PERVASIVE, DOMAIN AND SITUATIONAL-AWARE, ADAPTIVE, AUTOMATED, AND COORDINATED ANALYSIS AND CONTROL OF ENTERPRISE-WIDE COMPUTERS, NETWORKS, AND APPLICATIONS FOR MITIGATION OF BUSINESS AND OPERATIONAL RISKS AND ENHANCEMENT OF CYBER SECURITY

US 20130104236A1
Filed: 10/15/2012
Published: 04/25/2013
Est. Priority Date: 10/14/2011
Status: Active Grant

First Claim

Patent Images

1. A method for analyzing and mitigating risks and enhancing cyber security throughout enterprise-wide operational technology (OT) systems and information technology (IT) systems supporting business processes of an enterprise, and other information processing needs of said enterprise, and security technology (ST) networks to maintain a high level of security, comprising:

identifying within said networks a plurality of monitored and controlled elements (MCEs);

providing pervasive business risk and security monitoring and control capabilities that adapt to evolving situational intelligence and existing control postures of target systems, subsystems, and elements at a plurality of hierarchical levels of said networks;

wherein said pervasive security monitoring and control capabilities are self-similar structurally, pervasive functionally, adaptive across various time scales, and relational analytically based on domain knowledge of physical operational and IT systems, operating rules, business processes and compliance policies;

monitoring real-time conditions and activities on said network elements, as well as elements of underlying enterprise business processes that are affected if and when security of an element is breached or business processes compromised; and

adapting said security monitoring and control capabilities at selected hierarchical levels and at selected time scales in response to enterprise situational knowledge that is relevant to said OT, IT, and ST networks, as well as subsystems and elements of said networks with regard to underlying business processes;

wherein said situational knowledge comprising any of situational changes, control implementations, and adjustments thereof, and other transitions in any of said OT systems, said IT systems, and a security threat environment; and

wherein said hierarchical levels range from an entire enterprise-wide network at a highest level to a single transaction at a lowest level.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Real time security, integrity, and reliability postures of operational (OT), information (IT), and security (ST) systems, as well as slower changing security and operational blueprint, policies, processes, and rules governing the enterprise security and business risk management process, dynamically evolve and adapt to domain, context, and situational awareness, as well as the controls implemented across the operational and information systems that are controlled. Embodiments of the invention are systematized and pervasively applied across interconnected, interdependent, and diverse operational, information, and security systems to mitigate system-wide business risk, to improve efficiency and effectiveness of business processes and to enhance security control which conventional perimeter, network, or host based control and protection schemes cannot successfully perform.

301 Citations

23 Claims

1. A method for analyzing and mitigating risks and enhancing cyber security throughout enterprise-wide operational technology (OT) systems and information technology (IT) systems supporting business processes of an enterprise, and other information processing needs of said enterprise, and security technology (ST) networks to maintain a high level of security, comprising:
- identifying within said networks a plurality of monitored and controlled elements (MCEs);
  
  providing pervasive business risk and security monitoring and control capabilities that adapt to evolving situational intelligence and existing control postures of target systems, subsystems, and elements at a plurality of hierarchical levels of said networks;
  
  wherein said pervasive security monitoring and control capabilities are self-similar structurally, pervasive functionally, adaptive across various time scales, and relational analytically based on domain knowledge of physical operational and IT systems, operating rules, business processes and compliance policies;
  
  monitoring real-time conditions and activities on said network elements, as well as elements of underlying enterprise business processes that are affected if and when security of an element is breached or business processes compromised; and
  
  adapting said security monitoring and control capabilities at selected hierarchical levels and at selected time scales in response to enterprise situational knowledge that is relevant to said OT, IT, and ST networks, as well as subsystems and elements of said networks with regard to underlying business processes;
  
  wherein said situational knowledge comprising any of situational changes, control implementations, and adjustments thereof, and other transitions in any of said OT systems, said IT systems, and a security threat environment; and
  
  wherein said hierarchical levels range from an entire enterprise-wide network at a highest level to a single transaction at a lowest level.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method of claim 1, further comprising:
    - using structural self-similarity, adjusted to roles, capabilities, and topological location of MCEs to reduce implementation complexity.
  - 3. The method of claim 1, wherein said OT systems comprise one or more industrial control systems (ICSs) further comprising embedded devices for monitoring and controlling performance of other physical process equipment.
  - 4. The methods of claim 1, further comprising:
    - providing a threat and vulnerability analysis processor for dynamically executing a formal computational algorithm in response to dynamic input from other systems to derive a ranked list of business functions subject to threats; and
      
      for producing a dynamic output for use either stand-alone for enterprise management of risks or integrated into a pervasive framework to provide real-time and dynamic input back into coordinated learning and rules engines.
  - 5. The method of claim 1, further comprising:
    - providing a formal business and security threat prioritization processor configured to lower analysis and control priority of less consequential inputs, wherein information exchanges among computer applications, along with state information about devices and infrastructure controlled by said devices, are monitored; and
      
      prioritized situational awareness information, including exogenous security incidents or state transition alerts are analyzed and correlated for automated security risk analysis;
      
      wherein where a change in a situational awareness state or domain knowledge system, process, rule, or real time or longer interval control postures is warranted, a control synthesis process is used to implement a needed change; and
      
      wherein where a change in a security and business control blueprint, process, rule, or real time or longer interval control postures is warranted, a control synthesis process is used to implement a needed change.
  - 6. The method of claim 1, further comprising:
    - providing a pre-characterized library of control functions;
      
      providing a plurality of business process rules comprising any of physical, operational, security and regulatory processes; and
      
      synthesizing optimal implementations of controls at appropriate strengths, locations, and other qualities by using a combination of one or more of the above.
  - 7. The method of claim 1, further comprising:
    - providing a proactive information acquisition engine for soliciting information, knowledge, and evidence from a plurality of sources to gather evidentiary reinforcements in the form of corroboration or refutation needed for inadequate or unresolved analysis of monitored inputs and events.
  - 8. The method of claim 1, wherein said enterprise comprises:
    - an enterprise-wide computer network;
      
      a plurality of computers in said network organized into clusters;
      
      wherein each cluster comprises one or more computers designated as a server or client;
      
      wherein said computers within each cluster may communicate with each other through various physical network configurations and logical messaging structures, such as an enterprise service bus (ESB) dedicated to that cluster;
      
      wherein a communication and messaging structure of a cluster is connected to a communication and messaging structure of another cluster to facilitate inter-cluster communications;
      
      wherein each such communication and messaging structure is connectable to the global Internet either directly or indirectly through enterprise-wide networks and gateways interconnecting various ESBs;
      
      wherein a computer (server or client) comprises any of a real computer and a virtual computer;
      
      wherein a computer comprises a plurality of peripheral devices for functions which comprise any of input, output, communication, and data storage; and
      
      wherein each computer is adapted to host a plurality of computer programs which interact with each other through messages.
  - 9. The method of claim 1, wherein said enterprise elements that are monitored and controlled (MCEs) comprise any of:
    - an entire enterprise-wide OT and IT network comprising any of hardware, firmware, and software applications and systems distributed within diverse geographical locations;
      
      one or more subsystems of said enterprise-wide OT and IT network;
      
      one or more information or data processing device;
      
      one or more peripheral devices and embedded information devices;
      
      one or more software elements within said peripheral devices and embedded information devices;
      
      one or more messages, represented by a collection of information and data elements, exchanged between said elements, devices, subsystems, and systems; and
      
      one or more messages exchanged between of said enterprise-wide network or its elements with any elements external to a monitored network.
  - 10. The method of claim 8, wherein at each MCE all messages relevant to that MCE are monitored and analyzed and control posture information is sent to all subscribing MCEs;
    - wherein capability for monitoring, analyzing, and adjusting control postures is pervasively implemented for each MCE as a set of conceptually and structurally self-similar components.
  - 11. The method of claim 7, wherein an enterprise-wide level of a control hierarchy is a highest level in a security hierarchy and comprises one or more enterprise security and business risk analysis engines (SBRAE) for monitoring and analyzing all messages going through a designated enterprise-wide message infrastructure, such as an enterprise service bus (ESB);
    - wherein said messages comprise messages exchanged among computers directly connected to messaging structures, such as ESB and messages to and from other clusters, as well as external computer network systems; and
      
      wherein said enterprise SBRAE sends security control posture information for all subscribing MCEs.
  - 12. The method of claim 10, wherein a cluster with its ESB connected to an enterprise-wide network ESB is a second level in said security hierarchy and comprises one or more cluster SBRAEs for monitoring and analyzing all messages going through a designated cluster-wide ESB;
    - wherein said messages comprise messages among computers directly connected to said ESB and messages to and from other clusters, as well as external computer network systems; and
      
      wherein said cluster SBRAE sends security control posture information for all subscribing MCEs.
  - 13. The method of claim 11, wherein elements below the levels of said enterprise-wide and cluster-wide hierarchies include individual computers, applications, and local networks which comprise one or more server SBRAEs for monitoring and analyzing all messages going through various ports of said computer;
    - andwherein said server SBRAE sends security control posture information for all subscribing MCEs.
  - 14. The method of claim 12, wherein any one or more monitored and controlled element (MCE) at lower hierarchy levels of applications, databases, and messages comprises security and business risk analysis engines (SBRAE) for monitoring and analyzing all relevant messages, and for providing security control posture information for all subscribing MCEs.
  - 15. The method of claim 8, one or more of said MCEs further comprising:
    - security analysis and inference engines (SAEs and SIEs) dedicated to a particular MCE, but which does not necessarily reside on a same host as said MCE itself.
  - 16. The method of claim 8, wherein depending on elapsed time requirements of relevant analytical needs, each MCE is assigned to a particular security cycle;
    - wherein a number of standardized security cycles are defined to cover all time scales of domain specific business processes.
  - 17. The method of claim 8, wherein each and every interaction of each MCE in said enterprise-wide network is associated with a corresponding message in said IT system;
    - andwherein promiscuous listening in time and space and deep message inspection and analysis is applied to assign to each interaction a confidence measure which, in turn, is used to adjust a control posture over a next security cycle.
  - 18. The method of claim 8, further comprising:
    - monitoring situational awareness comprising data describing the state of the world external to the security monitor, wherein situational awareness comprises any of security threat state, operational system state, and information system state;
      
      wherein security threat state describes a threat environment in which an MCE is operating;
      
      wherein operational system state describes an operational environment in which an MCE is operating; and
      
      wherein information system state describes an IT system environment in which an MCE is operating.
  - 19. The method of claim 17, wherein in each execution cycle, real-time state of situational awareness relevant to each relevant MCE is analyzed by said security and business risk analysis engine (SBRAE) together with the domain knowledge which comprises any of operational system, information system, and security system knowledge.
  - 20. The method of claim 17, wherein operational system knowledge comprises any of functional, structural, and vulnerability knowledge;
    - wherein functional knowledge comprises any of physical laws pertaining to the operational system and operating rules governing use of business processes, individual equipment, as well as groups of equipment, wherein said operating rules comprise any of legal and operational requirements affecting operation of business processes;
      
      wherein structural knowledge comprises any of information about operational components, their topology, and their semantic relationships; and
      
      wherein vulnerability knowledge comprises any of information about structural, functional, or performance weakness of individual MCEs or groups of MCEs in operational domains.
  - 21. The method of claim 17, wherein information system knowledge comprises any of functional, structural, and vulnerability knowledge related to IT systems, including said computers, networks, and applications;
    - wherein functional knowledge in IT systems comprises functional and configurability knowledge of the software and hardware and operational rules and settings affecting usage of MCEs of said IT system;
      
      wherein structural knowledge in IT systems comprises information about all MCEs of said IT system and their hierarchical relationships along with their capabilities; and
      
      wherein vulnerability knowledge in IT systems comprises vulnerabilities of MCEs, their interfaces, their hosts and connecting networks.
  - 22. The method of claim 17, wherein security system knowledge comprises any of functional, structural, and vulnerability knowledge;
    - wherein functional knowledge in the security system comprises information regarding operational and legal rules relevant to MCEs and functional and performance information about said security and risk system;
      
      wherein structural knowledge in said security system comprises a mapping of MCEs of operational domains to corresponding MCEs of said IT system and MCEs of said security system, as well as how they are interconnected; and
      
      wherein vulnerability knowledge in said security system comprises vulnerabilities of MCEs as a result of security system weakness.
  - 23. The method of claim 8, wherein for each MCE, in each execution cycle, a security and business risk analysis engine uses business function priority, situational awareness and domain knowledge to identify and analyze overall prioritized risks of said MCE;
    - wherein said security and business risk analysis engine executes only upon changes in at least one of its inputs;
      
      wherein if there is no change in situational awareness or domain knowledge, then no changes are made to prioritized risks for that MCE.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Albeado Inc.
Original Assignee
Albeado Inc.
Inventors
KUMAR, Atluri Bhima Ranjit, AGARWAL, Atul Prakash, REED, Christopher, RAY, Partha Datta

Granted Patent

US 8,856,936 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06Q 10/0635   Risk analysis of enterprise...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

Y04S 40/20   Information technology spec...

PERVASIVE, DOMAIN AND SITUATIONAL-AWARE, ADAPTIVE, AUTOMATED, AND COORDINATED ANALYSIS AND CONTROL OF ENTERPRISE-WIDE COMPUTERS, NETWORKS, AND APPLICATIONS FOR MITIGATION OF BUSINESS AND OPERATIONAL RISKS AND ENHANCEMENT OF CYBER SECURITY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

301 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

PERVASIVE, DOMAIN AND SITUATIONAL-AWARE, ADAPTIVE, AUTOMATED, AND COORDINATED ANALYSIS AND CONTROL OF ENTERPRISE-WIDE COMPUTERS, NETWORKS, AND APPLICATIONS FOR MITIGATION OF BUSINESS AND OPERATIONAL RISKS AND ENHANCEMENT OF CYBER SECURITY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

301 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links