Automated Internet Threat Detection and Mitigation System and Associated Methods
First Claim
1. A computer-implemented system for automated internet threat detection and mitigation, the system comprising:
a centralized database;
a customer database operable with the centralized database;
a threat intelligence subsystem for receiving intelligence data from a plurality of external intelligence sources;
an analytics subsystem communicating with the threat intelligence subsystem for tracking accuracy and relevance of the intelligence data, wherein suspicious patterns are transmitted to the centralized database for use by automatic query security tools in a customer network environment;
a data gathering subsystem for gathering public data from a plurality of website sources sufficient for providing context for the analytics subsystem; and
a portal subsystem comprising at least one of an analyst portal and a customer portal, wherein:
the analyst portal allows analysts to query the customer database and incidents detected resulting from patterns from the threat intelligence segment, the analyst portal further tracks various metrics of analyst performance and provides feedback to the system; and
the customer portal operable for allowing the customer to view the analyst performance metrics as well as customize threat intelligence feeds, local security tools, and descriptions of the customer environment and customer assets, and wherein the customer portal provides information feedback for the system.
Abstract
A risk assessment and managed security system for network users provides security services for dealing with formidable cyber threats, malware creations and phishing techniques. Automated solutions in combination with human-driven solutions establish an always-alert positioning for incident anticipation, mitigation, discovery and response. A proactive, intelligence-driven and customized approach is taken to protect network users. Assessments of threats are made before and after a breach. Cyber threats are identified in advance of a resulting network problem, and automated analysis locates the threats and stops them from having an adverse effect. Humans can focus on the high-level view, instead of looking at every single potential problem area. Troubling patterns may be reviewed within the network environment to identify issues. Cyber analysis is conducted to provide a baseline over time via statistically proven, predictive models that anticipate vulnerabilities brought on by social-media usage, Web surfing and other behaviors that invite risk.
21 Claims
17. A computer-implemented method for automated internet threat detection and mitigation, the method comprising:
providing an analytics subsystem for identifying suspicious patterns of behavior in a customer network environment;
providing a reader processor operable with the analytics subsystem for gathering threat intelligence data from a plurality of threat intelligence sources, including commercial and open-source feeds as well as suspicious patterns identified by the analytics subsystem or specified by an analyst through a portal connection;
normalizing the data by the reader processor and providing a common format;
providing an initial believability factor based only on past performance of the relevant source of the threat intelligence data;
providing a gatekeeper processor operable with the reader processor and the analytics subsystem, the gatekeeper reviewing the normalized intelligence data and comparing the data to past incidents and rules operable by the analytics subsystem for refining the believability factor and severity of each indicator, wherein if the believability factor is too low, the gatekeeper processor will either ask a human to check the data or discard the indicator as unusable and overly likely to generate false positives.
20. A computer-implemented method for detecting and mitigating an internet threat, the method comprising:
collecting a plurality of cyber threat data from a plurality of threat intelligence sources;
weighting the cyber threat data based on past performance by the threat intelligence source providing the data;
normalizing the cyber threat data into a common format;
sorting the cyber threat data by severity and reliability for providing indicators thereof;
distributing the indicators of the cyber threat data to a user system;
evaluating user security tools operating with the user system against the indicators of the cyber threat;
monitoring incidents of the cyber threat;
displaying the incidents;
analyzing the incidents; and
providing a recommended course of action and modification to the user system.
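Claims 17 and 20 both describe the same ingestion pipeline: a reader normalizes records from heterogeneous feeds, each indicator starts with a believability derived only from its source's track record, a gatekeeper refines believability and severity against past incidents and rules, indicators that score too low are either sent for human review or discarded, and what survives is sorted by severity and reliability before distribution. The following is an added Python illustration of that flow, not the patent holder's code; the source names, track-record counts, incident history, feed records, thresholds and the believability formula (Laplace-smoothed precision of the source) are all constructed for the example.

```python
"""Reader / gatekeeper / prioritizer for threat-intelligence indicators.

Illustrative example only. Every source, indicator, count and threshold
below is constructed; the scoring rule is an assumption, not the patent's.
"""
from dataclasses import dataclass

# Constructed per-source track record: (confirmed true positives, false
# positives) from earlier incidents. The INITIAL believability uses only
# this history, as claim 17 requires.
SOURCE_HISTORY = {
    "commercial-feed-a": (90, 10),
    "osint-feed-b": (40, 60),
    "analyst-portal": (8, 2),
}

# Constructed incident history: indicator value -> severities seen when
# that indicator showed up in confirmed incidents.
PAST_INCIDENTS = {
    "203.0.113.7": ["high"],
    "evil.example": ["medium", "high"],
}

LOW_THRESHOLD = 0.30     # below this the gatekeeper discards the indicator
REVIEW_THRESHOLD = 0.50  # between LOW and REVIEW a human must check it

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Indicator:
    source: str
    kind: str            # "ip", "domain", "hash", ...
    value: str
    severity: str        # "low", "medium", "high"
    believability: float = 0.0
    disposition: str = "pending"   # "accept", "review" or "discard"


def initial_believability(source):
    """Laplace-smoothed precision of the source's past indicators (assumed rule)."""
    tp, fp = SOURCE_HISTORY.get(source, (0, 0))
    return (tp + 1) / (tp + fp + 2)


def read(raw_records):
    """Reader: normalize feeds that use different field names into one format."""
    out = []
    for rec in raw_records:
        kind = rec.get("type", rec.get("indicator_type", "")).lower()
        value = rec.get("value", rec.get("ioc", "")).strip().lower()
        sev = rec.get("severity", "medium").lower()
        ind = Indicator(rec["source"], kind, value, sev)
        ind.believability = initial_believability(ind.source)
        out.append(ind)
    return out


def gatekeep(indicators):
    """Gatekeeper: refine believability/severity from past incidents and rules."""
    for ind in indicators:
        seen = PAST_INCIDENTS.get(ind.value, [])
        if seen:
            # Corroborated by past incidents: raise believability and never
            # rate it below the worst severity previously observed.
            ind.believability = min(1.0, ind.believability + 0.1 * len(seen))
            worst = max(seen, key=SEVERITY_RANK.__getitem__)
            if SEVERITY_RANK[worst] > SEVERITY_RANK[ind.severity]:
                ind.severity = worst
        # Analytics rule: private/loopback addresses are never actionable
        # and would only generate false positives.
        if ind.kind == "ip" and ind.value.startswith(("10.", "192.168.", "127.")):
            ind.believability = 0.0
        if ind.believability < LOW_THRESHOLD:
            ind.disposition = "discard"
        elif ind.believability < REVIEW_THRESHOLD:
            ind.disposition = "review"
        else:
            ind.disposition = "accept"
    return indicators


def prioritize(indicators):
    """Claim 20 step: accepted indicators sorted by severity, then reliability."""
    accepted = [i for i in indicators if i.disposition == "accept"]
    return sorted(accepted,
                  key=lambda i: (SEVERITY_RANK[i.severity], i.believability),
                  reverse=True)


# Constructed feed records; note the two differing field layouts.
RAW_FEEDS = [
    {"source": "commercial-feed-a", "type": "IP", "value": "203.0.113.7", "severity": "medium"},
    {"source": "osint-feed-b", "indicator_type": "domain", "ioc": "Evil.Example ", "severity": "low"},
    {"source": "osint-feed-b", "indicator_type": "ip", "ioc": "198.51.100.23", "severity": "high"},
    {"source": "analyst-portal", "type": "hash", "value": "sha256-placeholder-0001", "severity": "high"},
    {"source": "commercial-feed-a", "type": "ip", "value": "10.0.0.5", "severity": "high"},
]


def run_pipeline(raw=RAW_FEEDS):
    """Reader -> gatekeeper -> prioritized list ready for distribution."""
    return prioritize(gatekeep(read(raw)))


if __name__ == "__main__":
    for ind in run_pipeline():
        print(f"{ind.severity:6} {ind.believability:.2f} {ind.kind:6} {ind.value}")
```

With the constructed data, the low-precision OSINT feed's uncorroborated IP lands in the human-review queue, its domain that past incidents already confirmed is accepted with its severity raised, and the private address is discarded regardless of how its source performed.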
21. A computer-implemented method for automatically securing a network against threats, the method comprising:
collating data feeds for sending through a scanning system;
scanning the data feeds based on preselected categories by determining the type of information discerned from each data feed;
tagging data from the data feed scanning and providing extended data pieces by adding context surrounding threats including at least one of geophysical, customer verticals, operating system, adversary campaigns, and a combination thereof;
storing the tagged data into at least one of a relational database and a NoSQL database, wherein the storing is based on contextual tags and link analysis between contextual categories assigned to the data pieces;
automatically scanning multiple different programs based on enterprise tools for taking contextual threat data pieces and projecting the contextual threat data pieces into enterprise tools using application programming interfaces;
automatically discovering a match for at least one of the threat data pieces to the tagged data; and
sending an alert to a security information and event manager (SIEM).
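Claim 21 is a different pipeline from claims 17 and 20: feed lines are scanned against preselected context categories, each indicator is tagged with that context, the tagged data is stored so that indicators can be linked through shared tags, data pulled from enterprise tools is projected onto the same indicator types, and a match raises a SIEM alert. The Python below is an added illustration of those steps and is not the patent holder's code; the feed line format, the category vocabulary, the EDR and firewall snapshots, and the CEF-style alert layout are all constructed assumptions.

```python
"""Context tagging, tag-linked storage, enterprise-tool matching, SIEM alert.

Illustrative example only. Feed lines, categories, tool snapshots and the
alert format are constructed; no real product's API or schema is implied.
"""
import re
from collections import defaultdict

# Preselected context categories and the tag values accepted for each.
CATEGORIES = {
    "geo": {"apac", "emea", "na"},
    "vertical": {"finance", "healthcare", "energy"},
    "os": {"windows", "linux", "macos"},
    "campaign": {"campaign-x", "campaign-y"},
}

# Constructed feed lines in key=value form, as a collating scanner might emit.
FEED_LINES = [
    "ioc=203.0.113.7 type=ip geo=emea vertical=finance os=windows campaign=campaign-x",
    "ioc=Evil.Example type=domain geo=apac vertical=finance",
    "ioc=198.51.100.23 type=ip os=linux vertical=energy",
]

KV = re.compile(r"(\w+)=(\S+)")


def scan(line):
    """Scan one feed line; keep only tag values from the preselected categories."""
    fields = dict(KV.findall(line))
    rec = {"ioc": fields["ioc"].lower(), "type": fields["type"].lower(), "tags": {}}
    for cat, allowed in CATEGORIES.items():
        val = fields.get(cat, "").lower()
        if val in allowed:
            rec["tags"][cat] = val
    return rec


class TaggedStore:
    """In-memory stand-in for the tagged-data store: indexed by value and by tag."""

    def __init__(self):
        self.by_value = {}
        self.by_tag = defaultdict(set)

    def put(self, rec):
        self.by_value[rec["ioc"]] = rec
        for cat, val in rec["tags"].items():
            self.by_tag[(cat, val)].add(rec["ioc"])

    def linked(self, ioc):
        """Link analysis: other indicators sharing at least one context tag."""
        out = set()
        for cat, val in self.by_value[ioc]["tags"].items():
            out |= self.by_tag[(cat, val)]
        out.discard(ioc)
        return out


# Constructed snapshots as two enterprise tools' APIs might return them.
EDR_HOSTS = [
    {"host": "fin-ws-01", "os": "windows", "dns_queries": ["evil.example", "intranet.example"]},
    {"host": "ops-srv-07", "os": "linux", "dns_queries": ["updates.example"]},
]
FIREWALL_FLOWS = [
    {"host": "fin-ws-01", "dst_ip": "203.0.113.7"},
    {"host": "ops-srv-07", "dst_ip": "198.51.100.23"},
]


def observations(edr=EDR_HOSTS, fw=FIREWALL_FLOWS):
    """Project tool-specific records onto (host, indicator type, value) tuples."""
    for h in edr:
        for q in h["dns_queries"]:
            yield h["host"], "domain", q.lower()
    for f in fw:
        yield f["host"], "ip", f["dst_ip"]


def cef(rec, host):
    """Render a CEF-style alert line for the SIEM (layout is an assumption)."""
    ctx = " ".join(f"{k}={v}" for k, v in sorted(rec["tags"].items()))
    return (f"CEF:0|example|ti-matcher|1.0|match|{rec['type']} match|7|"
            f"shost={host} ioc={rec['ioc']} {ctx}")


def match_and_alert(store, obs):
    """Alert when an observed value matches a stored indicator of the same type."""
    return [cef(store.by_value[value], host)
            for host, kind, value in obs
            if value in store.by_value and store.by_value[value]["type"] == kind]


def run(lines=FEED_LINES):
    store = TaggedStore()
    for line in lines:
        store.put(scan(line))
    return store, match_and_alert(store, observations())


if __name__ == "__main__":
    _, alerts = run()
    print("\n".join(alerts))
```

The tag index is what makes the stored context useful beyond a plain block list: once the finance-sector indicators are linked, an analyst triaging one alert can pull the others that share the same vertical or campaign without re-scanning the feeds.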
Specification