Calculating quantitative asset risk

US 8,595,845 B2
Filed: 01/19/2012
Issued: 11/26/2013
Est. Priority Date: 01/19/2012
Status: Active Grant

First Claim

Patent Images

1. At least one machine accessible, non-transitory storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:

receive vulnerability definition data, using a hardware processor, including, for each of a plurality of vulnerabilities, an indication of the vulnerability, an identification of one or more countermeasures that reduce a risk associated with possession of the vulnerability by an asset, an indication of a level of protection potentially afforded by each countermeasure for the vulnerability, and applicability information describing one or more configurations of assets to which the vulnerability applies;

receive vulnerability detection data, countermeasure detection data, and configuration data for each of one or more assets, wherein the vulnerability detection data for each asset identifies vulnerabilities applicable to the asset, the countermeasure detection data for each asset identifying one or more countermeasures protecting the asset, and the configuration data for each asset describes a configuration of the asset; and

determine a respective risk metric for each of the one or more assets for each of the one or more vulnerabilities, wherein determining the risk metric includes, for each asset and each vulnerability;

identifying a standardized vulnerability score for the vulnerability, wherein the standardized vulnerability score indicates a relative level of risk associated with the vulnerability relative to other vulnerabilities in the plurality of vulnerabilities;

determining a vulnerability detection score for the asset from the vulnerability detection data for the asset;

determining a vulnerability composite score for the particular asset to the particular vulnerability, wherein the vulnerability composite score is derived from the standardized vulnerability score and the vulnerability detection score;

determining a countermeasure component score from the vulnerability definition data and the countermeasure detection data, wherein determining the countermeasure component score includes analyzing the level of protection afforded by each countermeasure identified in both the vulnerability definition data for the vulnerability and in the countermeasure data as protecting the asset; and

determining the risk metric for the asset and the vulnerability from the vulnerability composite score and the countermeasure component score.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A standardized vulnerability score is identified for a particular vulnerability in a plurality of known vulnerabilities, the standardized vulnerability score indicating a relative level of risk associated with the particular vulnerability relative other vulnerabilities. A vulnerability detection score is determined that indicates an estimated probability that a particular asset possess the particular vulnerability and a vulnerability composite score is determined for the particular asset to the particular vulnerability, the vulnerability composite score derived from the standardized vulnerability score and the vulnerability detection score. A countermeasure component score is identified that indicates an estimated probability that a countermeasure will mitigate risk associated with the particular vulnerability on the particular asset. A risk metric for the particular asset and the particular vulnerability is determined from the vulnerability composite score and the countermeasure component score. In some instances, aggregate risk scores can be calculated from a plurality of calculated risk metrics.

82 Citations

View as Search Results

26 Claims

1. At least one machine accessible, non-transitory storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- receive vulnerability definition data, using a hardware processor, including, for each of a plurality of vulnerabilities, an indication of the vulnerability, an identification of one or more countermeasures that reduce a risk associated with possession of the vulnerability by an asset, an indication of a level of protection potentially afforded by each countermeasure for the vulnerability, and applicability information describing one or more configurations of assets to which the vulnerability applies;
  
  receive vulnerability detection data, countermeasure detection data, and configuration data for each of one or more assets, wherein the vulnerability detection data for each asset identifies vulnerabilities applicable to the asset, the countermeasure detection data for each asset identifying one or more countermeasures protecting the asset, and the configuration data for each asset describes a configuration of the asset; and
  
  determine a respective risk metric for each of the one or more assets for each of the one or more vulnerabilities, wherein determining the risk metric includes, for each asset and each vulnerability;
  
  identifying a standardized vulnerability score for the vulnerability, wherein the standardized vulnerability score indicates a relative level of risk associated with the vulnerability relative to other vulnerabilities in the plurality of vulnerabilities;
  
  determining a vulnerability detection score for the asset from the vulnerability detection data for the asset;
  
  determining a vulnerability composite score for the particular asset to the particular vulnerability, wherein the vulnerability composite score is derived from the standardized vulnerability score and the vulnerability detection score;
  
  determining a countermeasure component score from the vulnerability definition data and the countermeasure detection data, wherein determining the countermeasure component score includes analyzing the level of protection afforded by each countermeasure identified in both the vulnerability definition data for the vulnerability and in the countermeasure data as protecting the asset; and
  
  determining the risk metric for the asset and the vulnerability from the vulnerability composite score and the countermeasure component score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The non-transitory storage medium of claim 1, wherein the standardized vulnerability score includes a standardized component and an environmental component adjusting the standardized component to features of a particular system including the asset.
  - 3. The non-transitory storage medium of claim 2, wherein the environmental component represents, at least in part, criticality of the asset within the particular system.
  - 4. The non-transitory storage medium of claim 3, wherein the environmental component is derived based on criticality information for the asset, wherein the criticality information defining an impact of losing the asset.
  - 5. The non-transitory storage medium of claim 2, wherein each of the standardized component and environmental component include data describing a confidentiality impact to assets based on the vulnerability, an integrity impact to assets based on the vulnerability, and an availability impact to assets based on the vulnerability.
  - 6. The non-transitory storage medium of claim 2, wherein the standardized component includes a temporal component reflecting changes to risk posed by the vulnerability over time.
  - 7. The non-transitory storage medium of claim 2, wherein the standardized vulnerability score is based, at least in part, on the standard score of the Common Vulnerability Scoring System (CVSS).
  - 8. The non-transitory storage medium of claim 1, wherein the countermeasure component score is derived from at least the countermeasure protection data and the countermeasure detection data.
  - 9. The non-transitory storage medium of claim 8, wherein the countermeasure component score is further derived from the configuration data for the asset.
  - 10. The non-transitory storage medium of claim 8, wherein identifying the countermeasure component score includes calculating the countermeasure component score.
  - 11. The non-transitory storage medium of claim 7, wherein the vulnerability detection score is derived from at least the vulnerability detection data.
  - 12. The non-transitory storage medium of claim 10, wherein the vulnerability detection score is further derived from the configuration data for the asset.
  - 13. The method of claim 1, wherein the determined risk metric for the asset is a vulnerability-centric risk metric, the method further comprising determining a threat-centric risk metric for the asset, wherein determining a threat-centric risk metric for the asset includes:
    - determining a threat factor for the asset and particular threat, wherein the threat factor is derived from a threat severity score estimating a severity of the particular threat and an applicability score estimating the applicability of the particular threat to the asset;
      
      determining a threat exposure factor for the asset and the particular threat, wherein the threat exposure factor is derived from the threat factor, a vulnerability component score, and a threat countermeasure component score, wherein the vulnerability component score indicates whether the asset is vulnerable to the particular threat, and the countermeasure component score is derived from an estimate of a likelihood that a second countermeasure will mitigate the effect of an attack on the asset relating to the particular threat; and
      
      wherein the threat-centric risk metric for the asset and the particular threat is determined from the threat exposure factor and a criticality score for the asset, wherein the criticality score represents an impact of losing the asset.
  - 14. The method non-transitory storage medium of claim 13, wherein the threat takes advantage of the vulnerability, the vulnerability component score is equal to the vulnerability detection score, and the countermeasure is the second countermeasure.
  - 15. The non-transitory storage medium of claim 14, wherein respective calculated values of the determined vulnerability-centric metric and threat-centric metric are different.
  - 16. The non-transitory storage medium of claim 1, wherein the standardized vulnerability score has a value within a predefined range.
  - 17. The non-transitory storage medium of claim 1, wherein the standardized countermeasure component score has a value within a predefined range.
  - 18. The non-transitory storage medium of claim 1, wherein at least one or more vulnerabilities in the plurality of known vulnerabilities are associated with at least one in a plurality of known threats, and the vulnerability is not associated with any of the plurality of known threats.

19. A method comprising:
- receiving vulnerability definition data, using a hardware processor, including, for each of a plurality of vulnerabilities, an indication of the vulnerability, an identification of one or more countermeasures that reduce a risk associated with possession of the vulnerability by an asset, an indication of a level of protection potentially afforded by each countermeasure for the vulnerability, and applicability information describing one or more configurations of assets to which the vulnerability applies;
  
  receiving vulnerability detection data, countermeasure detection data, and configuration data for each of one or more assets, wherein the vulnerability detection data for each asset identifies vulnerabilities applicable to the asset, the countermeasure detection data for each asset identifying one or more countermeasures protecting the asset, and the configuration data for each asset describes a configuration of the asset; and
  
  determining a respective risk metric for each of the one or more assets for each of the one or more vulnerabilities, wherein determining the risk metric includes, for each asset and each vulnerability;
  
  identifying a standardized vulnerability score for the vulnerability, wherein the standardized vulnerability score indicates a relative level of risk associated with the vulnerability relative to other vulnerabilities in the plurality of vulnerabilities;
  
  determining a vulnerability detection score for the asset from the vulnerability detection data for the asset;
  
  determining a vulnerability composite score for the asset to the vulnerability, wherein the vulnerability composite score is derived from the standardized vulnerability score and the vulnerability detection score;
  
  determining a countermeasure component score from the vulnerability definition data and the countermeasure detection data, wherein determining the countermeasure component score includes analyzing the level of protection afforded by each countermeasure identified in both the vulnerability definition data for the vulnerability and in the countermeasure data as protecting the asset; and
  
  determining the risk metric for the asset and the vulnerability from the vulnerability composite score and the countermeasure component score.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The method of claim 19, further comprising:
    - determining a respective risk metric for the asset and each of the plurality of vulnerabilities; and
      
      determining an aggregate risk metric for the asset from the respective risk metrics for the asset and each of the plurality of vulnerabilities.
  - 21. The method of claim 20, wherein the aggregate risk metric is one of:
    - a sum of the respective risk metrics, a mean of the respective risk metrics, a maximum of the respective risk metrics, a minimum of the respective risk metrics, or a mode of the respective risk metrics.
  - 22. The method of claim 20, further comprising:
    - selecting a group of assets including the asset;
      
      determining an aggregate risk metric for each asset in the group of assets; and
      
      determining an aggregate risk metric for the group of assets from the aggregate risk metric for each asset in the group of assets.
  - 23. The method of claim 19, further comprising:
    - determining a respective risk metric for each of a plurality of assets and the vulnerability; and
      
      determining an aggregate risk metric for the vulnerability from the respective risk metrics for each of the plurality of assets and the vulnerability.
  - 24. The method of claim 19, wherein the risk metric is a vulnerability-centric risk metric and the method further comprises:
    - receiving threat definition data, the threat definition data including, for each of a plurality of threats, an identification of the threat, an identification of one or more countermeasures that reduce a risk that the threat will affect an asset, protection data describing a protection score for each countermeasure for the threat, and applicability data describing one or more configurations of assets to which the threat applies; and
      
      determining a respective threat-centric risk metric, the determining including, for each asset and each threat;
      
      determining an applicability score for the asset and the threat from the applicability data and the configuration data, wherein the applicability score has a first applicability value when the threat is applicable to the configuration of the asset and a different second applicability value when the threat is not applicable to the configuration of the asset;
      
      determining a vulnerability score for the asset and the threat from the vulnerability detection data for the asset;
      
      determining a countermeasure score from the threat definition data and the countermeasure detection data, wherein the generating comprises analyzing the protection score for each countermeasure that is both identified in the threat definition data for the threat and identified in the countermeasure data as protecting the asset, wherein the countermeasure score has a value within a predefined range; and
      
      determining the threat-centric risk metric for the particular asset for the particular threat from the applicability score, the vulnerability score, and the countermeasure score.
  - 25. The method of claim 24, further comprising:
    - determining a respective vulnerability-centric risk metric for the asset and each of the plurality of vulnerabilities;
      
      determining an aggregate vulnerability-centric risk metric for the asset from the respective risk metrics for the asset and each of the plurality of vulnerabilities;
      
      determining a respective threat-centric risk metric for the asset and each of the plurality of threats; and
      
      determining an aggregate threat-centric risk metric for the asset from the respective risk metrics for the asset and each of the plurality of threats.

26. A system comprising:
- at least one processor device;
  
  at least one memory element, communicatively coupled to the processor device; and
  
  a network monitor, adapted when executed by the at least one processor device to;
  
  receive vulnerability definition data, using a hardware processor, including, for each of a plurality of vulnerabilities, an indication of the vulnerability, an identification of one or more countermeasures that reduce a risk associated with possession of the vulnerability by an asset, an indication of a level of protection potentially afforded by each countermeasure for the vulnerability, and applicability information describing one or more configurations of assets to which the vulnerability applies;
  
  receive vulnerability detection data, countermeasure detection data, and configuration data for each of one or more assets, wherein the vulnerability detection data for each asset identifies vulnerabilities applicable to the asset, the countermeasure detection data for each asset identifying one or more countermeasures protecting the asset, and the configuration data for each asset describes a configuration of the asset; and
  
  determine a respective risk metric for each of the one or more assets for each of the one or more vulnerabilities, wherein determining the risk metric includes, for each asset and each vulnerability;
  
  identifying a standardized vulnerability score for the vulnerability, wherein the standardized vulnerability score indicates a relative level of risk associated with the vulnerability relative to other vulnerabilities in the plurality of vulnerabilities;
  
  determining a vulnerability detection score for the asset from the vulnerability detection data for the asset;
  
  determining a vulnerability composite score for the particular asset to the particular vulnerability, wherein the vulnerability composite score is derived from the standardized vulnerability score and the vulnerability detection score;
  
  determining a countermeasure component score from the vulnerability definition data and the countermeasure detection data, wherein determining the countermeasure component score includes analyzing the level of protection afforded by each countermeasure identified in both the vulnerability definition data for the vulnerability and in the countermeasure data as protecting the asset; and
  
  determining the risk metric for the asset and the vulnerability from the vulnerability composite score and the countermeasure component score.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Basavapatna, Prasanna Ganapathi, Kolingivadi, Deepakeshwaran, Schrecker, Sven
Primary Examiner(s)
Dada, Beemnet
Assistant Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US13/354,181
Publication Number

US 20130191919A1
Time in Patent Office

677 Days
Field of Search

726/1, 726/7, 726/11, 726/25, 713/168, 705/38
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Calculating quantitative asset risk

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

82 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

Calculating quantitative asset risk

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

82 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others