Threat management system and method

US 8,220,056 B2
Filed: 09/23/2008
Issued: 07/10/2012
Est. Priority Date: 09/23/2008
Status: Active Grant

First Claim

Patent Images

1. A method of automating network threat responses, the method comprising:

enabling a customer to enter a customer supplied assessment of assets and threats to the assets;

identifying, through a processing device, types of assets of the customer in a hosting area network susceptible to network attack, the assets comprising physical computing system and networking resourcesproviding managed services in the hosting area network to a plurality of customers, each customer having a dedicated set of the resources;

comparing the identified types of assets of the customer to the types of assets of other customers of the hosting area network to identify other customers having similar types of assets;

comparing asset values of the identified other customers having similar types of assets to the customer supplied assessment of assets and threats to identify the asset values of the identified other customers corresponding to the customer supplied assessment of assets and threats;

assigning an asset value to each type of asset of the customer based on the identified asset values of the other customers corresponding to the customer supplied assessment of assets and threats;

identifying types of threats of network attack to the assets of the customer;

comparing the identified types of threats to the assets of the customer to the types of threats faced by the other customers of the hosting area network having similar types of assets to identify other customers facing similar types of threats;

comparing threat values of the identified other customers facing similar types of threats to the customer supplied assessment of assets and threats to identify the threat values of the identified other customers corresponding to the customer supplied assessment of assets and threats;

assigning a threat value to each type of threat to the assets of the customer based on the identified threat values of the other customers corresponding to the customer supplied assessment of assets and threats;

applying a first statistical algorithm to events in the hosting area network to identify anomalous event patterns;

comparing the identified anomalous event patterns to accumulated historical data on prior attacks and events stored in a historical correlation module to identify actual threats from an attack;

applying a second statistical algorithm to the assigned asset value, the assigned threat values, and the identified actual threats to identify a severity of the actual threats for the customer; and

plotting on a map of the hosting area network at least one of the actual threats identified as severe.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a threat management system and method for managed systems, leveraging of identifications and/or assessments of common threats, and/or valuation of assets which may be susceptible to common threats, can be applied to facilitate monitoring of customer compliance with policies needed to guard against threats to customer assets. Threat identification and response in managed systems may be tailored for different customers, in some instances without having to parse individual customer details, such as assets at risk and types of threats to those assets.

56 Citations

View as Search Results

9 Claims

1. A method of automating network threat responses, the method comprising:
- enabling a customer to enter a customer supplied assessment of assets and threats to the assets;
  
  identifying, through a processing device, types of assets of the customer in a hosting area network susceptible to network attack, the assets comprising physical computing system and networking resourcesproviding managed services in the hosting area network to a plurality of customers, each customer having a dedicated set of the resources;
  
  comparing the identified types of assets of the customer to the types of assets of other customers of the hosting area network to identify other customers having similar types of assets;
  
  comparing asset values of the identified other customers having similar types of assets to the customer supplied assessment of assets and threats to identify the asset values of the identified other customers corresponding to the customer supplied assessment of assets and threats;
  
  assigning an asset value to each type of asset of the customer based on the identified asset values of the other customers corresponding to the customer supplied assessment of assets and threats;
  
  identifying types of threats of network attack to the assets of the customer;
  
  comparing the identified types of threats to the assets of the customer to the types of threats faced by the other customers of the hosting area network having similar types of assets to identify other customers facing similar types of threats;
  
  comparing threat values of the identified other customers facing similar types of threats to the customer supplied assessment of assets and threats to identify the threat values of the identified other customers corresponding to the customer supplied assessment of assets and threats;
  
  assigning a threat value to each type of threat to the assets of the customer based on the identified threat values of the other customers corresponding to the customer supplied assessment of assets and threats;
  
  applying a first statistical algorithm to events in the hosting area network to identify anomalous event patterns;
  
  comparing the identified anomalous event patterns to accumulated historical data on prior attacks and events stored in a historical correlation module to identify actual threats from an attack;
  
  applying a second statistical algorithm to the assigned asset value, the assigned threat values, and the identified actual threats to identify a severity of the actual threats for the customer; and
  
  plotting on a map of the hosting area network at least one of the actual threats identified as severe.
- View Dependent Claims (2, 3)
- - 2. A method as claimed in claim 1, further comprising:
    - selectively blocking access to said network in accordance with said identified severity.
  - 3. A method as claimed in claim 2, wherein said selectively blocking comprises blocking access to particular Internet ports.

4. In a managed services system providing managed services to a plurality of customers, an automated network threat response system comprising:
- a processing device configured to execute instructions to instantiate a plurality of threat response modules including;
  
  a knowledge base module configured to retain threat solutions associated with asset types and security threats, retain information about previous incidents affecting a plurality of customers to identify a granularity of data delivered to the customer and provide threat containment, and plot on a map of the hosting area network at least one actual threat identified as severe at the identified granularity;
  
  a correlation module configured to;
  
  enable a customer to enter a customer supplied assessment of assets and threats to the assets;
  
  identify, through a processing device, types of assets of the customer in a hosting area network susceptible to network attack, the assets comprising physical computing system and networking resources providing managed services in the hosting area network to a plurality of customers, each customer having a dedicated set of the resources;
  
  compare the identified types of assets of the customer to the types of assets of other customers of the hosting area network to identify other customers having similar types of assets;
  
  compare asset values of the identified other customers having similar types of assets to the customer supplied assessment of assets and threats to identify the asset values of the identified other customers corresponding to the customer supplied assessment of assets and threats;
  
  assign the identified asset value to each type of asset of the customer based on the comparing;
  
  identifying types of threats of network attack to the assets of the customer;
  
  compare the identified types of threats to the assets of the customer to the types of threats faced by the other customers of the hosting area network having similar types of assets to identify other customers facing similar types of threats;
  
  compare threat values of the identified other customers facing similar types of threats to the customer supplied assessment of assets and threats to identify the threat values of the identified other customers corresponding to the customer supplied assessment of assets and threats;
  
  assign the identified threat value to each type of threat to the assets of the customer;
  
  apply a first statistical algorithm to events in the hosting area network to identify anomalous event patterns;
  
  compare the identified anomalous event patterns to accumulated historical data on prior attacks and events stored in a historical correlation module to identify actual threats from an attack;
  
  apply a second statistical algorithm to the assigned asset value, the assigned threat values, and the identified actual threats to identify a severity of the actual threats for the customer;
  
  a management module, working with the correlation module, configured to manage responses to said security threats; and
  
  an incident resolution module, working with the correlation module, configured to resolve security threats in said managed services system.
- View Dependent Claims (5, 6, 7, 8, 9)
- - 5. A system as claimed in claim 4, further comprising a visualization module configured to facilitate visualization of the plotted at least one threat.
  - 6. A system as claimed in claim 4, further comprising a log data module configured to record threat events in said managed services system.
  - 7. A system as claimed in claim 4, wherein a managed services provider develops the threat solutions contained in the knowledge base module.
  - 8. A system as claimed in claim 4, wherein the correlation module obtains said threat values from said customer, based on the customer'"'"'s own assessment.
  - 9. A system as claimed in claim 4, wherein the correlation module obtains said asset values from said customer, based on the customer'"'"'s own assessment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Colorado WSC, LLC
Original Assignee
Savvis, Inc. (Lumen Technologies, Inc.)
Inventors
Owens, Kenneth R. Jr.
Primary Examiner(s)
Shaw, Yin-Chen
Assistant Examiner(s)
Kabir, Jahangir

Application Number

US12/236,439
Publication Number

US 20110239303A1
Time in Patent Office

1,386 Days
Field of Search

726 22- 25
US Class Current

726/25
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Threat management system and method

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

56 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Threat management system and method

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links