SYSTEM AND METHOD FOR REAL-TIME REMEDIATION RESPECTIVE OF SECURITY INCIDENTS

US 20160149938A1
Filed: 11/25/2015
Published: 05/26/2016
Est. Priority Date: 11/26/2014
Status: Active Grant

First Claim

Patent Images

1. A method of remediating at least one security incident in a computer network, comprising:

identifying, by a computer, said at least one security incident in the computer network based on forensic data;

identifying, by the computer, at least one resource affected by the security incident based on the identified security incident;

suspending the at least one identified resource; and

storing the identified at least one resource in a separate memory that is not connected to the computer network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, an apparatus, and a method thereof identifies at least one security threat in an enterprise'"'"'s network. The system characterizes sources affected by the security threat within the enterprise'"'"'s network. The identification of the sources affected by the security threat is made based on the forensic data extracted by the system. The system then suspends the affected sources. The system also stores the affected sources in a separate memory to prevent execution thereof.

16 Citations

View as Search Results

20 Claims

1. A method of remediating at least one security incident in a computer network, comprising:
- identifying, by a computer, said at least one security incident in the computer network based on forensic data;
  
  identifying, by the computer, at least one resource affected by the security incident based on the identified security incident;
  
  suspending the at least one identified resource; and
  
  storing the identified at least one resource in a separate memory that is not connected to the computer network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - receiving, by a computer from at least one user device, the forensic data regarding the security incident collected by said at least one user device,wherein the at least one security incident is identified based on the received forensic data, andwherein the forensic data comprises attributes of an event that is outside normal functioning of the at least one user device.
  - 3. The method of claim 1, wherein the separate memory is accessible only by the computer and is inaccessible to the at least one user device.
  - 4. The method of claim 1, wherein the storing the at least one affected resource comprises storing a data structure which comprises a first field which identifies a type of the affected resource, a second field which comprises attributes of the affected resource, and a third field, which indicates location from where the affected resource was extracted, and a fourth field indicating whether the affected resource is suspended in a respective device.
  - 5. The method of claim 4, wherein the affected resource comprises at least one of an application, an applet, a plug in, a script, an executable file, a process executed by the respective device, an operating system, and a device.
  - 6. The method of claim 1, wherein the suspending the at least one identified resource comprises removing at least one of a portion of the identified resource from a location occupied by the identified resource at the time of the security incident and moving the removed portion to the external memory.
  - 7. The method of claim 6, wherein the removed portion comprises at least one of:
    - an executable file of an application, an essential file of the application, and the application.
  - 8. The method of claim 1, wherein the identified resource is a user device and wherein the suspending comprises disconnecting the user device from the computer network.
  - 9. The method of claim 1, wherein the computer network comprises at least one of a local area network, a private network, a public network, a wide area network, metro area network (MAN), and internet.
  - 10. The method of claim 1 further comprising outputting a notification indicating that the security incident occurred and identifying the suspended resources.
  - 11. A non-transitory computer readable medium storing executable instructions for implementing the method of claim 1.

12. An apparatus of remediating at least one security incident in a computer network, comprising:
- a memory configured to store computer-executable instructions;
  
  a processor configured to execute the stored instructions, which when executed configure the processor to;
  
  identify said at least one security incident in the computer network based on forensic data;
  
  identify at least one resource affected by the security incident based on the identified security incident;
  
  suspend the at least one identified resource; and
  
  store the identified at least one resource in a separate memory that is not connected to the computer network.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The apparatus of claim 12, wherein the processor is further configured to receive, from at least one user device, the forensic data regarding the security incident collected by said at least one user device, wherein the at least one security incident is identified based on the received forensic data, and wherein the forensic data comprises attributes of an event that is outside normal functioning of the at least one user device.
  - 14. The apparatus of claim 12, wherein the separate memory is accessible only by the computer and is inaccessible to the at least one user device.
  - 15. The apparatus of claim 12, wherein the processor configured to store the at least one affected resource comprises storing a data structure which comprises a first field which identifies a type of the affected resource, a second field which comprises attributes of the affected resource, and a third field, which indicates location from where the affected resource was extracted, and a fourth field indicating whether the affected resource is suspended in a respective device.
  - 16. The apparatus of claim 15, wherein the affected resource comprises at least one of an application, an applet, a plug in, a script, an executable file, a process executed by the respective device, an operating system, and a device.
  - 17. The apparatus of claim 12, wherein the processor suspending the at least one identified resource comprises removing at least one of a portion of the identified resource from a location occupied by the identified resource at the time of the security incident and moving the removed portion to the external memory.
  - 18. The apparatus of claim 17, wherein the removed portion comprises at least one of:
    - an executable file of an application, an essential file of the application, and the application.
  - 19. The apparatus of claim 12, wherein the identified resource is a user device and wherein the processor suspending the user device comprises disconnecting the user device from the computer network.
  - 20. The apparatus of claim 12, further comprising:
    - a display configured to output a notification indicating that the security incident occurred and identify the suspended resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Cyber Secdo, Ltd.
Inventors
BARAK, Gil, MORAG, Shai

Granted Patent

US 10,616,245 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

SYSTEM AND METHOD FOR REAL-TIME REMEDIATION RESPECTIVE OF SECURITY INCIDENTS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR REAL-TIME REMEDIATION RESPECTIVE OF SECURITY INCIDENTS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links