Automated collection of forensic evidence associated with a network security incident
Abstract
An automated collection of forensic evidence associated with a security incident is provided by an arrangement in which different security products, called endpoints, in an enterprise network are enabled to share security-related information over a common communication channel using an abstraction called a security assessment. A security assessment is generally configured to indicate an endpoint's understanding of a detected security incident that pertains to an object in the environment, which may include users, computers, IP addresses, and website URIs (Uniform Resource Identifiers). The security assessment is published by the endpoint into the channel and received by subscribing endpoints. The security assessment triggers the receiving endpoints to go into a more comprehensive or detailed mode of evidence collection. In addition, any forensic evidence having relevance to the security incident that may have already been collected prior to the detection is marked for retention so that it is not otherwise deleted.
18 Claims
1. An automated method for collecting and retaining forensic evidence that is applicable to a security incident that occurs in an enterprise networking environment, the method comprising the steps of:
arranging the enterprise networking environment so that each of a plurality of endpoints in the enterprise networking environment collects and communicates security assessments over a communication channel, each of the security assessments being arranged for describing an object in the enterprise networking environment, and each of the plurality of endpoints being configured for receiving security assessments published by other endpoints and each of the plurality of endpoints being further configured for generating a new security assessment, in response to a received security assessment, using information that is locally-available to one of the plurality of endpoints performing the generating, wherein the received security assessment is arranged to provide contextual meaning to the security incident and further being defined with a fidelity to describe a degree of confidence in reliability of the detected security incident, or with a severity to describe a degree of seriousness for the security incident;
invoking a mode for forensic evidence collecting, by at least one of the plurality of endpoints, in response to a security assessment of a detected security incident by which the object in the enterprise network environment becomes compromised;
invoking a mode for retaining the collected forensic evidence; and
applying dynamic policies to the forensic evidence collecting and retaining so that the collecting and retaining will use different modes for different objects.
Dependent claims: 2-13.
14. A method for presenting forensic evidence pertaining to a security incident occurring in an enterprise network that includes a plurality of endpoints which are arranged to share security assessments over a common communication channel, the method comprising the steps of:
receiving a security assessment at an endpoint in the enterprise network that is arranged for centralized logging and auditing of security assessments produced by the plurality of endpoints, the security assessment indicating a suspected compromised object, environment, and each of the plurality of endpoints being configured for receiving security assessments published by other endpoints and each of the plurality of endpoints being further configured for generating a new security assessment, in response to a received security assessment, using information that is locally-available to one of the plurality of endpoints performing the generating, wherein the received security assessment is arranged to provide contextual meaning to the security incident and further being defined with a fidelity to describe a degree of confidence in reliability of the detected security incident, or with a severity to describe a degree of seriousness for the security incident; and
providing a presentation of forensic evidence associated with the suspected compromised object, the forensic evidence being collected by endpoints in the enterprise network in accordance with dynamic policies that vary by object and by criteria expressed in the security assessment.
Dependent claims: 15-16.
17. A method for retaining forensic evidence associated with a compromised object in an enterprise network environment, the method comprising the steps of:
arranging the enterprise network environment so that each of a plurality of endpoints in the enterprise network environment communicates security assessments over a communication channel, each of the security assessments being arranged for describing an object in the enterprise network environment that is suspected of being compromised or malicious, and each of the plurality of endpoints being configured for receiving security assessments published by other endpoints and each of the plurality of endpoints being further configured for generating a new security assessment, in response to a received security assessment, using information that is locally-available to one of the plurality of endpoints performing the generating, wherein the received security assessment is arranged to provide contextual meaning to the security incident and further being defined with a fidelity to describe a degree of confidence in reliability of the detected security incident, or with a severity to describe a degree of seriousness for the security incident; and
retaining the forensic evidence associated with the object in accordance with dynamic forensic evidence collection policies, the dynamic forensic evidence collection policies being dependent on criteria specified in each of the security assessments in which the criteria use a pre-defined taxonomy having a schematized vocabulary comprising object types and assessment categories.
Dependent claims: 18.
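The mechanism that the abstract and the three independent claims describe, worked through as an added Python example that is not part of the patent page: endpoints publish security assessments drawn from a shared taxonomy onto a common channel; a subscribing endpoint whose policy matches the assessment's object type, category, fidelity and severity switches that object into a more detailed collection mode and marks the evidence it already holds about that object for retention; an endpoint with relevant local knowledge (here, which user was logged on to the compromised computer) publishes a derived assessment of its own; and a presentation function reads the channel log and the endpoints' evidence for one object. The taxonomy values, the 1-to-5 fidelity and severity scales, the policies, endpoint names and evidence records are all constructed for this example and are not taken from the patent.

```python
"""Added example: toy model of assessment-driven forensic collection."""
from __future__ import annotations
from dataclasses import dataclass

# Shared taxonomy (constructed; the page only says a schematized vocabulary exists).
OBJECT_TYPES = ("user", "computer", "ip", "uri")
CATEGORIES = ("compromised", "malicious")


@dataclass(frozen=True)
class SecurityAssessment:
    source: str        # publishing endpoint
    object_type: str   # taxonomy object type
    object_id: str     # hostname, user name, IP address or URI
    category: str      # taxonomy assessment category
    fidelity: int      # 1 (weak signal) .. 5 (certain)   -- scale is an assumption
    severity: int      # 1 (nuisance) .. 5 (critical)     -- scale is an assumption

    def __post_init__(self) -> None:
        if self.object_type not in OBJECT_TYPES or self.category not in CATEGORIES:
            raise ValueError("assessment does not use the shared taxonomy")
        if not (1 <= self.fidelity <= 5 and 1 <= self.severity <= 5):
            raise ValueError("fidelity and severity must be 1..5")

    @property
    def key(self) -> str:
        return f"{self.object_type}:{self.object_id}"


@dataclass(frozen=True)
class Policy:
    """Collection mode to enter when an assessment meets these criteria."""
    object_type: str
    category: str
    min_fidelity: int
    min_severity: int
    mode: str

    def matches(self, a: SecurityAssessment) -> bool:
        return (a.object_type == self.object_type and a.category == self.category
                and a.fidelity >= self.min_fidelity and a.severity >= self.min_severity)


class Channel:
    """Common publish/subscribe channel; its log doubles as the central audit record."""
    def __init__(self) -> None:
        self.subscribers: list[Endpoint] = []
        self.log: list[SecurityAssessment] = []

    def publish(self, a: SecurityAssessment) -> None:
        self.log.append(a)
        for ep in self.subscribers:
            if ep.name != a.source:   # a publisher does not re-process its own assessment
                ep.receive(a)


class Endpoint:
    def __init__(self, name, channel, policies, local_facts=None):
        self.name = name
        self.channel = channel
        self.policies = list(policies)
        # Locally-available knowledge relating one object to another, e.g. which
        # user was logged on to a computer (constructed sample data).
        self.local_facts: dict[str, tuple[str, str]] = dict(local_facts or {})
        self.mode: dict[str, str] = {}      # object key -> current collection mode
        self.evidence: list[dict] = []
        self._published: set[str] = set()   # objects this endpoint already assessed
        channel.subscribers.append(self)

    def collect(self, key: str, detail: str) -> dict:
        rec = {"endpoint": self.name, "object": key, "detail": detail,
               "mode": self.mode.get(key, "normal"), "retained": False}
        self.evidence.append(rec)
        return rec

    def receive(self, a: SecurityAssessment) -> None:
        for p in self.policies:
            if p.matches(a):
                self.mode[a.key] = p.mode        # invoke the detailed collection mode
                for rec in self.evidence:        # retain evidence gathered before detection
                    if rec["object"] == a.key:
                        rec["retained"] = True
        related = self.local_facts.get(a.key)
        if related and f"{related[0]}:{related[1]}" not in self._published:
            # Derive a new assessment from local knowledge; one step lower in
            # fidelity because it is inferred rather than directly observed.
            self._published.add(f"{related[0]}:{related[1]}")
            self.channel.publish(SecurityAssessment(
                self.name, related[0], related[1], a.category,
                fidelity=max(1, a.fidelity - 1), severity=a.severity))


def present(channel: Channel, key: str) -> dict:
    """Claim-14 style view: assessments and collected evidence for one object."""
    return {
        "assessments": [a for a in channel.log if a.key == key],
        "evidence": [r for ep in channel.subscribers for r in ep.evidence if r["object"] == key],
    }


def run_scenario():
    """Constructed incident: a NIDS flags host7; the host agent links it to alice."""
    ch = Channel()
    policies = [Policy("computer", "compromised", 3, 3, "full-packet-capture"),
                Policy("user", "compromised", 2, 3, "retain-all-logons")]
    nids = Endpoint("nids", ch, [])
    host = Endpoint("host-agent", ch, policies, {"computer:host7": ("user", "alice")})
    idp = Endpoint("identity", ch, policies)
    host.collect("computer:host7", "hourly process list")   # routine, pre-detection
    host.collect("computer:host8", "hourly process list")
    idp.collect("user:alice", "interactive logon to host7")
    nids.channel.publish(SecurityAssessment("nids", "computer", "host7", "compromised", 4, 4))
    host.collect("computer:host7", "memory image")           # now in detailed mode
    return ch, host, idp


if __name__ == "__main__":
    ch, host, idp = run_scenario()
    for k in ("computer:host7", "user:alice"):
        print(k, present(ch, k))
```

Running the scenario, the host agent's pre-detection record for host7 is marked retained while the unrelated host8 record is not, the later memory image is taken in the detailed mode, and the identity endpoint (which never saw the NIDS alert directly) retains alice's logon record because of the derived, lower-fidelity assessment the host agent published.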