CONTAINMENT OF SECURITY THREATS WITHIN A COMPUTING ENVIRONMENT

US 20160164908A1
Filed: 03/31/2015
Published: 06/09/2016
Est. Priority Date: 12/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method of operating an advisement system to provide security actions in a computing environment, the method comprising:

identifying communication interactions between a plurality of computing assets in the computing environment;

after identifying the communication interactions, identifying a security incident in a first computing asset in the plurality of computing assets;

determining at least one security action to be taken against the security incident in the first computing asset;

identifying at least one related computing asset to the first computing asset based on the communication interactions; and

determining one or more secondary security actions to be taken against the security incident in the at least one related computing asset.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and software described herein provide for identifying and implementing security actions within a computing environment. In one example, a method of operating an advisement system to provide security actions in a computing environment includes identifying communication interactions between a plurality of computing assets and, after identifying the communication interactions, identifying a security incident in a first computing asset. The method further provides identifying at least one related computing asset to the first asset based on the communication interactions, and determining the security actions to be taken in the first computing asset and the related computing asset.

Citations

20 Claims

1. A method of operating an advisement system to provide security actions in a computing environment, the method comprising:
- identifying communication interactions between a plurality of computing assets in the computing environment;
  
  after identifying the communication interactions, identifying a security incident in a first computing asset in the plurality of computing assets;
  
  determining at least one security action to be taken against the security incident in the first computing asset;
  
  identifying at least one related computing asset to the first computing asset based on the communication interactions; and
  
  determining one or more secondary security actions to be taken against the security incident in the at least one related computing asset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein determining the at least one security action to be taken against the security incident in the first computing asset comprises determining at least one default security action to be taken against the security incident in the first computing asset based on enrichment information obtained for the security incident and a criticality rating for the first computing asset.
  - 3. The method of claim 2 wherein the enrichment information comprises information obtained from one or more internal and external databases.
  - 4. The method of claim 1 wherein determining the at least one security action to be taken against the security incident in the first computing asset comprises:
    - identifying one or more suggested security actions to be supplied to an administrator based on enrichment information obtained for the security incident and a criticality rating for the first computing asset; and
      
      identifying a selected security action by the administrator.
  - 5. The method of claim 1 wherein identifying the communication interactions between the plurality of computing assets in the computing environment comprises receiving communication reports indicating data communication flow for the plurality of computing assets in the computing environment.
  - 6. The method of claim 1 wherein the security action comprises an action to prevent outgoing communications from the first computing asset, and wherein the secondary security actions comprise actions to prevent incoming communications from the first computing asset.
  - 7. The method of claim 1 wherein identifying the at least one related computing asset comprises identifying at least one computing asset reliant on the first computing asset, and wherein the secondary security actions comprise actions to prevent incoming communication requests from the first computing asset and permit outgoing communication requests to the first computing asset.
  - 8. The method of claim 1 wherein identifying the security incident in the first computing asset in the plurality of computing assets comprises receiving a notification of the security incident in the first computing asset from a security information and event management (SIEM).

9. A computer readable storage medium having instructions stored thereon, that when executed by an advisement computing system, direct the advisement computing system to perform a method of providing security actions in a computing environment, the method comprising:
- identifying communication interactions between a plurality of computing assets in the computing environment;
  
  after identifying the communication interactions, identifying a security incident in a first computing asset in the plurality of computing assets;
  
  determining at least one security action to be taken against the security incident in the first computing asset;
  
  identifying at least one related computing asset to the first computing asset based on the communication interactions; and
  
  determining one or more secondary security actions to be taken against the security incident in the at least one related computing asset.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer readable storage medium of claim 9, wherein determining the at least one security action to be taken against the security incident in the first computing asset comprises determining at least one default security action to be taken against the security incident in the first computing asset based on enrichment information obtained for the security incident and a criticality rating for the first computing asset.
  - 11. The computer readable storage medium of claim 10, wherein the enrichment information comprises information obtained from one or more internal or external databases.
  - 12. The computer readable storage medium of claim 9, wherein determining the at least one security action to be taken against the security incident in the first computing asset comprises:
    - identifying one or more suggested security actions to be supplied to an administrator based on enrichment information obtained for the security incident and a criticality rating for the first computing asset; and
      
      identifying a selected security action by the administrator.
  - 13. The computer readable storage medium of claim 9, wherein identifying the communication interactions between the plurality of computing assets in the computing environment comprises receiving communication reports indicating data communication flow for the plurality of computing assets in the computing environment.
  - 14. The computer readable storage medium of claim 9, wherein the security action comprises an action to prevent outgoing communication from the first computing asset, and wherein the secondary security actions comprise actions to prevent incoming communications from the first computing asset.
  - 15. The computer readable storage medium of claim 9, wherein identifying the at least one related computing asset comprises identifying at least one computing asset reliant on the first computing asset, and wherein the secondary security actions comprise actions to prevent incoming communication requests from the first computing asset and permit outgoing communication requests to the first computing asset.
  - 16. The computer readable storage medium of claim 9, wherein identifying the security incident in the first computing asset in the plurality of computing assets comprises receiving a notification of the security incident in the first computing asset from a security information and event management (SIEM).

17. An apparatus to provide security actions in a computing environment, the apparatus comprising:
- one or more computer readable storage media;
  
  processing instructions stored on the one or more computer readable media that, when executed by a processing system, direct the processing system to at least;
  
  identify a security incident in a first computing asset in a plurality of computing assets, wherein the first computing asset provides a service to one or more related computing assets in the plurality of computing assets;
  
  obtain enrichment information related to the security incident;
  
  identify a rule set based at least on the enrichment information; and
  
  determine security actions to be taken against the security incident based on the rule set, wherein the security actions comprise actions to prevent the first computing asset from initiating communications with other assets in the computing environment.
- View Dependent Claims (18, 19, 20)
- - 18. The apparatus of claim 17 wherein the security actions further comprise process related actions that permit the one or more related computing assets to initiate communication with the first computing asset to provide the service.
  - 19. The apparatus of claim 17 wherein the processing instructions to obtain enrichment information related to the security incident direct the processing system to obtain enrichment information from at least one internal or external source related to the security incident.
  - 20. The apparatus of claim 17 wherein the processing instructions to determine security actions to be taken against the security incident based on the rule set direct the processing system to identify default security actions associated with the rule set to be taken against the security incident.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Phantom Cyber Corporation (Cisco Systems, Inc.)
Inventors
Satish, Sourabh, Friedrichs, Oliver, Mahadik, Atif, Salinas, Govind

Granted Patent

US 11,165,812 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 21/554   involving event detection a...

H04L 47/2425   for supporting services spe...

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

CONTAINMENT OF SECURITY THREATS WITHIN A COMPUTING ENVIRONMENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CONTAINMENT OF SECURITY THREATS WITHIN A COMPUTING ENVIRONMENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links