System and method for performing threat assessments using situational awareness

US 8,607,353 B2
Filed: 03/04/2011
Issued: 12/10/2013
Est. Priority Date: 07/29/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, performed by at least one processor, for performing threat assessments, comprising:

identifying, by the at least one processor, a first security breach at a first company;

determining, by the at least one processor, after identifying the first security breach, one or more first actions associated with the first security breach, the one or more first actions including actions taken following the first security breach and actions taken prior to the first security breach;

identifying, by the at least one processor, a first possible security breach at the first company;

determining, by the at least one processor, contemporaneously with the identification of the first possible security breach, one or more second actions associated with the first possible security breach;

generating, by the at least one processor, one or more patterns of behavior associated with the first company and corresponding to the one or more first actions and the one or more second actions;

storing, by the at least one processor, the one or more patterns of behavior in a pattern repository;

comparing, by the at least one processor, at least one of the one or more patterns with one or more standardized log files for the first company to identify one or more first log entries related to the at least one of the one or more patterns of behavior and corresponding to the one or more first actions and the one or more second actions, the one or more first log entries being identified based on a threshold of similarity between the at least one of the one or more patterns of behavior and the one or more standardized log files for the first company;

notifying, by the at least one processor and based on the one or more identified first log entries, the first company of the first possible security breach at the first company;

performing, by the at least one processor and the first company and based on the notification, preventative action relating to the first possible security breach;

receiving, by the at least one processor, feedback from the first company, the feedback including a measure of success relating to the at least one of the one or more patterns of behavior and the one or more identified first log entries;

updating, by the at least one processor and based on the received feedback, the at least one of the one or more identified patterns of behavior;

comparing, by the at least one processor, at least one of the updated patterns of behavior with one or more standardized log files for a second company to identify log entries of the second company relating to a second possible security breach at the second company; and

notifying, by the at least one processor and based on the one or more identified first log entries of the second company, the second company of a second possible security breach at the second company.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and computer program products are provided for performing threat assessments. In one exemplary embodiment, the method may include generating one or more patterns of behavior corresponding to a security breach at a first company, and storing the generated one or more patterns in a pattern repository. In addition, the method may include comparing at least one of the one or more patterns with one or more standardized log files for the first company to identify one or more first log entries related to the behavior corresponding to the security breach. The method may also include processing at least one pattern of the one or more patterns with one or more standardized log files for a second company to identify log entries of the second company that indicate a possible security breach at the second company.

143 Citations

View as Search Results

21 Claims

1. A computer-implemented method, performed by at least one processor, for performing threat assessments, comprising:
- identifying, by the at least one processor, a first security breach at a first company;
  
  determining, by the at least one processor, after identifying the first security breach, one or more first actions associated with the first security breach, the one or more first actions including actions taken following the first security breach and actions taken prior to the first security breach;
  
  identifying, by the at least one processor, a first possible security breach at the first company;
  
  determining, by the at least one processor, contemporaneously with the identification of the first possible security breach, one or more second actions associated with the first possible security breach;
  
  generating, by the at least one processor, one or more patterns of behavior associated with the first company and corresponding to the one or more first actions and the one or more second actions;
  
  storing, by the at least one processor, the one or more patterns of behavior in a pattern repository;
  
  comparing, by the at least one processor, at least one of the one or more patterns with one or more standardized log files for the first company to identify one or more first log entries related to the at least one of the one or more patterns of behavior and corresponding to the one or more first actions and the one or more second actions, the one or more first log entries being identified based on a threshold of similarity between the at least one of the one or more patterns of behavior and the one or more standardized log files for the first company;
  
  notifying, by the at least one processor and based on the one or more identified first log entries, the first company of the first possible security breach at the first company;
  
  performing, by the at least one processor and the first company and based on the notification, preventative action relating to the first possible security breach;
  
  receiving, by the at least one processor, feedback from the first company, the feedback including a measure of success relating to the at least one of the one or more patterns of behavior and the one or more identified first log entries;
  
  updating, by the at least one processor and based on the received feedback, the at least one of the one or more identified patterns of behavior;
  
  comparing, by the at least one processor, at least one of the updated patterns of behavior with one or more standardized log files for a second company to identify log entries of the second company relating to a second possible security breach at the second company; and
  
  notifying, by the at least one processor and based on the one or more identified first log entries of the second company, the second company of a second possible security breach at the second company.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, further including:
    - notifying, when one or more log entries of the first company are identified, the first company of the results of the comparing of the at least one of the updated patterns of behavior with the one or more standardized log files for the second company.
  - 3. The computer-implemented method of claim 1, further including:
    - notifying, when one or more log entries of the second company are identified, the second company of the results of the comparing of the at least one of the updated patterns of behavior with the one or more standardized log files for the second company.
  - 4. The computer-implemented method of claim 1, further including:
    - processing, for the first company, log files of disparate devices of the first company to generate a standardized log file; and
      
      combining the log files to generate a unified log file for the first company.
  - 5. The computer-implemented method of claim 1, further including:
    - processing, for the second company, log files from disparate device of the second company to generate company standardized log files; and
      
      combining, for each of the one or more second companies, the company standardized log files to generate a company unified log file.
  - 6. The computer-implemented method of claim 1, wherein generating the one or more patterns includes:
    - identifying one or more actions or series of actions corresponding to the security breach, wherein the actions include at least one of downloading data, storing data, logging onto a computer network, entering a secured location, and using a device associated with the first company.
  - 7. The computer-implemented method of claim 1, further including:
    - collecting patterns of behavior from one or more third party sources; and
      
      storing the collected patterns of behavior in the pattern repository.

8. A non-transitory computer-readable medium storing a computer-executable program which, when executed by at least one processor, performs a method for performing threat assessments, comprising:
- identifying, by the at least one processor, a first security breach at a first company;
  
  determining, by the at least one processor, after identifying the first security breach, one or more first actions associated with the first security breach, the one or more first actions including actions taken following the first security breach and actions taken prior to the first security breach;
  
  identifying, by the at least one processor, a first possible security breach at the first company;
  
  determining, by the at least one processor, contemporaneously with the identification of the first possible security breach, one or more second actions associated with the first possible security breach;
  
  generating, by the at least one processor, one or more patterns of behavior associated with the first company and corresponding to the one or more first actions and the one or more second actions;
  
  storing, by the at least one processor, the one or more patterns of behavior in a pattern repository;
  
  comparing, by the at least one processor, at least one of the one or more patterns with one or more standardized log files for the first company to identify one or more first log entries related to the at least one of the one or more patterns of behavior and corresponding to the one or more first actions and the one or more second actions, the one or more first log entries being identified based on a threshold of similarity between the at least one of the one or more patterns of behavior and the one or more standardized log files for the first company;
  
  notifying, by the at least one processor and based on the one or more identified first log entries, the first company of the first possible security breach at the first company;
  
  performing, by the at least one processor and the first company and based on the notification, preventative action relating to the first possible security breach;
  
  receiving, by the at least one processor, feedback from the first company, the feedback including a measure of success relating to the at least one of the one or more patterns of behavior and the one or more identified first log entries;
  
  updating, by the at least one processor and based on the received feedback, the at least one of the one or more identified patterns of behavior;
  
  comparing, by the at least one processor, at least one of the updated patterns of behavior with one or more standardized log files for a second company to identify log entries of the second company relating to a second possible security breach at the second company; and
  
  notifying, by the at least one processor and based on the one or more identified first log entries of the second company, the second company of a second possible security breach at the second company.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable medium of claim 8, further including:
    - notifying, when one or more log entries of the first company are identified, the first company of the results of the comparing of the at least one of the updated patterns of behavior with the one or more standardized log files for the second company.
  - 10. The non-transitory computer-readable medium of claim 8, further including:
    - notifying, when one or more log entries of the second company are identified, the second company of the results of the comparing of the at least one of the updated patterns of behavior with the one or more standardized log files for the second company.
  - 11. The non-transitory computer-readable recording medium of claim 8, further including:
    - processing, for the first company, log files of disparate devices of the first company to generate a standardized log file; and
      
      combining the log files to generate a unified log file for the first company.
  - 12. The non-transitory computer-readable recording medium of claim 8, further including:
    - processing, for each of the one or more second companies, company log files to generate company standardized log files; and
      
      combining, for each of the one or more second companies, the company standardized log files to generate a company unified log file.
  - 13. The non-transitory computer-readable recording medium of claim 8, wherein generating the one or more patterns includes:
    - identifying one or more actions or series of actions corresponding to the security breach, wherein the actions include at least one of downloading data, storing data, logging onto a computer network, entering a secured location, and using a device associated with the first company.
  - 14. The non-transitory computer-readable recording medium of claim 8, further including:
    - collecting patterns of behavior from one or more third party sources; and
      
      storing the collected patterns of behavior in the pattern repository.

15. A system for identifying patterns of actions for performing threat assessments, the system comprising:
- at least one memory to store data and instructions; and
  
  at least one processor configured to access the at least one memory and, when executing the instructions to;
  
  identify, by the at least one processor, a first security breach at a first company;
  
  determine, by the at least one processor, after identifying the first security breach, one or more first actions associated with the first security breach, the one or more first actions including actions taken following the first security breach and actions taken prior to the first security breach;
  
  identify, by the at least one processor, a first possible security breach at a first company;
  
  determine, by the at least one processor, contemporaneously with the identification of the first possible security breach, one or more second actions associated with the first possible security breach;
  
  generate, by the at least one processor, one or more patterns of behavior associated with the first company and corresponding to the one or more first actions and the one or more second actions;
  
  store, by the at least one processor, the one or more patterns of behavior in a pattern repository;
  
  compare, by the at least one processor, at least one of the one or more patterns with one or more standardized log files for the first company to identify one or more first log entries related to the at least one of the one or more patterns of behavior and corresponding to the one or more first actions and the one or more second actions, the one or more first log entries being identified based on a threshold of similarity between the at least one of the one or more patterns and the one or more standardized log files for the first company;
  
  notify, by the at least one processor and based on the one or more identified first log entries, the first company of the first possible security breach at the first company;
  
  perform, by the at least one processor and the first company and based on the notification, preventative action relating to the first possible security breach;
  
  receive, by the at least one processor, feedback from the first company, the feedback including a measure of success relating to the at least one of the one or more patterns of behavior and the one or more identified first log entries;
  
  update, by the at least one processor and based on the received feedback, the at least one of the one or more identified patterns of behavior;
  
  compare, by the at least one processor, at least one of the updated patterns with one or more standardized log files for a second company to identify log entries of the second company relating to a second possible security breach at the second company; and
  
  notify, by the at least one processor and based on the one or more identified first log entries of the second company, the second company of a second possible security breach at the second company.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The system of claim 15, wherein the at least one processor is further configured to:
    - notify, when one or more log entries of the first company are identified, the first company of the results of the comparing of the at least one of the updated patterns of behavior with the one or more standardized log files for the second company.
  - 17. The system of claim 15, wherein the at least one processor is further configured to:
    - notify, when one or more log entries of the second company are identified, the second company of the results of the comparing of the at least one of the updated patterns of behavior with the one or more standardized log files for the second company.
  - 18. The system of claim 15, wherein the at least one processor is further configured to:
    - process, for the first company, log files of disparate devices of the first company to generate a standardized log file; and
      
      combine the log files to generate a unified log file for the first company.
  - 19. The system of claim 15, wherein the at least one processor is further configured to:
    - process, for each of the one or more second companies, company log files to generate company standardized log files; and
      
      combine, for each of the one or more second companies, the company standardized log files to generate a company unified log file.
  - 20. The system of claim 15, wherein when the at least one processor is configured to generate the one or more patterns, the at least one processor is further configured to:
    - identify one or more actions or series of actions corresponding to the security breach, wherein the actions include at least one of downloading data, storing data, logging onto a computer network, entering a secured location, and using a device associated with the first company.
  - 21. The system of claim 15, wherein the at least one processor is further configured to:
    - collect patterns of behavior from one or more third party sources; and
      
      store the collected patterns of behavior in the pattern repository.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services GmbH (Accenture PLC)
Inventors
Negm, Walid, Chahal, Taminder S., Checco, Christopher P., Rippert, Donald J. Jr.
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
HOLMES, ANGELA R

Application Number

US13/041,121
Publication Number

US 20120030767A1
Time in Patent Office

1,012 Days
Field of Search

726/25, 709/225, 709/203, 705/53
US Class Current

726/25
CPC Class Codes

G06Q 10/10 Office automation; Time man...

G06Q 99/00 Subject matter not provided...

System and method for performing threat assessments using situational awareness

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

143 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for performing threat assessments using situational awareness

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

143 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links