Asset risk analysis

US 8,495,745 B1
Filed: 11/30/2009
Issued: 07/23/2013
Est. Priority Date: 11/30/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, at a data processing apparatus, threat definition data, the threat definition data including, for each of one or more threats, an identification of the threat and an identification of one or more countermeasures that reduce a risk that the threat will affect an asset;

receiving, at the data processing apparatus, vulnerability detection data for each of one or more assets and countermeasure detection data for each of the one or more assets, wherein the vulnerability detection data for each asset identifies threats to which the asset is vulnerable and the countermeasure detection data for each asset identifies one or more countermeasures protecting the asset; and

determining, with the data processing apparatus, a respective risk metric for each of the one or more assets for each of the one or more threats, the determining including, for a particular asset and a particular threat;

analyzing the vulnerability detection data for the particular asset to determine whether the particular asset is vulnerable to the particular threat;

determining from the threat definition data and the countermeasure detection data whether the particular asset is protected from the particular threat by one or more countermeasures, wherein determining whether the particular asset is protected includes;

determining that the particular asset is protected by a set of countermeasures including a network-based countermeasure and an agent-based countermeasure; and

determining a likelihood that the network-based countermeasure protects the particular asset; and

determining a likelihood that the agent-based countermeasure protects the particular asset; and

determining the risk metric for the particular asset for the particular threat according to whether the particular asset is vulnerable to the particular threat and whether the particular asset is protected by one of the countermeasures identified for the particular threat.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for asset risk analysis. One method includes receiving threat definition data for threats, vulnerability detection data for assets, and countermeasure detection data for assets. The method further includes determining a respective risk metric for each of the assets for each of the threats. This includes analyzing the vulnerability detection data for an asset to determine whether the asset is vulnerable to a threat, determining from the threat definition data and the countermeasure detection data whether the asset is protected by one of the countermeasures identified for the threat, and determining the risk metric for the asset for the threat according to whether the asset is vulnerable to the threat and whether the asset is protected by one of the countermeasures identified for the threat.

151 Citations

32 Claims

1. A computer-implemented method, comprising:
- receiving, at a data processing apparatus, threat definition data, the threat definition data including, for each of one or more threats, an identification of the threat and an identification of one or more countermeasures that reduce a risk that the threat will affect an asset;
  
  receiving, at the data processing apparatus, vulnerability detection data for each of one or more assets and countermeasure detection data for each of the one or more assets, wherein the vulnerability detection data for each asset identifies threats to which the asset is vulnerable and the countermeasure detection data for each asset identifies one or more countermeasures protecting the asset; and
  
  determining, with the data processing apparatus, a respective risk metric for each of the one or more assets for each of the one or more threats, the determining including, for a particular asset and a particular threat;
  
  analyzing the vulnerability detection data for the particular asset to determine whether the particular asset is vulnerable to the particular threat;
  
  determining from the threat definition data and the countermeasure detection data whether the particular asset is protected from the particular threat by one or more countermeasures, wherein determining whether the particular asset is protected includes;
  
  determining that the particular asset is protected by a set of countermeasures including a network-based countermeasure and an agent-based countermeasure; and
  
  determining a likelihood that the network-based countermeasure protects the particular asset; and
  
  determining a likelihood that the agent-based countermeasure protects the particular asset; and
  
  determining the risk metric for the particular asset for the particular threat according to whether the particular asset is vulnerable to the particular threat and whether the particular asset is protected by one of the countermeasures identified for the particular threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the vulnerability detection data for an asset further identifies threats to which the asset is not vulnerable, and determining the risk metric for the particular asset and the particular threat is further based on whether the particular asset is not vulnerable to the particular threat.
  - 3. The method of claim 1, wherein the threat definition data further includes, for each of the one or more threats, applicability data describing one or more configurations of assets that the threat applies to, the method further comprising:
    - receiving configuration data for each asset, the configuration data describing a configuration of each asset.
  - 4. The method of claim 3, wherein determining the risk metric for the particular asset for the particular threat further comprises determining from the applicability data for the particular threat and the configuration data for the particular asset whether the particular threat applies to the configuration of the particular asset, and then determining the risk metric according to whether the particular threat applies to the configuration of the particular asset.
  - 5. The method of claim 4, wherein:
    - analyzing the vulnerability detection data for the particular asset to determine whether the particular asset is vulnerable to the particular threat includes determining a predicate categorization for the particular asset for the particular threat of vulnerable, not vulnerable, or unknown vulnerability;
      
      determining from the threat definition data and the countermeasure detection data whether the particular asset is protected by one of the countermeasures identified for the particular threat includes determining a predicate categorization for the particular asset for the particular threat of protected, not protected, or unknown protection; and
      
      determining from the applicability data for the particular threat and the configuration data for the particular asset whether the particular threat applies to the configuration of the particular asset includes determining a predicate categorization for the particular asset for the particular threat of applicable, not applicable, or unknown applicability.
  - 6. The method of claim 5, wherein:
    - the risk metric for each of the assets for each of the threats is one of;
      
      vulnerable, protected, not protected, unknown, and not vulnerable; and
      
      for each asset and each threat;
      
      the risk metric is vulnerable when the asset has predicate categorizations for the threat of vulnerable and not-protected, and a predicate categorization for the threat of either applicable or unknown applicability;
      
      the risk metric is protected when the asset has a predicate categorization for the threat of protected, a predicate categorization for the threat of either vulnerable or unknown vulnerability, and a predicate categorization for the threat of either applicable or unknown applicability;
      
      the risk metric is not protected when the asset has predicate categorizations for the threat of protected and unknown vulnerability, and a predicate categorization for the threat of either applicable or unknown applicability;
      
      the risk metric is unknown when the asset has predicate categorizations for the threat of unknown protection and unknown vulnerability, and a predicate categorization for the threat of either applicable or unknown applicability; and
      
      otherwise, the risk metric is not vulnerable.
  - 7. The method of claim 1, wherein receiving countermeasure detection data comprises:
    - receiving protection data identifying one or more assets protected by a sensor;
      
      receiving sensor countermeasure data describing one or more countermeasures provided by the sensor; and
      
      generating countermeasure detection data for each of the one or more assets protected by the sensor, the countermeasure detection data describing the one or more countermeasures provided by the sensor.
  - 8. The method of claim 7, wherein the sensor countermeasure data identifies one or more signatures blocked by the sensor, and associates each signature with an attack identifier for a particular threat corresponding to the signature.
  - 9. The method of claim 1, wherein the protection data is received from one or more users.
  - 10. The method of claim 1, wherein the identification of a countermeasure in the threat definition data includes a product identifier, a version identifier, and data describing one or more settings of the countermeasure.
  - 11. The method of claim 1, further comprising:
    - receiving the vulnerability detection data from multiple sources, wherein at least two of the multiple sources provide vulnerability detection data in different formats; and
      
      normalizing the received vulnerability detection data so that the data is in a common format.
  - 12. The method of claim 1, further comprising:
    - receiving the countermeasure detection data from multiple sources, wherein at least two of the multiple sources provide countermeasure detection data in different formats; and
      
      normalizing the countermeasure detection data so that the data is in a common format.
  - 13. The method of claim 1, wherein:
    - the threat definition data further includes a respective risk score for each of the one or more threats, the risk score for a threat measuring how likely the threat is to affect an asset; and
      
      the risk metric for the particular asset relative to the particular threat is further determined from the risk score for the particular threat.
  - 14. The method of claim 1, wherein:
    - the threat definition data further includes a respective confidence score for each countermeasure for each of the one or more threats, the confidence score for a counter measure and a threat measuring how likely the countermeasure is to reduce a risk that the threat will affect an asset; and
      
      the risk metric for the particular asset relative to the particular threat is further determined from the confidence scores for one or more countermeasures determined to be protecting the particular asset from the particular threat.
  - 15. The method of claim 1, further comprising generating a report summarizing the risk metric of each of the one or more assets.

16. A system comprising:
- a processor; and
  
  a computer storage medium coupled to the processor and including instructions, which, when executed by the processor, causes the processor to perform operations comprising;
  
  receiving threat definition data, the threat definition data including, for each of one or more threats, an identification of the threat and an identification of one or more countermeasures that reduce a risk that the threat will affect an asset;
  
  receiving vulnerability detection data for each of one or more assets and countermeasure detection data for each of the one or more assets, wherein the vulnerability detection data for each asset identifies threats to which the asset is vulnerable and the countermeasure detection data for each asset identifies one or more countermeasures protecting the asset; and
  
  determining a respective risk metric for each of the one or more assets for each of the one or more threats, the determining including, for a particular asset and a particular threat;
  
  analyzing the vulnerability detection data for the particular asset to determine whether the particular asset is vulnerable to the particular threat;
  
  determining from the threat definition data and the countermeasure detection data whether the particular asset is protected from the particular threat by one or more countermeasures, wherein determining whether the particular asset is protected includes;
  
  determining that the particular asset is protected by a set of countermeasures including a network-based countermeasure and a host-based countermeasure; and
  
  determining a likelihood that the network-based countermeasure protects the particular asset; and
  
  determining a likelihood that the host-based countermeasure protects the particular asset; and
  
  determining the risk metric for the particular asset for the particular threat according to whether the particular asset is vulnerable to the particular threat and whether the particular asset is protected by one of the countermeasures identified for the particular threat.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The system of claim 16, wherein the vulnerability detection data for an asset further identifies threats to which the asset is not vulnerable, and determining the risk metric for the particular asset and the particular threat is further based on whether the particular asset is not vulnerable to the particular threat.
  - 18. The system of claim 16, wherein the threat definition data further includes, for each of the one or more threats, applicability data describing one or more configurations of assets that the threat applies to, the system further operable to perform operations comprising:
    - receiving configuration data for each asset, the configuration data describing a configuration of each asset.
  - 19. The system of claim 18, wherein determining the risk metric for the particular asset for the particular threat further comprises determining from the applicability data for the particular threat and the configuration data for the particular asset whether the particular threat applies to the configuration of the particular asset, and then determining the risk metric according to whether the particular threat applies to the configuration of the particular asset.
  - 20. The system of claim 19, wherein:
    - analyzing the vulnerability detection data for the particular asset to determine whether the particular asset is vulnerable to the particular threat includes determining a predicate categorization for the particular asset for the particular threat of vulnerable, not vulnerable, or unknown vulnerability;
      
      determining from the threat definition data and the countermeasure detection data whether the particular asset is protected by one of the countermeasures identified for the particular threat includes determining a predicate categorization for the particular asset for the particular threat of protected, not protected, or unknown protection; and
      
      determining from the applicability data for the particular threat and the configuration data for the particular asset whether the particular threat applies to the configuration of the particular asset includes determining a predicate categorization for the particular asset for the particular threat of applicable, not applicable, or unknown applicability.
  - 21. The system of claim 20, wherein:
    - the risk metric for each of the assets for each of the threats is one of;
      
      vulnerable, protected, not protected, unknown, and not vulnerable; and
      
      for each asset and each threat;
      
      the risk metric is vulnerable when the asset has predicate categorizations for the threat of vulnerable and not-protected, and a predicate categorization for the threat of either applicable or unknown applicability;
      
      the risk metric is protected when the asset has a predicate categorization for the threat of protected, a predicate categorization for the threat of either vulnerable or unknown vulnerability, and a predicate categorization for the threat of either applicable or unknown applicability;
      
      the risk metric is not protected when the asset has predicate categorizations for the threat of protected and unknown vulnerability, and a predicate categorization for the threat of either applicable or unknown applicability;
      
      the risk metric is unknown when the asset has predicate categorizations for the threat of unknown protection and unknown vulnerability, and a predicate categorization for the threat of either applicable or unknown applicability; and
      
      otherwise, the risk metric is not vulnerable.
  - 22. The system of claim 16, wherein receiving countermeasure detection data comprises:
    - receiving protection data identifying one or more assets protected by a sensor;
      
      receiving sensor countermeasure data describing one or more countermeasures provided by the sensor; and
      
      generating countermeasure detection data for each of the one or more assets protected by the sensor, the countermeasure detection data describing the one or more countermeasures provided by the sensor.
  - 23. The system of claim 22, wherein the sensor countermeasure data identifies one or more signatures blocked by the sensor, and associates each signature with an attack identifier for a particular threat corresponding to the signature.
  - 24. The system of claim 16, wherein the protection data is received from one or more users.
  - 25. The system of claim 16, wherein the identification of a countermeasure in the threat definition data includes a product identifier, a version identifier, and data describing one or more settings of the countermeasure.
  - 26. The system of claim 16, further operable to perform operations comprising:
    - receiving the vulnerability detection data from multiple sources, wherein at least two of the multiple sources provide vulnerability detection data in different formats; and
      
      normalizing the received vulnerability detection data so that the data is in a common format.
  - 27. The system of claim 16, further operable to perform operations comprising:
    - receiving the countermeasure detection data from multiple sources, wherein at least two of the multiple sources provide countermeasure detection data in different formats; and
      
      normalizing the countermeasure detection data so that the data is in a common format.
  - 28. The system of claim 16, wherein:
    - the threat definition data further includes a respective risk score for each of the one or more threats, the risk score for a threat measuring how likely the threat is to affect an asset; and
      
      the risk metric for the particular asset relative to the particular threat is further determined from the risk score for the particular threat.
  - 29. The system of claim 16, wherein:
    - the threat definition data further includes a respective confidence score for each countermeasure for each of the one or more threats, the confidence score for a counter measure and a threat measuring how likely the countermeasure is to reduce a risk that the threat will affect an asset; and
      
      the risk metric for the particular asset relative to the particular threat is further determined from the confidence scores for one or more countermeasures determined to be protecting the particular asset from the particular threat.
  - 30. The system of claim 16, further operable to perform operations comprising generating a report summarizing the risk metric of each of the one or more assets.

31. A non-transitory computer-storage medium encoded with a computer program including instructions operable to cause data processing apparatus to perform operations comprising:
- receiving, at a data processing apparatus, threat definition data, the threat definition data including, for each of one or more threats, an identification of the threat and an identification of one or more countermeasures that reduce a risk that the threat will affect an asset;
  
  receiving, at the data processing apparatus, vulnerability detection data for each of one or more assets and countermeasure detection data for each of the one or more assets, wherein the vulnerability detection data for each asset identifies threats to which the asset is vulnerable and the countermeasure detection data for each asset identifies one or more countermeasures protecting the asset; and
  
  determining, with the data processing apparatus, a respective risk metric for each of the one or more assets for each of the one or more threats, the determining including, for a particular asset and a particular threat;
  
  analyzing the vulnerability detection data for the particular asset to determine whether the particular asset is vulnerable to the particular threat;
  
  determining from the threat definition data and the countermeasure detection data whether the particular asset is protected from the particular threat by one or more countermeasures, wherein determining whether the particular asset is protected includes;
  
  determining that the particular asset is protected by a set of countermeasures including a network-based countermeasure and a host-based countermeasure; and
  
  determining a likelihood that the network-based countermeasure protects the particular asset; and
  
  determining a likelihood that the host-based countermeasure protects the particular asset; and
  
  determining the risk metric for the particular asset for the particular threat according to whether the particular asset is vulnerable to the particular threat and whether the particular asset is protected by one of the countermeasures identified for the particular threat.

32. A computer-implemented method, comprising:
- receiving configuration data for each of one or more assets, the configuration data describing for each asset configuration of the asset;
  
  receiving threat definition data including, for each of one or more threats, applicability data and an identification of one or more countermeasures that reduce a risk that the threat will affect an asset, wherein the applicability data describes asset configurations applicable to the threat;
  
  receiving, for each of one or more assets, vulnerability detection data and countermeasure detection data, wherein the vulnerability detection data for each asset identifies threats to which the asset is vulnerable and the countermeasure detection data for each asset identifies one or more countermeasures protecting the asset; and
  
  determining, with a data processing apparatus, a respective risk metric for each of the one or more assets for each of the one or more threats, the determining including, for a particular asset and a particular threat;
  
  analyzing the vulnerability detection data for the particular asset to determine a predicate categorization for the particular asset for the particular threat from a group comprising;
  
  vulnerable, not vulnerable, and unknown vulnerability;
  
  determining, from the threat definition data and the countermeasure detection data, a predicate categorization for the particular asset for the particular threat from a group comprising;
  
  protected, not protected, or unknown protection; and
  
  determining, from the applicability data and configuration data a predicate categorization for the particular asset for the particular threat from a group comprising;
  
  applicable, not applicable, or unknown applicability; and
  
  wherein the risk metric for each of the assets for each of the threats is one of vulnerable, protected, not protected, unknown, and not vulnerable, and for each asset and each threat;
  
  the vulnerable risk metric corresponds to determining predicate categorizations for the particular asset and the particular threat of vulnerable and not-protected, the protected risk metric corresponds to determining predicate categorizations for the particular asset and the particular threat of protected and either applicable or unknown applicability, the not protected risk metric corresponds to determining predicate categorizations for the particular asset and the particular threat of not protected and unknown vulnerability, the unknown risk metric corresponds to determining predicate categorizations for the particular asset and the particular threat of unknown protection and unknown vulnerability, and the not vulnerable risk metric corresponds to determining predicate categorizations for the particular asset and the particular threat of either not vulnerable or not applicable.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Schrecker, Sven, Nakawatase, Ryan, Ritter, Stephen
Primary Examiner(s)
McNally, Michael S

Application Number

US12/627,706
Time in Patent Office

1,331 Days
Field of Search

726/25
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 63/00   Network architectures or ne...

H04L 63/1433   Vulnerability analysis

Asset risk analysis

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

151 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Asset risk analysis

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

151 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links