CONNECTED SECURITY SYSTEM

US 20170171235A1
Filed: 02/23/2016
Published: 06/15/2017
Est. Priority Date: 12/09/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

an event management module that;

receives, for a network of an organization, network domain activity that includes first domain activity data from a first network domain and second domain activity from a second network domain; and

identifies malicious activity present on at least one of the first network domain or the second network domain based on the received network domain activity;

a threat intelligence module that;

receives, from the even management module, data identifying the malicious activity in one or more first data constructs of a predefined data structure;

obtain, from one or more third party sources, additional data related to the identified malicious activity; and

generates, using the data identifying the malicious activity and the additional data, one or more second data constructs of the predefined data structure that include enriched data regarding the malicious activity, the enriched data including (i) data describing a campaign in which at least a portion of the malicious activity is involved and (ii) one or more courses of action for mitigating the malicious activity; and

a course of action module that;

receives the one or more second data constructs from the threat intelligence module and implements a given course of action of the one or more course of action.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and apparatus, including computer programs encoded on computer storage media, for obtaining, processing, and presenting data related to security events, and for implementing courses of action to protect assets in response to the security events. An event management module identifies malicious activity present on a first network domain and/or a second network domain based on received network domain activity. A threat intelligence module receives data identifying the malicious activity in first data constructs of a predefined data structure. The threat intelligence module obtains additional data related to the identified malicious activity and generates second data constructs that include enriched data regarding the malicious activity. The enriched data includes data describing a campaign in which at least a portion of the malicious activity is involved and one or more courses of action. A course of action module receives the second data constructs and implements a given course of action.

Citations

36 Claims

1. A system comprising:
- an event management module that;
  
  receives, for a network of an organization, network domain activity that includes first domain activity data from a first network domain and second domain activity from a second network domain; and
  
  identifies malicious activity present on at least one of the first network domain or the second network domain based on the received network domain activity;
  
  a threat intelligence module that;
  
  receives, from the even management module, data identifying the malicious activity in one or more first data constructs of a predefined data structure;
  
  obtain, from one or more third party sources, additional data related to the identified malicious activity; and
  
  generates, using the data identifying the malicious activity and the additional data, one or more second data constructs of the predefined data structure that include enriched data regarding the malicious activity, the enriched data including (i) data describing a campaign in which at least a portion of the malicious activity is involved and (ii) one or more courses of action for mitigating the malicious activity; and
  
  a course of action module that;
  
  receives the one or more second data constructs from the threat intelligence module and implements a given course of action of the one or more course of action.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1 further comprising a connection processor configured to coordinate processing functions between the event management module, the threat intelligence module, and the course of action module, and configured to communicate messages between the event management module, the threat intelligence module, and the course of action module using the first and second data constructs of the predefined data structure.
  - 3. The system of claim 1, wherein the one or more first data constructs includes at least one of:
    - (i) an incident data construct that includes data describing a particular security event identified from the received network domain activity;
      
      an indicator data construct that includes data describing attack patterns identified from the received network domain activity;
      
      or (iii) an actor data construct that includes data describing a malicious actor that caused at least a portion of the malicious activity.
  - 4. The system of claim 1, wherein one or more second data constructs include at least one of (i) a campaign data construct that includes data describing a malicious campaign;
    - (ii) a weakness data construct that includes data describing a weakness of the network;
      
      or (iii) a course of action data construct that includes data describing at least one of the one or more courses of action.

5. A computer-implemented method comprising:
- receiving, by an event management module and for a network of an organization, network domain activity that includes first domain activity data from a first network domain and second domain activity from a second network domain;
  
  identifying, by the event management module, malicious activity present on at least one of the first network domain or the second network domain based on the received network domain activity;
  
  receiving, by a threat intelligence module and from the even management module, data identifying the malicious activity in one or more first data constructs of a predefined data structure;
  
  obtaining, by the threat intelligence module and from one or more third party sources, additional data related to the identified malicious activity;
  
  generating, by the threat intelligence module and using the data identifying the malicious activity and the additional data, one or more second data constructs of the predefined data structure that include enriched data regarding the malicious activity, the enriched data including (i) data describing a campaign in which at least a portion of the malicious activity is involved and (ii) one or more courses of action for mitigating the malicious activity;
  
  receiving, by a course of action module, the one or more second data constructs from the threat intelligence module; and
  
  implementing, by the course of action module, a given course of action of the one or more course of action.
- View Dependent Claims (6, 7, 8)
- - 6. The method of claim 5, wherein the predefined data structure comprises a Structured Threat Information Expression STIX data structure.
  - 7. The method of claim 5, wherein the one or more first data constructs includes at least one of:
    - (i) an incident data construct that includes data describing a particular security event identified from the received network domain activity;
      
      an indicator data construct that includes data describing attack patterns identified from the received network domain activity;
      
      or (iii) an actor data construct that includes data describing a malicious actor that caused at least a portion of the malicious activity.
  - 8. The method of claim 5, wherein one or more second data constructs include at least one of (i) a campaign data construct that includes data describing a malicious campaign;
    - (ii) a weakness data construct that includes data describing a weakness of the network;
      
      or (iii) a course of action data construct that includes data describing at least one of the one or more courses of action.

9. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
- receiving, by an event management module and for a network of an organization, network domain activity that includes first domain activity data from a first network domain and second domain activity from a second network domain;
  
  identifying, by the event management module, malicious activity present on at least one of the first network domain or the second network domain based on the received network domain activity;
  
  receiving, by a threat intelligence module and from the even management module, data identifying the malicious activity in one or more first data constructs of a predefined data structure;
  
  obtaining, by the threat intelligence module and from one or more third party sources, additional data related to the identified malicious activity;
  
  generating, by the threat intelligence module and using the data identifying the malicious activity and the additional data, one or more second data constructs of the predefined data structure that include enriched data regarding the malicious activity, the enriched data including (i) data describing a campaign in which at least a portion of the malicious activity is involved and (ii) one or more courses of action for mitigating the malicious activity;
  
  receiving, by a course of action module, the one or more second data constructs from the threat intelligence module; and
  
  implementing, by the course of action module, a given course of action of the one or more course of action.
- View Dependent Claims (10, 11, 12)
- - 10. The non-transitory computer-storage medium of claim 9, wherein the predefined data structure comprises a Structured Threat Information Expression STIX data structure.
  - 11. The non-transitory computer-storage medium of claim 9, wherein the one or more first data constructs includes at least one of:
    - (i) an incident data construct that includes data describing a particular security event identified from the received network domain activity;
      
      an indicator data construct that includes data describing attack patterns identified from the received network domain activity;
      
      or (iii) an actor data construct that includes data describing a malicious actor that caused at least a portion of the malicious activity.
  - 12. The non-transitory computer-storage medium of claim 9, wherein one or more second data constructs include at least one of (i) a campaign data construct that includes data describing a malicious campaign;
    - (ii) a weakness data construct that includes data describing a weakness of the network;
      
      or (iii) a course of action data construct that includes data describing at least one of the one or more courses of action.

13. A computer-implemented method comprising:
- receiving, for an organization, first domain activity data from a first network domain and second domain activity data from a second network domain, the first domain activity data and the second domain activity data including events, alerts, or both from the respective first and second network domains;
  
  determining, based on the first domain activity data and the second domain activity data of the first data construct, one or more anomalous correlated event paths through which security events have progressed through at least one of the first network domain or the second network domain, each anomalous correlated event path including one or more assets of the organization;
  
  generating one or more first data constructs that include at least one of (i) the first domain activity data, (ii) the second domain activity data, or (iii) data describing the one or more anomalous correlated event paths;
  
  receiving external threat data including events, alerts, or both for one or more organizations different from the organization;
  
  generating a second data construct that includes data from the one or more first data constructs and at least a portion of the external threat data;
  
  determining, based on the one or more anomalous correlated event paths and the threat data, a risk associated with each of one or more outcomes for the organization;
  
  generating a visualization of the one or more anomalous correlated event paths and each risk;
  
  generating a third data construct that specifies a course of action determined based on at least one of one or more anomalous correlated event paths and each risk; and
  
  providing the third data construct to a course of action module that implements the course of action,wherein the first data construct, the second data construct, and the third data construct have a common data structure.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, wherein the first network domain is an information technology domain and the second network domain is an operational technology domain.
  - 15. The method of claim 13, wherein the visualization includes a Sankey diagram that illustrates a plurality of paths between particular threats and the one or more outcomes.
  - 16. The method of claim 15, wherein the path between each particular threat and the one or more outcomes includes at least one asset and at least one business process of the organization.
  - 17. The method of claim 15, wherein each path includes a link between a particular threat and a particular asset, and wherein a width of the link is based on a likelihood of the particular threat affecting the particular asset.
  - 18. The method of claim 13, wherein the visualization presents a number of security events for at least one of the first network domain or the second network domain for a particular period of time.
  - 19. The method of claim 13, wherein the visualization presents a number of security events for each of the one or more assets for a particular period of time.
  - 20. The method of claim 13, wherein the visualization presents an amount of security events that have taken each of the one or more attack paths.

21. A system, comprising:
- one or more processors; and
  
  a computer-readable storage device coupled to the one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations comprising;
  
  receiving, for an organization, first domain activity data from a first network domain and second domain activity data from a second network domain, the first domain activity data and the second domain activity data including events, alerts, or both from the respective first and second network domains;
  
  determining, based on the first domain activity data and the second domain activity data of the first data construct, one or more anomalous correlated event paths through which security events have progressed through at least one of the first network domain or the second network domain, each anomalous correlated event path including one or more assets of the organization;
  
  generating one or more first data constructs that include at least one of (i) the first domain activity data, (ii) the second domain activity data, or (iii) data describing the one or more anomalous correlated event paths;
  
  receiving external threat data including events, alerts, or both for one or more organizations different from the organization;
  
  generating a second data construct that includes data from the one or more first data constructs and at least a portion of the external threat data;
  
  determining, based on the one or more anomalous correlated event paths and the threat data, a risk associated with each of one or more outcomes for the organization;
  
  generating a visualization of the one or more anomalous correlated event paths and each risk;
  
  generating a third data construct that specifies a course of action determined based on at least one of one or more anomalous correlated event paths and each risk; and
  
  providing the third data construct to a course of action module that implements the course of action,wherein the first data construct, the second data construct, and the third data construct have a common data structure.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. The system of claim 21, wherein the first network domain is an information technology domain and the second network domain is an operational technology domain.
  - 23. The system of claim 21, wherein the visualization includes a Sankey diagram that illustrates a plurality of paths between particular threats and the one or more outcomes.
  - 24. The system of claim 23, wherein the path between each particular threat and the one or more outcomes includes at least one asset and at least one business process of the organization.
  - 25. The system of claim 23, wherein each path includes a link between a particular threat and a particular asset, and wherein a width of the link is based on a likelihood of the particular threat affecting the particular asset.
  - 26. The system of claim 21, wherein the visualization presents a number of security events for at least one of the first network domain or the second network domain for a particular period of time.
  - 27. The system of claim 21, wherein the visualization presents a number of security events for each of the one or more assets for a particular period of time.
  - 28. The system of claim 21, wherein the visualization presents an amount of security events that have taken each of the one or more attack paths.

29. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
- receiving, for an organization, first domain activity data from a first network domain and second domain activity data from a second network domain, the first domain activity data and the second domain activity data including events, alerts, or both from the respective first and second network domains;
  
  determining, based on the first domain activity data and the second domain activity data of the first data construct, one or more anomalous correlated event paths through which security events have progressed through at least one of the first network domain or the second network domain, each anomalous correlated event path including one or more assets of the organization;
  
  generating one or more first data constructs that include at least one of (i) the first domain activity data, (ii) the second domain activity data, or (iii) data describing the one or more anomalous correlated event paths;
  
  receiving external threat data including events, alerts, or both for one or more organizations different from the organization;
  
  generating a second data construct that includes data from the one or more first data constructs and at least a portion of the external threat data;
  
  determining, based on the one or more anomalous correlated event paths and the threat data, a risk associated with each of one or more outcomes for the organization;
  
  generating a visualization of the one or more anomalous correlated event paths and each risk;
  
  generating a third data construct that specifies a course of action determined based on at least one of one or more anomalous correlated event paths and each risk; and
  
  providing the third data construct to a course of action module that implements the course of action,wherein the first data construct, the second data construct, and the third data construct have a common data structure.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36)
- - 30. The non-transitory computer-readable storage medium of claim 29, wherein the first network domain is an information technology domain and the second network domain is an operational technology domain.
  - 31. The non-transitory computer-readable storage medium of claim 29, wherein the visualization includes a Sankey diagram that illustrates a plurality of paths between particular threats and the one or more outcomes.
  - 32. The non-transitory computer-readable storage medium of claim 31, wherein the path between each particular threat and the one or more outcomes includes at least one asset and at least one business process of the organization.
  - 33. The non-transitory computer-readable storage medium of claim 31, wherein each path includes a link between a particular threat and a particular asset, and wherein a width of the link is based on a likelihood of the particular threat affecting the particular asset.
  - 34. The non-transitory computer-readable storage medium of claim 29, wherein the visualization presents a number of security events for at least one of the first network domain or the second network domain for a particular period of time.
  - 35. The non-transitory computer-readable storage medium of claim 29, wherein the visualization presents a number of security events for each of the one or more assets for a particular period of time.
  - 36. The non-transitory computer-readable storage medium of claim 29, wherein the visualization presents an amount of security events that have taken each of the one or more attack paths.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Solutions Limited (Accenture PLC)
Original Assignee
Accenture Global Solutions Limited (Accenture PLC)
Inventors
Hassanzadeh, Amin, Hovor, Elvis, Modi, Shimon, Negm, Walid, Mulchandani, Shaan

Granted Patent

US 10,148,679 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

CONNECTED SECURITY SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

CONNECTED SECURITY SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links