Security infrastructure

US 8,624,720 B2
Filed: 12/26/2009
Issued: 01/07/2014
Est. Priority Date: 12/21/2005
Status: Active Grant

First Claim

Patent Images

1. A method for operating a security infrastructure, comprising:

receiving, via a processor, data in response to a first event in the security infrastructure;

formatting, via the processor, the data into an event-message having a common format within the security infrastructure; and

distributing, via the processor, the event-message to a processing entity of a plurality processing entities of the security infrastructure, wherein the processing entity is assigned to analyze a topic of the event-message, wherein at least two of the plurality processing entities are assigned to a different security issue, wherein each of the processing entities comprises a computing device and comprises a security agent that uses an inference engine for analyzing a security issue, wherein the analyzing the security issue comprises identifying a pattern in a plurality of event-messages.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An automated security infrastructure is disclosed that includes security agents that are designed to analyze security issues. The security agents process events received from event-messages, and records data associated with a security issue in a ticket. Security and management personnel are kept informed based on notification subscription lists. Assigned security personnel'"'"'s progress in resolving outstanding security issues is monitored until those issues are resolved.

13 Citations

View as Search Results

20 Claims

1. A method for operating a security infrastructure, comprising:
- receiving, via a processor, data in response to a first event in the security infrastructure;
  
  formatting, via the processor, the data into an event-message having a common format within the security infrastructure; and
  
  distributing, via the processor, the event-message to a processing entity of a plurality processing entities of the security infrastructure, wherein the processing entity is assigned to analyze a topic of the event-message, wherein at least two of the plurality processing entities are assigned to a different security issue, wherein each of the processing entities comprises a computing device and comprises a security agent that uses an inference engine for analyzing a security issue, wherein the analyzing the security issue comprises identifying a pattern in a plurality of event-messages.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising:
    - searching a ticket repository for an associated ticket, wherein the associated ticked is a ticket that is associated with the event-message when the event-message corresponds to the security issue; and
      
      updating information in the associated ticket based on the event-message.
  - 3. The method of claim 2, further comprising:
    - opening a new ticket based on the event-message when the associated ticket is not found in the ticket repository; and
      
      initializing a parameter of the new ticket based on the security issue.
  - 4. The method of claim 3, further comprising:
    - collecting further events occurring after the first event.
  - 5. The method of claim 4, further comprising:
    - identifying a containment action when the security issue is identified in analyzing the security issue; and
      
      performing the containment action, when the containment action is identified.
  - 6. The method of claim 5, further comprising:
    - assessing an impact of the first event when no containment action is identified; and
      
      updating information in the ticket associated with the event-message.
  - 7. The method of claim 4, further comprising:
    - analyzing a ticket history of the associated ticket to identify the pattern, wherein the pattern is associated with a dribble attack;
      
      identifying a containment action when the dribble attack is identified in the analyzing of the ticket history;
      
      performing the containment action that is identified; and
      
      updating information in the associated ticket.
  - 8. The method of claim 3, further comprising:
    - notifying first personnel when the new ticket is opened;
      
      notifying the first personnel when information of the associated ticket is updated;
      
      closing the associated ticket when the associated ticket has a lowest priority; and
      
      closing the new ticket when the new ticket has a lowest priority.
  - 9. The method of claim 8, further comprising:
    - sending the new ticket to a security personnel based on the parameter of the new ticket; and
      
      monitoring to confirm a receipt of the new ticket by the security personnel.
  - 10. The method of claim 9, further comprising:
    - escalating the new ticket by alerting other personnel until the receipt of the new ticket is confirmed; and
      
      monitoring the new ticket until a status of the new ticket indicates that the new ticket is resolved.
  - 11. The method of claim 10, wherein the escalating and the monitoring comprise:
    - a. delaying a predetermined amount of time, wherein the predetermined amount of time is for alerting the other personnel when the new ticket is not received;
      
      b. checking if the security personnel has received the new ticket;
      
      c. alerting the other personnel when the new ticket is not received by the security personnel; and
      
      d. repeating steps a-c until the new ticket is received by the security personnel.
  - 12. The method of claim 11, whereinthe predetermined amount of time is changed for each iteration;
    - andalerting the other personnel comprises alerting different ones of the other personnel for each iteration.
  - 13. The method of claim 10, wherein the escalating and the monitoring further comprise:
    - a. delaying a predetermined amount of time, wherein the predetermined amount of time is for alerting the other personnel when the new ticket is not resolved;
      
      b. checking if the new ticket has been resolved;
      
      c. alerting the other personnel when the new ticket is not resolved; and
      
      d. repeating steps a-c until the new ticket is resolved.
  - 14. The method of claim 13, whereinthe predetermined amount of time is changed for each iteration;
    - andalerting the other personnel comprises alerting different ones of the other personnel for each iteration.

15. A computer readable medium storing a plurality of instructions which, when executed by a processor, cause the processor to perform operations for a security infrastructure, the operations comprising:
- receiving data in response to a first event in the security infrastructure;
  
  formatting the data into an event-message having a common format within the security infrastructure; and
  
  distributing the event-message to a processing entity of a plurality processing entities of the security infrastructure, wherein the processing entity is assigned to analyze a topic of the event-message, wherein at least two of the plurality processing entities are assigned to a different security issue, wherein each of the processing entities comprises a computing device and comprises a security agent that uses an inference engine for analyzing a security issue, wherein the analyzing the security issue comprises identifying a pattern in a plurality of event-messages.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer readable medium of claim 15, further comprising:
    - searching a ticket repository for an associated ticket, wherein the associated ticket is a ticket that is associated with the event-message when the event-message corresponds to the security issue;
      
      updating information in the associated ticket based on the event-message;
      
      opening a new ticket based on the event-message when the associated ticket is not found in the ticket repository; and
      
      initializing a parameter of the new ticket based on the security issue.
  - 17. The computer readable medium of claim 16, further comprising:
    - collecting further events occurring after the first event;
      
      analyzing the first event and the further events to identify the pattern, wherein the pattern is associated with a known security issue;
      
      identifying a containment action when the known security issue is identified in the analyzing the first event;
      
      performing the containment action, when the containment action is identified;
      
      assessing an impact of the first event when no containment action is identified; and
      
      updating information in the ticket associated with the event-message.
  - 18. The computer readable medium of claim 17, further comprising:
    - analyzing a ticket history of the associated ticket to identify the pattern, wherein the pattern is associated with a dribble attack;
      
      identifying a containment action when the dribble attack is identified in the analyzing of the ticket history;
      
      performing the containment action that is identified; and
      
      updating information in the associated ticket.
  - 19. The computer readable medium of claim 17, further comprising:
    - notifying first personnel when the new ticket is opened;
      
      notifying the first personnel when information of the associated ticket is updated;
      
      closing the associated ticket when the associated ticket has a lowest priority;
      
      closing the new ticket when the new ticket has a lowest priority;
      
      sending the new ticket to a security personnel based on the parameter of the new ticket;
      
      monitoring to confirm a receipt of the new ticket by the security personnel;
      
      escalating the new ticket by alerting other personnel until the receipt of the new ticket is confirmed; and
      
      monitoring the new ticket until a status of the new ticket indicates that the new ticket is resolved.

20. A security infrastructure, comprising:
- a processor; and
  
  a computer readable medium storing a plurality of instructions which, when executed by the processor, cause the processor to perform operations, the operations comprising;
  
  receiving data in response to a first event in the security infrastructure;
  
  formatting the data into an event-message having a common format within the security infrastructure; and
  
  distributing the event-message to a processing entity of a plurality processing entities of the security infrastructure, wherein the processing entity is assigned to analyze a topic of the event-message, wherein at least two of the plurality processing entities are assigned to a different security issue, wherein each of the processing entities comprises a computing device and comprises a security agent that uses an inference engine for analyzing a security issue, wherein the analyzing the security issue comprises identifying a pattern in a plurality of event-messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property II LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property II LP (AT&T, Inc.)
Inventors
Bajpay, Paritosh, Bienfait, Roberta, Cast, Ginny, Chiang, Wan-Ping, Hanechak, Kim, Liu, Jackson, Stokes, Denise
Primary Examiner(s)
CROSLAND, DONNIE L

Application Number

US12/647,465
Publication Number

US 20100097213A1
Time in Patent Office

1,473 Days
Field of Search

340/506
US Class Current

340/506
CPC Class Codes

G08B 25/08 using communication transmi...

Security infrastructure

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Security infrastructure

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links