SYSTEM AND METHOD EMPLOYING STRUCTURED INTELLIGENCE TO VERIFY AND CONTAIN THREATS AT ENDPOINTS

US 20140344926A1
Filed: 03/17/2014
Published: 11/20/2014
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A computerized method to identify potentially malicious code at an endpoint in a network, the method comprising the steps of:

via a threat monitor;

monitoring network data;

extracting at least one set of network data;

processing the at least one set of network data to generate a report;

via a verifier including an agent coordinator, issuing at least one of (i) instructions, and (ii) indicators to an endpoint agent based on the report; and

processing, via the endpoint agent, the at least one of (i) instructions, and (ii) indicators to generate verification information.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method to detect and contain threatening executable code by employing a threat monitor, verifier, endpoint agent, and a security information and event management module.

249 Citations

46 Claims

1. A computerized method to identify potentially malicious code at an endpoint in a network, the method comprising the steps of:
- via a threat monitor;
  
  monitoring network data;
  
  extracting at least one set of network data;
  
  processing the at least one set of network data to generate a report;
  
  via a verifier including an agent coordinator, issuing at least one of (i) instructions, and (ii) indicators to an endpoint agent based on the report; and
  
  processing, via the endpoint agent, the at least one of (i) instructions, and (ii) indicators to generate verification information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The computerized method according to claim 1, wherein the verification information includes audit data.
  - 3. The computerized method according to claim 2, wherein the audit data includes hit data.
  - 4. The computerized method according to claim 1, further comprising the step of:
    - providing the verification information to the verifier.
  - 5. The computerized method according to claim 4, further comprising the step of:
    - processing, via the verifier, the verification information to determine whether it indicates a verified threat.
  - 6. The computerized method according to claim 4, wherein the verification information is processed via the verifier by comparing the verification information to at least one of (a) data obtained from another endpoint, and (b) data obtained from a SIEM.
  - 7. The computerized method according to claim 1, wherein the report includes structured threat intelligence.
  - 8. The computerized method according to claim 1, further comprising the step of:
    - providing the verification information to at least one of (a) the verifier, (b) a SIEM, and (c) the threat monitor.
  - 9. The computerized method according to claim 1, wherein the processing of the at least one set of network data is performed by an analyzer of the threat monitor.
  - 10. The computerized method according to claim 9, wherein the analyzer is a static analyzer.
  - 11. The computerized method according to claim 9, wherein the analyzer is a dynamic analyzer.
  - 12. The computerized method according to claim 1, further comprising the step of:
    - processing the report via a report analyzer of the verifier to generate the at least one of (i) instructions and (ii) indicators.
  - 13. The computerized method according to claim 1, wherein the processing of the at least one of (i) instructions and (ii) indicators is performed via an audit module that generates audit data.
  - 14. The computerized method according to claim 13, further comprising the step of:
    - storing the audit data in a buffered storage module.
  - 15. The computerized method according to claim 13, wherein the audit data is processed by an indicator matcher to produce the verification information.
  - 16. The computerized method according to claim 1, further comprising the step of:
    - changing the configuration of the threat monitor based on the verification information.
  - 17. The computerized method according to claim 1, further comprising the step of:
    - performing a containment action on the endpoint via the endpoint agent based on the verification information.
  - 18. The computerized method according to claim 17, wherein the containment action is taken by a containment agent of the endpoint agent.
  - 19. The computerized method according to claim 18, wherein the containment agent is installed on the endpoint pursuant to instructions contained in a containment package configured by the agent coordinator.

20. A system operable to identify potentially malicious code on an endpoint in a network, the system comprising:
- a threat monitor operable to monitor network data, to extract at least one set of network data, and to process the at least one set of network data to generate a report; and
  
  a verifier including an agent coordinator operable to issue at least one of (i) instructions and (ii) indicators to an endpoint agent based on the report;
  
  wherein,the endpoint agent is operable to process the at least one of (i) instructions and (ii) indicators to generate verification information.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 21. The system according to claim 20, wherein the verifier is operable to process the verification information to determine whether it indicates a verified threat.
  - 22. The system according to claim 20,wherein,the report includes structured threat intelligence, andthe verifier is operable to process the structured threat intelligence to issue the at least one of (i) instructions and (ii) indicators.
  - 23. The system according to claim 20, wherein the threat monitor includes an analyzer configured to process the at least one set of network data.
  - 24. The system according to claim 23, wherein the analyzer is a static analyzer.
  - 25. The system according to claim 23, wherein the analyzer is a dynamic analyzer.
  - 26. The system according to claim 20, wherein the verifier includes a report analyzer operable to generate the at least one of (i) instructions and (ii) indicators.
  - 27. The system according to claim 20, wherein the endpoint agent includes an audit module operable to process the at least one of (i) instructions and (ii) indicators to generate audit data.
  - 28. The system according to claim 27, wherein the endpoint agent includes a buffered storage module operable to store the audit data.
  - 29. The system according to claim 27, wherein the endpoint agent includes an indicator matcher operable to process audit data to produce the verification information.
  - 30. The system according to claim 20, wherein the endpoint agent includes a containment agent operable to perform a containment action based on the verification information.
  - 31. The system according to claim 30, wherein the containment agent is installed on the endpoint pursuant to instructions contained in a containment package configured by the agent coordinator based on the verification information.

32. A system operable to identify potentially malicious code on an endpoint in a network, the system comprising:
- a controller configured to manage,(i) a threat monitor operable to monitor network data, to extract at least one set of network data, and to process the at least one set of network data to generate a report, and(ii) a verifier including an agent coordinator operable to issue at least one of (i) instructions and (ii) indicators to an endpoint agent based on the report,wherein,the endpoint agent is operable to process the at least one of (i) instructions and (ii) indicators to generate verification information.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 33. The system according to claim 32, wherein the verifier is operable to process the verification information to determine whether it indicates a verified threat.
  - 34. The system according to claim 32,wherein,the report includes structured threat intelligence, andthe verifier is operable to process the structured threat intelligence to issue the at least one of (i) instructions and (ii) indicators.
  - 35. The system according to claim 32, wherein the threat monitor includes an analyzer configured to process the at least one set of network data.
  - 36. The system according to claim 35, wherein the analyzer is a static analyzer.
  - 37. The system according to claim 35, wherein the analyzer is a dynamic analyzer.
  - 38. The system according to claim 32, wherein the verifier includes a report analyzer operable to generate the at least one of (i) instructions and (ii) indicators.
  - 39. The system according to claim 32, wherein the endpoint agent includes an audit module operable to process the at least one of (i) instructions and (ii) indicators to generate audit data.
  - 40. The system according to claim 39, wherein the endpoint agent includes a buffered storage module operable to store the audit data.
  - 41. The system according to claim 39, wherein the endpoint agent includes an indicator matcher operable to process audit data to produce the verification information.
  - 42. The system according to claim 32, wherein the endpoint agent includes a containment agent operable to perform a containment action based on the verification information.
  - 43. The system according to claim 42, wherein the containment agent is installed on the endpoint pursuant to instructions contained in a containment package configured by the agent coordinator based on the verification information.
  - 44. The system according to claim 32,wherein,the controller is communicatively coupled to the threat monitor and the verifier via a communication network, andthe system further includes a SIEM managed by the controller that correlates verification information with intelligence gathered from at least one of (i) the endpoint agent, (ii) other endpoints, and (iii) other threat monitoring systems.
  - 45. The system according to claim 32, further comprising:
    - an agent coordinator of the verifier,wherein,at least one of (i) the threat monitor and (ii) the agent coordinator is stored at a memory location on the endpoint.
  - 46. The system according to claim 32, further comprising:
    - an agent coordinator of the verifier,wherein,at least one of (i) the threat monitor and (ii) the agent coordinator is stored at a middleware layer communicatively coupled to a communication network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Cunningham, Sean, Nardone, Joseph, Dana, Robert, Faber, Joseph, Arunski, Kevin

Granted Patent

US 9,413,781 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/126   the source of the received ...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

SYSTEM AND METHOD EMPLOYING STRUCTURED INTELLIGENCE TO VERIFY AND CONTAIN THREATS AT ENDPOINTS

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

249 Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD EMPLOYING STRUCTURED INTELLIGENCE TO VERIFY AND CONTAIN THREATS AT ENDPOINTS

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

249 Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links