Threat intelligence management in security and compliance environment

US 10,701,100 B2
Filed: 03/30/2017
Issued: 06/30/2020
Est. Priority Date: 12/30/2016
Status: Active Grant

First Claim

Patent Images

1. A method to provide threat intelligence for hosted services, the method comprising:

receiving data associated with a tenant'"'"'s service environment, wherein the received data includes communications, stored content, metadata associated with the received data, and activities associated with the received data;

correlating the received data at multiple levels based on the metadata associated with the received data and the activities associated with the received data to generate correlated and multi-stage evaluated data;

determining, based on a contextual correlation analysis of the correlated and multi-stage evaluated data, a threat, wherein the contextual correlation analysis is based on one or more contextual factors;

determining, based on the contextual correlation analysis, a potential impact for the threat;

presenting information regarding the threat and the potential impact through an interactive visualization, wherein at least one element of the interactive visualization is actionable;

determining at least one targeted user receiving the threat;

presenting a listing of the determined targeted users;

in response to receiving a selection of a user from the list of determined targeted users, presenting one or more selected from a group consisting of a communication exchanged with the selected user, a document shared by the selected user, a document processed by the selected user, and a resource used by the selected user; and

one or more selected from a group consisting of presenting a remediation action and automatically implementing a remediation action associated with the received threat.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Threat intelligence management is provided in a security and compliance environment. A threat explorer platform or module of a security and compliance service may detect, investigate, manage, and provide actionable insights for threats at an organizational level. Working with a data insights platform that collects different types of signals (metadata, documents, activities, etc.) and correlates in a multi-stage evaluation, the threat intelligence module may provide actionable visual information on potential threats, affected areas, and actionable insights derived from internal threat data and external information using contextual correlation of data within the data insight platform. User experience may be dynamically adjusted at multiple levels based on context and allow users to drill down arbitrarily deep.

54 Citations

View as Search Results

19 Claims

1. A method to provide threat intelligence for hosted services, the method comprising:
- receiving data associated with a tenant'"'"'s service environment, wherein the received data includes communications, stored content, metadata associated with the received data, and activities associated with the received data;
  
  correlating the received data at multiple levels based on the metadata associated with the received data and the activities associated with the received data to generate correlated and multi-stage evaluated data;
  
  determining, based on a contextual correlation analysis of the correlated and multi-stage evaluated data, a threat, wherein the contextual correlation analysis is based on one or more contextual factors;
  
  determining, based on the contextual correlation analysis, a potential impact for the threat;
  
  presenting information regarding the threat and the potential impact through an interactive visualization, wherein at least one element of the interactive visualization is actionable;
  
  determining at least one targeted user receiving the threat;
  
  presenting a listing of the determined targeted users;
  
  in response to receiving a selection of a user from the list of determined targeted users, presenting one or more selected from a group consisting of a communication exchanged with the selected user, a document shared by the selected user, a document processed by the selected user, and a resource used by the selected user; and
  
  one or more selected from a group consisting of presenting a remediation action and automatically implementing a remediation action associated with the received threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - determining a user profile for the selected user; and
      
      considering the user profile in the contextual correlation analysis.
  - 3. The method of claim 2, wherein the user profile includes a risk assessment of the selected user based on one or more selected from a group consisting of an exchanged communication with the selected user, shared content associated with the selected user, content accessed by the selected user, and an access location associated with the selected user.
  - 4. The method of claim 1, wherein presenting the received and potential threats and the potential impact comprises:
    - displaying one or more selected from a group consisting of a chart, a map, and textual information associated with the threat and the potential impact.
  - 5. The method of claim 4, wherein the one or more selected from a group consisting of a chart, a map, and textual information associated with the threat and the potential impact include actionable elements that, when selected, drill down on a portion of the displayed information.
  - 6. The method of claim 4, further comprising:
    - enabling, based on a selected criterion, an administrator to one or more selected from a group consisting of filter the one or more visualizations and combine the one or more visualizations.
  - 7. The method of claim 1, further comprising:
    - searching through communications and data associated with a user associated with the received threat; and
      
      determining, based on the searching through the communications and the data associated with a user associated with the threat, affected communications and data.
  - 8. The method of claim 7, further comprising:
    - determining the remediation action based on the affected communications and data.
  - 9. The method of claim 1, further comprising:
    - tailoring the one or more visualizations based on a tenant profile associated with a tenant, wherein the tenant profile includes one or more selected from a group consisting of an industry, a size, a geographical location, a hosted service ecosystem, a role, a regulatory requirement, and a legal requirement, and a threat history associated with the tenant.
  - 10. The method of claim 1, wherein the remediation action includes one or more selected from a group consisting of transmission of a notification, removal of affected communications and data, modification of user permissions, resetting of a system configuration, and launching of an investigation.
  - 11. The method of claim 1, further comprising:
    - presenting one or more selected from a group consisting of a threat trend, a filtering option, a configuration option, a protection status, a time range definition option, and a data export option.

12. A server configured to provide threat intelligence for hosted services, the server comprising:
- a communication interface configured to facilitate communication between another server hosting a security and compliance service, one or more client devices, and the server;
  
  a memory configured to store instructions; and
  
  one or more processors coupled to the communication interface and the memory and configured to execute a threat intelligence module, wherein the threat intelligence module is configured to;
  
  receive data associated with a tenant'"'"'s service environment, wherein the received data includes communications, stored content metadata associated with the received data, and activities associated with the received data;
  
  correlate the received data at multiple levels based on the metadata associated with the received data and the activities associated with the received data to generate correlated and multi-stage evaluated data;
  
  determine, based on a contextual correlation analysis of the correlated and multi-stage evaluated data, a threat, wherein the contextual correlation analysis is based on one or more contextual factors;
  
  determine, based on the contextual correlation analysis, a potential impact and a remediation action associated with the threat;
  
  present a dashboard that includes one or more interactive visualizations representing one or more selected from a group consisting of threat trends, information regarding the threat, and the potential impact of the threat, wherein a portion of the one or more visualizations is actionable;
  
  determine at least one targeted user receiving the threat;
  
  present a listing of the determined targeted users;
  
  in response to receiving a selection of a user from the listing of determined targeted users, presenting one or more selected from a group consisting of a communication exchanged with the selected user, a document shared by the selected user, a document processed by the selected user, and a resource used by the selected user; and
  
  automatically implement the remediation action associated with the received threat.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The server of claim 12, wherein the remediation action includes one or more selected from a group consisting of transmission of a notification, removal of affected communications and data, modification of user permissions, resetting of a system configuration, implementation of a suggested policy, and restriction of one or more selected from a group consisting of a delete action, a share action, a copy action, a move action, an anonymous link creation, a synchronization, a site creation, a created exemption, a permission modification, a purge of email boxes, a folder movement, a user addition, and a group addition.
  - 14. The server of claim 12, wherein the threat intelligence module is further configured to:
    - enable a drill down operation on the listing of determined targeted users to determine the impact of the received threat.
  - 15. The server of claim 12, wherein the threat intelligence module is further configured to:
    - determining, based on following a chain of events associated with a missed threat, a list of potentially affected communications and data, and connections between a user affected by the missed threat and other users.
  - 16. The server of claim 12, wherein the threat intelligence module is further configured to:
    - adjust, based on a used platform and a type of threat, a connection dashboard configuration.
  - 17. The server of claim 16, wherein the used platform is one selected from a group consisting of an operating system and a hosted service.

18. A computer-readable memory device with instructions stored thereon to provide threat intelligence for hosted services, the instructions, when executed, configured to cause one or more computing devices to perform actions comprising:
- receive data associated with a tenant'"'"'s service environment, wherein the received data includes communications, stored content metadata associated with the received data, and activities associated with the received data;
  
  correlate the received data at multiple levels based on the metadata associated with the received data and the activities associated with the received data to generate correlated and multi-stage evaluated data;
  
  determine, based on a contextual correlation analysis of the correlated and multi-stage evaluated data, a threat, wherein the contextual correlation analysis is based on one or more contextual factors;
  
  determine, based on the contextual correlation analysis, a potential impact and a remediation action associated with the threat;
  
  present a dashboard that includes one or more interactive visualizations representing one or more selected from a group consisting of threat trends, information regarding the threat, and the potential impact of the threat, wherein a portion of the one or more visualizations is actionable;
  
  customize the dashboard based on one or more selected from a group consisting of detected threat types, a tenant profile, and a platform;
  
  determine at least one targeted user receiving the threat;
  
  present a listing of the determined targeted users;
  
  in response to receiving a selection of a user from the listing of determined targeted users, presenting one or more selected from a group consisting of a communication exchanged with the selected user, a document shared by the selected user, a document processed by the selected user, and a resource used by the selected user; and
  
  automatically implement the remediation action associated with the received threat.
- View Dependent Claims (19)
- - 19. The computer-readable memory device of claim 18, wherein the actions further comprise:
    - determine whether the threat is one selected from a group consisting of a targeted threat and a general threat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Newman, Philip K., Vetrivel, Puhazholi, Parthasarathy, Krishna Kumar, Chen, Binyan, Singh, Manas, Mishra, Ashish, Narayanamurthy, Sudhakar
Primary Examiner(s)
Li, Meng

Application Number

US15/473,998
Publication Number

US 20180191771A1
Time in Patent Office

1,188 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Threat intelligence management in security and compliance environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

54 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Threat intelligence management in security and compliance environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links