Automated collection of forensic evidence associated with a network security incident
Abstract
An automated collection of forensic evidence associated with a security incident is provided by an arrangement in which different security products called endpoints in an enterprise network are enabled for sharing security-related information over a common communication channel using an abstraction called a security assessment. A security assessment is generally configured to indicate an endpoint's understanding of a detected security incident that pertains to an object in the environment which may include users, computers, IP addresses, and website URIs (Universal Resource Identifiers). The security assessment is published by the endpoint into the channel and received by subscribing endpoints. The security assessment triggers the receiving endpoints to go into a more comprehensive or detailed mode of evidence collection. In addition, any forensic evidence having relevance to the security incident that may have already been collected prior to the detection will be marked for retention so that it is not otherwise deleted.
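As an added illustration (not part of the patent or of any product it describes), the Python below models the arrangement the abstract lays out: a common channel, subscribing endpoints that switch an object into a detailed collection mode when an assessment reports it compromised, evidence collected before detection flagged so routine cleanup keeps it, and policies that vary by object type and by a criterion carried in the assessment. The class names, the severity field and every policy value are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityAssessment:
    """Published by one endpoint; object types follow the abstract (user, computer, IP, URI)."""
    object_type: str
    object_id: str
    compromised: bool
    severity: str  # constructed criterion that the dynamic policies key on

# Constructed policies (assumption): the collection mode depends on the object type
# and on criteria carried in the assessment, here the severity.
POLICIES: dict[str, dict[str, str]] = {
    "computer": {"high": "memory_and_disk_image", "low": "process_and_network_log"},
    "user": {"high": "auth_mail_and_file_access", "low": "auth_log"},
    "ip": {"high": "full_packet_capture", "low": "flow_records"},
}

class Endpoint:
    """Subscriber that logs normally until an assessment switches it, per object."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.mode: dict[str, str] = {}  # object_id -> collection mode
        self.evidence: list[dict] = []  # records, each carrying a retention flag

    def log(self, object_id: str, record: str) -> None:
        self.evidence.append({"object": object_id, "record": record, "retain": False})

    def on_assessment(self, a: SecurityAssessment) -> str:
        if not a.compromised:
            return "normal"
        mode = POLICIES.get(a.object_type, {}).get(a.severity, "normal")
        self.mode[a.object_id] = mode
        # Evidence gathered before detection is marked so a later purge keeps it.
        for e in self.evidence:
            if e["object"] == a.object_id:
                e["retain"] = True
        return mode

class Channel:
    def __init__(self, subscribers: list[Endpoint]) -> None:
        self.subscribers = list(subscribers)  # every subscriber receives each assessment

    def publish(self, a: SecurityAssessment) -> dict[str, str]:
        return {ep.name: ep.on_assessment(a) for ep in self.subscribers}

def purge(ep: Endpoint) -> list[dict]:
    """Routine cleanup: drops unmarked records and returns what was retained."""
    ep.evidence = [e for e in ep.evidence if e["retain"]]
    return ep.evidence
```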
20 Claims
1. An automated method for collecting and retaining forensic evidence that is applicable to a security incident that occurs in an enterprise networking environment, the method comprising the steps of:
- arranging the enterprise network environment so that each of a plurality of endpoints in the enterprise network may communicate security assessments over a communication channel, each of the security assessments being arranged for describing an object in the enterprise network environment;
- invoking a mode for forensic evidence collecting in response to a security assessment of a detected security incident by which the object in the enterprise network environment becomes compromised;
- invoking a mode for retaining the collected forensic evidence; and
- applying dynamic policies to the forensic evidence collecting and retaining so that the collecting and retaining will use different modes for different objects.
Dependent claims: 2 through 14.
15. A method for presenting forensic evidence pertaining to a security incident occurring in an enterprise network that includes a plurality of endpoints which are arranged to share security assessments over a common communication channel, the method comprising the steps of:
- receiving a security assessment at an endpoint in the enterprise network that is arranged for centralized logging and auditing of security assessments produced by the plurality of endpoints, the security assessment indicating a suspected compromised object; and
- providing a presentation of forensic evidence associated with the suspected compromised object, the forensic evidence being collected by endpoints in the environment in accordance with dynamic policies that vary by object and by criteria expressed in the security assessment.
Dependent claims: 16 and 17.
18. A method for retaining forensic evidence associated with a compromised object in an enterprise network environment, the method comprising the steps of:
- arranging the enterprise network environment so that each of a plurality of endpoints in the enterprise network may communicate security assessments over a communication channel, each of the security assessments being arranged for describing an object in the enterprise network environment that is suspected of being compromised or malicious; and
- retaining the collected forensic evidence associated with the object in accordance with dynamic forensic evidence collection policies, the dynamic forensic evidence collection policies being dependent on criteria specified in the security assessment.
Dependent claims: 19 and 20.