System and method of managing network security risks
First Claim
1. A security risk management system, comprising:
a processor and a memory;
a vulnerability database comprising data indicative of security vulnerabilities possessed by each asset of a plurality of assets connected to a computer network;
an asset database comprising data indicative of attributes possessed by each asset of the plurality of assets such that the vulnerability database and the asset database together define for each asset a group of security vulnerabilities and attributes possessed by each asset; and
a threat correlation module in communication with the vulnerability database and the asset database and configured to:
receive at least one threat intelligence alert that comprises data identifying at least one security threat that affects a class of assets, wherein the threat intelligence alert defines the affected class of assets with reference to an associated group of attributes and security vulnerabilities possessed by the affected class of assets;
identify a selected threat from the at least one security threat identified by the at least one threat intelligence alert;
identify any assets affected by the selected threat, wherein the asset is deemed to be affected by the selected threat if the group of attributes and security vulnerabilities associated with the selected threat matches the group of attributes and security vulnerabilities possessed by the asset, wherein a user recommendation is provided for responding to the selected threat;
generate a prioritized list of the affected assets based on their respective security risks such that scanning activities are initiated for at least some of the affected assets based on their respective security risks; and
communicate with a threat response module configured to access a vulnerability remediation module and to initiate a ticketing and workflow process that at least partially directs remediation of asset vulnerabilities, wherein the ticketing and workflow process assigns at least one user at least one specific remediation task, and initiates a check-up vulnerability scan in order to verify that the remediation has occurred.
Abstract
A security risk management system comprises a vulnerability database, an asset database, a local threat intelligence database and a threat correlation module. The vulnerability database comprises data about security vulnerabilities of assets on a network gathered using active or passive vulnerability assessment techniques. The asset database comprises data concerning attributes of each asset. The threat correlation module receives threat intelligence alerts that identify attributes and vulnerabilities associated with security threats that affect classes of assets. The threat correlation module compares asset attributes and vulnerabilities with threat attributes and vulnerabilities and displays a list of assets that are affected by a particular threat. The list can be sorted according to a calculated risk score, allowing an administrator to prioritize preventive action and respond first to threats that affect higher risk assets. The security risk management system provides tools for performing preventive action and for tracking the success of preventive action.
16 Claims
1. A security risk management system, comprising: (independent claim; its full text appears above under First Claim)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A method of correlating a conceptual network security threat with assets that can be affected by the conceptual network security threat, the method comprising:
identifying a selected conceptual network security threat, wherein the selected conceptual network security threat defines a group of attributes and vulnerabilities that, if possessed by an asset, indicate that the asset possessing the group of attributes and vulnerabilities can be affected by the selected threat if the threat becomes a realized threat;
identifying a group of assets for comparison;
comparing attributes and vulnerabilities associated with each asset of the group of assets with attributes and vulnerabilities of the selected threat utilizing a threat correlation module;
generating a prioritized list of the affected assets based on their respective security risks such that scanning activities are initiated for at least some of the affected assets based on their respective security risks; and
displaying the list of affected assets comprising each asset whose attributes and vulnerabilities match the attributes and vulnerabilities of the selected threat;
wherein the threat correlation module is in communication with a threat response module configured to access a vulnerability remediation module and initiate an automated ticketing and workflow process that at least partially directs remediation of asset vulnerabilities, the automated ticketing and workflow process automatically assigning at least one user at least one specific remediation task, determining if the at least one specific remediation task has been completed by the at least one user, and commencing a check-up vulnerability scan to verify that the remediation has occurred, wherein a user recommendation is provided for responding to the selected conceptual network security threat.
Dependent claims: 14, 15, 16
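The correlation, prioritization, ticketing and check-up steps described in the abstract and in claim 13, as an added Python example written for this page; it is not the patentee's implementation or any product's code. The asset and alert field names, the tag format ("os:linux"), the risk formula (severity times asset criticality times the number of the threat's vulnerabilities the asset carries), the scan threshold, and the sample inventory with its VULN-A/VULN-B placeholder identifiers are all assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One asset, joined across the asset and vulnerability databases."""
    name: str
    attributes: frozenset       # assumed tag format, e.g. "os:linux"
    vulnerabilities: frozenset  # assumed placeholder ids, not real CVEs
    criticality: int            # assumed scale, 1 (low) to 5 (high)


@dataclass(frozen=True)
class ThreatAlert:
    """A threat intelligence alert defining the affected class of assets."""
    threat_id: str
    class_attributes: frozenset
    class_vulnerabilities: frozenset
    severity: int               # assumed scale, 1 (low) to 5 (high)
    recommendation: str


def asset_is_affected(asset: Asset, alert: ThreatAlert) -> bool:
    """Match rule: the asset possesses every attribute and every
    vulnerability that defines the alert's affected class."""
    return (alert.class_attributes <= asset.attributes
            and alert.class_vulnerabilities <= asset.vulnerabilities)


def risk_score(asset: Asset, alert: ThreatAlert) -> int:
    """Assumed scoring: threat severity x asset criticality x number of the
    threat's vulnerabilities actually present on the asset."""
    matched = len(alert.class_vulnerabilities & asset.vulnerabilities)
    return alert.severity * asset.criticality * matched


def correlate(assets, alert, scan_threshold=18):
    """Return affected assets sorted by descending risk; assets at or above
    scan_threshold are flagged for an immediate vulnerability scan."""
    affected = [a for a in assets if asset_is_affected(a, alert)]
    ranked = sorted(affected, key=lambda a: (-risk_score(a, alert), a.name))
    return [
        {
            "asset": a.name,
            "threat": alert.threat_id,
            "risk": risk_score(a, alert),
            "scan_now": risk_score(a, alert) >= scan_threshold,
            "recommendation": alert.recommendation,
        }
        for a in ranked
    ]


def open_tickets(prioritized, assignee):
    """Ticketing step: one remediation task per affected asset, assigned
    to a named user, in priority order."""
    return [
        {"asset": row["asset"], "assignee": assignee,
         "task": row["recommendation"], "status": "open"}
        for row in prioritized
    ]


def verify_remediation(ticket, alert, rescan_vulnerabilities):
    """Check-up scan: the ticket is verified only if the rescan no longer
    finds any of the threat's vulnerabilities on the asset."""
    still_present = alert.class_vulnerabilities & frozenset(rescan_vulnerabilities)
    return dict(ticket, status="open" if still_present else "verified")


# Constructed sample inventory and alert (placeholder ids, not real data).
ASSETS = [
    Asset("web-01", frozenset({"os:linux", "service:http"}),
          frozenset({"VULN-A", "VULN-B"}), 5),
    Asset("db-01", frozenset({"os:linux", "service:db"}),
          frozenset({"VULN-A"}), 4),
    Asset("kiosk-07", frozenset({"os:windows"}), frozenset({"VULN-A"}), 1),
    Asset("web-02", frozenset({"os:linux", "service:http"}),
          frozenset({"VULN-B"}), 3),
]
ALERT = ThreatAlert("THREAT-EXAMPLE-1", frozenset({"os:linux"}),
                    frozenset({"VULN-A"}), severity=4,
                    recommendation="apply vendor fix for VULN-A")

if __name__ == "__main__":
    for row in correlate(ASSETS, ALERT):
        print(row)
```

With the constructed data, only web-01 and db-01 match (kiosk-07 fails the attribute test, web-02 lacks VULN-A); web-01 ranks first at risk 20 and is flagged for scanning, db-01 at 16 is not. The match rule is a subset test in both directions of the claim's "group of attributes and vulnerabilities", so an alert that names no vulnerabilities would match on attributes alone but score zero under the assumed formula, which is a reason to keep severity and criticality visible in the ranking rather than collapsing everything into one number.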