Enterprise console

US 20050086534A1
Filed: 03/19/2004
Published: 04/21/2005
Est. Priority Date: 03/24/2003
Status: Active Grant

First Claim

Patent Images

1. In a system for formalizing, diffusing, and enforcing policy advisories and for monitoring policy compliance in the management of the networks of computational devices, said system comprising a plurality of distributed clients, each of which runs on a corresponding networked computational device, an apparatus comprising:

an enterprise console comprising a centrally managed advisory diffusion mechanism and a protocol for diffusing said advisories across said network;

a plurality of advisories specifying relevance criteria and an action, at least one advisory describing a problem that has been discovered on a client;

wherein said distributed clients gather said advisories and process said advisories; and

wherein said advisories formally target specific states of a computational device and formally specify actions to take in response thereto.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A console for an enterprise suite is disclosed. The enterprise suite addresses the increasingly complex problem of keeping critical systems updated, compatible, and free of security holes. It uses Fixlet® technology to identify vulnerable computers on the network and then allows authorized personnel to correct problems across any subset of the network with a few simple mouse-clicks. The enterprise suite helps keep the networked computers updated and properly patched, all from a central console which, along with supporting architectural enhancements, is the subject matter of this document. The invention allows rolling out a security patch in minutes instead of months, thus allowing an administrator to stay ahead of potential hacker attacks. The invention also makes it possible to track the progress of each computer as updates are applied, thus making it simple to gauge the level of compliance across the entire enterprise.

Citations

67 Claims

1. In a system for formalizing, diffusing, and enforcing policy advisories and for monitoring policy compliance in the management of the networks of computational devices, said system comprising a plurality of distributed clients, each of which runs on a corresponding networked computational device, an apparatus comprising:
- an enterprise console comprising a centrally managed advisory diffusion mechanism and a protocol for diffusing said advisories across said network;
  
  a plurality of advisories specifying relevance criteria and an action, at least one advisory describing a problem that has been discovered on a client;
  
  wherein said distributed clients gather said advisories and process said advisories; and
  
  wherein said advisories formally target specific states of a computational device and formally specify actions to take in response thereto.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The apparatus of claim 1, said system further comprising:
    - a central server coupled to a central database, said central server storing data in and retrieving data from said central database.
  - 3. The apparatus of claim 2, wherein each of said distributed clients determines relevance of an advice message by evaluating a relevance clause of said advice message, while automatically retrieving properties of a computational device on which said client runs.
  - 4. The apparatus of claim 3, wherein said relevance clause is written in a formal descriptive language;
    - and wherein said advisory comprises a short, clear explanation of said problem.
  - 5. The apparatus of claim 4, further comprising:
    - means for adding, modifying, or canceling a subscription of a distributed client to one or more advice provider sites.
  - 6. The apparatus of claim 5, further comprising:
    - means for selecting a group of computational devices, specifying action messages, scheduling, and controlling execution when deploying actions proposed by relevant advice messages.
  - 7. The apparatus of claim 6, further comprising:
    - means for securely deploying actions of relevant advice messages to a selected group of said distributed clients.
  - 8. The apparatus of claim 7, further comprising:
    - means for monitoring status of deployed actions.
  - 9. The apparatus of claim 8, further comprising:
    - means for stopping previously deployed actions which have not finished running.
  - 10. The apparatus of claim 9, further comprising:
    - means for monitoring status of each computational device while actions are being deployed and executed.
  - 11. The apparatus of claim 10, wherein said means for monitoring allows said system administrator to define and retrieve customized properties of computational devices using a formal descriptive language.

12. An enterprise management apparatus, comprising:
- a centrally managed advisory diffusion server for gathering advisories from an advisory site, wherein said advisories comprise relevance criteria and an action, and wherein said advisories identify relevant computers on a network and allow authorized personnel to monitor, modify, and maintain said computers across any subset of said network;
  
  a console in communication with said server for displaying any of changes and new knowledge about said network; and
  
  a plurality of clients associated with said network, each client processing said advisories based upon a relevance determination, inspecting an associated computer, and reporting any relevance determination and actions to said server
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The apparatus of claim 12, further comprising:
    - a plurality of relays for relaying said advisories to said clients and for receiving related data from said client to forward to said server.
  - 14. The apparatus of claim 12, said console further comprising:
    - means for a console operator to target patches or other fixes to appropriate computers when vulnerabilities are discovered.
  - 15. The apparatus of claim 14, said console further comprising:
    - means for following progress of said patches or fixes in near real-time as they spread to all relevant computers and, one by one, eliminate bugs and vulnerabilities for affected computers across said network.
  - 16. The apparatus of claim 12, further comprising:
    - means for keeping a running history of any and all remedial actions taken with regard to said computers.
  - 17. The console of claim 12, further comprising:
    - means for providing a detailed audit trail for every action and every maintained computer on said network.

18. In a network comprising a plurality of managed computers, an enterprise management apparatus, comprising:
- a console for providing a system-wide view of said managed computers, along with specific characteristics thereof and associated actions, and for distributing information only to those computers for which said information is relevant;
  
  a client associated with each managed computer for accessing a collection of messages comprising said information and that identify relevant computer characteristics, wherein if said characteristics are identified, said client implements associated actions received from said console; and
  
  a server for coordinating information flow to and from individual clients and for storing results in a database.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The apparatus of claim 18, further comprising:
    - a relay for offloading said server, wherein a plurality of clients point to a relay for downloads, which in turn makes only a single request of said server.
  - 20. The apparatus of claim 19, wherein a plurality of interaccessible relays are provided.
  - 21. The apparatus of claim 18, further comprising:
    - a report module for maintaining an audit trail of all console activity on said network.
  - 22. The apparatus of claim 18, further comprising:
    - a filter panel for providing a set of folders that contains specific field values to focus console activity.
  - 23. The apparatus of claim 18, wherein each message describes a problem that has been discovered on a client, and a short, clear explanation of said problem.
  - 24. The apparatus of claim 18, further comprising:
    - a human-readable relevance language for said messages that provides expressions for querying an exhaustive set of computer properties to target actions only to those computers matching predetermined relevance criteria.

25. In a system for formalizing, diffusing, and enforcing policy advisories and for monitoring policy compliance in the management of the networks of computational devices, said system comprising a plurality of distributed clients, each of which runs on a corresponding networked computational device, and a server for coordinating information flow to and from individual clients, an apparatus comprising:
- at least one relay for offloading a download burden from said server, wherein said clients download from a designated relay;
  
  wherein said server distributes each advisory once to said relay, which in turn distributes said advisory to said clients; and
  
  overhead on said server is reduced by a ratio of relays to clients.
- View Dependent Claims (26, 27, 28, 29)
- - 26. The apparatus of claim 25, wherein for each client in said network, both a primary and a secondary relay are specified.
  - 27. The apparatus of claim 26, wherein each client first attempts to download from its primary relay;
    - and wherein if said primary relay is unavailable for a client, said client can download from said secondary relay.
  - 28. The apparatus of claim 26, wherein if said primary relay fails, said secondary becomes a primary relay.
  - 29. The apparatus of claim 28, wherein if said secondary also fails, said client automatically downloads directly from said server.

30. In a system for formalizing, diffusing, and enforcing policy advisories and for monitoring policy compliance in the management of the networks of computational devices, said system comprising a plurality of distributed clients, each of which runs on a corresponding networked computational device, a method comprising the steps of:
- providing a centrally managed advisory diffusion mechanism and a protocol for diffusing said advisories across said network;
  
  providing a plurality of advisories specifying relevance criteria and an action, at least one advisory describing a problem that has been discovered on a client, said advisory comprising a short, clear explanation of said problem;
  
  wherein said distributed clients gather said advisories and process said advisories; and
  
  wherein said advisories formally target specific states of a computational device and formally specify actions to take in response thereto.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 31. The method of claim 30, further comprising the step of:
    - providing a central server coupled to a central database, said central server storing data in and retrieving data from said central database.
  - 32. The method of claim 31, further comprising the step of:
    - each of said distributed clients determining relevance of an advice message by evaluating a relevance clause of said advice message, while automatically retrieving properties of a computational device on which said client runs.
  - 33. The method of claim 32, wherein said relevance clause is written in a formal descriptive language.
  - 34. The method of claim 33, further comprising the step of:
    - any of adding, modifying, and canceling a subscription of a distributed client to one or more advice provider sites.
  - 35. The method of claim 34, further comprising the step of:
    - selecting a group of computational devices, specifying action messages, scheduling, and controlling execution when deploying actions proposed by relevant advice messages.
  - 36. The method of claim 35, further comprising the step of:
    - securely deploying actions of relevant advice messages to a selected group of said distributed clients.
  - 37. The method of claim 35, further comprising the step of:
    - monitoring status of deployed actions.
  - 38. The method of claim 37, further comprising the step of:
    - stopping previously deployed actions which have not finished running.
  - 39. The method of claim 38, further comprising the step of:
    - monitoring status of each computational device while actions are being deployed and executed.
  - 40. The method of claim 39, wherein said monitoring step allows said system administrator to define and retrieve customized properties of computational devices using a formal descriptive language.

41. An enterprise management method, comprising the steps of:
- gathering advisories from an advisory site with a centrally managed advisory diffusion server, wherein said advisories comprise relevance criteria and an action, and wherein said advisories identify relevant computers on a network and allow authorized personnel to monitor, modify, and maintain said computers across any subset of said network;
  
  displaying any of changes and new knowledge about said network with a console in communication with said server; and
  
  providing a plurality of clients associated with said network, each client processing said advisories based upon a relevance determination, inspecting an associated computer, and reporting any relevance determination and actions to said server
- View Dependent Claims (42, 43, 44, 45, 46)
- - 42. The method of claim 41, further comprising the step of:
    - relaying said advisories to said clients and receiving related data from said client to forward to said server with a plurality of relays.
  - 43. The method of claim 41, said console further comprising the step of:
    - a console operator to targeting patches or other fixes to appropriate computers when vulnerabilities are discovered.
  - 44. The method of claim 43, said console further comprising the step of:
    - following progress of said patches or fixes in near real-time as they spread to all relevant computers and, one by one, eliminate bugs and vulnerabilities for affected computers across said network.
  - 45. The method of claim 43, further comprising the step of:
    - keeping a running history of any and all remedial actions taken with regard to said computers.
  - 46. The method of claim 43, further comprising the step of:
    - providing a detailed audit trail for every action and every maintained computer on said network.

47. An enterprise management method for a network comprising a plurality of managed computers, comprising the steps of:
- providing a system-wide view of said managed computers, along with specific characteristics thereof and associated actions, and for distributing information only to those computers for which said information is relevant;
  
  providing a client associated with each managed computer for accessing a collection of messages comprising said information and that identify relevant computer characteristics, wherein if said characteristics are identified, said client implements associated actions received from said console; and
  
  coordinating information flow to and from individual clients and for storing results in a database.
- View Dependent Claims (48, 49, 50, 51, 52, 53)
- - 48. The method of claim 47, further comprising the step of:
    - offloading said server with a relay, wherein a plurality of clients point to a relay for downloads, which in turn makes only a single request of said server.
  - 49. The method of claim 48, wherein a plurality of interaccessible relays are provided.
  - 50. The method of claim 47, further comprising the step of:
    - maintaining an audit trail of all console activity on said network.
  - 51. The method of claim 47, further comprising the step of:
    - providing a set of folders that contains specific field values to focus console activity.
  - 52. The method of claim 47, wherein each message describes a problem that has been discovered on a client, and a short, clear explanation of said problem.
  - 53. The method of claim 47, further comprising the step of:
    - providing a human-readable relevance language for said messages that provides expressions for querying an exhaustive set of computer properties to target actions only to those computers matching predetermined relevance criteria.

54. In a system for formalizing, diffusing, and enforcing policy advisories and for monitoring policy compliance in the management of the networks of computational devices, said system comprising a plurality of distributed clients, each of which runs on a corresponding networked computational device, and a server for coordinating information flow to and from individual clients, a method comprising the steps of:
- offloading a download burden from said server with a relay, wherein said clients download from a designated relay;
  
  said server distributing each advisory once to said relay, which in turn distributes said advisory to said clients; and
  
  reducing overhead on said server a ratio of relays to clients.
- View Dependent Claims (55, 56, 57, 58)
- - 55. The method of claim 54, wherein for each client in said network, both a primary and a secondary relay are specified.
  - 56. The method of claim 55, wherein each client first attempts to download from its primary relay;
    - and wherein if said primary relay is unavailable for a client, said client can download from said secondary relay.
  - 57. The method of claim 55, wherein if said primary relay fails, said secondary becomes a primary relay.
  - 58. The method of claim 57, wherein if said secondary also fails, said client automatically downloads directly from said server.

59. In a system for formalizing, diffusing, and enforcing policy advisories and for monitoring policy compliance in the management of the networks of computational devices, said system comprising:
- a plurality of distributed clients, each of which runs on a corresponding networked computational device, a server for coordinating information flow to and from individual clients, and a plurality of relays, each of which aggregates and mediates communication between said distributed clients and said server, an apparatus comprising;
  
  means associated with each said client for evaluating a relevance clause identifying a file or group of files to upload to said server from the associated computational device;
  
  means associated with each said client for aggregating a file or group of files resident on a corresponding networked computational device into a file collection;
  
  wherein said relay offloads an upload burden from said server; and
  
  wherein said clients upload said file collection to said server via a designated relay; and
  
  means associated with each said client for distributing each file collection once to said relay, which in turn distributes said file collection to said server.
- View Dependent Claims (60, 61, 62, 63, 64, 65, 66, 67)
- - 60. The apparatus of claim 59, said system further comprising:
    - a central server coupled to a repository of files, said server storing data in, and retrieving data from, said repository of files.
  - 61. The apparatus of claim 59, wherein said client compresses said file collection to reduce said collection'"'"'s data size.
  - 62. The apparatus of claim 59, wherein said client distributes each file collection periodically to said relay, which in turn distributes said files to said server.
  - 63. The apparatus of claim 59, wherein said client does not include files in a file collection that have not changed since a previous file collection continuing said files was uploaded.
  - 64. The apparatus of claim 59, further comprising:
    - means for limiting bandwidth consumed by said client during upload of said file collection to said relay.
  - 65. The apparatus of claim 59, further comprising:
    - means for limiting bandwidth consumed by said relay during upload of said file collection to said server.
  - 66. The apparatus of claim 59, further comprising:
    - means for resuming an interrupted upload of said file collection by said client to said relay at a point of interruption.
  - 67. The apparatus of claim 59, further comprising:
    - means for resuming an interrupted upload of said file collection by said client to said relay at a point of interruption.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
BigFix, Inc. (International Business Machines Corporation)
Inventors
Loer, Peter Benjamin, Lippincott, Lisa Ellen, Hindawi, Orion Yosef, Brown, James Milton, Donoho, David Leigh, Hindawi, David Salim, Goodrow, Dennis S., Lincroft, Peter

Granted Patent

US 7,398,272 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 8/65 Updates security arrangemen...

H04L 63/1433 Vulnerability analysis

Enterprise console

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

67 Claims

Specification

Solutions

Use Cases

Quick Links

Enterprise console

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

67 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links