System for tracking data security threats and method for same

US 20180063186A1
Filed: 10/23/2017
Published: 03/01/2018
Est. Priority Date: 09/05/2014
Status: Active Grant

First Claim

Patent Images

1. A method for tracking data security incidents in an enterprise network, comprising:

creating one or more incident objects, wherein at least one incident object includes information for at least one data security incident, and one or more incident artifacts that include information for one or more data resources identified within the incident object, wherein upon a determination that a newly-created incident object includes a data security incident associated with an existing data resource, an existing incident artifact associated with that existing data resource is linked to the newly-created incident object, such that different incident objects can then refer to the same incident artifact;

looking up an incident artifact in one or more external threat intelligence sources to obtain knowledge information concerning the incident artifact, wherein the knowledge information identifies whether the incident artifact is associated with one or more known threats, and includes associated metadata or usage data;

augmenting the incident artifact with the knowledge information; and

executing one or more rules associated with the known threats to provide an incident response to the data security incident.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An incident response system and method for tracking data security incidents in enterprise networks is disclosed. An Incident Manager application (IM) stores incident objects and incident artifacts (IAs) created in response to the incidents, where the incident objects include the information for the incident and the IAs are associated with data resources (e.g. IP addresses and malware hashes) identified within the incident objects. In response to creation of the IAs, the IM issues queries against one or more external threat intelligence sources (TISs) to obtain information associated with the IAs and augments the IAs with the obtained information. In examples, the IM can identify known threats by comparing the contents of IAs against TIS(s) of known threats, and can identify potential trends by correlating the created incident objects and augmented IAs for an incident with incident objects and IAs stored for other incidents.

Citations

20 Claims

1. A method for tracking data security incidents in an enterprise network, comprising:
- creating one or more incident objects, wherein at least one incident object includes information for at least one data security incident, and one or more incident artifacts that include information for one or more data resources identified within the incident object, wherein upon a determination that a newly-created incident object includes a data security incident associated with an existing data resource, an existing incident artifact associated with that existing data resource is linked to the newly-created incident object, such that different incident objects can then refer to the same incident artifact;
  
  looking up an incident artifact in one or more external threat intelligence sources to obtain knowledge information concerning the incident artifact, wherein the knowledge information identifies whether the incident artifact is associated with one or more known threats, and includes associated metadata or usage data;
  
  augmenting the incident artifact with the knowledge information; and
  
  executing one or more rules associated with the known threats to provide an incident response to the data security incident.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as described in claim 1 wherein the incident object and the one or more incident artifacts are created in response to receiving a message sent from at least one device in the enterprise network, wherein the message includes the information for the data security incident.
  - 3. The method as described in claim 1 wherein looking up an incident artifact includes:
    - querying a first level threat intelligence source to identify whether the one or more incident artifacts are associated with one or more known threats; and
      
      querying a second level threat intelligence source to provide metadata and/or usage data for at least one incident artifact.
  - 4. The method as described in claim 3 wherein the first level threat intelligence source is one of:
    - an IP address blacklist, and malware hash information, and wherein the second level threat intelligence source is one of;
      
      whois, geolocation, and traceroute information.
  - 5. The method as described in claim 3 further including executing at least one rule associated with a known threat to provide an incident response to the data security incident.
  - 6. The method as described in claim 1 further including correlating the at least one incident object and the augmented incident artifact with similar data derived from one or more other data security incidents to generate tread data.
  - 7. The method as described in claim 1 wherein the one or more data resources identified within the incident objects include one of:
    - Internet Protocol (IP) addresses, file hashes associated with malware, domain names, names of files, user account IDs, registry keys, email addresses, and protocol port numbers.

8. Apparatus, comprising:
- a hardware processor;
  
  computer memory holding computer program instructions executed by the processor to track data security incidents in an enterprise network, the computer program instructions comprising program code configured to;
  
  create one or more incident objects, wherein at least one incident object includes information for at least one data security incident, and one or more incident artifacts that include information for one or more data resources identified within the incident object, wherein upon a determination that a newly-created incident object includes a data security incident associated with an existing data resource, an existing incident artifact associated with that existing data resource is linked to the newly-created incident object, such that different incident objects can then refer to the same incident artifact;
  
  look up an incident artifact in one or more external threat intelligence sources to obtain knowledge information concerning the incident artifact, wherein the knowledge information identifies whether the incident artifact is associated with one or more known threats, and includes associated metadata or usage data;
  
  augment the incident artifact with the knowledge information; and
  
  execute one or more rules associated with the known threats to provide an incident response to the data security incident.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus as described in claim 8 wherein the incident object and the one or more incident artifacts are created in response to receiving a message sent from at least one device in the enterprise network, wherein the message includes the information for the data security incident.
  - 10. The apparatus as described in claim 8 wherein the computer program instructions configured to look up an incident artifact includes program code configured to:
    - query a first level threat intelligence source to identify whether the one or more incident artifacts are associated with one or more known threats; and
      
      query a second level threat intelligence source to provide metadata and/or usage data for at least one incident artifact.
  - 11. The apparatus as described in claim 10 wherein the first level threat intelligence source is one of:
    - an IP address blacklist, and malware hash information, and wherein the second level threat intelligence source is one of;
      
      whois, geolocation, and traceroute information.
  - 12. The apparatus as described in claim 10 wherein the computer program instructions further include program code configured to execute at least one rule associated with a known threat to provide an incident response to the data security incident.
  - 13. The apparatus as described in claim 8 wherein the computer program instructions further include program code configured to correlate the at least one incident object and the augmented incident artifact with similar data derived from one or more other data security incidents to generate tread data.
  - 14. The apparatus as described in claim 8 wherein the one or more data resources identified within the incident objects include one of:
    - Internet Protocol (IP) addresses, file hashes associated with malware, domain names, names of files, user account IDs, registry keys, email addresses, and protocol port numbers.

15. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions executed by the data processing system to track data security incidents in an enterprise network, the computer program instructions comprising program code configured to:
- create one or more incident objects, wherein at least one incident object includes information for at least one data security incident, and one or more incident artifacts that include information for one or more data resources identified within the incident object, wherein upon a determination that a newly-created incident object includes a data security incident associated with an existing data resource, an existing incident artifact associated with that existing data resource is linked to the newly-created incident object, such that different incident objects can then refer to the same incident artifact;
  
  look up an incident artifact in one or more external threat intelligence sources to obtain knowledge information concerning the incident artifact, wherein the knowledge information identifies whether the incident artifact is associated with one or more known threats, and includes associated metadata or usage data;
  
  augment the incident artifact with the knowledge information; and
  
  execute one or more rules associated with the known threats to provide an incident response to the data security incident
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product as described in claim 15 wherein the incident object and the one or more incident artifacts are created in response to receiving a message sent from at least one device in the enterprise network, wherein the message includes the information for the data security incident.
  - 17. The computer program product as described in claim 15 wherein the computer program instructions configured to look up an incident artifact includes program code configured to:
    - query a first level threat intelligence source to identify whether the one or more incident artifacts are associated with one or more known threats; and
      
      query a second level threat intelligence source to provide metadata and/or usage data for at least one incident artifact.
  - 18. The computer program product as described in claim 17 wherein the first level threat intelligence source is one of:
    - an IP address blacklist, and malware hash information, and wherein the second level threat intelligence source is one of;
      
      whois, geolocation, and traceroute information.
  - 19. The computer program product as described in claim 17 wherein the computer program instructions further include program code configured to execute at least one rule associated with a known threat to provide an incident response to the data security incident.
  - 20. The computer program product as described in claim 15 wherein the computer program instructions further include program code configured to correlate the at least one incident object and the augmented incident artifact with similar data derived from one or more other data security incidents to generate tread data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Workday Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Hadden, Allen, Rogers, Kenneth Allen

Granted Patent

US 10,003,610 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

System for tracking data security threats and method for same

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System for tracking data security threats and method for same

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links