SYSTEMS AND METHODS FOR IMPLEMENTING INTRUSION PREVENTION
Abstract
Systems and methods are provided for implementing an intrusion prevention system in which data collected at one or more remote computing assets is analyzed against a plurality of workflow templates. Each template corresponds to a different threat vector and comprises: (i) a trigger definition, (ii) an authorization token, and (iii) an enumerated countermeasure responsive to the corresponding threat vector. When a match between the data collected at the one or more remote computing assets and a trigger definition of a corresponding workflow template is identified, an active threat is deemed to be identified. When this occurs, the authorization token of the corresponding workflow template is enacted by obtaining authorization from at least two authorization contacts across established trust channels for those contacts. Responsive to obtaining this authorization, the enumerated countermeasure of the corresponding workflow template is executed.
35 Claims
1. A computer system comprising:
one or more processing units;
memory storing one or more programs for execution by the one or more processing units, the one or more programs comprising:
instructions for receiving data collected at one or more remote computing assets;
instructions for obtaining a plurality of workflow templates, wherein each respective workflow template in the plurality of workflow templates corresponds to a different threat vector in a plurality of threat vectors and wherein each respective workflow template in the plurality of workflow templates comprises:
(i) a trigger definition, (ii) an authorization token, and (iii) an enumerated countermeasure responsive to the corresponding threat vector; and
instructions for identifying an active threat by comparing the data collected at the one or more remote computing assets against the trigger definition of respective workflow templates in the plurality of workflow templates, wherein, when a match between the data collected at the one or more remote computing assets and a trigger definition of a corresponding workflow template is identified, an active threat is deemed to be identified, and the instructions for identifying further comprise:
(A) enacting the authorization token of the corresponding workflow template, wherein the enacting comprises:
(a) obtaining authorization from a first authorization contact associated with the corresponding workflow template, the obtaining (a) comprising (i) pushing an alert regarding the corresponding workflow template through a first established trust channel to a first remote device associated with the first authorization contact without user intervention by the first authorization contact, wherein the first remote device is other than the one or more remote computing assets, and (ii) receiving a first indication to proceed from the first authorization contact, and
(b) obtaining authorization from a second authorization contact associated with the corresponding workflow template, by a method comprising (i) pushing the alert regarding the corresponding workflow template through a second established trust channel to a second remote device associated with the second authorization contact without user intervention by the second authorization contact, wherein the second remote device is other than the one or more remote computing assets and wherein the second remote device is other than the first remote device, and (ii) receiving a second indication to proceed from the second authorization contact, and
(B) responsive to satisfactory completion of the authorization protocol, wherein satisfaction of the authorization protocol requires receiving the first and second indications to proceed, executing the enumerated countermeasure of the corresponding workflow template.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 22, 23, 25, 26, 27, 28, 29, 30, 32
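The match-then-authorize-then-execute cycle described in the abstract and spelled out in claim 1 (trigger definition matched against collected data, alert pushed without user intervention to two distinct remote devices that are not the monitored assets, countermeasure executed only on two indications to proceed), as an added, runnable example. This is not the patent's own code or any product implementation; the class and function names, the regex triggers, the in-memory stand-in for the trust channels, and the sample log lines are all constructed for this illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthorizationContact:
    name: str
    device_id: str          # the remote device an alert is pushed to (assumed naming)


@dataclass(frozen=True)
class WorkflowTemplate:
    threat_vector: str
    trigger: re.Pattern     # trigger definition: a regex over the collected data
    contacts: tuple         # authorization token: the two contacts who must both approve
    countermeasure: str     # enumerated countermeasure to run on approval


class TrustChannels:
    """Constructed stand-in for the established trust channels to each device.
    push_alert() delivers the alert with no action by the contact and returns
    that contact's indication to proceed from a pre-seeded decision table."""

    def __init__(self, decisions):
        self.decisions = decisions   # device_id -> True (proceed) / False (deny)
        self.pushed = []             # audit trail of (device_id, alert)

    def push_alert(self, device_id, alert):
        self.pushed.append((device_id, alert))
        return self.decisions.get(device_id, False)   # no answer counts as deny


def template_violations(tmpl, monitored_assets):
    """Structural constraints from claim 1: exactly two contacts, the second
    device differs from the first, and neither device is a monitored asset
    (so a compromised asset can never approve its own countermeasure)."""
    problems = []
    if len(tmpl.contacts) != 2:
        return ["exactly two authorization contacts required"]
    first, second = tmpl.contacts
    if first.device_id == second.device_id:
        problems.append("second remote device must differ from the first")
    for c in (first, second):
        if c.device_id in monitored_assets:
            problems.append(f"{c.device_id} is a monitored asset, not an approval device")
    return problems


def identify_active_threats(collected, templates):
    """Compare every collected record against every trigger definition."""
    return [(asset, line, t) for asset, line in collected
            for t in templates if t.trigger.search(line)]


def enact_authorization(tmpl, channels):
    """Push the alert to both contacts; proceed only on two indications."""
    alert = f"{tmpl.threat_vector}: proposed countermeasure {tmpl.countermeasure}"
    first, second = tmpl.contacts
    ok_first = channels.push_alert(first.device_id, alert)
    ok_second = channels.push_alert(second.device_id, alert)
    return ok_first and ok_second


def run_prevention(collected, templates, monitored_assets, channels):
    """Full cycle: match -> dual authorization -> execute.
    Returns the (countermeasure, asset) pairs that were actually executed."""
    executed = []
    for asset, line, tmpl in identify_active_threats(collected, templates):
        problems = template_violations(tmpl, monitored_assets)
        if problems:
            raise ValueError(f"template '{tmpl.threat_vector}': {problems}")
        if enact_authorization(tmpl, channels):
            executed.append((tmpl.countermeasure, asset))
    return executed


# Constructed sample data (not taken from the patent).
SOC_LEAD = AuthorizationContact("soc-lead", "phone-A")
ON_CALL = AuthorizationContact("on-call", "phone-B")
TEMPLATES = (
    WorkflowTemplate("ssh brute force",
                     re.compile(r"sshd.*Failed password.*from (\d+\.\d+\.\d+\.\d+)"),
                     (SOC_LEAD, ON_CALL), "block_source_ip"),
    WorkflowTemplate("web shell upload",
                     re.compile(r"POST /uploads/.*\.php"),
                     (SOC_LEAD, ON_CALL), "isolate_host"),
)
MONITORED_ASSETS = {"web-01", "bastion-01"}
COLLECTED = [   # (asset, collected log line), constructed
    ("bastion-01", "sshd[2211]: Failed password for root from 203.0.113.7 port 51012 ssh2"),
    ("web-01", 'POST /uploads/cmd.php HTTP/1.1" 200 512'),
    ("web-01", 'GET /index.html HTTP/1.1" 200 4096'),
]

if __name__ == "__main__":
    both = TrustChannels({"phone-A": True, "phone-B": True})
    print(run_prevention(COLLECTED, TEMPLATES, MONITORED_ASSETS, both))
    only_one = TrustChannels({"phone-A": True})   # second contact never answers
    print(run_prevention(COLLECTED, TEMPLATES, MONITORED_ASSETS, only_one))
```

Two design points worth noting. A missing or silent contact counts as a denial, so an attacker who can suppress one push channel cannot make the countermeasure fire; and the device constraints are checked before any alert leaves the system, so a template whose approval device is itself a monitored asset is rejected rather than quietly trusted.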
21. (canceled)
24. (canceled)
31. The computer system of claim, wherein the instructions for receiving data collected at the one or more remote computing assets are scheduled to repeat execution at a predetermined time or at predetermined time intervals.
33. A non-transitory computer readable storage medium storing one or more programs configured for execution by a computing device having one or more processors and memory, the one or more programs comprising:
instructions for receiving data collected at one or more remote computing assets;
instructions for obtaining a plurality of workflow templates, wherein each respective workflow template in the plurality of workflow templates corresponds to a different threat vector in a plurality of threat vectors and wherein each respective workflow template in the plurality of workflow templates comprises:
(i) a trigger definition, (ii) an authorization token, and (iii) an enumerated countermeasure responsive to the corresponding threat vector; and
instructions for identifying an active threat by comparing the data collected at the one or more remote computing assets against the trigger definition of respective workflow templates in the plurality of workflow templates, wherein, when a match between the data collected at the one or more remote computing assets and a trigger definition of a corresponding workflow template is identified, an active threat is deemed to be identified, and the instructions for identifying further comprise:
(A) enacting the authorization token of the corresponding workflow template, wherein the enacting comprises:
(a) obtaining authorization from a first authorization contact associated with the corresponding workflow template, the obtaining (a) comprising (i) pushing an alert regarding the corresponding workflow template through a first established trust channel to a first remote device associated with the first authorization contact without user intervention by the first authorization contact, wherein the first remote device is other than the one or more remote computing assets, and (ii) receiving a first indication to proceed from the first authorization contact, and
(b) obtaining authorization from a second authorization contact associated with the corresponding workflow template, by a method comprising (i) pushing the alert regarding the corresponding workflow template through a second established trust channel to a second remote device associated with the second authorization contact without user intervention by the second authorization contact, wherein the second remote device is other than the one or more remote computing assets and wherein the second remote device is other than the first remote device, and (ii) receiving a second indication to proceed from the second authorization contact, and
(B) responsive to satisfactory completion of the authorization protocol, wherein satisfaction of the authorization protocol requires receiving the first and second indications to proceed, executing the enumerated countermeasure of the corresponding workflow template.
Dependent claims: 34
35-64. (canceled)