Policy-based selection of remediation

US 8,776,170 B2
Filed: 08/31/2013
Issued: 07/08/2014
Est. Priority Date: 09/03/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, by a first computer system, information regarding a program-code-based operational state of a second computer system at a particular time;

determining whether the program-code-based operational state of the second computer system represents a violation of one or more security policies that have been applied to or are active in regard to the second computer system by evaluating, by the first computer system, the received information with respect to the one or more security policies, wherein each security policy of the one or more security policies defines at least one parameter condition violation of which is potentially indicative of unauthorized activity on the second computer system or manipulation of the second computer system to make the second computer system vulnerable to attack; and

when a result of the determining is affirmative, then;

identifying, by the first computer system, a remediation that can be applied to the second computer system to address the violation; and

causing, by the first computer system, the remediation to be deployed to the second computer system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for remediating a security policy violation on a computer system are provided. According to one embodiment, information is received by one computer system regarding a program-code-based operational state of another computer system at a particular time. It is determined whether the program-code-based operational state represents a violation of security policies that have been applied to or are active in regard to the computer system at issue by evaluating the received information with respect to the security policies. Each security policy defines at least one parameter condition violation of which is potentially indicative of unauthorized activity or manipulation to make the computer system at issue vulnerable to attack. When a security policy violation is detected, then a remediation is identified that can address the violation; and the remediation is caused to be deployed to the computer system at issue.

56 Citations

View as Search Results

23 Claims

1. A computer-implemented method comprising:
- receiving, by a first computer system, information regarding a program-code-based operational state of a second computer system at a particular time;
  
  determining whether the program-code-based operational state of the second computer system represents a violation of one or more security policies that have been applied to or are active in regard to the second computer system by evaluating, by the first computer system, the received information with respect to the one or more security policies, wherein each security policy of the one or more security policies defines at least one parameter condition violation of which is potentially indicative of unauthorized activity on the second computer system or manipulation of the second computer system to make the second computer system vulnerable to attack; and
  
  when a result of the determining is affirmative, then;
  
  identifying, by the first computer system, a remediation that can be applied to the second computer system to address the violation; and
  
  causing, by the first computer system, the remediation to be deployed to the second computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method of claim 1, further comprising prior to said causing, by the first computer system, the remediation to be deployed to the second computer system, determining whether the remediation has been configured for automatic deployment.
  - 3. The method of claim 1, further comprising maintaining, by the first computer system, a policy database having stored therein a plurality of security policies, including the one or more security policies.
  - 4. The method of claim 1, further comprising maintaining, by the first computer system, a remediation database having stored therein information regarding a plurality of remediations including the remediation.
  - 5. The method of claim 1, wherein the violation relates to presence of an unknown application or a rogue application on the second computer system.
  - 6. The method of claim 1, wherein the violation relates to existence or non-existence of a particular application on the second computer system.
  - 7. The method of claim 6, wherein the violation is based at least in part on the particular application being present on a list of prohibited applications.
  - 8. The method of claim 6, wherein the violation is based at least in part on a version of the particular application.
  - 9. The method of claim 6, wherein the violation is based at least in part on a status of the particular application.
  - 10. The method of claim 9, wherein the status is indicative of whether a patch associated with the particular application has been installed the second computer system.
  - 11. The method of claim 1, wherein the violation is based at least in part on an operating system test relating to an operating system being run by the second computer system.
  - 12. The method of claim 10, wherein violation is based at least in part on a version of the operating system or a type of the operating system.
  - 13. The method of claim 1, wherein the first computer system comprises a remote server coupled in communication with the second computer system via a public network, wherein the second computer system comprises a host asset of a plurality of monitored host assets within an enterprise and wherein the method further comprises receiving, by the remote server, information indicative of one or more files stored on the host asset.
  - 14. The method of claim 13, wherein the violation relates to existence or non-existence of a particular file on the host asset.
  - 15. The method of claim 14, wherein the violation is based at least in part on a location of the particular file on the host asset.
  - 16. The method of claim 14, wherein the violation is based at least in part on one or more permissions associated with the particular file.
  - 17. The method of claim 1, wherein the information regarding a program-code-based operational state comprises information indicative of one or more drivers installed on the second computer system.
  - 18. The method of claim 17, wherein the violation relates to existence or non-existence of a particular type of driver on the second computer system.
  - 19. The method of claim 18, wherein the particular type of driver comprises a universal serial bus (USB) driver.
  - 20. The method of claim 1, wherein the violation relates to whether a removable storage device is connected to the second computer system.
  - 21. The method of claim 1, wherein the violation relates to whether a particular process is running on the second computer system.
  - 22. The method of claim 1, the information regarding a program-code-based operational state comprises information indicative of one or more ports of the second computer system that are in use.
  - 23. The method of claim 22, wherein the violation relates to a state associated with the one or more ports.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Bezilla, Daniel B., Immordino, John L., Ogura, James Le
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US14/016,091
Publication Number

US 20140013385A1
Time in Patent Office

311 Days
Field of Search

None
US Class Current

726/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/57   Certifying or maintaining t...

H04L 43/0876   Network utilisation, e.g. v...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Policy-based selection of remediation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

56 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Policy-based selection of remediation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others