THREAT INTELLIGENCE MANAGEMENT IN SECURITY AND COMPLIANCE ENVIRONMENT

US 20180191771A1
Filed: 03/30/2017
Published: 07/05/2018
Est. Priority Date: 12/30/2016
Status: Active Grant

First Claim

Patent Images

1. A method to provide threat intelligence for hosted services, the method comprising:

analyzing a tenant'"'"'s service environment to determine received and potential threats based on an analysis of correlated and multi-stage evaluated data, wherein the correlated and multi-stage evaluated data includes communications, stored content metadata, and activities;

determining a potential impact for a received threat based on analysis results;

presenting received and potential threats and the potential impact through one or more interactive visualizations, wherein at least one element of each visualization is actionable; and

one or more of presenting and automatically implementing a remediation action associated with the received threat.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Threat intelligence management is provided in a security and compliance environment. A threat explorer platform or module of a security and compliance service may detect, investigate, manage, and provide actionable insights for threats at an organizational level. Working with a data insights platform that collects different types of signals (metadata, documents, activities, etc.) and correlates in a multi-stage evaluation, the threat intelligence module may provide actionable visual information on potential threats, affected areas, and actionable insights derived from internal threat data and external information using contextual correlation of data within the data insight platform. User experience may be dynamically adjusted at multiple levels based on context and allow users to drill down arbitrarily deep.

27 Citations

View as Search Results

20 Claims

1. A method to provide threat intelligence for hosted services, the method comprising:
- analyzing a tenant'"'"'s service environment to determine received and potential threats based on an analysis of correlated and multi-stage evaluated data, wherein the correlated and multi-stage evaluated data includes communications, stored content metadata, and activities;
  
  determining a potential impact for a received threat based on analysis results;
  
  presenting received and potential threats and the potential impact through one or more interactive visualizations, wherein at least one element of each visualization is actionable; and
  
  one or more of presenting and automatically implementing a remediation action associated with the received threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - determining a user profile for a user associated with the received threat; and
      
      considering the user profile in the analysis.
  - 3. The method of claim 2, wherein the user profile includes a risk assessment of the user based on one or more of exchanged communications, shared content, accessed content, and access locations.
  - 4. The method of claim 1, wherein presenting the received and potential threats and the potential impact comprises:
    - displaying one or more of a chart, a map, and textual information associated with the received and potential threats and the potential impact.
  - 5. The method of claim 4, wherein the one or more of a chart, a map, and textual information associated with the received and potential threats and the potential impact include actionable elements that enable an administrator to drill down on a portion of displayed information.
  - 6. The method of claim 4, further comprising:
    - enabling an administrator to one of filter and combine the one or more visualizations based on a selected criterion.
  - 7. The method of claim 1, further comprising:
    - providing an investigation option to search through communications and data associated with a user associated with the received threat to determine affected communications and data.
  - 8. The method of claim 1, further comprising:
    - determining the remediation action based on the affected communications and data.
  - 9. The method of claim 8, further comprising:
    - tailoring the one or more visualizations based on a tenant profile, wherein the tenant profile includes one or more of an industry, a size, a geographical location, a hosted service ecosystem, a role, a regulatory requirement, a legal requirement, and a threat history associated with the tenant.
  - 10. The method of claim 1, wherein the remediation action includes one or more of transmission of a notification, removal of affected communications and data, modification of user permissions, resetting of a system configuration, and launching of an investigation.
  - 11. The method of claim 1, further comprising:
    - presenting one or more of a threat trend, a filtering option, a configuration option, a protection status, a time range definition option, and a data export option.

12. A server configured to provide threat intelligence for hosted services, the server comprising:
- a communication interface configured to facilitate communication between another server hosting a security and compliance service, one or more client devices, and the server;
  
  a memory configured to store instructions; and
  
  one or more processors coupled to the communication interface and the memory and configured to execute a threat intelligence module, wherein the threat intelligence module is configured to;
  
  analyze a tenant'"'"'s service environment to determine received and potential threats based on an analysis of correlated and multi-stage evaluated data, wherein the correlated and multi-stage evaluated data includes communications, stored content, metadata, and activities;
  
  determine a potential impact and a remediation action associated with a received threat based on analysis results;
  
  present a dashboard that includes one or more interactive visualizations representing one or more of threat trends, received and potential threats, and the potential impact, wherein a portion of the one or more visualizations is actionable; and
  
  automatically implement the remediation action associated with the received threat.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The server of claim 12, wherein the remediation action includes one or more of transmission of a notification, removal of affected communications and data, modification of user permissions, resetting of a system configuration, implementation of a suggested policy and restriction of one or more of a delete action, a share action, a copy action, a move action, an anonymous link creation, a synchronization, a site creation, a created exemption, a permission modification, a purge of email boxes, a folder movement, a user addition, and a group addition.
  - 14. The server of claim 12, wherein the threat intelligence module is further configured to:
    - present a list of targeted users; and
      
      enable a drill down operation on the list of targeted users to determine the impact o the received threat.
  - 15. The server of claim 14, wherein the drill down operation includes presentation of one or more of exchanged communications, shared documents, processed documents, and used resources by the targeted users.
  - 16. The server of claim 12, wherein the threat intelligence module is further configured to:
    - follow a chain of events associated with a missed threat, wherein the chain of events includes determining a list of potentially affected communications and data, and connections between a user affected by the missed threat and other users.
  - 17. The server of claim 12, wherein the threat intelligence module is further configured to:
    - adjust one or more of a connection and dashboard configuration based on a used platform and a type of threat.
  - 18. The server of claim 12, wherein the platform is one of an operating system and a hosted service.

19. A computer-readable memory device with instructions stored thereon to provide threat intelligence for hosted services, the instructions, when executed, configured to cause one or more computing devices to perform actions comprising:
- analyze a tenant'"'"'s service environment to determine received and potential threats based on an analysis of correlated and multi-stage evaluated data, wherein the correlated and multi-stage evaluated data includes communications, stored content, metadata, and activities;
  
  determine a potential impact and a remediation action associated with a received threat based on analysis results;
  
  present a dashboard that includes one or more interactive visualizations representing one or more of threat trends, received and potential threats, and the potential impact, wherein a portion of the one or more visualizations is actionable;
  
  customize the dashboard based on one or more of detected threat types, a tenant profile, and a platform; and
  
  automatically implement the remediation action associated with the received threat.
- View Dependent Claims (20)
- - 20. The computer-readable memory device of claim 19, wherein the actions further comprise:
    - determine whether the received threat is a targeted threat or a general threat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors

Granted Patent

US 10,701,100 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

THREAT INTELLIGENCE MANAGEMENT IN SECURITY AND COMPLIANCE ENVIRONMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

THREAT INTELLIGENCE MANAGEMENT IN SECURITY AND COMPLIANCE ENVIRONMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links