Incident triage engine

US 8,732,840 B2
Filed: 10/07/2011
Issued: 05/20/2014
Est. Priority Date: 10/07/2011
Status: Active Grant

First Claim

Patent Images

1. A method of prioritizing responses to a plurality of incidents, the method being performed by a computer processor connected to a memory, the method comprising:

receiving, by the computer processor, attributes of a plurality of linked assets within a system;

receiving, by the computer processor, attributes of a plurality of incidents, each incident of the plurality of incidents being initially associated with an initial asset at an initial time;

generating, by the computer processor, for each incident, a cumulative loss forecast for the incident by;

calculating, by the computer processor, a first loss forecast for the incident with respect to the corresponding initial asset, the first loss forecast calculations being based on the attributes of the incidents, the attributes of the assets, and an incident impact over time on an asset confidentiality loss model, an incident impact over time on an asset integrity loss model, and an incident impact over time on an asset availability loss model;

calculating, by the computer processor, additional loss forecasts for the incident with respect to each of the remaining assets of the plurality of assets, the additional loss forecasts being based on the attributes of the incidents, the attributes of the assets, and a time duration from the initial time to a time of incident inception at each of the remaining assets; and

calculating, by the computer processor, the cumulative loss forecast by combining the first loss forecast and the additional loss forecasts for the incident; and

prioritizing, by the computer processor, the responses to the plurality of incidents based on the cumulative loss forecasts generated for each of the plurality of incidents.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An incident triage engine performs incident triage in a system by prioritizing responses to incidents within the system. One prioritization method may include receiving attributes of incidents and assets in the system, generating cumulative loss forecasts for the incidents, and prioritizing the responses to the incidents based on the cumulative loss forecasts for the incidents. Another prioritization method may include determining different arrangements of incidents within a response queue, calculating cumulative queue loss forecasts for the different arrangements of incidents within the response queue, and arranging the incidents in the response queue based on the arrangement of incidents that minimizes the total loss to the system over the resolution of all of the incidents present in the response queue.

Citations

27 Claims

1. A method of prioritizing responses to a plurality of incidents, the method being performed by a computer processor connected to a memory, the method comprising:
- receiving, by the computer processor, attributes of a plurality of linked assets within a system;
  
  receiving, by the computer processor, attributes of a plurality of incidents, each incident of the plurality of incidents being initially associated with an initial asset at an initial time;
  
  generating, by the computer processor, for each incident, a cumulative loss forecast for the incident by;
  
  calculating, by the computer processor, a first loss forecast for the incident with respect to the corresponding initial asset, the first loss forecast calculations being based on the attributes of the incidents, the attributes of the assets, and an incident impact over time on an asset confidentiality loss model, an incident impact over time on an asset integrity loss model, and an incident impact over time on an asset availability loss model;
  
  calculating, by the computer processor, additional loss forecasts for the incident with respect to each of the remaining assets of the plurality of assets, the additional loss forecasts being based on the attributes of the incidents, the attributes of the assets, and a time duration from the initial time to a time of incident inception at each of the remaining assets; and
  
  calculating, by the computer processor, the cumulative loss forecast by combining the first loss forecast and the additional loss forecasts for the incident; and
  
  prioritizing, by the computer processor, the responses to the plurality of incidents based on the cumulative loss forecasts generated for each of the plurality of incidents.
- View Dependent Claims (2, 3, 4)
- - 2. The method according to claim 1, the receiving further including:
    - receiving attributes of the system, the attributes of the system including an environmental factors attribute; and
      
      receiving attributes of courses of action to be taken as responses to the incidents;
      
      wherein;
      
      the attributes of the incidents include one or more of the following;
      
      an incident morbidity attribute or an incident infectiousness attribute, where the incident morbidity attribute includes one or more of the following;
      
      a confidentiality impact of the incident, an integrity impact of the incident, an availability impact of the incident, a progression speed of the incident, or an incubation time of the incident, and where the incident infectiousness attribute includes one or more of the following;
      
      a potency of the incident, a transmission mode of the incident, or a latency period of the incident; and
      
      the attributes of the assets include one or more of the following;
      
      a value attribute or an immunity attribute, where the value attribute includes one or more of the following;
      
      a confidentiality value of the asset, an integrity value of the asset, an availability value of the asset, or a substitutability value of the asset, and where the immunity attribute includes a susceptibility value of the asset;
      
      the first loss forecast calculations are further based on the attributes of the system and the attributes of the courses of action; and
      
      the additional loss forecast calculations are further based on the potency of the incident, the transmission mode of the incident, and the latency period of the incident.
  - 3. The method according to claim 1, wherein the receiving, generating, and prioritizing are repeated after one or more of the following:
    - a new incident entering the system, or an existing incident in the system being resolved.
  - 4. The method according to claim 1, wherein:
    - the system is a computer network;
      
      the plurality of linked assets includes one or more of the following;
      
      a database server, an application server, a firewall, an intrusion detection system, a router, a switch, a bridge, a repeater, or an end point; and
      
      the incidents include one or more of the following;
      
      a denial of service attack, a virus, a worm, a trojan horse, a backdoor, or a cookie tracker.

5. A non-transitory computer-readable storage medium storing computer program instructions for prioritizing responses to a plurality of incidents according to a method, the method comprising:
- receiving attributes of a plurality of linked assets within a system;
  
  receiving attributes of a plurality of incidents, each incident of the plurality of incidents being initially associated with an initial asset at an initial time;
  
  generating, for each incident, a cumulative loss forecast for the incident by;
  
  calculating a first loss forecast for the incident with respect to the corresponding initial asset, the first loss forecast calculations being based on the attributes of the incidents and the attributes of the assets, and an incident impact over time on an asset confidentiality loss model, an incident impact over time on an asset integrity loss model, and an incident impact over time on an asset availability loss model;
  
  calculating additional loss forecasts for the incident with respect to each of the remaining assets of the plurality of assets, the additional loss forecasts being based on the attributes of the incidents, the attributes of the assets, and a time duration from the initial time to a time of incident inception at each of the remaining assets; and
  
  calculating the cumulative loss forecast by combining the first loss forecast and the additional loss forecasts for the incident; and
  
  prioritizing the responses to the plurality of incidents based on the cumulative loss forecasts generated for each of the plurality of incidents.
- View Dependent Claims (6, 7, 8)
- - 6. The non-transitory computer-readable storage medium according to claim 5, the receiving further including:
    - receiving attributes of the system, the attributes of the system including an environmental factors attribute; and
      
      receiving attributes of courses of action to be taken as responses to the incidents;
      
      wherein;
      
      the attributes of the incidents include one or more of the following;
      
      an incident morbidity attribute or an incident infectiousness attribute, where the incident morbidity attribute includes one or more of the following;
      
      a confidentiality impact of the incident, an integrity impact of the incident, an availability impact of the incident, a progression speed of the incident, or an incubation time of the incident, and where the incident infectiousness attribute includes one or more of the following;
      
      a potency of the incident, a transmission mode of the incident, or a latency period of the incident; and
      
      the attributes of the assets include one or more of the following;
      
      a value attribute or an immunity attribute, where the value attribute includes one or more of the following;
      
      a confidentiality value of the asset, an integrity value of the asset, an availability value of the asset, or a substitutability value of the asset, and where the immunity attribute includes a susceptibility value of the asset;
      
      the first loss forecast calculations are further based on the attributes of the system and the attributes of the courses of action; and
      
      the additional loss forecast calculations are further based on the potency of the incident, the transmission mode of the incident, and the latency period of the incident.
  - 7. The non-transitory computer-readable storage medium according to claim 5, wherein the receiving, generating, and prioritizing are repeated after one or more of the following:
    - a new incident entering the system, or an existing incident in the system being resolved.
  - 8. The non-transitory computer-readable storage medium according to claim 5, wherein:
    - the system is a computer network;
      
      the plurality of linked assets includes one or more of the following;
      
      a database server, an application server, a firewall, an intrusion detection system, a router, a switch, a bridge, a repeater, or an end point; and
      
      the incidents include one or more of the following;
      
      a denial of service attack, a virus, a worm, a trojan horse, a backdoor, or a cookie tracker.

9. A system including a processor and a memory, the memory storing instructions operable with the processor for prioritizing responses to a plurality of incidents, the instructions associated with a plurality of devices, the devices comprising:
- a receiving device that (1) receives attributes of a plurality of linked assets within an environment, and (2) receives attributes of a plurality of incidents, each incident of the plurality of incidents being initially associated with an initial asset at an initial time;
  
  a cumulative loss forecast generating device that generates, for each incident, a cumulative loss forecast for the incident by;
  
  calculating a first loss forecast for the incident with respect to the corresponding initial asset, the first loss forecast calculations being based on the attributes of the incidents and the attributes of the assets, and an incident impact over time on an asset confidentiality loss model, an incident impact over time on an asset integrity loss model, and an incident impact over time on an asset availability loss model;
  
  calculating additional loss forecasts for the incident with respect to each of the remaining assets of the plurality of assets, the additional loss forecasts being based on the attributes of the incidents, the attributes of the assets, and a time duration from the initial time to a time of incident inception at each of the remaining assets; and
  
  calculating the cumulative loss forecast by combining the first loss forecast and the additional loss forecasts for the incident; and
  
  a prioritizing device that prioritizes the responses to the plurality of incidents based on the cumulative loss forecasts generated for each of the plurality of incidents.
- View Dependent Claims (10, 11, 12, 14)
- - 10. The system according to claim 9, the receiving device further (3) receives attributes of the environment, the attributes of the environment including an environmental factors attribute, and (4) receives attributes of courses of action to be taken as responses to the incidents;
    - wherein;
      
      the attributes of the incidents include one or more of the following;
      
      an incident morbidity attribute or an incident infectiousness attribute, where the incident morbidity attribute includes one or more of the following;
      
      a confidentiality impact of the incident, an integrity impact of the incident, an availability impact of the incident, a progression speed of the incident, or an incubation time of the incident, and where the incident infectiousness attribute includes one or more of the following;
      
      a potency of the incident, a transmission mode of the incident, or a latency period of the incident; and
      
      the attributes of the assets include one or more of the following;
      
      a value attribute or an immunity attribute, where the value attribute includes one or more of the following;
      
      a confidentiality value of the asset, an integrity value of the asset, an availability value of the asset, or a substitutability value of the asset, and where the immunity attribute includes a susceptibility value of the asset;
      
      the first loss forecast calculations are further based on the attributes of the environment and the attributes of the courses of action; and
      
      the additional loss forecast calculations are further based on the potency of the incident, the transmission mode of the incident, and the latency period of the incident.
  - 11. The system according to claim 9, wherein the receiving by the receiving device, the generating by the generating device, and the prioritizing by the prioritizing device are repeated after one or more of the following:
    - a new incident entering the environment, or an existing incident in the environment being resolved.
  - 12. The system according to claim 9, wherein:
    - the environment is a computer network;
      
      the plurality of linked assets includes one or more of the following;
      
      a database server, an application server, a firewall, an intrusion detection system, a router, a switch, a bridge, a repeater, or an end point; and
      
      the incidents include one or more of the following;
      
      a denial of service attack, a virus, a worm, a trojan horse, a backdoor, or a cookie tracker.
  - 14. The method according to claim 11, wherein:
    - the first loss forecast calculations are further based on an incident impact over time on asset confidentiality loss model, an incident impact over time on asset integrity loss model, and an incident impact over time on asset availability loss model.

13. A method of prioritizing responses to a plurality of incidents, the method being performed by a computer processor connected to a memory, the method comprising:
- receiving, by the computer processor, attributes of a plurality of linked assets within a system;
  
  receiving, by the computer processor, attributes of a plurality of incidents, each incident of the plurality of incidents being initially associated with an initial asset at an initial time;
  
  generating, by the computer processor, for each incident, a cumulative loss forecast for the incident by;
  
  calculating, by the computer processor, a first loss forecast for the incident with respect to the corresponding initial asset, the first loss forecast calculations being based on attributes of the incidents and attributes of the assets;
  
  calculating, by the computer processor, additional loss forecasts for the incident with respect to each of the remaining assets of the plurality of assets, the additional loss forecasts being based on the attributes of the incidents, the attributes of the assets, and a time duration from the initial time to a time of incident inception at each of the remaining assets; and
  
  calculating, by the computer processor, the cumulative loss forecast by combining the first loss forecast and the additional loss forecasts for the incident; and
  
  prioritizing, by the computer processor, the responses to the plurality of incidents based on the cumulative loss forecasts generated for each of the plurality of incidents,wherein the incidents include one or more of the following;
  
  a denial of service attack, a virus, a worm, a trojan horse, a backdoor, or a cookie tracker.
- View Dependent Claims (15, 16, 17)
- - 15. The method according to claim 13, the receiving further including:
    - receiving attributes of the system, the attributes of the system including an environmental factors attribute; and
      
      receiving attributes of courses of action to be taken as responses to the incidents;
      
      wherein;
      
      the attributes of the incidents include one or more of the following;
      
      an incident morbidity attribute or an incident infectiousness attribute, where the incident morbidity attribute includes one or more of the following;
      
      a confidentiality impact of the incident, an integrity impact of the incident, an availability impact of the incident, a progression speed of the incident, or an incubation time of the incident, and where the incident infectiousness attribute includes one or more of the following;
      
      a potency of the incident, a transmission mode of the incident, or a latency period of the incident; and
      
      the attributes of the assets include one or more of the following;
      
      a value attribute or an immunity attribute, where the value attribute includes one or more of the following;
      
      a confidentiality value of the asset, an integrity value of the asset, an availability value of the asset, or a substitutability value of the asset, and where the immunity attribute includes a susceptibility value of the asset;
      
      the first loss forecast calculations are further based on the attributes of the system and the attributes of the courses of action; and
      
      the additional loss forecast calculations are further based on the potency of the incident, the transmission mode of the incident, and the latency period of the incident.
  - 16. The method according to claim 13, wherein the receiving, generating, and prioritizing are repeated after one or more of the following:
    - a new incident entering the system, or an existing incident in the system being resolved.
  - 17. The method according to claim 13, wherein:
    - the system is a computer network; and
      
      the plurality of linked assets includes one or more of the following;
      
      a database server, an application server, a firewall, an intrusion detection system, a router, a switch, a bridge, a repeater, or an end point.

18. A non-transitory computer-readable storage medium storing computer program instructions for prioritizing responses to a plurality of incidents according to a method, the method comprising:
- receiving attributes of a plurality of linked assets within a system;
  
  receiving attributes of a plurality of incidents, each incident of the plurality of incidents being initially associated with an initial asset at an initial time;
  
  generating, for each incident, a cumulative loss forecast for the incident by;
  
  calculating a first loss forecast for the incident with respect to the corresponding initial asset, the first loss forecast calculations being based on the attributes of the incidents and the attributes of the assets;
  
  calculating additional loss forecasts for the incident with respect to each of the remaining assets of the plurality of assets, the additional loss forecasts being based on the attributes of the incidents, the attributes of the assets, and a time duration from the initial time to a time of incident inception at each of the remaining assets; and
  
  calculating the cumulative loss forecast by combining the first loss forecast and the additional loss forecasts for the incident; and
  
  prioritizing the responses to the plurality of incidents based on the cumulative loss forecasts generated for each of the plurality of incidents,wherein the incidents include one or more of the following;
  
  a denial of service attack, a virus, a worm, a trojan horse, a backdoor, or a cookie tracker.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The non-transitory computer-readable storage medium according to claim 18, wherein:
    - the first loss forecast calculations are further based on an incident impact over time on asset confidentiality loss model, an incident impact over time on asset integrity loss model, and an incident impact over time on asset availability loss model.
  - 20. The non-transitory computer-readable storage medium according to claim 18, the receiving further including:
    - receiving attributes of the system, the attributes of the system including an environmental factors attribute; and
      
      receiving attributes of courses of action to be taken as responses to the incidents;
      
      wherein;
      
      the attributes of the incidents include one or more of the following;
      
      an incident morbidity attribute or an incident infectiousness attribute, where the incident morbidity attribute includes one or more of the following;
      
      a confidentiality impact of the incident, an integrity impact of the incident, an availability impact of the incident, a progression speed of the incident, or an incubation time of the incident, and where the incident infectiousness attribute includes one or more of the following;
      
      a potency of the incident, a transmission mode of the incident, or a latency period of the incident; and
      
      the attributes of the assets include one or more of the following;
      
      a value attribute or an immunity attribute, where the value attribute includes one or more of the following;
      
      a confidentiality value of the asset, an integrity value of the asset, an availability value of the asset, or a substitutability value of the asset, and where the immunity attribute includes a susceptibility value of the asset;
      
      the first loss forecast calculations are further based on the attributes of the system and the attributes of the courses of action; and
      
      the additional loss forecast calculations are further based on the potency of the incident, the transmission mode of the incident, and the latency period of the incident.
  - 21. The non-transitory computer-readable storage medium according to claim 18, wherein the receiving, generating, and prioritizing are repeated after one or more of the following:
    - a new incident entering the system, or an existing incident in the system being resolved.
  - 22. The non-transitory computer-readable storage medium according to claim 18, wherein:
    - the system is a computer network; and
      
      the plurality of linked assets includes one or more of the following;
      
      a database server, an application server, a firewall, an intrusion detection system, a router, a switch, a bridge, a repeater, or an end point.

23. A system including a processor and a memory, the memory storing instructions operable with the processor for prioritizing responses to a plurality of incidents, the instructions associated with a plurality of devices, the devices comprising:
- a receiving device that (1) receives attributes of a plurality of linked assets within an environment, and (2) receives attributes of a plurality of incidents, each incident of the plurality of incidents being initially associated with an initial asset at an initial time;
  
  a cumulative loss forecast generating device that generates, for each incident, a cumulative loss forecast for the incident by;
  
  calculating a first loss forecast for the incident with respect to the corresponding initial asset, the first loss forecast calculations being based on the attributes of the incidents and the attributes of the assets;
  
  calculating additional loss forecasts for the incident with respect to each of the remaining assets of the plurality of assets, the additional loss forecasts being based on the attributes of the incidents, the attributes of the assets, and a time duration from the initial time to a time of incident inception at each of the remaining assets; and
  
  calculating the cumulative loss forecast by combining the first loss forecast and the additional loss forecasts for the incident; and
  
  a prioritizing device that prioritizes the responses to the plurality of incidents based on the cumulative loss forecasts generated for each of the plurality of incidents,wherein the incidents include one or more of the following;
  
  a denial of service attack, a virus, a worm, a trojan horse, a backdoor, or a cookie tracker.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The system according to claim 23, wherein:
    - the first loss forecast calculations are further based on an incident impact over time on asset confidentiality loss model, an incident impact over time on asset integrity loss model, and an incident impact over time on asset availability loss model.
  - 25. The system according to claim 23, the receiving device further (3) receives attributes of the environment, the attributes of the environment including an environmental factors attribute, and (4) receives attributes of courses of action to be taken as responses to the incidents;
    - wherein;
      
      the attributes of the incidents include one or more of the following;
      
      an incident morbidity attribute or an incident infectiousness attribute, where the incident morbidity attribute includes one or more of the following;
      
      a confidentiality impact of the incident, an integrity impact of the incident, an availability impact of the incident, a progression speed of the incident, or an incubation time of the incident, and where the incident infectiousness attribute includes one or more of the following;
      
      a potency of the incident, a transmission mode of the incident, or a latency period of the incident; and
      
      the attributes of the assets include one or more of the following;
      
      a value attribute or an immunity attribute, where the value attribute includes one or more of the following;
      
      a confidentiality value of the asset, an integrity value of the asset, an availability value of the asset, or a substitutability value of the asset, and where the immunity attribute includes a susceptibility value of the asset;
      
      the first loss forecast calculations are further based on the attributes of the environment and the attributes of the courses of action; and
      
      the additional loss forecast calculations are further based on the potency of the incident, the transmission mode of the incident, and the latency period of the incident.
  - 26. The system according to claim 23, wherein the receiving by the receiving device, the generating by the generating device, and the prioritizing by the prioritizing device are repeated after one or more of the following:
    - a new incident entering the environment, or an existing incident in the environment being resolved.
  - 27. The system according to claim 23, wherein:
    - the environment is a computer network; and
      
      the plurality of linked assets includes one or more of the following;
      
      a database server, an application server, a firewall, an intrusion detection system, a router, a switch, a bridge, a repeater, or an end point.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services Limited (Accenture PLC)
Inventors
Howes, Joshua Z., Negm, Walid, Solderitsch, James J., Jotwani, Ashish, Carver, Matthew
Primary Examiner(s)
LEMMA, SAMSON B

Application Number

US13/269,275
Publication Number

US 20130091574A1
Time in Patent Office

956 Days
Field of Search

726/25, 726 22- 24, 713187-188
US Class Current

726/25
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06Q 10/10   Office automation; Time man...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Incident triage engine

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Incident triage engine

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links