Est. Priority Date: 02/01/2012
Status: Active Grant

First Claim

Patent Images

1. A method to protect against threats to a distributed computing network, comprising:

generating a profile comprising one or more properties of a network device of the distributed computing network via a central service coupled to a plurality of network devices of a distributed computing network, wherein the one or more properties comprise hardware attributes, software attributes, or a combination of both;

storing, via the central service, the one or more properties of the network device of the distributed computing network into a common data store of the central service to generate stored properties;

receiving, via the central service, a source file that comprises indications of one or more security threats to one or more properties of a source network device;

identifying, via the central service, a subset of the indications of the one or more security threats that apply to the network device at least in part by matching at least one property of the stored properties with at least one property of the one or more properties of the source network device;

accessing, via the central service, a rule that associates performance of an action with identifying that the subset of the one or more security threats apply to the network device;

using, via the central service, the rule to determine the action to perform to remediate the subset of the indications of the one or more security threats that apply to the network device, wherein the rule identifies the action from a plurality of actions able to be performed to remediate security threats; and

performing the action to facilitate remediating vulnerabilities associated with the one or more security threats to the network device of the distributed computing network.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or correlated results can be filtered and/or routed according at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.

Citations

20 Claims

1. A method to protect against threats to a distributed computing network, comprising:
- generating a profile comprising one or more properties of a network device of the distributed computing network via a central service coupled to a plurality of network devices of a distributed computing network, wherein the one or more properties comprise hardware attributes, software attributes, or a combination of both;
  
  storing, via the central service, the one or more properties of the network device of the distributed computing network into a common data store of the central service to generate stored properties;
  
  receiving, via the central service, a source file that comprises indications of one or more security threats to one or more properties of a source network device;
  
  identifying, via the central service, a subset of the indications of the one or more security threats that apply to the network device at least in part by matching at least one property of the stored properties with at least one property of the one or more properties of the source network device;
  
  accessing, via the central service, a rule that associates performance of an action with identifying that the subset of the one or more security threats apply to the network device;
  
  using, via the central service, the rule to determine the action to perform to remediate the subset of the indications of the one or more security threats that apply to the network device, wherein the rule identifies the action from a plurality of actions able to be performed to remediate security threats; and
  
  performing the action to facilitate remediating vulnerabilities associated with the one or more security threats to the network device of the distributed computing network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the source file is received from a security data importer that translates the source file from an XML file into a second data format.
  - 3. The method of claim 1, wherein the source file comprises an indication of vulnerable operating systems.
  - 4. The method of claim 1, comprising updating an administrator dashboard with a ranking associated with a respective security threat of the one or more security threats, wherein the ranking communicates a severity of the respective security threat.
  - 5. The method of claim 1, comprising:
    - receiving the source file from a third party reporting service; and
      
      transmitting source file to an importer for conversion from a first data format into a second data format interpretable by a first computing system.
  - 6. The method of claim 5, wherein the third party reporting service comprises an information repository, and wherein the third party reporting service derives the source file from the information repository.
  - 7. The method of claim 5, wherein the third party reporting service is configured to receive additional security threat information from one or more additional computing systems to facilitate monitoring of security threats between the first computing system and the one or more additional computing systems.
  - 8. The method of claim 1, wherein the action comprises performing steps based on information included in the source file to mitigate security vulnerabilities associated with the one or more security threats.

9. A tangible, non-transitory, machine-readable medium, comprising machine-readable instructions that, when executed by one or more processors associated with a distributed computing network, cause a central service to:
- generate a profile comprising one or more properties of a network device of the distributed computing network, wherein the central service is coupled to a plurality of network devices of a distributed computing network, wherein the one or more properties comprise hardware attributes, software attributes, or a combination of both;
  
  store the one or more properties of the network device of the distributed computing network into a common data store to generate stored properties;
  
  receive a source file that comprises an indication of one or more security threats to one or more properties of a source network device;
  
  parse the source file to translate data of the source file from a first data format into a second data format interpretable by each of the plurality of network devices of the distributed computing network;
  
  identify a subset of the one or more security threats that apply to the network device at least in part by matching at least one property of the stored properties with at least one property of the one or more properties of the source network device;
  
  access a rule that associates performance of an action with identifying that the subset of the one or more security threats apply to the network device;
  
  use the rule to determine the action to perform to remediate the subset of the one or more security threats that apply to the network device, wherein the rule identifies the action from a plurality of actions able to be performed by the network device to remediate security threats; and
  
  initiate performance of the action configured to remedy a vulnerability corresponding to the indication of one or more security threats.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 10. The machine-readable medium of claim 9, wherein parsing occurs based at least in part on communication with a security data importer.
  - 11. The machine-readable medium of claim 9, wherein the vulnerability is associated with a security advisory corresponding to the source network device.
  - 12. The machine-readable medium of claim 9, wherein the network device is determined to have the same vulnerability as the source network device through determining a property of the one or more properties is substantially similar to a property of the source network device.
  - 13. The machine-readable medium of claim 9, wherein the source file comprises XML formatted data.
  - 14. The machine-readable medium of claim 9, wherein the action comprises updating a severity associated with the vulnerability.
  - 15. The machine-readable medium of claim 14, comprising instructions that cause the central service to:
    - update a dashboard with the severity;
      
      compare the severity to additional severities associated with an additional vulnerability; and
      
      perform a remediation action based on the comparison.
  - 16. The machine-readable medium of claim 9, wherein the action comprises performing steps based on information included in the source file to mitigate security vulnerabilities associated with the indications of one or more security threats.
  - 17. The machine-readable medium of claim 9, wherein the one or more properties of the source network device comprises an indication of an operating system associated with the source network device.
  - 18. The machine-readable medium of claim 9, wherein the one or more properties of the source network device is an indication of a model of the source network device.
  - 19. The machine-readable medium of claim 9, comprising instructions that cause the central service to:
    - query a third party reporting service for the source file; and
      
      receive the source file from the third party reporting service.
  - 20. The machine-readable medium of claim 19, wherein the stored properties of the network device of the distributed computing network are used for regulatory compliance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
ServiceNow Incorporated
Inventors
Reybok, Richard, Haugsnes, Andreas Seip, Zettel, II, Kurt Joseph, Rhines, Jeffrey, Geddes, Henry, Osypov, Volodymyr, Lewis, Scott, Brady, Sean, Manning, Mark
Primary Examiner(s)
Powers, William S

Application Number

US16/151,085
Publication Number

US 20190034626A1
Time in Patent Office

566 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/145 the attack involving the pr...

Techniques for sharing network security event information

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for sharing network security event information

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links