Enterprise console

US 7,398,272 B2
Filed: 03/19/2004
Issued: 07/08/2008
Est. Priority Date: 03/24/2003
Status: Expired due to Fees

First Claim

Patent Images

1. In a system for formalizing, diffusing, and enforcing policy advisories and for monitoring policy compliance in the management of a network of computational devices, said system comprising a plurality of distributed clients, each of which runs on a corresponding networked computational device, an apparatus comprising:

an enterprise console comprising a centrally managed advisory diffusion mechanism and a protocol for diffusing said advisories across said network of computational devices;

a plurality of advisories specifying relevance criteria and an action, at least one advisory describing a problem that has been discovered on a client computational device;

wherein said distributed clients running on said associated computational devices gather said advisories and process said advisories; and

wherein each of said distributed clients, each running on an associated computational device, determines relevance of an advice message by evaluating a relevance clause of said advice message, while automatically retrieving properties of the computational device on which said client runs;

wherein said advisories formally target specific states of a computational device associated with a client running thereon and formally specify actions to take in response thereto;

wherein said client implements associated actions received from said console.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A console for an enterprise suite is disclosed. The enterprise suite addresses the increasingly complex problem of keeping critical systems updated, compatible, and free of security holes. It uses Fixlet® technology to identify vulnerable computers on the network and then allows authorized personnel to correct problems across any subset of the network with a few simple mouse-clicks. The enterprise suite helps keep the networked computers updated and properly patched, all from a central console which, along with supporting architectural enhancements, is the subject matter of this document. The invention allows rolling out a security patch in minutes instead of months, thus allowing an administrator to stay ahead of potential hacker attacks. The invention also makes it possible to track the progress of each computer as updates are applied, thus making it simple to gauge the level of compliance across the entire enterprise.

95 Citations

View as Search Results

65 Claims

1. In a system for formalizing, diffusing, and enforcing policy advisories and for monitoring policy compliance in the management of a network of computational devices, said system comprising a plurality of distributed clients, each of which runs on a corresponding networked computational device, an apparatus comprising:
- an enterprise console comprising a centrally managed advisory diffusion mechanism and a protocol for diffusing said advisories across said network of computational devices;
  
  a plurality of advisories specifying relevance criteria and an action, at least one advisory describing a problem that has been discovered on a client computational device;
  
  wherein said distributed clients running on said associated computational devices gather said advisories and process said advisories; and
  
  wherein each of said distributed clients, each running on an associated computational device, determines relevance of an advice message by evaluating a relevance clause of said advice message, while automatically retrieving properties of the computational device on which said client runs;
  
  wherein said advisories formally target specific states of a computational device associated with a client running thereon and formally specify actions to take in response thereto;
  
  wherein said client implements associated actions received from said console.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus of claim 1, said system further comprising:
    - a central server coupled to a central database, said central server storing data in and retrieving data from said central database.
  - 3. The apparatus of claim 1, wherein said relevance clause is written in a formal descriptive language;
    - and wherein said advisory comprises a short, clear explanation of said problem.
  - 4. The apparatus of claim 3, further comprising:
    - means for adding, modifying, or canceling a subscription of a distributed client to one or more advice provider sites.
  - 5. The apparatus of claim 4, further comprising:
    - means for selecting a group of computational devices, specifying action messages, scheduling, and controlling execution when deploying actions proposed by relevant advice messages.
  - 6. The apparatus of claim 5, further comprising:
    - means for securely deploying actions of relevant advice messages to a selected group of said distributed clients.
  - 7. The apparatus of claim 6, further comprising:
    - means for monitoring status of deployed actions.
  - 8. The apparatus of claim 7, further comprising:
    - means for stopping previously deployed actions which have not finished running.
  - 9. The apparatus of claim 8, further comprising:
    - means for monitoring status of each computational device while actions are being deployed and executed.
  - 10. The apparatus of claim 9, wherein said means for monitoring allows said system administrator to define and retrieve customized properties of computational devices using a formal descriptive language.

11. An enterprise management apparatus, comprising:
- a centrally managed advisory diffusion server for gathering advisories from an advisory site, wherein an advisory comprises relevance criteria and an action, and wherein an advisory identifies relevant computers on a network of computational devices and allows authorized personnel to monitor, modify, and maintain said computers across any subset of said network;
  
  a console in communication with said server for displaying any of changes and new knowledge about said network of computational devices; and
  
  a plurality of clients, each running on an associated computational device, associated with said network of computational devices, each client processing said advisories based upon a relevance determination, inspecting said associated computational device, and reporting any relevance determination and actions to said server;
  
  wherein each of said clients, each running on an associated computational device, determines relevance of an advice message by evaluating a relevance clause of said advice message, while automatically retrieving properties of the computational device on which said client runs;
  
  wherein said client implements associated actions received from said console.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The apparatus of claim 11, further comprising:
    - a plurality of relays for relaying said advisories to said clients and for receiving related data from said client to forward to said server.
  - 13. The apparatus of claim 11, said console further comprising:
    - means for a console operator to target patches or other fixes to appropriate computers when vulnerabilities are discovered.
  - 14. The apparatus of claim 13, said console further comprising:
    - means for following progress of said patches or fixes in near real-time as they spread to all relevant computers and, one by one, eliminate bugs and vulnerabilities for affected computers across said network.
  - 15. The apparatus of claim 11, further comprising:
    - means for keeping a running history of any and all remedial actions taken with regard to said computers.
  - 16. The console of claim 11, further comprising:
    - means for providing a detailed audit trail for every action and every maintained computer on said network.

17. In a network comprising a plurality of managed computers, an enterprise management apparatus, comprising:
- a console for providing a system-wide view of said network of managed computers, along with specific characteristics of each computer and associated actions and for distributing information only to those computers for which said information is relevant;
  
  a client running on and associated with each managed computer for accessing a collection of messages comprising said information, which messages identify relevant computer characteristics, wherein if said characteristics are identified, said client running on and associated with a computer implements associated actions received from said console on said associated computer, wherein each client determines relevance of a message by evaluating a relevance clause of said message, while automatically retrieving properties of the managed computer on which said client runs; and
  
  a server for coordinating information flow to and from individual clients, each client running on and associated with a networked computer, and for storing results in a database.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The apparatus of claim 17, further comprising:
    - a relay for offloading said server, wherein a plurality of clients point to a relay for downloads, which in turn makes only a single request of said server.
  - 19. The apparatus of claim 18, wherein a plurality of interaccessible relays are provided.
  - 20. The apparatus of claim 17, further comprising:
    - a report module for maintaining an audit trail of all console activity on said network.
  - 21. The apparatus of claim 17, further comprising:
    - a filter panel for providing a set of folders that contains specific field values to focus console activity.
  - 22. The apparatus of claim 17, wherein each message describes a problem that has been discovered on a client, and a short, clear explanation of said problem.
  - 23. The apparatus of claim 17, further comprising:
    - a human-readable relevance language for said messages that provides expressions for querying an exhaustive set of computer properties to target actions only to those computers matching predetermined relevance criteria.

24. In a system for formalizing, diffusing, and enforcing policy advisories and for monitoring policy compliance in the management of a network of computational devices, said system comprising a plurality of distributed clients, each of which runs on a corresponding networked computational device, and a server for coordinating information flow to and from individual clients, an apparatus comprising:
- at least one relay for offloading a download burden from said server, wherein said clients download from a designated relay;
  
  wherein said server distributes each advisory once to said relay, which in turn distributes said advisory to said clients; and
  
  wherein overhead on said server is reduced by a ratio of relays to clients.
- View Dependent Claims (25, 26, 27, 28)
- - 25. The apparatus of claim 24, wherein for each client in said network, both a primary and a secondary relay are specified.
  - 26. The apparatus of claim 25, wherein each client first attempts to download from its primary relay;
    - and wherein if said primary relay is unavailable for a client, said client can download from said secondary relay.
  - 27. The apparatus of claim 25, wherein if said primary relay fails, said secondary relay becomes a primary relay.
  - 28. The apparatus of claim 27, wherein if said secondary also fails, said client automatically downloads directly from said server.

29. In a system for formalizing, diffusing, and enforcing policy advisories and for monitoring policy compliance in the management of a network of computational devices, said system comprising a plurality of distributed clients, each of which runs on a corresponding networked computational device, a method comprising the steps of:
- providing a centrally managed advisory diffusion mechanism and a protocol for diffusing said advisories across said network of computational devices;
  
  providing a plurality of advisories specifying relevance criteria and an action, at least one advisory describing a problem that has been discovered on a client computational device, said advisory comprising a short, clear explanation of said problem;
  
  wherein said distributed clients, each client running on and associated with a networked computational device, gather said advisories and process said advisories;
  
  each of said distributed clients determining relevance of an advice message by evaluating a relevance clause of said advice message, while automatically retrieving properties of the computational device on which said client runs and with which it is associated; and
  
  wherein said advisories formally target specific states of a computational device and formally specify actions to take in response thereto.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 30. The method of claim 29, further comprising the step of:
    - providing a central server coupled to a central database, said central server storing data in and retrieving data from said central database.
  - 31. the method of claim 29, wherein said relevance clause is written in a formal descriptive language.
  - 32. The method of claim 31, further comprising the step of:
    - any of adding, modifying, and canceling a subscription of a distributed client to one or more advice provider sites.
  - 33. The method of claim 32, further comprising the step of:
    - selecting a group of computational devices, specifying action messages, scheduling, and controlling execution when deploying actions proposed by relevant advice messages.
  - 34. The method of claim 33, further comprising the step of:
    - securely deploying actions of relevant advice messages to a selected group of said distributed clients.
  - 35. The method of claim 33, further comprising the step of:
    - monitoring status of deployed actions.
  - 36. The method of claim 35, further comprising the step of:
    - stopping previously deployed actions which have not finished running.
  - 37. The method of claim 36, further comprising the step of:
    - monitoring status of each computational device while actions are being deployed and executed.
  - 38. The method of claim 37, wherein said monitoring step allows said system administrator to define and retrieve customized properties of computational devices using a formal descriptive language.

39. An enterprise management method, comprising the steps of:
- gathering advisories from an advisory site with a centrally managed advisory diffusion server, wherein each advisory comprises relevance criteria and an action, and wherein each advisory identifies relevant computers on a network and allows authorized personnel to monitor, modify, and maintain said computers across any subset of said network;
  
  displaying any of changes and new knowledge about said network with a console in communication with said server; and
  
  providing a plurality of clients, each client associated with and running on a networked computational device, associated with said network, each client processing said advisories based upon a relevance determination, inspecting its associated computer, and reporting any relevance determination and actions to said server.
- View Dependent Claims (40, 41, 42, 43, 44)
- - 40. The method of claim 39, further comprising the step of:
    - relaying said advisories to said clients and receiving related data from said client to forward to said server with a plurality of relays.
  - 41. The method of claim 39, said console further comprising the step of:
    - a console operator to target patches or other fixes to appropriate computers when vulnerabilities are discovered.
  - 42. The method of claim 41, said console further comprising the step of:
    - following progress of said patches or fixes in near real-time as they spread to all relevant computers and, one by one, eliminate bugs and vulnerabilities for affected computers across said network.
  - 43. The method of claim 41, further comprising the step of:
    - keeping a running history of any and all remedial actions taken with regard to said computers.
  - 44. The method of claim 41, further comprising the step of:
    - providing a detailed audit trail for every action and every maintained computer on said network.

45. An enterprise management method for a network comprising a plurality of managed computers, comprising the steps of:
- providing a system-wide view of said network of managed computers, along with specific characteristics thereof and associated actions, and for distributing information only to those computers for which said information is relevant;
  
  providing a client running on and associated with each managed computer for accessing a collection of messages comprising said information that identify relevant computer characteristics, wherein if said characteristics are identified, said client implements associated actions received from said console, wherein each of said clients determines relevance of a message by evaluating a relevance clause of said message, while automatically retrieving properties of the computer on which said client runs; and
  
  coordinating information flow to and from individual clients and for storing results in a database.
- View Dependent Claims (46, 47, 48, 49, 50, 51)
- - 46. The method of claim 45, further comprising the step of:
    - offloading said server with a relay, wherein a plurality of clients point to a relay for downloads, which in turn makes only a single request of said server.
  - 47. The method of claim 46, wherein a plurality of interaccessible relays are provided.
  - 48. The method of claim 45, further comprising the step of:
    - maintaining an audit trail of all console activity on said network.
  - 49. The method of claim 45, further comprising the step of:
    - providing a set of folders that contains specific field values to focus console activity.
  - 50. The method of claim 45, wherein each message describes a problem that has been discovered on a client, and a short, clear explanation of said problem.
  - 51. The method of claim 45, further comprising the step of:
    - providing a human-readable relevance language for said messages that provides expressions for querying an exhaustive set of computer properties to target actions only to those computers matching predetermined relevance criteria.

52. In a system for formalizing, diffusing, and enforcing policy advisories and for monitoring policy compliance in the management of a network of computational devices, said system comprising a plurality of distributed clients, each of which is associated with and runs on a corresponding networked computational device, and a server for coordinating information flow to and from individual clients, a method comprising the steps of:
- offloading a download burden from said server with a relay, wherein said clients download from a designated relay;
  
  said server distributing each advisory once to said relay, which in turn distributes said advisory to said clients; and
  
  reducing overhead on said server a ratio of relays to clients.
- View Dependent Claims (53, 54, 55, 56)
- - 53. The method of claim 52, wherein for each client in said network, both a primary relay and a secondary relay are specified.
  - 54. The method of claim 53, wherein each client first attempts to download from its primary relay;
    - and wherein if said primary relay is unavailable for a client, said client can download from said secondary relay.
  - 55. The method of claim 53, wherein if said primary relay fails, said secondary relay becomes a primary relay.
  - 56. The method of claim 55, wherein if said secondary relay also fails, said client automatically downloads directly from said server.

57. In a system for formalizing, diffusing, and enforcing policy advisories and for monitoring policy compliance in the management of a network of computational devices, said system comprising:
- a plurality of distributed clients, each of which is associated with and runs on a corresponding networked computational device, a server for coordinating information flow to and from individual clients, and a plurality of relays, each of which aggregates and mediates communication between said distributed clients and said server, an apparatus comprising;
  
  means associated with each said client for evaluating a relevance clause;
  
  identifying a file or group of files to upload to said server from its associated computational device;
  
  means associated with each said client for aggregating a file or group of files resident on its associated computational device into a file collection;
  
  wherein a relay offloads an upload burden from said server; and
  
  wherein said clients upload said file collection to said server via a designated relay; and
  
  means associated with each said client for distributing each file collection once to said relay, which in turn distributes said file collection to said server.
- View Dependent Claims (58, 59, 60, 61, 62, 63, 64, 65)
- - 58. The apparatus of claim 57, said system further comprising:
    - a central server coupled to a repository of files, said server storing, data in, and retrieving data from, said repository of files.
  - 59. The apparatus of claim 57, wherein said client compresses said file collection to reduce said collection'"'"'s data size.
  - 60. The apparatus of claim 57, wherein said client distributes each file collection periodically to said relay, which in turn distributes said files to said server.
  - 61. The apparatus of claim 57, wherein said client does not include files in a file collection that have not changed since a previous file collection continuing said files was uploaded.
  - 62. The apparatus of claim 57, further comprising:
    - means for limiting bandwidth consumed by said client during upload of said file collection to said relay.
  - 63. The apparatus of claim 57, further comprising:
    - means for limiting bandwidth consumed by said relay during upload of said file collection to said server.
  - 64. The apparatus of claim 57, further comprising:
    - means for resuming an interrupted upload of said file collection by said client to said relay at a point of interruption.
  - 65. The apparatus of claim 57, further comprising:
    - means for resuming an interrupted upload of said file collection by said client to said relay at a point of interruption.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
BigFix, Inc. (International Business Machines Corporation)
Inventors
Loer, Peter Benjamin, Lippincott, Lisa Ellen, Hindawi, Orion Yosef, Brown, James Milton, Donoho, David Leigh, Hindawi, David Salim, Goodrow, Dennis S., Lincroft, Peter
Primary Examiner(s)
LEWIS, CHERYL RENEA

Application Number

US10/804,799
Publication Number

US 20050086534A1
Time in Patent Office

1,572 Days
Field of Search

707/10, 707/104.1, 707/5, 709/203
US Class Current

709/203
CPC Class Codes

G06F 8/65 Updates security arrangemen...

H04L 63/1433 Vulnerability analysis

Enterprise console

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

95 Citations

65 Claims

Specification

Solutions

Use Cases

Quick Links

Enterprise console

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

65 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links