System and method for managing data and policies

US 8,667,121 B2
Filed: 03/25/2009
Issued: 03/04/2014
Est. Priority Date: 03/25/2009
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

capturing a plurality of packet streams at a host device that is to centrally manage network security for a plurality of client devices to which it is coupled over a network;

recreating a plurality of flows from the packet streams;

analyzing the flows to identify one or more incidents, wherein the incidents identify one or more pieces of data, and wherein the packet streams are captured based on capture filters that remove certain network traffic that is not to be analyzed for the incidents; and

filtering the incidents based on a search request that initiated scanning for the incidents, and wherein at least one search parameter associated with the search request includes word patterns that form a concept for which triggers are provided for performing actions related to the concepts,wherein the host device includes a display, which includes a system monitor view that displays details about the client devices including patch history information and an operating system version for each of the client devices, and wherein the system monitor view allows an end user of the host device to view existing alerts that are reported to a database and that are polled periodically,wherein the host device includes a case management view that displays particular cases, which are for particular incidents previously discovered during scanning activities, and wherein the case management view allows the end user to assign a priority for the particular cases, to assign an owner to each of the particular cases, and to assign individual responsibility to other users for helping resolve the particular cases.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a method is provided and includes capturing a plurality of packet streams, recreating a plurality of flows from the packet streams, and analyzing the flows to identify one or more incidents. The incidents identify one or more pieces of data. The incidents are filtered and the incidents are rendered on a display for an end user that initiated the filtering operation. In other embodiments, the display allows the end user to view a selected one of a group of attributes for the incidents. The display allows the end user to open a captured object associated with a specific incident. In still other embodiments, the display allows a user to filter the incidents using a selected one of a group of group options such as content, destination IP, destination location, destination port, filename, host IP, etc.

418 Citations

24 Claims

1. A method, comprising:
- capturing a plurality of packet streams at a host device that is to centrally manage network security for a plurality of client devices to which it is coupled over a network;
  
  recreating a plurality of flows from the packet streams;
  
  analyzing the flows to identify one or more incidents, wherein the incidents identify one or more pieces of data, and wherein the packet streams are captured based on capture filters that remove certain network traffic that is not to be analyzed for the incidents; and
  
  filtering the incidents based on a search request that initiated scanning for the incidents, and wherein at least one search parameter associated with the search request includes word patterns that form a concept for which triggers are provided for performing actions related to the concepts,wherein the host device includes a display, which includes a system monitor view that displays details about the client devices including patch history information and an operating system version for each of the client devices, and wherein the system monitor view allows an end user of the host device to view existing alerts that are reported to a database and that are polled periodically,wherein the host device includes a case management view that displays particular cases, which are for particular incidents previously discovered during scanning activities, and wherein the case management view allows the end user to assign a priority for the particular cases, to assign an owner to each of the particular cases, and to assign individual responsibility to other users for helping resolve the particular cases.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the display allows the end user to view a selected one of a group of attributes for the incidents.
  - 3. The method of claim 2, wherein the selected attribute is part of a group of attributes, the group consisting of:
    - content, a source associated with an incident, a destination associated with an incident, a protocol associated with an incident, timestamp associated with an incident, a status of an incident, and a priority of an incident.
  - 4. The method of claim 1, further comprising:
    - developing a policy based on the incidents, wherein the policy identifies how one or more data segments are permitted to traverse a network.
  - 5. The method of claim 4, wherein enforcement of the policy includes prohibiting at least one of the data segments from being transmitted over the network.
  - 6. The method of claim 1, wherein the display allows the end user to open a captured object associated with a specific incident.
  - 7. The method of claim 1, wherein the display allows a user to filter the incidents using a selected one of a group of group options, the group of group options consisting of:
    - content, destination IP, destination location, destination port, filename, host IP, host name, policy, protocol, reviewer, rule, sender, severity, source IP, source location, source port, status, user ID, user city, user company, user country, user department, user groups, user email, user manager, user name, user title, and user zip code.
  - 8. The method of claim 1, wherein the display allows the end user to export a report associated with the incidents.
  - 9. The method of claim 1, wherein the display allows the end user to:
    - enter group options for the incidents; and
      
      view a breakdown of file types of captured objects resulting from grouping the incidents according to the entered group options.
  - 10. The method of claim 1, wherein the incidents are used as a basis for a case that identifies additional details about the incidents, and wherein the display allows the end user to view existing cases and to export the new case and the existing cases to a next destination.
  - 11. The method of claim 1, wherein the display allows the end user to initiate a scan for new incidents, and to view existing scans.
  - 12. The method of claim 11, wherein the display allows the end user to schedule scans.

13. Logic encoded in one or more non-transitory tangible media for execution and when executed by a processor operable to:
- capture a plurality of packet streams at a host device that is to centrally manage network security for a plurality of client devices to which it is coupled over a network;
  
  recreate a plurality of flows from the packet streams;
  
  analyze the flows to identify one or more incidents, wherein the incidents identify one or more pieces of data, and wherein the packet streams are captured based on capture filters that remove certain network traffic that is not to be analyzed for the incidents; and
  
  filter the incidents based on a search request that initiated scanning for the incidents, and wherein at least one search parameter associated with the search request includes word patterns that form a concept for which triggers are provided for performing actions related to the concepts,wherein the host device includes a display, which includes a system monitor view that displays details about the client devices including patch history information and an operating system version for each of the client devices, and wherein the system monitor view allows an end user of the host device to view existing alerts that are reported to a database and that are polled periodically,wherein the host device includes a case management view that displays particular cases, which are for particular incidents previously discovered during scanning activities, and wherein the case management view allows the end user to assign a priority for the particular cases, to assign an owner to each of the particular cases, and to assign individual responsibility to other users for helping resolve the particular cases.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The media of claim 13, wherein the display allows the end user to view a selected one of a group of attributes for the incidents.
  - 15. The media of claim 14, wherein the selected attribute is part of a group of attributes, the group consisting of:
    - content, a source associated with an incident, a destination associated with an incident, a protocol associated with an incident, timestamp associated with an incident, a status of an incident, and a priority of an incident.
  - 16. The media of claim 13, wherein the code is further operable to:
    - develop a policy based on the incidents, wherein the policy identifies how one or more data segments are permitted to traverse a network.
  - 17. The media of claim 16, wherein enforcement of the policy includes prohibiting at least one of the data segments from being transmitted over the network.
  - 18. The media of claim 13, wherein the display allows the end user to open a captured object associated with a specific incident.
  - 19. The media of claim 13, wherein the display allows a user to filter the incidents using a selected one of a group of group options, the group of group options consisting of:
    - content, destination IP, destination location, destination port, filename, host IP, host name, policy, protocol, reviewer, rule, sender, severity, source IP, source location, source port, status, user ID, user city, user company, user country, user department, user groups, user email, user manager, user name, user title, and user zip code.
  - 20. The media of claim 13, wherein the display allows the end user to export a report associated with the incidents.
  - 21. The media of claim 13, wherein the display allows the end user to:
    - enter group options for the incidents; and
      
      view a breakdown of file types of captured objects resulting from grouping the incidents according to the entered group options.
  - 22. The media of claim 13, wherein the incidents are used as a basis for a case that identifies additional details about the incidents, and wherein the display allows the end user to view existing cases and to export the new case and the existing cases to a next destination.
  - 23. The media of claim 13, wherein the display allows the end user to initiate a scan for new incidents, and to view existing scans.

24. A host device, comprising:
- a processor; and
  
  a memory, wherein the host device is to centrally manage network security for a plurality of client devices to which it is coupled over a network, and wherein the host device is configured for;
  
  capturing a plurality of packet streams;
  
  recreating a plurality of flows from the packet streams;
  
  analyzing the flows to identify one or more incidents, wherein the incidents identify one or more pieces of data, and wherein the packet streams are captured based on capture filters that remove certain network traffic that is not to be analyzed for the incidents; and
  
  filtering the incidents based on a search request that initiated scanning for the incidents, and wherein at least one search parameter associated with the search request includes word patterns that form a concept for which triggers are provided for performing actions related to the concepts,wherein the host device includes a display, which includes a system monitor view that displays details about the client devices including patch history information and an operating system version for each of the client devices, and wherein the system monitor view allows an end user of the host device to view existing alerts that are reported to a database and that are polled periodically,wherein the host device includes a case management view that displays particular cases, which are for particular incidents previously discovered during scanning activities, and wherein the case management view allows the end user to assign a priority for the particular cases, to assign an owner to each of the particular cases, and to assign individual responsibility to other users for helping resolve the particular cases.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Ahuja, Ratinder Paul Singh, Christener, Joel, Gaitonde, Jitendra, Ganti, Sirisha, Haridasa, Sridevi, Hegde, Damodar K., Jayaram, Chaitra, Kasim, Rahila, Lakhani, Faizel, Patil, Swati, Sandhu, Harsimran S.
Primary Examiner(s)
Blair, Douglas
Assistant Examiner(s)
AILES, BENJAMIN A

Application Number

US12/410,905
Publication Number

US 20130246925A1
Time in Patent Office

1,805 Days
Field of Search

709/224, 726/1, 726/13, 726/22, 715/736
US Class Current

709/224
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/20 for managing network securi...

System and method for managing data and policies

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

418 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for managing data and policies

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

418 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links