SYSTEMS AND METHODS FOR THREAT IDENTIFICATION AND REMEDIATION
Abstract
Instrumented networks and platforms having target subjects (devices, transactions, services, users, organizations) are disclosed. A security orchestration service generates runtime operational integrity profiles representing and identifying a level of threat or contextual trustworthiness, at near real time, of subjects and applications on the instrumented target platform. Systems and methods for threat identification and remediation for computing platforms based upon reconnaissance-based intelligence correlation and network/application monitoring are disclosed. In an embodiment, a method provides runtime operational integrity of a system by receiving: a dynamic context including endpoint events; and network endpoint assessments. The method generates temporal events based on the network endpoint assessments and correlates the endpoint events and temporal events before generating an integrity profile for the system. In another embodiment, flow level remediation is provided to isolate infected or compromised systems from a computing network fabric using a network trust agent, an endpoint trust agent, and a trust orchestrator.
20 Claims
1. A method of providing an attestation service for providing runtime operational integrity of a system using a computing platform comprising a network trust agent, an endpoint trust agent, and a trust orchestration server, the method comprising:
- receiving, at the trust orchestration server, a dynamic context including endpoint events;
- analyzing, by the trust orchestration server, the received endpoint events;
- receiving network endpoint assessments;
- generating temporal events based at least in part on analyzing the network endpoint assessments;
- correlating the received endpoint events and the generated temporal events; and
- generating an integrity profile for the system.
Dependent claims: 2, 3, 4, 5, 6, 7, 14, 15, 16.
8. A method of providing flow level remediation to isolate infected or compromised systems and platforms from a computing network fabric using a network trust agent, an endpoint trust agent, and a trust orchestrator, the method comprising:
- generating, by the endpoint trust agent, runtime system integrity alerts regarding execution anomalies and risks based on rulesets and a calculus of risk;
- sending, by the endpoint trust agent, runtime system integrity warnings as endpoint events to the trust orchestrator;
- generating, by the trust orchestrator, a system integrity profile for the endpoint based on analysis of the received endpoint events;
- processing and correlating, by the trust orchestrator, one or more of:
  - a system integrity profile generated based on a calculus of risk,
  - a plurality of temporal events generated based on a normalization and collation of elements in endpoint assessment reports received from a plurality of collaboration services, and
  - a system infection profile received from a network analyzer;
- sending, by the trust orchestrator to the network trust agent, system warnings based on endpoint execution state assessments; and
- sending, by the network trust agent, messages or directives to OpenFlow security frameworks and/or controllers to apply flow controls based on the received execution state as a threat posture of a connection endpoint.
Dependent claims: 9, 10, 11, 12, 13, 17, 18, 19.
20. A system for providing runtime operational integrity by determining execution anomalies and a threat posture of applications executing on computing platforms including mobile devices and client-server systems, the system comprising:
- an endpoint trust agent including:
  - a process monitor configured to observe local execution context of the applications,
  - a socket monitor configured to observe network activities of the applications, and
  - a resource utilization module monitor configured to observe system and platform resources consumed by the applications; and
  - an application integrity module configured to assess operational integrities of the computing platforms based on a ruleset;
  wherein native machine instrumentation for the computing platform is configured to:
  - represent event subscriptions, callbacks, notification mechanisms provided by an operating system (OS) on the computing platforms, and
  - generate raw events;
- extended trust instrumentation;
- a runtime monitor configured to:
  - subscribe to and receive near real time asynchronous notifications of application events for the applications from the extended trust instrumentation, and
  - generate and send dynamic expressions or rules as application filters linked to running instances of the applications;
- a system event correlator configured to correlate system events of the computing platforms to determine a calculus of risk;
- a trust orchestrator configured to orchestrate actionable intelligence based on the calculus of risk by integrating security intelligence about the computing platforms and the applications; and
- an endpoint trust sensor configured to measure runtime operational integrity of the computing platforms by evaluating risk based on actions of an application executing on, or a user of, the computing platforms and receiving the raw events from the native machine instrumentation.
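As an added illustration of the correlation pipeline in claims 8 and 20 (example code written here, not an implementation from the patent, which specifies none), the following Python models a trust orchestrator that applies a ruleset-based calculus of risk to endpoint events, normalizes differently shaped collaboration-service assessment reports into temporal events, correlates them with the endpoint events inside a time window together with a network-analyzer infection profile, and lets a network trust agent map the resulting threat posture to a flow-control action. All event schemas, rule weights, thresholds, sample data and action names are assumptions.

```python
# Constructed sample inputs (assumptions, not from the patent).
RULESET = {"unsigned_module_load": 3, "suspicious_outbound": 4, "cpu_spike": 1}  # risk weight per rule
ENDPOINT_EVENTS = [  # runtime integrity warnings sent by the endpoint trust agent
    {"endpoint": "host-a", "ts": 100, "rule": "unsigned_module_load"},
    {"endpoint": "host-a", "ts": 130, "rule": "suspicious_outbound"},
    {"endpoint": "host-b", "ts": 105, "rule": "cpu_spike"},
]
ASSESSMENT_REPORTS = [  # heterogeneous reports from collaboration services
    {"source": "vuln-scanner", "host": "host-a", "time": 90, "severity": "high"},
    {"source": "patch-mgr", "device": "host-b", "when": 120, "level": 2},
]
INFECTION_PROFILE = {"host-a": 0.8}  # network analyzer: estimated infection likelihood
WINDOW = 60  # seconds; a temporal event correlates with an endpoint event inside this window


def normalize(report):
    """Collate one assessment report into the common temporal-event schema."""
    endpoint = report.get("host") or report.get("device")
    ts = report.get("time", report.get("when"))
    sev = {"low": 1, "medium": 2, "high": 3}.get(report.get("severity"), report.get("level", 0))
    return {"endpoint": endpoint, "ts": ts, "severity": sev}


def calculus_of_risk(events):
    """Sum the ruleset weights of the endpoint events (assumed scoring model)."""
    return sum(RULESET.get(e["rule"], 0) for e in events)


def integrity_profile(endpoint):
    """Trust orchestrator: correlate endpoint, temporal and infection inputs into a threat posture."""
    ep_events = [e for e in ENDPOINT_EVENTS if e["endpoint"] == endpoint]
    temporal = [normalize(r) for r in ASSESSMENT_REPORTS]
    correlated = [t for t in temporal if t["endpoint"] == endpoint
                  and any(abs(t["ts"] - e["ts"]) <= WINDOW for e in ep_events)]
    score = (calculus_of_risk(ep_events) + sum(t["severity"] for t in correlated)
             + 5 * INFECTION_PROFILE.get(endpoint, 0.0))
    posture = "compromised" if score >= 8 else "suspect" if score >= 3 else "trusted"
    return {"endpoint": endpoint, "score": score, "posture": posture}


def flow_directive(profile):
    """Network trust agent: map posture to a flow-control action (abstract, not OpenFlow wire format)."""
    action = {"compromised": "quarantine", "suspect": "rate_limit", "trusted": "allow"}
    return {"endpoint": profile["endpoint"], "action": action[profile["posture"]]}


if __name__ == "__main__":
    for host in ("host-a", "host-b", "host-c"):
        print(integrity_profile(host), flow_directive(integrity_profile(host)))
```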
Specification