Incident triage engine
First Claim
1. A method of prioritizing responses to a plurality of incidents, the method being performed by a computer processor connected to a memory, the method comprising:
- receiving, by the computer processor, attributes of a plurality of linked assets within a system;
- receiving, by the computer processor, attributes of a plurality of incidents, each incident of the plurality of incidents being initially associated with an initial asset at an initial time;
- generating, by the computer processor, for each incident, a cumulative loss forecast for the incident by:
  - calculating, by the computer processor, a first loss forecast for the incident with respect to the corresponding initial asset, the first loss forecast calculations being based on the attributes of the incidents, the attributes of the assets, and an incident impact over time on an asset confidentiality loss model, an incident impact over time on an asset integrity loss model, and an incident impact over time on an asset availability loss model;
  - calculating, by the computer processor, additional loss forecasts for the incident with respect to each of the remaining assets of the plurality of assets, the additional loss forecasts being based on the attributes of the incidents, the attributes of the assets, and a time duration from the initial time to a time of incident inception at each of the remaining assets; and
  - calculating, by the computer processor, the cumulative loss forecast by combining the first loss forecast and the additional loss forecasts for the incident; and
- prioritizing, by the computer processor, the responses to the plurality of incidents based on the cumulative loss forecasts generated for each of the plurality of incidents.
Abstract
An incident triage engine performs incident triage in a system by prioritizing responses to incidents within the system. One prioritization method may include receiving attributes of incidents and assets in the system, generating cumulative loss forecasts for the incidents, and prioritizing the responses to the incidents based on the cumulative loss forecasts for the incidents. Another prioritization method may include determining different arrangements of incidents within a response queue, calculating cumulative queue loss forecasts for the different arrangements of incidents within the response queue, and arranging the incidents in the response queue based on the arrangement of incidents that minimizes the total loss to the system over the resolution of all of the incidents present in the response queue.
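The two prioritization methods described above (the per-incident cumulative loss forecast of claim 1 and the loss-minimizing queue arrangement from the abstract) can be made concrete in a small model. The following is an added example written for this page, not code from the patent or its assignee. Everything not named in the claims is an assumption: the linear-ramp impact-over-time model (a fixed fraction of each asset's confidentiality, integrity and availability value lost per hour of exposure, capped at 1.0), the representation of "linked assets" as a directed graph whose edge weights are propagation delays in hours, the single-responder serial queue, and all asset, incident and response-time values, which are constructed.

```python
# Added example (not the patent's code). Impact model, link semantics and sample data are assumptions.
from __future__ import annotations

import heapq
import itertools
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    confidentiality_value: float  # value at risk if confidentiality is fully lost
    integrity_value: float
    availability_value: float
    # Directed links: neighbour name -> hours for an incident to spread there (assumption).
    links: dict[str, float] = field(default_factory=dict)


@dataclass(frozen=True)
class Incident:
    ident: str
    kind: str
    initial_asset: str
    initial_time: float
    # Stand-ins for the claim's C, I and A "impact over time" loss models: fraction of
    # each value lost per hour of exposure, capped at 1.0 (linear ramp; assumption).
    conf_rate: float
    integ_rate: float
    avail_rate: float


def impact_fraction(rate: float, elapsed: float) -> float:
    """Fraction of an asset's value lost after `elapsed` hours of exposure."""
    return 0.0 if elapsed <= 0 else min(1.0, rate * elapsed)


def inception_times(assets: dict[str, Asset], start: str, t0: float) -> dict[str, float]:
    """Earliest time the incident reaches each linked asset (Dijkstra over link delays)."""
    times = {start: t0}
    heap = [(t0, start)]
    while heap:
        t, name = heapq.heappop(heap)
        if t > times[name]:
            continue  # stale heap entry
        for nxt, delay in assets[name].links.items():
            if t + delay < times.get(nxt, float("inf")):
                times[nxt] = t + delay
                heapq.heappush(heap, (t + delay, nxt))
    return times


def asset_loss(asset: Asset, inc: Incident, elapsed: float) -> float:
    """Loss forecast for one asset: its C, I and A values weighted by the impact models."""
    return (asset.confidentiality_value * impact_fraction(inc.conf_rate, elapsed)
            + asset.integrity_value * impact_fraction(inc.integ_rate, elapsed)
            + asset.availability_value * impact_fraction(inc.avail_rate, elapsed))


def cumulative_loss_forecast(assets: dict[str, Asset], inc: Incident, horizon: float) -> float:
    """First loss forecast (initial asset) plus additional forecasts for every asset the
    incident reaches, each counted from its own inception time up to `horizon`."""
    arrivals = inception_times(assets, inc.initial_asset, inc.initial_time)
    first = asset_loss(assets[inc.initial_asset], inc, horizon - inc.initial_time)
    additional = sum(asset_loss(assets[n], inc, horizon - t)
                     for n, t in arrivals.items() if n != inc.initial_asset)
    return first + additional


def prioritize(assets, incidents, horizon) -> list[tuple[str, float]]:
    """Claim 1 ordering: incidents ranked by cumulative loss forecast, largest first."""
    ranked = [(i.ident, cumulative_loss_forecast(assets, i, horizon)) for i in incidents]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def best_queue_arrangement(assets, incidents, response_hours, start):
    """Abstract's second method: evaluate every queue order and keep the one whose total
    loss, with each incident accruing loss until its own resolution, is smallest."""
    best_order, best_total = [], float("inf")
    for order in itertools.permutations(incidents):
        clock, total = start, 0.0
        for inc in order:
            clock += response_hours[inc.ident]  # one responder works the queue serially
            total += cumulative_loss_forecast(assets, inc, clock)
        if total < best_total:
            best_order, best_total = [i.ident for i in order], total
    return best_order, best_total


# Constructed sample environment: three linked assets and two incidents.
ASSETS = {
    "web": Asset("web", 10, 20, 40, links={"app": 1.0, "db": 2.0}),
    "app": Asset("app", 20, 30, 30, links={"db": 1.0}),
    "db": Asset("db", 100, 80, 50),
}
INCIDENTS = [
    Incident("inc-1", "denial of service", "web", 0.0, conf_rate=0.0, integ_rate=0.0, avail_rate=0.5),
    Incident("inc-2", "worm", "app", 1.0, conf_rate=0.1, integ_rate=0.2, avail_rate=0.1),
]
RESPONSE_HOURS = {"inc-1": 3.0, "inc-2": 1.0}  # constructed time-to-resolve per incident

if __name__ == "__main__":
    print("ranked by cumulative loss forecast at t=4h:", prioritize(ASSETS, INCIDENTS, 4.0))
    print("queue order minimizing total loss:",
          best_queue_arrangement(ASSETS, INCIDENTS, RESPONSE_HOURS, 1.0))
```

With this data the two methods disagree, which is the point of the abstract's second method: ranked by cumulative loss forecast alone, the denial of service on `web` (120 units of forecast loss at the 4-hour horizon) outranks the worm on `app` (95), but because the worm is quick to resolve and the denial of service loss saturates anyway, working the queue as `inc-2` then `inc-1` yields a lower total loss (131) than the ranking order (257). The permutation search is exponential in queue length and is only meant to show the objective; a real engine would need a heuristic or incremental scheduler.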
27 Claims
1. A method of prioritizing responses to a plurality of incidents, the method being performed by a computer processor connected to a memory, the method comprising:
- receiving, by the computer processor, attributes of a plurality of linked assets within a system;
- receiving, by the computer processor, attributes of a plurality of incidents, each incident of the plurality of incidents being initially associated with an initial asset at an initial time;
- generating, by the computer processor, for each incident, a cumulative loss forecast for the incident by:
  - calculating, by the computer processor, a first loss forecast for the incident with respect to the corresponding initial asset, the first loss forecast calculations being based on the attributes of the incidents, the attributes of the assets, and an incident impact over time on an asset confidentiality loss model, an incident impact over time on an asset integrity loss model, and an incident impact over time on an asset availability loss model;
  - calculating, by the computer processor, additional loss forecasts for the incident with respect to each of the remaining assets of the plurality of assets, the additional loss forecasts being based on the attributes of the incidents, the attributes of the assets, and a time duration from the initial time to a time of incident inception at each of the remaining assets; and
  - calculating, by the computer processor, the cumulative loss forecast by combining the first loss forecast and the additional loss forecasts for the incident; and
- prioritizing, by the computer processor, the responses to the plurality of incidents based on the cumulative loss forecasts generated for each of the plurality of incidents.

Dependent claims: 2, 3, 4.
5. A non-transitory computer-readable storage medium storing computer program instructions for prioritizing responses to a plurality of incidents according to a method, the method comprising:
- receiving attributes of a plurality of linked assets within a system;
- receiving attributes of a plurality of incidents, each incident of the plurality of incidents being initially associated with an initial asset at an initial time;
- generating, for each incident, a cumulative loss forecast for the incident by:
  - calculating a first loss forecast for the incident with respect to the corresponding initial asset, the first loss forecast calculations being based on the attributes of the incidents and the attributes of the assets, and an incident impact over time on an asset confidentiality loss model, an incident impact over time on an asset integrity loss model, and an incident impact over time on an asset availability loss model;
  - calculating additional loss forecasts for the incident with respect to each of the remaining assets of the plurality of assets, the additional loss forecasts being based on the attributes of the incidents, the attributes of the assets, and a time duration from the initial time to a time of incident inception at each of the remaining assets; and
  - calculating the cumulative loss forecast by combining the first loss forecast and the additional loss forecasts for the incident; and
- prioritizing the responses to the plurality of incidents based on the cumulative loss forecasts generated for each of the plurality of incidents.

Dependent claims: 6, 7, 8.
9. A system including a processor and a memory, the memory storing instructions operable with the processor for prioritizing responses to a plurality of incidents, the instructions associated with a plurality of devices, the devices comprising:
- a receiving device that (1) receives attributes of a plurality of linked assets within an environment, and (2) receives attributes of a plurality of incidents, each incident of the plurality of incidents being initially associated with an initial asset at an initial time;
- a cumulative loss forecast generating device that generates, for each incident, a cumulative loss forecast for the incident by:
  - calculating a first loss forecast for the incident with respect to the corresponding initial asset, the first loss forecast calculations being based on the attributes of the incidents and the attributes of the assets, and an incident impact over time on an asset confidentiality loss model, an incident impact over time on an asset integrity loss model, and an incident impact over time on an asset availability loss model;
  - calculating additional loss forecasts for the incident with respect to each of the remaining assets of the plurality of assets, the additional loss forecasts being based on the attributes of the incidents, the attributes of the assets, and a time duration from the initial time to a time of incident inception at each of the remaining assets; and
  - calculating the cumulative loss forecast by combining the first loss forecast and the additional loss forecasts for the incident; and
- a prioritizing device that prioritizes the responses to the plurality of incidents based on the cumulative loss forecasts generated for each of the plurality of incidents.

Dependent claims: 10, 11, 12, 14.
13. A method of prioritizing responses to a plurality of incidents, the method being performed by a computer processor connected to a memory, the method comprising:
- receiving, by the computer processor, attributes of a plurality of linked assets within a system;
- receiving, by the computer processor, attributes of a plurality of incidents, each incident of the plurality of incidents being initially associated with an initial asset at an initial time;
- generating, by the computer processor, for each incident, a cumulative loss forecast for the incident by:
  - calculating, by the computer processor, a first loss forecast for the incident with respect to the corresponding initial asset, the first loss forecast calculations being based on attributes of the incidents and attributes of the assets;
  - calculating, by the computer processor, additional loss forecasts for the incident with respect to each of the remaining assets of the plurality of assets, the additional loss forecasts being based on the attributes of the incidents, the attributes of the assets, and a time duration from the initial time to a time of incident inception at each of the remaining assets; and
  - calculating, by the computer processor, the cumulative loss forecast by combining the first loss forecast and the additional loss forecasts for the incident; and
- prioritizing, by the computer processor, the responses to the plurality of incidents based on the cumulative loss forecasts generated for each of the plurality of incidents,
wherein the incidents include one or more of the following: a denial of service attack, a virus, a worm, a trojan horse, a backdoor, or a cookie tracker.

Dependent claims: 15, 16, 17.
18. A non-transitory computer-readable storage medium storing computer program instructions for prioritizing responses to a plurality of incidents according to a method, the method comprising:
- receiving attributes of a plurality of linked assets within a system;
- receiving attributes of a plurality of incidents, each incident of the plurality of incidents being initially associated with an initial asset at an initial time;
- generating, for each incident, a cumulative loss forecast for the incident by:
  - calculating a first loss forecast for the incident with respect to the corresponding initial asset, the first loss forecast calculations being based on the attributes of the incidents and the attributes of the assets;
  - calculating additional loss forecasts for the incident with respect to each of the remaining assets of the plurality of assets, the additional loss forecasts being based on the attributes of the incidents, the attributes of the assets, and a time duration from the initial time to a time of incident inception at each of the remaining assets; and
  - calculating the cumulative loss forecast by combining the first loss forecast and the additional loss forecasts for the incident; and
- prioritizing the responses to the plurality of incidents based on the cumulative loss forecasts generated for each of the plurality of incidents,
wherein the incidents include one or more of the following: a denial of service attack, a virus, a worm, a trojan horse, a backdoor, or a cookie tracker.

Dependent claims: 19, 20, 21, 22.
23. A system including a processor and a memory, the memory storing instructions operable with the processor for prioritizing responses to a plurality of incidents, the instructions associated with a plurality of devices, the devices comprising:
- a receiving device that (1) receives attributes of a plurality of linked assets within an environment, and (2) receives attributes of a plurality of incidents, each incident of the plurality of incidents being initially associated with an initial asset at an initial time;
- a cumulative loss forecast generating device that generates, for each incident, a cumulative loss forecast for the incident by:
  - calculating a first loss forecast for the incident with respect to the corresponding initial asset, the first loss forecast calculations being based on the attributes of the incidents and the attributes of the assets;
  - calculating additional loss forecasts for the incident with respect to each of the remaining assets of the plurality of assets, the additional loss forecasts being based on the attributes of the incidents, the attributes of the assets, and a time duration from the initial time to a time of incident inception at each of the remaining assets; and
  - calculating the cumulative loss forecast by combining the first loss forecast and the additional loss forecasts for the incident; and
- a prioritizing device that prioritizes the responses to the plurality of incidents based on the cumulative loss forecasts generated for each of the plurality of incidents,
wherein the incidents include one or more of the following: a denial of service attack, a virus, a worm, a trojan horse, a backdoor, or a cookie tracker.

Dependent claims: 24, 25, 26, 27.
Specification