Quantitative Security Improvement System Based on Crowdsourcing

US 20160255115A1
Filed: 04/17/2015
Published: 09/01/2016
Est. Priority Date: 02/26/2015
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for quantifying the efficacy of security products and practices, based on monitored activities and conditions on a plurality of computing devices over time, the method comprising the steps of:

defining metrics that specify what criteria concerning computer security systems are to be quantified;

collecting telemetry data concerning defined metrics from different ones of the plurality of computing devices;

monitoring security configuration information concerning different ones of the plurality of computing devices;

correlating collected telemetry data with monitored configuration information, enabling determination of what security product deployments and settings are in place when specific security actions occur on specific ones of the plurality of computing devices;

amalgamating correlations of telemetry data with security configuration information;

analyzing the amalgamated correlations of telemetry data with security configuration information; and

quantifying efficacy of specific security products and configurations, based on the analysis of the amalgamated correlations of telemetry data with security configuration information.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The efficacy of security products and practices is quantified, based on monitored activities and conditions on multiple computers over time. A set of metrics is defined, specifying what criteria concerning computer security systems are to be quantified. Telemetry data concerning the defined metrics are collected from multiple computers, such as the customer base of a security product vendor. Security configuration information such as the deployments and settings of security systems on computing devices is monitored. This monitored information tracks what security products are deployed on which machines, and how these products are configured and used. Collected telemetry is correlated with monitored configuration information, enabling determination of what security product deployments and settings are in place when specific security incidents, operations and other types of actions occur. The determined correlations are amalgamated, amalgamated correlation information is analyzed, and the efficacy of specific security products and configurations is quantified.

21 Citations

View as Search Results

20 Claims

1. A computer implemented method for quantifying the efficacy of security products and practices, based on monitored activities and conditions on a plurality of computing devices over time, the method comprising the steps of:
- defining metrics that specify what criteria concerning computer security systems are to be quantified;
  
  collecting telemetry data concerning defined metrics from different ones of the plurality of computing devices;
  
  monitoring security configuration information concerning different ones of the plurality of computing devices;
  
  correlating collected telemetry data with monitored configuration information, enabling determination of what security product deployments and settings are in place when specific security actions occur on specific ones of the plurality of computing devices;
  
  amalgamating correlations of telemetry data with security configuration information;
  
  analyzing the amalgamated correlations of telemetry data with security configuration information; and
  
  quantifying efficacy of specific security products and configurations, based on the analysis of the amalgamated correlations of telemetry data with security configuration information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1 wherein defining metrics further comprises:
    - defining metrics that measure occurrence of negative security incidents per period of time.
  - 3. The method of claim 1 wherein defining metrics further comprises:
    - defining metrics that measure occurrence of positive security incidents per period of time.
  - 4. The method of claim 1 wherein defining metrics further comprises:
    - defining metrics that measure time spent administering specific security products.
  - 5. The method of claim 1 wherein defining metrics further comprises:
    - defining metrics that measure frequency with which default settings of specific security products are overridden.
  - 6. The method of claim 1 wherein collecting telemetry data concerning defined metrics further comprises:
    - collecting information concerning occurrence of specific security incidents on specific ones of the plurality of computing devices.
  - 7. The method of claim 1 wherein collecting telemetry data concerning defined metrics further comprises:
    - collecting information implicitly indicative of at least one defined metric.
  - 8. The method of claim 1 wherein collecting telemetry data concerning defined metrics further comprises:
    - collecting metadata concerning sources from which collected telemetry data originates.
  - 9. The method of claim 1 wherein monitoring security configuration information concerning different ones of the plurality of computing devices further comprises:
    - monitoring what security products are deployed on which specific ones of the plurality of computing devices.
  - 10. The method of claim 1 wherein monitoring security configuration information concerning different ones of the plurality of computing devices further comprises:
    - monitoring configurations of security products deployed on specific ones of the plurality of computing devices.
  - 11. The method of claim 1 further comprising:
    - receiving, by a central computer, telemetry data and/or security configuration information explicitly transmitted to the central computer by specific ones of the plurality of computing devices.
  - 12. The method of claim 1 further comprising:
    - reading, by a central computer, telemetry data and/or security configuration information corresponding to specific ones of the plurality of computing devices.
  - 13. The method of claim 1 further comprising:
    - receiving, by a central computer, updated telemetry data and/or security configuration information from computing devices of the plurality of computing devices over time.
  - 14. The method of claim 1 wherein correlating collected telemetry data with monitored configuration information further comprises:
    - correlating occurrences of specific types of security incidents with deployments and configurations of specific security products on computing devices at times of the occurrences.
  - 15. The method of claim 1 wherein correlating collected telemetry data with monitored configuration information further comprises:
    - correlating an occurrence of a specific security incident on a first computing device with deployment and configuration of a specific security product on a second computing device at time of the occurrence.
  - 16. The method of claim 1 wherein amalgamating correlations of telemetry data with security configuration information further comprises:
    - maintaining a current collection of correlation information concerning what security product deployments and settings are in place as measured security incidents occur on multiple computing devices over time.
  - 17. The method of claim 1 further comprising:
    - transmitting recommendations to users concerning security product usage, based on quantified efficacy of specific security products and configurations.
  - 18. The method of claim 1 wherein quantifying efficacy of specific security products and configurations further comprises:
    - quantifying efficacy of specific security products and configurations on computing devices of at least one of;
      
      an install base of a security product vendor, a specific organization, a type of organization, a size of organization and a specific industry.

19. At least one non-transitory computer readable medium for quantifying the efficacy of security products and practices, based on monitored activities and conditions on a plurality of computing devices over time, the at least one non-transitory computer readable medium storing computer executable instructions that, when loaded into computer memory and executed by at least one processor of at least one computing device, cause the at least one computing device to perform the following steps:
- defining metrics that specify what criteria concerning computer security systems are to be quantified;
  
  collecting telemetry data concerning defined metrics from different ones of the plurality of computing devices;
  
  monitoring security configuration information concerning different ones of the plurality of computing devices;
  
  correlating collected telemetry data with monitored configuration information, enabling determination of what security product deployments and settings are in place when specific security actions occur on specific ones of the plurality of computing devices;
  
  amalgamating correlations of telemetry data with security configuration information;
  
  analyzing the amalgamated correlations of telemetry data with security configuration information; and
  
  quantifying efficacy of specific security products and configurations, based on the analysis of the amalgamated correlations of telemetry data with security configuration information.

20. A computer system for quantifying the efficacy of security products and practices, based on monitored activities and conditions on a plurality of computing devices over time, the computer system comprising:
- at least one processor;
  
  system memory;
  
  a metric defining module residing in the system memory, the metric defining module being programmed to define metrics that specify what criteria concerning computer security systems are to be quantified;
  
  a telemetry data collecting module residing in the system memory, the telemetry data collecting module being programmed to collect telemetry data concerning defined metrics from different ones of the plurality of computing devices;
  
  a configuration monitoring module residing in the system memory, the configuration monitoring module being programmed to monitor security configuration information concerning different ones of the plurality of computing devices;
  
  a correlating module residing in the system memory, the correlating module being programmed to correlate collected telemetry data with monitored configuration information, enabling determination of what security product deployments and settings are in place when specific security actions occur on specific ones of the plurality of computing devices;
  
  an amalgamating module residing in the system memory, the amalgamating module being programmed to amalgamate correlations of telemetry data with security configuration information;
  
  an analyzing module residing in the system memory, the analyzing module being programmed to analyze the amalgamated correlations of telemetry data with security configuration information; and
  
  a quantifying module residing in the system memory, the quantifying module being programmed to quantify efficacy of specific security products and configurations, based on the analysis of the amalgamated correlations of telemetry data with security configuration information

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Mital, Amit, Nachenberg, Carey S., Efstathopoulos, Petros

Granted Patent

US 9,794,290 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1433 Vulnerability analysis

H04L 63/20 for managing network securi...

Quantitative Security Improvement System Based on Crowdsourcing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Quantitative Security Improvement System Based on Crowdsourcing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links