Information system service-level security risk analysis

US 8,438,643 B2
Filed: 03/02/2006
Issued: 05/07/2013
Est. Priority Date: 09/22/2005
Status: Expired due to Fees

First Claim

Patent Images

1. An apparatus comprising:

a risk analyzer configured to identify one or more assets of an information system that have respective relationships with a service provided by the information system, and to determine one or more security risks to the service by analyzing effects of security vulnerabilities which are associated with the identified assets and are propagated to the service through the relationships; and

an interface operatively coupled to the risk analyzer and configured to provide a consolidated representation of the service, the consolidated representation comprising an indication of the one or more determined security risks and an indication of at least one of the respective relationships between the service and the one or more identified assets, the indication of the one or more determined security risks comprising, for each determined security risk, an indication of an overall security state associated with the security risk and respective indications of a plurality of security sub-states comprising the overall security state,wherein at least one of the risk analyzer and the interface is implemented using hardware,wherein the one or more identified assets comprise an asset that has a relationship with the service only through a relationship with an asset that has a relationship with the service,wherein the indication of the one or more determined security risks comprises different representations of a security risk arising from a security vulnerability associated with an asset that has a relationship with the service and a security risk arising from a security vulnerability associated with an asset that has a relationship with the service only through a relationship with an asset that has a relationship with the service.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Information system service-level security risk analysis systems, methods, and Graphical User Interfaces are disclosed. Assets of an information system that have relationships with a service provided by the information system are identified, and at least one security risk to the service is determined by analyzing security vulnerabilities associated with the identified assets. A consolidated representation of the service is provided, and includes an indication of the determined security risk(s) and an indication of a relationship between the service and at least one of the identified assets. The security risk indication may include indications of multiple security parameters. Security risks may be represented differently depending on whether they arise from a security vulnerability of an asset that has a relationship with the service or a security vulnerability of an asset that has a relationship with the service only through a relationship with an asset that has a relationship with the service.

Citations

16 Claims

1. An apparatus comprising:
- a risk analyzer configured to identify one or more assets of an information system that have respective relationships with a service provided by the information system, and to determine one or more security risks to the service by analyzing effects of security vulnerabilities which are associated with the identified assets and are propagated to the service through the relationships; and
  
  an interface operatively coupled to the risk analyzer and configured to provide a consolidated representation of the service, the consolidated representation comprising an indication of the one or more determined security risks and an indication of at least one of the respective relationships between the service and the one or more identified assets, the indication of the one or more determined security risks comprising, for each determined security risk, an indication of an overall security state associated with the security risk and respective indications of a plurality of security sub-states comprising the overall security state,wherein at least one of the risk analyzer and the interface is implemented using hardware,wherein the one or more identified assets comprise an asset that has a relationship with the service only through a relationship with an asset that has a relationship with the service,wherein the indication of the one or more determined security risks comprises different representations of a security risk arising from a security vulnerability associated with an asset that has a relationship with the service and a security risk arising from a security vulnerability associated with an asset that has a relationship with the service only through a relationship with an asset that has a relationship with the service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The apparatus of claim 1, wherein at least one of the risk analyzer and the interface is implemented in software for execution by a processing element.
  - 3. The apparatus of claim 1, wherein the one or more identified assets further comprise one or more other services that have respective relationships with the service.
  - 4. The apparatus of claim 1, wherein the risk analyzer is configured to determine the one or more security risks to the service by aggregating security risks to multiple contributing assets of the one or more identified assets.
  - 5. The apparatus of claim 4, wherein the risk analyzer is configured to determine an aggregated security risk of the one or more security risks by performing one of:
    - selecting as the aggregated security risk a maximum of the security risks to the multiple contributing assets;
      
      selecting as the aggregated security risk a minimum of the security risks to the multiple contributing assets; and
      
      determining the aggregated security risk based on a combination of maximum and minimum security risks to the multiple contributing assets.
  - 6. The apparatus of claim 1, wherein the risk analyzer is configured to determine an aggregated asset security risk to an asset of the one or more assets by aggregating security risks arising from multiple security vulnerabilities associated with the asset, and wherein aggregating comprises performing one of:
    - determining the aggregated asset security risk based on a maximum of the security risks arising from the multiple security vulnerabilities;
      
      determining the aggregated asset security risk based on a minimum of the security risks arising from the multiple security vulnerabilities; and
      
      determining the aggregated asset security risk based on a combination of maximum and minimum security risks arising from the multiple security vulnerabilities.
  - 7. The apparatus of claim 1, wherein the consolidated representation of the service further comprises respective icons representing the service and at least one of the one or more identified assets, the indication of the at least one of the respective relationships between the service and the one or more identified assets comprising respective links between the respective icons representing the service and the at least one of the one or more identified assets.
  - 8. The apparatus of claim 4, wherein the risk analyzer is further configured to maintain a record of at least one of the multiple contributing assets.
  - 9. The apparatus of claim 1, wherein the respective relationships comprise an asset relationship between an asset, which has a relationship with the service, and another asset of the information system that has a relationship with the service only through the asset relationship.
  - 10. The apparatus of claim 4, wherein the indication of the one or more security risks comprises a functional graphical element representing an aggregated security risk, the functional graphical element providing access to a record of at least one of the multiple contributing assets for the aggregated security risk.
  - 11. The apparatus of claim 1, wherein the consolidated representation of the service comprises an icon for display in a Graphical User Interface (GUI), the icon comprising:
    - a representation of the service;
      
      the indication of the overall security state; and
      
      the respective indications of the plurality of sub-states.
  - 12. The apparatus of claim 1, wherein the indication of the one or more determined security risks comprises:
    - a first set of indications of the overall security state and the plurality of security sub-states for a security risk to the service arising from one or more security vulnerabilities associated with the identified assets; and
      
      a second set of indications of the overall security state and the plurality of security sub-states for a security risk arising from one or more security vulnerabilities associated with one or more other assets that have respective relationships with the service only through respective relationships with an asset of the identified assets.

13. A method comprising:
- a risk analyzer identifying one or more assets of an information system that have respective relationships with a service provided by the information system;
  
  the risk analyzer analyzing effects of security vulnerabilities, which are associated with the identified assets and are propagated to the service through the relationships, to determine one or more security risks to the service; and
  
  the risk analyzer providing through an interface, in a consolidated representation of the service, an indication of the one or more determined security risks and an indication of at least one of the respective relationships between the service and the one or more identified assets, the indication of the one or more determined security risks comprising, for each determined security risk, an indication of an overall security state associated with the security risk and respective indications of a plurality of security sub-states comprising the overall security state,wherein at least one of the risk analyzer and the interface is implemented using hardware,wherein identifying comprises identifying an asset that has a relationship with the service only through a relationship with an asset that has a relationship with the service,wherein the indication of the one or more determined security risks comprises different representations of a security risk arising from a security vulnerability associated with an asset that has a relationship with the service and a security risk arising from a security vulnerability associated with an asset that has a relationship with the service only through a relationship with an asset that has a relationship with the service.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, wherein determining the one or more security risks comprises determining one or more aggregated security risks by aggregating security risks to multiple contributing assets of the identified assets, and maintaining a record of at least one of the contributing assets for each of the one or more aggregated security risks, and wherein aggregating security risks to multiple contributing assets to determine an aggregated security risk of the one or more security risks comprises performing one of:
    - selecting as the aggregated security risk a maximum of the security risks to the multiple contributing assets;
      
      selecting as the aggregated security risk a minimum of the security risks to the multiple contributing assets; and
      
      determining the aggregated security risk based on a combination of maximum and minimum security risks to the multiple contributing assets.
  - 15. The method of claim 13, wherein determining the one or more security risks comprises determining an aggregated asset security risk to an asset of the one or more assets by aggregating security risks arising from multiple security vulnerabilities associated with the asset, and wherein aggregating comprises performing one of:
    - determining the aggregated asset security risk based on a maximum of the security risks arising from the multiple security vulnerabilities;
      
      determining the aggregated asset security risk based on a minimum of the security risks arising from the multiple security vulnerabilities; and
      
      determining the aggregated asset security risk based on a combination of maximum and minimum security risks arising from the multiple security vulnerabilities.
  - 16. A non-transitory machine-readable medium storing instructions which when executed perform the method of claim 13.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Wiemer, Douglas, Gustave, Christophe, Chow, Stanley TaiHai, McFarlane, Bradley Kenneth
Primary Examiner(s)
Mehedi, Morshed

Application Number

US11/366,101
Publication Number

US 20070067847A1
Time in Patent Office

2,623 Days
Field of Search

726/25, 726/24
US Class Current

726/25
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

H04L 63/1433 Vulnerability analysis

Information system service-level security risk analysis

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Information system service-level security risk analysis

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links