SYSTEMS AND METHODS FOR IMPLEMENTING INTRUSION PREVENTION

US 20180359264A1
Filed: 05/12/2016
Published: 12/13/2018
Est. Priority Date: 05/12/2015
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising:

one or more processing units;

memory storing one or more programs for execution by the one or more processors, the one more programs comprising;

instructions for receiving data collected at one or more remote computing assets;

instructions for obtaining a plurality of workflow templates, wherein each respective workflow template in the plurality of workflow templates corresponds to a different threat vector in a plurality of threat vectors and wherein each respective workflow template in the plurality of workflow templates comprises;

(i) a trigger definition, (ii) an authorization token, and (iii) an enumerated countermeasure responsive to the corresponding threat vector; and

instructions for identifying an active threat by comparing the data collected at the one or more remote computing assets against the trigger definition of respective workflow templates in the plurality of workflow templates, wherein, when a match between the data collected at the one or more remote computing assets and a trigger definition of a corresponding workflow template is identified, an active threat is deemed to be identified, and the instructions for identifying further comprise;

(A) enacting the authorization token of the corresponding workflow template, wherein the enacting comprises;

(a) obtaining authorization from a first authorization contact associated with the corresponding workflow template, the obtaining (a) comprising (i) pushing an alert regarding the corresponding workflow template through a first established trust channel to a first remote device associated with the first authorization contact without user intervention by the first authorization contact, wherein the first remote device is other than the one or more remote computing assets, and (ii) receiving a first indication to proceed from the first authorization contact, and(b) obtaining authorization from a second authorization contact associated with the corresponding workflow template, by a method comprising (i) pushing the alert regarding the corresponding workflow template through a second established trust channel to a second remote device associated with the second authorization contact without user intervention by the second authorization contact, wherein the second remote device is other than the one or more remote computing assets and wherein the second remote device is other than the first remote device, and (ii) receiving a second indication to proceed from the second authorization contact, and(B) responsive to satisfactory completion of the authorization protocol, wherein satisfaction of the authorization protocol requires receiving the first and second indication to proceed, executing the enumerated countermeasure of the corresponding workflow template.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and methods are provided for implementing an intrusion prevention system in which data collected at one or more remote computing assets is analyzed against a plurality of workflow templates. Each template corresponding to a different threat vector and comprises: (i) a trigger definition, (ii) an authorization token, and (iii) an enumerated countermeasure responsive to the corresponding threat vector. When a match between the data collected at the one or more remote computing assets and a trigger definition of a corresponding workflow template is identified, an active threat is deemed to be identified. When this occurs the authorization token of the corresponding workflow template is enacted by obtaining authorization from at least two authorization contacts across established trust channels for the at least two authorization contacts. Responsive to obtaining this authorization, the enumerated countermeasure of the corresponding workflow template is executed.

Citations

35 Claims

1. A computer system comprising:
- one or more processing units;
  
  memory storing one or more programs for execution by the one or more processors, the one more programs comprising;
  
  instructions for receiving data collected at one or more remote computing assets;
  
  instructions for obtaining a plurality of workflow templates, wherein each respective workflow template in the plurality of workflow templates corresponds to a different threat vector in a plurality of threat vectors and wherein each respective workflow template in the plurality of workflow templates comprises;
  
  (i) a trigger definition, (ii) an authorization token, and (iii) an enumerated countermeasure responsive to the corresponding threat vector; and
  
  instructions for identifying an active threat by comparing the data collected at the one or more remote computing assets against the trigger definition of respective workflow templates in the plurality of workflow templates, wherein, when a match between the data collected at the one or more remote computing assets and a trigger definition of a corresponding workflow template is identified, an active threat is deemed to be identified, and the instructions for identifying further comprise;
  
  (A) enacting the authorization token of the corresponding workflow template, wherein the enacting comprises;
  
  (a) obtaining authorization from a first authorization contact associated with the corresponding workflow template, the obtaining (a) comprising (i) pushing an alert regarding the corresponding workflow template through a first established trust channel to a first remote device associated with the first authorization contact without user intervention by the first authorization contact, wherein the first remote device is other than the one or more remote computing assets, and (ii) receiving a first indication to proceed from the first authorization contact, and(b) obtaining authorization from a second authorization contact associated with the corresponding workflow template, by a method comprising (i) pushing the alert regarding the corresponding workflow template through a second established trust channel to a second remote device associated with the second authorization contact without user intervention by the second authorization contact, wherein the second remote device is other than the one or more remote computing assets and wherein the second remote device is other than the first remote device, and (ii) receiving a second indication to proceed from the second authorization contact, and(B) responsive to satisfactory completion of the authorization protocol, wherein satisfaction of the authorization protocol requires receiving the first and second indication to proceed, executing the enumerated countermeasure of the corresponding workflow template.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 22, 23, 25, 26, 27, 28, 29, 30, 32)
- - 2. The computer system of claim 1, wherein the one or more programs further comprise instructions for:
    - receiving a request from a security control module running within a first operating system on a first remote computing asset in the one or more remote computing assets, wherein the request includes a policy identifier that identifies a security policy;
      
      generating a unique agent identity token, which includes a cryptographic key;
      
      transmitting the agent identity token to the security control module;
      
      selecting a first set of commands according to the identified security policy, based upon (i) a current state of the first operating system, (ii) a current state of the security control module, and (iii) a current state of one or more applications running in the first operating system on the first remote computing asset; and
      
      placing the first set of commands in a command queue for retrieval and execution by the security control module on the first remote computing asset, whereinthe data collected at the one or more remote computing assets includes information that is collected by execution of the first set of commands on the first remote computing asset.
  - 3. The computer system of claim 1, wherein the first remote device is a first mobile device and the second remote device is a second mobile device.
  - 4. The computer system of claim 1, wherein the enumerated countermeasure of the corresponding workflow template comprises a first action that targets a first component of the threat vector associated with the corresponding workflow template.
  - 5. The computer system of claim 4, wherein the enumerated countermeasure of the corresponding workflow template further comprises a second action that targets a second component of the threat vector associated with the corresponding workflow template.
  - 6. The computer system of claim 1, wherein executing the enumerated countermeasure closes or restricts a port in a remote computing asset in the one or more remote computing assets.
  - 7. The computer system of claim 1, wherein the enumerated countermeasure of the corresponding workflow template is a technical control set.
  - 8. The computer system of claim 1, wherein the technical control set comprises:
    - (i) closing a port on a device in the one or more remote computing assets,(ii) deleting an account on a remote computing asset in the one or more remote computing assets,(iii) terminating a process on a remote computing asset in the one or more remote computing assets,(iv) altering a priority level of a process on a remote computing asset in the one or more remote computing assets,(v) communicating incorrect data to an internet address associated with the active threat,(vi) shutting down a remote computing asset in the one or more remote computing assets, or(vii) blocking traffic originating from an IP address associated with the active threat from accessing the one or more remote computing assets.
  - 9. The computer system of claim 1, wherein the instructions further comprise originating or maintaining the established first trust channel by:
    - receiving a request from a security control module running within an operating system on the first remote device, wherein the request includes a policy identifier that identifies a security policy;
      
      generating a unique agent identity token, which includes a cryptographic key;
      
      transmitting the agent identity token to the security control module;
      
      selecting a set of commands according to the identified security policy, based on (i) a current state of the operating system, (ii) a current state of the security control module, and, optionally (iii) a current state of one or more applications running in the operating system on the first remote device;
      
      placing the set of commands in a command queue for retrieval and execution by the first remote device;
      
      receiving data from the first remote device responsive to execution of the set of commands on the first remote device; and
      
      using the data to originate or maintain the first established trust channel with the first remote device.
  - 10. The computer system of claim 9, wherein the pushing the alert regarding the corresponding workflow template through the first trusted channel comprises placing the alert in the command queue for retrieval by the first remote device.
  - 11. The computer system of claim 1, wherein the first indication to proceed is received from the first authorization contact across the first established trust channel, from the first remote device.
  - 12. The computer system of claim 1, wherein the first indication to proceed is received from the first authorization contact outside the first established trust channel.
  - 13. The computer system of claim 1, wherein the enacting the security token comprises pushing the alert to a plurality of authorization contacts, wherein the plurality of authorization contacts consists of three of more authorization contacts and includes the first and second authorization contacts, and wherein satisfactory completion of the authorization protocol requires receiving an indication to proceed from more than a predetermined number of authorization contacts in the plurality of authorization contacts, wherein the predetermined number of authorization contacts is less than the number of authorization contacts in the plurality of authorization contacts.
  - 14. The computer system of claim 1, wherein the enacting the security token comprises pushing the alert to a plurality of authorization contacts, whereinthe plurality of authorization contacts consists of three of more authorization contacts and includes the first and second authorization contact,each authorization contact in the plurality of authorization contacts is associated with a point value that is contributed to an authorization score when the authorization contact provides an indication to proceed, andsatisfactory completion of the authorization protocol comprises achieving a cumulative point score that exceeds a predetermined value.
  - 15. The computer system of claim 14, wherein the first authorization contact has a point value that is different than the second authorization contact.
  - 16. The computer system of claim 1, wherein the authorization token includes a threat level value that represents a threat level of the corresponding workflow template, and wherein enacting the authorization token comprises using the threat level value to select an authorization protocol from among a plurality of authorization protocols, wherein the authorization protocol includes an identity of the first remote device and the second remote device.
  - 17. The computer system of claim 16, whereina first authorization protocol in the plurality of authorization protocols is associated with a first threat level value and includes contact information for a first plurality of authorization contacts that are to be contacted by the enacting (i) upon selection of the first authorization protocol,a second authorization protocol in the plurality of authorization protocols is associated with a second threat level value, other than the first threat level value, and includes contact information for a second plurality of authorization contacts that are to be contacted by the enacting (i) upon selection of the second authorization protocol, anda number of authorization contacts in the first plurality of authorization contacts is different than a number of authorization contacts in the second plurality of authorization contacts.
  - 18. The computer system of claim 1, wherein the one more programs further comprise instructions for determining the authorization token for a first workflow template in the plurality of workflow templates based upon a characteristic of the one or more remote computing assets that the first workflow template is designed to protect.
  - 19. The computer system of claim 18, wherein the characteristic is (i) a quantification of the confidentiality of information handled by the one or more remote computing assets or (ii) a quantification of the importance on maintaining the integrity of the information handled by the one or more remote computing assets, or (iii) a quantification of the importance of maintaining the availability of the one or more remote computing assets.
  - 20. The computer system of claim 18, wherein a remote computing asset in the one or more remote computing assets is a remote computer system at a predetermined IP address, a data stack, a computer service implemented on a computer system, or an internet protocol port on a remote computer system.
  - 22. The computer system of claim 1, wherein the trigger definition of a workflow template in the plurality of workflow templates is correlated with an intrusion of the one or more remote computing assets.
  - 23. The computer system of claim 1, wherein, responsive to unsatisfactory completion of the authorization protocol, the enumerated countermeasure of the corresponding workflow template is not executed.
  - 25. The computer system of claim 1, whereineach respective workflow template in the plurality of workflow templates comprises an indication as to whether it is enabled or not, andthe identifying the active threat compares the data collected at the one or more remote computing assets against only those trigger definitions of respective workflow templates in the plurality of workflow templates that are enabled.
  - 26. The computer system of claim 1, whereina trigger definition of a workflow template in the plurality of workflow templates comprises a plurality of triggers,each respective trigger in the plurality of triggers is represented by (i) a variable indicating a status of the respective trigger and (ii) an event type, andthe trigger definition further comprises logic that relates the plurality of triggers into a single expression.
  - 27. The computer system of claim 1, wherein receiving the data collected uses a cryptographic key assigned to the one or more remote computing assets and data shared with the one or more remote computing assets to decrypt the received data and verify a digital signature within the data.
  - 28. The computer system of claim 1, wherein the data collected at the one or more remote computing assets includes:
    - (i) information regarding one or more processes running in memory associated with the one or more remote computing assets,(ii) information that identifies what processes are running in memory associated with the one or more remote computing assets,(iii) a current set of authorized users of the one or more remote computing assets,(iv) a current set of files and directories hosted by the one or more remote computing assets,(v) current metadata for files and directories hosted by the one or more remote computing assets, or(vi) current content of one or more configuration files for the one or more remote computing assets.
  - 29. The computer system of claim 1, wherein the one or more remote computing assets includes at least one virtual machine.
  - 30. The computer system of claim 1, wherein the one or more remote computing assets consists of a single virtual machine.
  - 32. The computer system of claim 1, wherein a remote computing asset in the one or more remote computing assets is an embedded component of an automobile or an embedded component of an electrical appliance.

21. (canceled)

24. (canceled)

31. The computer system of claim, wherein the instructions for receiving data collected at the one or more remote computing assets is scheduled to repeat execution at a predetermined time or at predetermined time intervals.

33. A non-transitory computer readable storage medium storing one or more programs configured for execution by a computing device having one or more processors and memory, the one or more programs comprising:
- instructions for receiving data collected at one or more remote computing assets;
  
  instructions for obtaining a plurality of workflow templates, wherein each respective workflow template in the plurality of workflow templates corresponds to a different threat vector in a plurality of threat vectors and wherein each respective workflow template in the plurality of workflow templates comprises;
  
  (i) a trigger definition, (ii) an authorization token, and (iii) an enumerated countermeasure responsive to the corresponding threat vector; and
  
  instructions for identifying an active threat by comparing the data collected at the one or more remote computing assets against the trigger definition of respective workflow templates in the plurality of workflow templates, wherein, when a match between the data collected at the one or more remote computing assets and a trigger definition of a corresponding workflow template is identified, an active threat is deemed to be identified, and the instructions for identifying further comprise;
  
  (A) enacting the authorization token of the corresponding workflow template, wherein the enacting comprises;
  
  (a) obtaining authorization from a first authorization contact associated with the corresponding workflow template, the obtaining (a) comprising (i) pushing an alert regarding the corresponding workflow template through a first established trust channel to a first remote device associated with the first authorization contact without user intervention by the first authorization contact, wherein the first remote device is other than the one or more remote computing assets, and (ii) receiving a first indication to proceed from the first authorization contact, and(b) obtaining authorization from a second authorization contact associated with the corresponding workflow template, by a method comprising (i) pushing the alert regarding the corresponding workflow template through a second established trust channel to a second remote device associated with the second authorization contact without user intervention by the second authorization contact, wherein the second remote device is other than the one or more remote computing assets and wherein the second remote device is other than the first remote device, and (ii) receiving a second indication to proceed from the second authorization contact, and(B) responsive to satisfactory completion of the authorization protocol, wherein satisfaction of the authorization protocol requires receiving the first and second indication to proceed, executing the enumerated countermeasure of the corresponding workflow template.
- View Dependent Claims (34)
- - 34. The non-transitory computer readable storage medium of claim 33, wherein theone or more programs further comprise instructions for:
    - receiving a request from a security control module running within a first operating system on a first remote computing asset in the one or more remote computing assets, wherein the request includes a policy identifier that identifies a security policy;
      
      generating a unique agent identity token, which includes a cryptographic key;
      
      transmitting the agent identity token to the security control module;
      
      selecting a first set of commands according to the identified security policy, based upon (i) a current state of the first operating system, (ii) a current state of the security control module, and (iii) a current state of one or more applications running in the first operating system on the first remote computing asset; and
      
      placing the first set of commands in a command queue for retrieval and execution by the security control module on the first remote computing asset, whereinthe data collected at the one or more remote computing assets includes information that is collected by execution of the first set of commands on the first remote computing asset.

35-64. -64. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Runway Growth Finance Corporation
Original Assignee
CloudPassage Inc.
Inventors
Sweet, Carson, Pokladnikova, Vlasta

Granted Patent

US 10,367,834 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/0236   Filtering by address, proto...

H04L 63/0853   using an additional device,...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 9/0819   Key transport or distributi...

H04L 9/3247   involving digital signatures

SYSTEMS AND METHODS FOR IMPLEMENTING INTRUSION PREVENTION

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR IMPLEMENTING INTRUSION PREVENTION

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links