Threat management system and method
First Claim
1. A method of automating network threat responses, the method comprising:
enabling a customer to enter a customer supplied assessment of assets and threats to the assets;
identifying, through a processing device, types of assets of the customer in a hosting area network susceptible to network attack, the assets comprising physical computing system and networking resources providing managed services in the hosting area network to a plurality of customers, each customer having a dedicated set of the resources;
comparing the identified types of assets of the customer to the types of assets of other customers of the hosting area network to identify other customers having similar types of assets;
comparing asset values of the identified other customers having similar types of assets to the customer supplied assessment of assets and threats to identify the asset values of the identified other customers corresponding to the customer supplied assessment of assets and threats;
assigning an asset value to each type of asset of the customer based on the identified asset values of the other customers corresponding to the customer supplied assessment of assets and threats;
identifying types of threats of network attack to the assets of the customer;
comparing the identified types of threats to the assets of the customer to the types of threats faced by the other customers of the hosting area network having similar types of assets to identify other customers facing similar types of threats;
comparing threat values of the identified other customers facing similar types of threats to the customer supplied assessment of assets and threats to identify the threat values of the identified other customers corresponding to the customer supplied assessment of assets and threats;
assigning a threat value to each type of threat to the assets of the customer based on the identified threat values of the other customers corresponding to the customer supplied assessment of assets and threats;
applying a first statistical algorithm to events in the hosting area network to identify anomalous event patterns;
comparing the identified anomalous event patterns to accumulated historical data on prior attacks and events stored in a historical correlation module to identify actual threats from an attack;
applying a second statistical algorithm to the assigned asset value, the assigned threat values, and the identified actual threats to identify a severity of the actual threats for the customer; and
plotting on a map of the hosting area network at least one of the actual threats identified as severe.
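The claim names the steps but not the statistics behind them. The following Python script is an added example written for this page, not the patent's own implementation: it runs the steps of claim 1 in order over constructed data (peer customers, one customer's hosts, an 8-hour baseline of per-host event counts with two spiked event types, and a small historical correlation table). The concrete choices are all assumptions for the example: peer similarity as key overlap plus matching self-assessment, asset and threat values as the mean of similar peers' values, a z-score detector as the "first statistical algorithm", a signature-fraction match against the history as the correlation step, a multiplicative asset x threat x match x magnitude score as the "second statistical algorithm", and a text rendering of hosts as the "map".

```python
"""Illustrative end-to-end run of the steps in claim 1 over constructed data.
Example code written for this page, not the patent's own implementation."""
from statistics import mean, pstdev

# Constructed peers: each other customer's self-assessment, its asset types
# with the value it assigned, and its threat types with the value it assigned.
PEERS = {
    "cust_a": {"assessment": "high", "assets": {"web": 9, "db": 10, "dns": 6},
               "threats": {"sqli": 9, "ddos": 7, "bruteforce": 5}},
    "cust_b": {"assessment": "high", "assets": {"web": 8, "db": 9},
               "threats": {"sqli": 8, "ddos": 8}},
    "cust_c": {"assessment": "low", "assets": {"web": 3, "dns": 2},
               "threats": {"ddos": 3, "bruteforce": 2}},
}
# The customer under evaluation: assessment, host -> asset type, threats faced.
CUSTOMER = {"assessment": "high", "threats": ["sqli", "ddos", "bruteforce"],
            "hosts": {"web01": "web", "db01": "db", "dns01": "dns"}}
# Constructed hourly event counts per (host, event type): 8-hour baseline and
# the current hour. login_fail on web01 and sql_error on db01 are spiked.
BASELINE = {
    ("web01", "http_5xx"): [12, 15, 11, 14, 13, 12, 16, 14],
    ("web01", "login_fail"): [3, 2, 4, 3, 2, 3, 4, 3],
    ("db01", "sql_error"): [1, 0, 2, 1, 1, 0, 1, 1],
    ("dns01", "query_rate"): [900, 950, 880, 920, 910, 940, 930, 905],
}
CURRENT = {("web01", "http_5xx"): 14, ("web01", "login_fail"): 120,
           ("db01", "sql_error"): 40, ("dns01", "query_rate"): 915}
# Historical correlation module (constructed): events that preceded attacks.
HISTORY = {"bruteforce": {"login_fail"}, "sqli": {"sql_error", "http_5xx"},
           "ddos": {"query_rate", "http_5xx"}}

def similar_peers(mine, peers, field, assessment, min_overlap=0.5):
    """Peers sharing >= min_overlap of our keys in `field` ("assets" or
    "threats") and giving the same self-assessment as the customer."""
    mine = set(mine)
    return [n for n, p in peers.items()
            if len(mine & set(p[field])) / len(mine) >= min_overlap
            and p["assessment"] == assessment]

def infer_values(mine, peers, names, field, default=5.0):
    """Assign each key the mean of the matching peers' values for it."""
    out = {}
    for k in mine:
        vals = [peers[n][field][k] for n in names if k in peers[n][field]]
        out[k] = mean(vals) if vals else default
    return out

def detect_anomalies(baseline, current, z_threshold=3.0):
    """First statistical algorithm: z-score of the current count against the
    key's own baseline; the 1.0 std-dev floor stops flat baselines over-firing."""
    found = {}
    for key, hist in baseline.items():
        z = (current.get(key, 0) - mean(hist)) / max(pstdev(hist), 1.0)
        if z >= z_threshold:
            found[key] = z
    return found

def correlate(anomalies, history):
    """(host, threat) is an actual threat when any event of the threat's
    historical signature is anomalous on that host; value = fraction seen."""
    actual = {}
    for host, event in anomalies:
        for threat, signature in history.items():
            if event in signature:
                seen = sum(1 for h, e in anomalies if h == host and e in signature)
                actual[(host, threat)] = seen / len(signature)
    return actual

def severity(actual, anomalies, asset_values, threat_values, hosts):
    """Second statistical algorithm: asset value x threat value x signature
    fraction x anomaly magnitude (z/10 capped at 1), giving 0..100."""
    scores = {}
    for (host, threat), frac in actual.items():
        z = max(v for (h, _), v in anomalies.items() if h == host)
        a, t = asset_values[hosts[host]], threat_values.get(threat, 0.0)
        scores[(host, threat)] = round(a * t * frac * min(z / 10.0, 1.0), 1)
    return scores

def plot_map(scores, hosts, threshold=30.0):
    """Text map of the hosting area network: one row per host with the threats
    whose severity reaches the threshold (the 'severe' ones)."""
    rows = []
    for host in sorted(hosts):
        hits = [f"{t}={s}" for (h, t), s in sorted(scores.items())
                if h == host and s >= threshold]
        rows.append(f"[{host} {hosts[host]}] " + (" ".join(hits) or "-"))
    return "\n".join(rows)

def run_pipeline(customer=CUSTOMER, peers=PEERS):
    """Run the claimed steps in order and return every intermediate result."""
    assess, hosts = customer["assessment"], customer["hosts"]
    by_assets = similar_peers(hosts.values(), peers, "assets", assess)
    asset_values = infer_values(hosts.values(), peers, by_assets, "assets")
    by_threats = similar_peers(customer["threats"],
                               {n: peers[n] for n in by_assets}, "threats", assess)
    threat_values = infer_values(customer["threats"], peers, by_threats, "threats")
    anomalies = detect_anomalies(BASELINE, CURRENT)
    actual = correlate(anomalies, HISTORY)
    scores = severity(actual, anomalies, asset_values, threat_values, hosts)
    return {"asset_values": asset_values, "threat_values": threat_values,
            "anomalies": anomalies, "actual": actual, "scores": scores,
            "map": plot_map(scores, hosts)}
```

Running `print(run_pipeline()["map"])` lists each host with any threat scored at or above the severe threshold. Two points worth noticing in the constructed data: the customer's own asset and threat values come entirely from the two "high" peers (the "low" peer is excluded even though its asset mix overlaps), and the SQL-injection finding on db01 scores below the brute-force finding on web01 despite a more valuable asset, because only half of its historical signature was observed. Both are consequences of the assumed formulas, not of anything the claim specifies.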
8 Assignments
0 Petitions
Abstract
In a threat management system and method for managed systems, leveraging of identifications and/or assessments of common threats, and/or valuation of assets which may be susceptible to common threats, can be applied to facilitate monitoring of customer compliance with policies needed to guard against threats to customer assets. Threat identification and response in managed systems may be tailored for different customers, in some instances without having to parse individual customer details, such as assets at risk and types of threats to those assets.
56 Citations
9 Claims
1. (Claim 1 is reproduced in full above under First Claim.) - View Dependent Claims (2, 3)
4. In a managed services system providing managed services to a plurality of customers, an automated network threat response system comprising:
a processing device configured to execute instructions to instantiate a plurality of threat response modules including:
a knowledge base module configured to retain threat solutions associated with asset types and security threats, retain information about previous incidents affecting a plurality of customers to identify a granularity of data delivered to the customer and provide threat containment, and plot on a map of the hosting area network at least one actual threat identified as severe at the identified granularity;
a correlation module configured to:
enable a customer to enter a customer supplied assessment of assets and threats to the assets;
identify, through a processing device, types of assets of the customer in a hosting area network susceptible to network attack, the assets comprising physical computing system and networking resources providing managed services in the hosting area network to a plurality of customers, each customer having a dedicated set of the resources;
compare the identified types of assets of the customer to the types of assets of other customers of the hosting area network to identify other customers having similar types of assets;
compare asset values of the identified other customers having similar types of assets to the customer supplied assessment of assets and threats to identify the asset values of the identified other customers corresponding to the customer supplied assessment of assets and threats;
assign the identified asset value to each type of asset of the customer based on the comparing;
identify types of threats of network attack to the assets of the customer;
compare the identified types of threats to the assets of the customer to the types of threats faced by the other customers of the hosting area network having similar types of assets to identify other customers facing similar types of threats;
compare threat values of the identified other customers facing similar types of threats to the customer supplied assessment of assets and threats to identify the threat values of the identified other customers corresponding to the customer supplied assessment of assets and threats;
assign the identified threat value to each type of threat to the assets of the customer;
apply a first statistical algorithm to events in the hosting area network to identify anomalous event patterns;
compare the identified anomalous event patterns to accumulated historical data on prior attacks and events stored in a historical correlation module to identify actual threats from an attack;
apply a second statistical algorithm to the assigned asset value, the assigned threat values, and the identified actual threats to identify a severity of the actual threats for the customer;
a management module, working with the correlation module, configured to manage responses to said security threats; and
an incident resolution module, working with the correlation module, configured to resolve security threats in said managed services system. - View Dependent Claims (5, 6, 7, 8, 9)
Specification