Automated collection of forensic evidence associated with a network security incident

US 8,424,094 B2
Filed: 06/30/2007
Issued: 04/16/2013
Est. Priority Date: 04/02/2007
Status: Active Grant

First Claim

Patent Images

1. An automated method for collecting and retaining forensic evidence that is applicable to a security incident that occurs in an enterprise networking environment, the method comprising the steps of:

arranging the enterprise networking environment so that each of a plurality of endpoints in the enterprise networking environment collects and communicates security assessments over a communication channel, each of the security assessments being arranged for describing an object in the enterprise networking environment, and each of the plurality of endpoints being configured for receiving security assessments published by other endpoints and each of the plurality of endpoints being further configured for generating a new security assessment, in response to a received security assessment, using information that is locally-available to one of the plurality of endpoints performing the generating, wherein the received security assessment is arranged to provide contextual meaning to the security incident and further being defined with a fidelity to describe a degree of confidence in reliability of the detected security incident, or with a severity to describe a degree of seriousness for the security incident;

invoking a mode for forensic evidence collecting, by at least one of the plurality of endpoints, in response to a security assessment of a detected security incident by which the object in the enterprise network environment becomes compromised;

invoking a mode for retaining the collected forensic evidence; and

applying dynamic policies to the forensic evidence collecting and retaining so that the collecting and retaining will use different modes for different objects.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An automated collection of forensic evidence associated with a security incident is provided by an arrangement in which different security products called endpoints in an enterprise network are enabled for sharing security-related information over a common communication channel using an abstraction called a security assessment. A security assessment is generally configured to indicate an endpoint'"'"'s understanding of a detected security incident that pertains to an object in the environment which may include users, computers, IP addresses, and website URIs (Universal Resource Identifiers). The security assessment is published by the endpoint into the channel and received by subscribing endpoints. The security assessment triggers the receiving endpoints to go into a more comprehensive or detailed mode of evidence collection. In addition, any forensic evidence having relevance to the security incident that may have already been collected prior to the detection will be marked for retention so that it is not otherwise deleted.

Citations

18 Claims

1. An automated method for collecting and retaining forensic evidence that is applicable to a security incident that occurs in an enterprise networking environment, the method comprising the steps of:
- arranging the enterprise networking environment so that each of a plurality of endpoints in the enterprise networking environment collects and communicates security assessments over a communication channel, each of the security assessments being arranged for describing an object in the enterprise networking environment, and each of the plurality of endpoints being configured for receiving security assessments published by other endpoints and each of the plurality of endpoints being further configured for generating a new security assessment, in response to a received security assessment, using information that is locally-available to one of the plurality of endpoints performing the generating, wherein the received security assessment is arranged to provide contextual meaning to the security incident and further being defined with a fidelity to describe a degree of confidence in reliability of the detected security incident, or with a severity to describe a degree of seriousness for the security incident;
  
  invoking a mode for forensic evidence collecting, by at least one of the plurality of endpoints, in response to a security assessment of a detected security incident by which the object in the enterprise network environment becomes compromised;
  
  invoking a mode for retaining the collected forensic evidence; and
  
  applying dynamic policies to the forensic evidence collecting and retaining so that the collecting and retaining will use different modes for different objects.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The automated method of claim 1 in which the applying of dynamic policies will result in forensic evidence associated with a compromised object being retained for a longer period of time than for a non-compromised object.
  - 3. The automated method of claim 1 in which the object is one of host computer, user, IP address, URI, or network subnet in the enterprise networking environment.
  - 4. The automated method of claim 1 in which the forensic evidence collecting and retaining is dependent upon the fidelity.
  - 5. The automated method of claim 1 in which the forensic evidence collecting and retaining is dependent upon the severity.
  - 6. The automated method of claim 1 in which the mode of collecting is dependent upon the type of endpoint that is performing the collecting.
  - 7. The automated method of claim 1 in which the forensic evidence collecting comprises a mode for comprehensive data collection.
  - 8. The automated method of claim 7 in which the mode for comprehensive data collection comprises collecting forensic evidence from a plurality of sources, the sources including network traffic captures, hard disk data images, memory dumps, firewall log, or operational system audit logs.
  - 9. The automated method of claim 1 in which the forensic evidence collecting comprises a mode for detailed data collection.
  - 10. The automated method of claim 9 in which the mode for detailed data collection comprises one of collecting details from logs, examining contents of transactions, examining requests for network connectivity, or capturing network packets.
  - 11. The automated method of claim 1 including a further step of marking for retention forensic evidence associated with a compromised object that was collected prior to the detected security incident.
  - 12. The automated method of claim 1 in which the dynamic policies are varied responsively to new security assessments that are generated by the endpoints.
  - 13. The automated method of claim 1 in which the endpoints comprise different security products.

14. A method for presenting forensic evidence pertaining to a security incident occurring in an enterprise network that includes a plurality of endpoints which are arranged to share security assessments over a common communication channel, the method comprising the steps of:
- receiving a security assessment at an endpoint in the enterprise network that is arranged for centralized logging and auditing of security assessments produced by the plurality of endpoints, the security assessment indicating a suspected compromised object, environment, and each of the plurality of endpoints being configured for receiving security assessments published by other endpoints and each of the plurality of endpoints being further configured for generating a new security assessment, in response to a received security assessment, using information that is locally-available to one of the plurality of endpoints performing the generating, wherein the received security assessment is arranged to provide contextual meaning to the security incident and further being defined with a fidelity to describe a degree of confidence in reliability of the detected security incident, or with a severity to describe a degree of seriousness for the security incident; and
  
  providing a presentation of forensic evidence associated with the suspected compromised object, the forensic evidence being collected by endpoints in the enterprise network in accordance with dynamic policies that vary by object and by criteria expressed in the security assessment.
- View Dependent Claims (15, 16)
- - 15. The method of claim 14 in which the criteria include security assessment fidelity and security assessment severity.
  - 16. The method of claim 14 in which the object is one of host computer, user, IP address, URI, or network subnet in the enterprise network.

17. A method for retaining forensic evidence associated with a compromised object in an enterprise network environment, the method comprising the steps of:
- arranging the enterprise network environment so that each of a plurality of endpoints in the enterprise network environment communicates security assessments over a communication channel, each of the security assessments being arranged for describing an object in the enterprise network environment that is suspected of being compromised or malicious, and each of the plurality of endpoints being configured for receiving security assessments published by other endpoints and each of the plurality of endpoints being further configured for generating a new security assessment, in response to a received security assessment, using information that is locally-available to one of the plurality of endpoints performing the generating, wherein the received security assessment is arranged to provide contextual meaning to the security incident and further being defined with a fidelity to describe a degree of confidence in reliability of the detected security incident, or with a severity to describe a degree of seriousness for the security incident; and
  
  retaining the forensic evidence associated with the object in accordance with dynamic forensic evidence collection policies, the dynamic forensic evidence collection policies being dependent on criteria specified in each of the security assessments in which the criteria use a pre-defined taxonomy having a schematized vocabulary comprising object types and assessment categories.
- View Dependent Claims (18)
- - 18. The method of claim 17 in which the object is one of host computer, user, IP address, URI, or network subnet in the enterprise network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Neystadt, John, Hudis, Efim, Helman, Yair, Faynburd, Alexandra
Primary Examiner(s)
Mehedi, Morshed

Application Number

US11/824,732
Publication Number

US 20080244694A1
Time in Patent Office

2,117 Days
Field of Search

726/1, 726/25
US Class Current

726/25
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/308 retaining data, e.g. retain...

Automated collection of forensic evidence associated with a network security incident

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Automated collection of forensic evidence associated with a network security incident

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links