Policy-based selection of remediation

US 8,561,134 B2
Filed: 12/14/2012
Issued: 10/15/2013
Est. Priority Date: 09/03/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

maintaining, by a remote server, a policy database having stored therein a plurality of policies each of which defines at least one parameter condition violation of which is potentially indicative of unauthorized activity or manipulation of a particular host asset of a plurality of monitored host assets;

receiving, by a remote server, via a network coupling the plurality of monitored host assets in communication with the remote server, a value of a parameter of a host asset of the plurality of monitored host assets, wherein the parameter value is one of a plurality of parameter values that collectively characterize an operational state of the host asset at a particular point in time;

determining whether a policy of the plurality of policies is violated based on the parameter value by;

retrieving, by the remote server from the policy database, one or more policies of the plurality of policies; and

evaluating, by the remote server, the one or more policies with reference to the parameter value; and

when an affirmative determination regarding violation of the policy has been made;

retrieving, by the remote server from a remediation database associated with the remote server, at least one remediation for the host asset based on the policy; and

deploying, by the remote server, the at least one retrieved remediation to the host asset.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for automatically determining one or more remediations for a remotely monitored host asset are provided. According to one embodiment, a policy database, having stored therein policies defines at least one parameter condition violation of which is potentially indicative of unauthorized activity or manipulation of the host asset, is maintained by a remote server. The remote server receives via a network, a value of a parameter of the host asset. The parameter value is one of multiple parameter values that collectively characterize an operational state of the host asset. A determination is made whether there is a policy violation based on the parameter value by retrieving and evaluating one or more policies with reference to the parameter value. When a policy violation is confirmed, a remediation is retrieved from a remediation database associated with the remote server and the remediation is deployed to the host asset.

144 Citations

40 Claims

1. A computer-implemented method comprising:
- maintaining, by a remote server, a policy database having stored therein a plurality of policies each of which defines at least one parameter condition violation of which is potentially indicative of unauthorized activity or manipulation of a particular host asset of a plurality of monitored host assets;
  
  receiving, by a remote server, via a network coupling the plurality of monitored host assets in communication with the remote server, a value of a parameter of a host asset of the plurality of monitored host assets, wherein the parameter value is one of a plurality of parameter values that collectively characterize an operational state of the host asset at a particular point in time;
  
  determining whether a policy of the plurality of policies is violated based on the parameter value by;
  
  retrieving, by the remote server from the policy database, one or more policies of the plurality of policies; and
  
  evaluating, by the remote server, the one or more policies with reference to the parameter value; and
  
  when an affirmative determination regarding violation of the policy has been made;
  
  retrieving, by the remote server from a remediation database associated with the remote server, at least one remediation for the host asset based on the policy; and
  
  deploying, by the remote server, the at least one retrieved remediation to the host asset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, wherein the retrieved at least one policy relates to presence of an unknown application or a rogue application on the host asset.
  - 3. The method of claim 1, wherein the retrieved at least one policy relates to existence or non-existence of a particular application on the host asset.
  - 4. The method of claim 3, wherein violation of the retrieved at least one policy is based at least in part on the particular application being present on a list of prohibited applications.
  - 5. The method of claim 3, wherein violation of the retrieved at least one policy is based at least in part on a version of the particular application.
  - 6. The method of claim 3, wherein violation of the retrieved at least one policy is based at least in part on the existence or non-existence of installed patches associated with the particular application.
  - 7. The method of claim 1, wherein violation of the retrieved at least one policy is based at least in part on an operating system test relating to an operating system being run by the host asset.
  - 8. The method of claim 7, wherein violation of the retrieved at least one policy is based at least in part on a version of the operating system or a type of the operating system.
  - 9. The method of claim 1, further comprising receiving, by the remote server, information indicative of one or more files stored on the host asset.
  - 10. The method of claim 9, wherein the retrieved at least one policy relates to existence or non-existence of a particular file on the device.
  - 11. The method of claim 10, wherein the retrieved at least one policy relates to a location of the particular file on the device.
  - 12. The method of claim 11, wherein the retrieved at least one policy relates to permissions associated with the particular file.
  - 13. The method of claim 1, further comprising receiving, by the remote server, information indicative of one or more drivers installed on the host asset.
  - 14. The method of claim 13, wherein the retrieved at least one policy relates to existence or non-existence of a particular type of driver on the host asset.
  - 15. The method of claim 14, wherein the particular type of driver comprises a universal serial bus (USB) driver.
  - 16. The method of claim 1, wherein the retrieved at least one policy relates to whether a removable storage device is connected to the device.
  - 17. The method of claim 1, wherein the retrieved at least one policy relates to existence or non-existence of a particular process running on the device.
  - 18. The method of claim 1, further comprising receiving, by the remove server, information indicative of one or more ports of the host asset that are in use.
  - 19. The method of claim 18, wherein the retrieved at least one policy relates to a state associated with the one or more ports.
  - 20. The method of claim 1, wherein said deploying, by the remote server, the at least one retrieved remediation to the host asset comprises delivering, by the remove server, the at least one retrieved remediation in an automatically-machine-actionable format to a light weight sensor running on the host asset.

21. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of one or more remote server systems, cause the one or more processors to perform a method of policy-based remediation, the method comprising:
- maintaining a policy database having stored therein a plurality of policies each of which defines at least one parameter condition violation of which is potentially indicative of unauthorized activity or manipulation of a particular host asset of a plurality of monitored host assets;
  
  receiving via a network coupling the plurality of monitored host assets in communication with the one or more remote server systems, a value of a parameter of a host asset of the plurality of monitored host assets, wherein the parameter value is one of a plurality of parameter values that collectively characterize an operational state of the host asset at a particular point in time;
  
  determining whether a policy of the plurality of policies is violated based on the parameter value by;
  
  retrieving from the policy database one or more policies of the plurality of policies; and
  
  evaluating the one or more policies with reference to the parameter value; and
  
  when an affirmative determination regarding violation of the policy has been made;
  
  retrieving, from a remediation database associated with the one or more remote server systems, at least one remediation for the host asset based on the policy; and
  
  deploying the at least one retrieved remediation to the host asset.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 22. The computer-readable storage medium of claim 21, wherein the retrieved at least one policy relates to presence of an unknown application or a rogue application on the host asset.
  - 23. The computer-readable storage medium of claim 21, wherein the retrieved at least one policy relates to existence or non-existence of a particular application on the host asset.
  - 24. The computer-readable storage medium of claim 23, wherein violation of the retrieved at least one policy is based at least in part on the particular application being present on a list of prohibited applications.
  - 25. The computer-readable storage medium of claim 23, wherein violation of the retrieved at least one policy is based at least in part on a version of the particular application.
  - 26. The computer-readable storage medium of claim 23, wherein violation of the retrieved at least one policy is based at least in part on the existence or non-existence of installed patches associated with the particular application.
  - 27. The computer-readable storage medium of claim 21, wherein violation of the retrieved at least one policy is based at least in part on an operating system test relating to an operating system being run by the host asset.
  - 28. The computer-readable storage medium of claim 27, wherein violation of the retrieved at least one policy is based at least in part on a version of the operating system or a type of the operating system.
  - 29. The computer-readable storage medium of claim 21, wherein the method further comprises receiving information indicative of one or more files stored on the host asset.
  - 30. The computer-readable storage medium of claim 29, wherein the retrieved at least one policy relates to existence or non-existence of a particular file on the device.
  - 31. The computer-readable storage medium of claim 30, wherein the retrieved at least one policy relates to a location of the particular file on the device.
  - 32. The computer-readable storage medium of claim 31, wherein the retrieved at least one policy relates to permissions associated with the particular file.
  - 33. The computer-readable storage medium of claim 21, wherein the method further comprise receiving information indicative of one or more drivers installed on the host asset.
  - 34. The computer-readable storage medium of claim 33, wherein the retrieved at least one policy relates to existence or non-existence of a particular type of driver on the host asset.
  - 35. The computer-readable storage medium of claim 34, wherein the particular type of driver comprises a universal serial bus (USB) driver.
  - 36. The computer-readable storage medium of claim 21, wherein the retrieved at least one policy relates to whether a removable storage device is connected to the device.
  - 37. The computer-readable storage medium of claim 21, wherein the retrieved at least one policy relates to existence or non-existence of a particular process running on the device.
  - 38. The computer-readable storage medium of claim 21, wherein the method further comprises receiving information indicative of one or more ports of the host asset that are in use.
  - 39. The computer-readable storage medium of claim 38, wherein the retrieved at least one policy relates to a state associated with the one or more ports.
  - 40. The computer-readable storage medium of claim 21, wherein said deploying the at least one retrieved remediation to the host asset comprises delivering the at least one retrieved remediation in an automatically-machine-actionable format to a light weight sensor running on the host asset.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Colorado Remediation Technologies LLC
Inventors
Bezilla, Daniel B., Immordino, John L., Le Ogura, James
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US13/715,017
Publication Number

US 20130198800A1
Time in Patent Office

305 Days
Field of Search

None
US Class Current

726/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/57   Certifying or maintaining t...

H04L 43/0876   Network utilisation, e.g. v...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Policy-based selection of remediation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

144 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-based selection of remediation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

144 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links