ENTERPRISE POLICY TRACKING WITH SECURITY INCIDENT INTEGRATION

US 20190052660A1
Filed: 02/03/2017
Published: 02/14/2019
Est. Priority Date: 02/05/2016
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring security policy violations in a computer network, the method comprising:

(a) creating a rule corresponding to a security policy;

(b) determining a variable from the rule, wherein the variable is enabled to be set to a plurality of values, and wherein the rule is violated or not violated conditional on the value of the variable;

(c) receiving a log associated with the computer network;

(d) parsing the log to determine the value of the variable;

(e) evaluating the rule conditional on the value of the variable;

(f) identifying a rule violation corresponding to the value of the variable and the rule;

(g) generating a security event corresponding to the rule violation; and

(h) recording information representing the security event to a computer-readable storage medium.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to methods, processes, and systems for monitoring security policy violations in a computer network. Details of such monitoring include creating a rule according to a security policy, determining if the rule is violated by a value of a variable, and recording security events and comparing the number of events to a threshold.

62 Citations

42 Claims

1. A method for monitoring security policy violations in a computer network, the method comprising:
- (a) creating a rule corresponding to a security policy;
  
  (b) determining a variable from the rule, wherein the variable is enabled to be set to a plurality of values, and wherein the rule is violated or not violated conditional on the value of the variable;
  
  (c) receiving a log associated with the computer network;
  
  (d) parsing the log to determine the value of the variable;
  
  (e) evaluating the rule conditional on the value of the variable;
  
  (f) identifying a rule violation corresponding to the value of the variable and the rule;
  
  (g) generating a security event corresponding to the rule violation; and
  
  (h) recording information representing the security event to a computer-readable storage medium.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 2. The method of claim 1, wherein the security event comprises a plurality of security events.
  - 3. The method of claim 2, further comprising recording a time associated with each security event of the plurality of security events.
  - 4. The method of claim 3, further comprising checking for an anomaly.
  - 5. The method of claim 4, wherein checking for an anomaly comprises:
    - (a) identifying a time period;
      
      (b) dividing the time period into a plurality of time bins;
      
      (c) assigning each of the plurality of security events to a corresponding time bin;
      
      (d) determining a number of security events assigned to each of the plurality of time bins;
      
      (e) generating a predicted event range for a time bin of the plurality of time bins based on the pattern of security events assigned to each of the plurality of time bins earlier than the time bin; and
      
      (f) marking the time bin as anomalous if the number of security events assigned to the time bin does not fall within the predicted event range;
      
      otherwise marking the time bin as not anomalous.
  - 6. The method of claim 4, wherein checking for an anomaly comprises:
    - (a) identifying a time period;
      
      (b) dividing the time period into a plurality of time bins;
      
      (c) assigning each of the plurality of security events to a corresponding time bin;
      
      (d) determining a number of security events assigned to each of the plurality of time bins; and
      
      (e) marking the time bin as anomalous if the number of security events assigned to the time bin does not fall within a user-defined event range;
      
      otherwise marking the time bin as not anomalous.
  - 7. The method of any of the preceding claims, wherein the variable represents an IP address.
  - 8. The method of claim 7, further comprising associating a geographic coordinate with the IP address.
  - 9. The method of claim 8, further comprising:
    - (a) identifying a plurality of geographic regions;
      
      (b) associating each security event with a geographic region based on the geographic coordinate;
      
      (c) identifying a time period;
      
      (d) generating, from a statistical distribution of past security events associated with a geographic region of the plurality of geographic regions, an expected range of security events for the time period; and
      
      (e) determining that the number of security events occurring within the time period and associated with the geographic region lies outside the expected range.
  - 10. The method of claim 9, further comprising generating a security alert indicating that the number of security events occurring within the time period and associated with the geographic region lies outside the expected range.
  - 11. The method of any of the preceding claims, further comprising collecting statistical information related to the plurality of security events.
  - 12. The method of claim 11, further comprising generating a report based on the statistical information, wherein the report reflects at least one of a response rate, a number of security events per security policy, a number of security alerts per security policy, or a percentage of policies covered by rules.
  - 13. The method of any of the preceding claims, wherein the information representing the security event comprises an IP address or a host name, and wherein recording the information comprises adding the information to a relational database.
  - 14. The method of claim 13, wherein the relational database indicates which IP addresses or host names were identified in each of a plurality of days.
  - 15. The method of any of the preceding claims, further comprising receiving a network topology identifying one or more segments of the network.
  - 16. The method of any of the preceding claims, further comprising querying the security event against one or more classifying queries.
  - 17. The method of claim 16, further comprising taking one or more specified actions based on the classifying query, wherein the one or more specified actions comprise adding metadata to the security event, rewriting the security event, dropping the security event, or sending an alert related to the security event.
  - 18. The method of claim 11 or 12, further comprising comparing the statistical information with one or more sets of statistical information relating to other networks.
  - 19. The method of claim 18, further comprising ranking the network in relation to the other networks based on one or more statistical categories.
  - 20. The method of claim 19, wherein the one or more statistical categories comprise a triage time, a response rate, a number of security events per unit time, or a number of security alerts per unit time.
  - 21. The method of any of the preceding claims, further comprising:
    - (a) identifying a security task to be periodically performed;
      
      (b) identifying a repetition period for the security task;
      
      (c) generating, in a plurality of repetition periods, a plurality of notifications to perform the security task, at a rate of one notification per repetition period;
      
      (d) receiving user input for each of the plurality of repetition periods indicating whether the security task has been performed for that repetition period; and
      
      (e) recording to a computer-readable medium, for each of the plurality of repetition periods, information indicating whether the security task has been performed in that repetition period.
  - 28. The system of any of the preceding claims, wherein the variable represents an IP address.
  - 29. The system of claim 28, wherein the memory includes instructions to associate a geographic coordinate with the IP address.
  - 30. The system of claim 29, wherein the memory includes instructions to:
    - (a) identify a plurality of geographic regions;
      
      (b) associate each security event with a geographic region based on the geographic coordinate;
      
      (c) identify a time period;
      
      (d) generate, from a statistical distribution of past security events associated with a geographic region of the plurality of geographic regions, an expected range of security events for the time period; and
      
      (e) determine whether the number of security events occurring within the time period and associated with the geographic region lies outside the expected range.
  - 31. The system of claim 30, wherein the memory includes instructions to generate a security alert when the number of security events occurring within the time period and associated with the geographic region lies outside the expected range.
  - 32. The system of any of the preceding claims, wherein the memory includes instructions to collect statistical information related to the plurality of security events.
  - 33. The system of claim 32, wherein the memory includes instructions to generate a report based on the statistical information, wherein the report reflects at least one of a response rate, a number of security events per security policy, a number of security alerts per security policy, or a percentage of policies covered by rules.
  - 34. The system of any of the preceding claims, further comprising a relational database, and wherein the information representing the security event comprises an IP address or a host name, and wherein recording the information comprises adding the information to the relational database.
  - 35. The system of claim 34, wherein the relational database indicates which IP addresses or host names were identified in each of a plurality of days.
  - 36. The system of any of the preceding claims, further configured to receive a network topology identifying one or more segments of the network.
  - 37. The system of any of the preceding claims, further configured to query the security event against one or more classifying queries.
  - 38. The system of claim 37, further configured to take one or more specified actions based on the classifying query, wherein the one or more specified action comprise adding metadata to the security event, rewriting the security event, dropping the security event, or sending an alert related to the security event.
  - 39. The system of claim 32 or 33, further configured to compare the statistical information with one or more sets of statistical information relating to other networks.
  - 40. The system of claim 39, further configured to rank the network in relation to the other networks based on one or more statistical categories.
  - 41. The system of claim 40, wherein the one or more statistical categories comprise a triage time, a response rate, a number of security events per unit time, or a number of security alerts per unit time.
  - 42. The system of any of the preceding claims, wherein the memory includes instructions to:
    - (a) receive input identifying a security task to be periodically performed;
      
      (b) receive input identifying a repetition period for the security task;
      
      (c) generate, in a plurality of repetition periods, a plurality of notifications to perform the security task, at a rate of one notification per repetition period;
      
      (d) receive user input for each of the plurality of repetition periods indicating whether the security task has been performed for that repetition period; and
      
      record to a computer-readable medium, for each of the plurality of repetition periods, information indicating whether the security task has been performed in that repetition period.

22. A system for monitoring violations of security policies, the system comprising:
- (a) a computer network;
  
  (b) a computer-readable storage medium;
  
  (c) a processor; and
  
  (d) memory, including instructions executable by the processor to cause the system to at least;
  
  (i) create a rule corresponding to a security policy;
  
  (ii) determine a variable from the rule, wherein the variable is enabled to be set to a plurality of values, and wherein the rule is violated or not violated conditional on the value of the variable;
  
  (iii) receive from the computer network a log associated with the computer network;
  
  (iv) parse the log to determine the value of the variable;
  
  (v) evaluate the rule conditional on the value of the variable;
  
  (vi) identify a rule violation corresponding to the rule and the value of the variable;
  
  (vii) generate a security event associated with the rule violation; and
  
  (viii) record information representing the security event to the computer-readable storage medium.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The system of claim 22, wherein the security event comprises a plurality of security events.
  - 24. The system of claim 23, wherein the memory includes instructions to record a time associated with each security event of the plurality of security events.
  - 25. The method of claim 24, wherein the memory includes instructions to check for an anomaly.
  - 26. The system of claim 25, wherein checking for an anomaly comprises:
    - (a) identifying a time period;
      
      (b) dividing the time period into a plurality of time bins;
      
      (c) assigning each of the plurality of security events to a corresponding time bin;
      
      (d) determining a number of security events assigned to each of the plurality of time bins;
      
      (e) generating a predicted event range for a time bin of the plurality of time bins based on the pattern of security events assigned to each of the plurality of time bins earlier than the time bin; and
      
      (f) marking the time bin as anomalous if the number of security events assigned to the time bin does not fall within the predicted event range;
      
      otherwise marking the time bin as not anomalous.
  - 27. The system of claim 25, wherein checking for an anomaly comprises:
    - (a) identifying a time period;
      
      (b) dividing the time period into a plurality of time bins;
      
      (c) assigning each of the plurality of security events to a corresponding time bin;
      
      (d) determining a number of security events assigned to each of the plurality of time bins; and
      
      (e) marking the time bin as anomalous if the number of security events assigned to the time bin does not fall within a user-defined event range;
      
      otherwise marking the time bin as not anomalous.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
DefenseStorm, Inc.
Original Assignee
DefenseStorm, Inc.
Inventors
Cassidy, Sean, Hernandez, Alejandro, Landreneau, Darryl J., Nazario, Edgardo

Granted Patent

US 11,558,407 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/54   by adding security routines...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

H04L 43/067   using time frame reporting

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

ENTERPRISE POLICY TRACKING WITH SECURITY INCIDENT INTEGRATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

62 Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

ENTERPRISE POLICY TRACKING WITH SECURITY INCIDENT INTEGRATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links