SYSTEMS, METHODS, AND DEVICES FOR IMPROVED CYBERSECURITY

US 20160127417A1
Filed: 10/28/2015
Published: 05/05/2016
Est. Priority Date: 10/29/2014
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

sending a risk assessment template to a user device;

receiving a response to the risk assessment template comprising a list of one or more assets;

determining a score for each of the one or more assets based on the response;

determining a network security policy based on the response and the scores using a network security policy computer knowledge base;

determining a network system design based on the network security policy and the response;

determining at least one hardware element and at least one software element based on the network security policy;

determining commands based on the at least one hardware element, the at least one software element, and the network security policy; and

transmitting, using one or more processors, the commands to a security appliance corresponding to the at least one hardware element, whereby the commands cause the security appliance to execute one or more machine-readable rules and security processes corresponding to the network security policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments relate to systems, devices, and computing-implemented methods for initiating a secure network communication system using a response to a risk assessment template and one or more computer knowledge bases to determine a network security policy, network security controls, hardware and software devices, and commands for the hardware and software devices. Embodiments also relate to systems, devices, and computing-implemented methods for monitoring the secure network communication system by monitoring communications from user devices, determining to hold communications based on the network security policy, notifying users of held communications, and allowing the users, via their user devices, to adjust the network security policy for overridable controls to authorize held communications.

Citations

26 Claims

1. A method comprising:
- sending a risk assessment template to a user device;
  
  receiving a response to the risk assessment template comprising a list of one or more assets;
  
  determining a score for each of the one or more assets based on the response;
  
  determining a network security policy based on the response and the scores using a network security policy computer knowledge base;
  
  determining a network system design based on the network security policy and the response;
  
  determining at least one hardware element and at least one software element based on the network security policy;
  
  determining commands based on the at least one hardware element, the at least one software element, and the network security policy; and
  
  transmitting, using one or more processors, the commands to a security appliance corresponding to the at least one hardware element, whereby the commands cause the security appliance to execute one or more machine-readable rules and security processes corresponding to the network security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the response to the risk assessment template further comprises a list of one or more personnel corresponding to the one or more assets.
  - 3. The method of claim 1, further comprising determining one or more network security controls based on the network security policy and the response using a network security controls computer knowledge base, wherein the commands are further based on the network security controls.
  - 4. The method of claim 1, wherein determining the network system design comprises using a network system design computer knowledge base to determine one or more virtual domains corresponding to the one or more assets and clustering the one or more virtual domains based on the one or more assets and one or more personnel.
  - 5. The method of claim 1, further comprising testing the security appliance using a testing computer knowledge base by:
    - sending one or more communications to the security appliance;
      
      receiving one or more responses from the security appliance; and
      
      comparing the one or more responses to the network security policy to determine whether the security appliance passes the testing; and
      
      storing results of the comparing in a database.
  - 6. The method of claim 5, further comprising:
    - determining that the security appliance passes the testing; and
      
      sending commands to the security appliance to begin operations.
  - 7. The method of claim 5, further comprising:
    - determining that the security appliance does not pass the testing; and
      
      sending a communication to a device to schedule a fix of the security appliance.
  - 8. The method of claim 1, further comprising:
    - receiving indications of user device events from the security appliance; and
      
      storing the indications of user device events in a primary instance of a distributed database, wherein security appliances comprise second level instances of the distributed database, network and user devices comprise third level instances of the distributed database, the instances of the distributed database store data used to command security appliances, and the data comprises threat intelligence and security events.

9. A method executed by a security appliance, comprising:
- receiving commands corresponding to a network security policy;
  
  executing the commands to establish one or more network security rules;
  
  receiving, from a user device, information corresponding to user device events, wherein the user device comprises an instance of a distributed database;
  
  storing the information in a second instance of the distributed database;
  
  receiving a communication from the user device;
  
  comparing the communication to the one or more network security rules and the information corresponding to the user device events in the second instance of the distributed database;
  
  determining to hold the communication based on the comparing;
  
  transmitting an indication of a network security event based on determining to hold the communication;
  
  receiving a command in response to the transmitting; and
  
  executing the command, using one or more processors, wherein the command causes the security appliance to block or allow the communication.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 10. The method of claim 9, wherein the communication includes a network data packet.
  - 11. The method of claim 9, wherein comparing the communication to the one or more network security rules and the information corresponding to the user device events in the second instance of the distributed database comprises correlating the communication to the user device events.
  - 12. The method of claim 9, further comprising holding the communication for subsequent release within a session.
  - 13. The method of claim 9, further comprising:
    - holding the communication by storing information corresponding to the communication;
      
      ending a session associated with the communication; and
      
      recreating and transmitting the communication in response to the command comprising instructions to allow the communication.
  - 14. The method of claim 9, wherein:
    - the command comprises instructions to always allow the communication; and
      
      executing the command comprises transmitting the communication and adjusting the network security rules to always allow communications similar to the communication.
  - 15. The method of claim 9, wherein:
    - the command comprises instructions to allow the communication for a set period of time; and
      
      executing the command comprises transmitting the communication and adjusting the network security rules to allow communications similar to the communication for the set period of time.
  - 16. The method of claim 9, wherein:
    - the command comprises instructions to block the communication; and
      
      executing the command comprises adjusting the network security rules to block communications similar to the communication.
  - 17. The method of claim 9, wherein:
    - the communication comprises an indication that the user device is attempting to access a website with a missing certificate; and
      
      executing the command comprises;
      
      attempting to find the missing certificate on the Internet; and
      
      sending a notification to a user device, wherein the notification causes the user device to display an indication of the missing certificate and display a selection option on whether to authorize or deny access to the website.
  - 18. The method of claim 9, wherein the user device events comprise key words counts from one or more communications by the user device in a session, the method further comprising:
    - accumulating the key word counts into a session count for the session;
      
      accumulating the session count into a daily count and initializing the session count to zero;
      
      accumulating the daily count into a monthly count and initializing the daily count to zero;
      
      accumulating the monthly count into a yearly count and initializing the monthly count to zero, wherein the daily count, the monthly count, and the yearly count are used to establish normal user behavior; and
      
      detecting an anomaly in user behavior based on at least one of the daily count, the monthly count, and the yearly count.
  - 19. The method of claim 9, wherein the user device events comprise internet protocol (IP) address destination counts from one or more communications by the user device, the method further comprising:
    - accumulating the IP address destination counts into a daily count;
      
      accumulating the daily count into a monthly count and initializing the daily count to zero;
      
      accumulating the monthly count into a yearly count and initializing the monthly count to zero, wherein the daily count, the monthly count, and the yearly count are used to establish normal user behavior; and
      
      detecting an anomaly in user behavior based on at least one of the daily count, the monthly count, and the yearly count.
  - 20. The method of claim 9, further comprising receiving, from the user device, instructions to enable notifications based on network security events.

21. A method comprising:
- receiving an indication of a network security event from a security appliance;
  
  comparing the network security event to information in a network security database;
  
  determining to notify a user based on the comparing;
  
  determining, using one or more processors, a user device to notify based on a user authorization hierarchy and an asset corresponding to the network security event;
  
  sending a notification to the user device, wherein the notification causes the user device to display an indication of the network security event and display a selection option on whether to allow or block a communication;
  
  receiving a response from the user device;
  
  determining commands based on the response; and
  
  transmitting the commands to the security appliance.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The method of claim 21, wherein the notification includes an option to provide more information about the network security event to the user.
  - 23. The method of claim 21, wherein the response comprises instructions from the user to allow communications similar to a communication associated with the network security event for a set period of time.
  - 24. The method of claim 21, wherein the response comprises instructions from the user to always allow communications similar to a communication associated with the network security event.
  - 25. The method of claim 21, wherein the response comprises instructions from the user to block a communication associated with the network security event.
  - 26. The method of claim 21, further comprising adding an indication of the network security event, an indication of the user device, an indication of the response from the user device, and information corresponding to a user'"'"'s digital certificate for non-repudiation of the response to a log.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SeCaaS Inc.
Original Assignee
SeCaaS Inc.
Inventors
Janssen, Terry L.

Application Number

US14/925,730
Publication Number

US 20160127417A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

SYSTEMS, METHODS, AND DEVICES FOR IMPROVED CYBERSECURITY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS, METHODS, AND DEVICES FOR IMPROVED CYBERSECURITY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links