SYSTEMS AND METHODS FOR REMOTE IDENTIFICATION OF ENTERPRISE THREATS
First Claim
1. A computer-implemented method, comprising:
   receiving, at a threat analysis system, threat parameters associated with an enterprise management system;
   configuring a tool based on the threat parameters;
   distributing the tool to a plurality of computing systems in an enterprise managed by the enterprise management system, the tool configured to be executed by the threat analysis system remote from the plurality of computing systems, wherein at each computing system the tool:
     collects a system data set based on the threat parameters associated with the computing system; and
     sends the system data set to a data store;
   obtaining a plurality of system data sets associated with the plurality of computing systems from the data store, each system data set associated with one of the plurality of computing systems;
   analyzing the plurality of system data sets to identify potential threats;
   generating a threat report including one or more identified potential threats from one or more computing systems of the plurality of computing systems; and
   causing an alert including the threat report to be provided to the enterprise management system.
Abstract
Embodiments of the present invention provide techniques, systems, and methods for remote, agent-less enterprise computer threat data collection, malicious threat analysis, and identification and reporting of potential and real threats present on an enterprise computer system. Specifically, embodiments are directed to a system that securely collects system information from computers across the enterprise, internally encrypts and analyzes the collected information for indicators of compromise, threatening behavior, and known vulnerabilities, and generates alerts regarding known and potential threats for further analysis and remediation. If potential threats are identified, the system may deploy a memory analysis module that takes a deeper analysis of the potentially compromised computer to obtain more information about the potential threat. The remote, agent-less collection, analysis, and identification process can be repeated periodically to obtain additional information over time in order to identify the nature of the threat, and may delete itself after completion to avoid detection.
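The method claim and the abstract describe one pipeline: threat parameters come in from the enterprise management system, a collection tool is configured from them, each computing system's tool produces a system data set that lands in a data store, the data sets are analyzed for indicators, and a report is sent back as an alert. The following Python sketch, added here for illustration and not code from the patent or its assignee, walks that pipeline end to end. The host names, process names, file hashes and port numbers are constructed sample values, and the in-memory dict standing in for the data store is an assumption of the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Threat parameters as the enterprise management system would supply them.
# Constructed sample indicators; none of these values come from the patent.
THREAT_PARAMETERS = {
    "file_hashes": ["E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"],
    "process_names": ["Mimikatz.exe", "psexesvc.exe"],
    "listening_ports": [4444, 31337],
}


@dataclass(frozen=True)
class ToolConfig:
    """What the distributed collection tool is told to look for."""
    hashes: frozenset
    processes: frozenset
    ports: frozenset


def configure_tool(params: Dict) -> ToolConfig:
    """Normalise the threat parameters once so host data can be matched case-insensitively."""
    return ToolConfig(
        hashes=frozenset(h.lower() for h in params["file_hashes"]),
        processes=frozenset(p.lower() for p in params["process_names"]),
        ports=frozenset(int(p) for p in params["listening_ports"]),
    )


# Constructed host state standing in for what the tool would read on each computing
# system: running processes, hashes of files of interest, and open listening ports.
HOST_STATE = {
    "ws-01": {"processes": ["explorer.exe", "MIMIKATZ.EXE"],
              "files": {"C:\\Users\\a\\t.bin": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
              "listeners": [445, 3389]},
    "ws-02": {"processes": ["svchost.exe"],
              "files": {"C:\\Windows\\notepad.exe": "0" * 64},
              "listeners": [135, 4444]},
    "srv-01": {"processes": ["sqlservr.exe"], "files": {}, "listeners": [1433]},
}


def collect_system_data(host: str, state: Dict, cfg: ToolConfig) -> Dict:
    """The tool run against one host: builds the system data set it will send to the store.
    Only the sections the threat parameters actually need are collected, and values are
    normalised at the source so the analysis step compares like with like."""
    data = {"host": host}
    if cfg.processes:
        data["processes"] = sorted(p.lower() for p in state["processes"])
    if cfg.hashes:
        data["files"] = {path: digest.lower() for path, digest in state["files"].items()}
    if cfg.ports:
        data["listeners"] = sorted(int(p) for p in state["listeners"])
    return data


def run_collection(hosts: Dict[str, Dict], cfg: ToolConfig) -> Dict[str, Dict]:
    """Distribute the tool to every host and gather each data set into the central store."""
    return {host: collect_system_data(host, state, cfg) for host, state in hosts.items()}


def analyze(store: Dict[str, Dict], cfg: ToolConfig) -> List[Dict]:
    """Compare every data set in the store against the indicators; one finding per match."""
    findings = []
    for host, data in store.items():
        for proc in data.get("processes", []):
            if proc in cfg.processes:
                findings.append({"host": host, "type": "process", "value": proc})
        for path, digest in data.get("files", {}).items():
            if digest in cfg.hashes:
                findings.append({"host": host, "type": "file_hash", "value": digest, "path": path})
        for port in data.get("listeners", []):
            if port in cfg.ports:
                findings.append({"host": host, "type": "listening_port", "value": port})
    return findings


def generate_threat_report(findings: List[Dict]) -> Dict:
    """Group findings by host so the report names which computing systems need follow-up."""
    by_host: Dict[str, List[Dict]] = {}
    for f in findings:
        by_host.setdefault(f["host"], []).append(f)
    return {"affected_hosts": sorted(by_host), "findings": by_host, "total": len(findings)}


def build_alert(report: Dict) -> Dict:
    """The alert handed back to the enterprise management system. The follow-up list
    mirrors the abstract's next step: deeper memory analysis of hosts that matched."""
    return {
        "severity": "high" if report["total"] else "none",
        "report": report,
        "recommended_followup": ["memory_analysis:" + h for h in report["affected_hosts"]],
    }


def run_pipeline(params: Dict = THREAT_PARAMETERS, hosts: Dict = HOST_STATE) -> Dict:
    """Receive parameters, configure, distribute/collect, analyze, report, alert."""
    cfg = configure_tool(params)
    store = run_collection(hosts, cfg)
    return build_alert(generate_threat_report(analyze(store, cfg)))


if __name__ == "__main__":
    import json
    print(json.dumps(run_pipeline(), indent=2))
```

The point worth noticing is where normalisation happens: indicators are lower-cased once in `configure_tool` and host values are lower-cased in the collector, so a mixed-case process name or an upper-case hash on one machine still matches. A host that yields no findings (`srv-01` here) produces a `"none"` severity alert rather than no alert at all, which keeps the periodic re-collection the abstract describes auditable.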
Claims (20)
1. A computer-implemented method (independent claim; full text given above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A computing device comprising:
   a processor; and
   a computer-readable medium comprising code, executable by the processor, to perform a method comprising:
     receive threat parameters associated with an enterprise management system;
     configure a tool based on the threat parameters;
     distribute the tool to a plurality of computing systems in the enterprise, the tool configured to be executed by the computing device remote from the plurality of computing systems, wherein at each computing system the tool:
       collects a system data set based on the threat parameters associated with the computing system; and
       sends the system data set to a data store;
     obtain a plurality of system data sets associated with the plurality of computing systems from the data store, each system data set associated with one of the plurality of computing systems;
     analyze the plurality of system data sets to identify potential threats;
     generate a threat report including one or more identified potential threats from one or more computing systems of the plurality of computing systems; and
     cause an alert including the threat report to be provided to the enterprise management system.
   Dependent claims: 12, 13, 14, 15, 16.
17. A system comprising:
   a threat analysis system configured to:
     receive threat parameters associated with an enterprise management system;
     configure a tool based on the threat parameters;
     distribute the tool to a plurality of computing systems in the enterprise, the tool configured to be executed by the threat analysis system remote from the plurality of computing systems;
     obtain a plurality of system data sets associated with the plurality of computing systems from a data store, each system data set associated with one of the plurality of computing systems;
     analyzing the plurality of system data sets to identify potential threats;
     generating a threat report including one or more identified potential threats from one or more computing systems of the plurality of computing systems; and
     causing an alert including the threat report to be provided to the enterprise management system;
   the enterprise management system configured to:
     provide the threat parameters associated with the tool to the threat analysis system; and
     receive the threat report including the one or more identified potential threats from the threat analysis system; and
     mediate the one or more identified threats on the one or more computing systems for the plurality of computing systems; and
   the plurality of computing systems in the enterprise, wherein each of the plurality of computing systems are configured to:
     receive the tool; and
     execute the tool, wherein the tool is configured to:
       collect a system data set based on the threat parameters associated with the computing system; and
       send the system data set to a data store.
   Dependent claims: 18, 19, 20.