Method and device for managing security events

US 8,806,620 B2
Filed: 12/26/2009
Issued: 08/12/2014
Est. Priority Date: 12/26/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

establishing a security event manager on a mobile computing device;

receiving security event data with the security event manager, the security event data being generated on the mobile computing device by at least one security event source of the mobile computing device;

transmitting the security event data to an enterprise security event manager server in response to determining that the mobile computing device is communicatively coupled to the enterprise security event manager server; and

responding to the security event on the mobile computing device with the security event manager if the mobile computing device is not communicatively coupled to the enterprise security event manager server, wherein responding to the security event comprises;

(i) retrieving security policy data with the security event manager, the security policy data defining a set of security event rules for determining the occurrence of a security event; and

(ii) determining an occurrence of a security event with the security event manager based on the security event data and the security policy data by;

normalizing, on the mobile computing device, the security event data to generate normalized security event data, the normalized security event data having a predetermined data format;

aggregating, on the mobile computing device, the normalized security event data to generate aggregated security event data, the aggregated security event data summarizing the normalized security event data; and

correlating, on the mobile computing device, the aggregated security event data to determine an occurrence of a security event based on the security policy data and on context data associated with the mobile computing device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and device for managing security events includes establishing a security event manager on a mobile computing device. The security event manager may be embodied as software and/or hardware components. The security event manager receives security event data from a plurality of security event sources of the mobile computing device and correlates the security event data based on a security policy to determine whether a security event has occurred. The security event manager responds to the security event based on the security policy.

Citations

22 Claims

1. A method comprising:
- establishing a security event manager on a mobile computing device;
  
  receiving security event data with the security event manager, the security event data being generated on the mobile computing device by at least one security event source of the mobile computing device;
  
  transmitting the security event data to an enterprise security event manager server in response to determining that the mobile computing device is communicatively coupled to the enterprise security event manager server; and
  
  responding to the security event on the mobile computing device with the security event manager if the mobile computing device is not communicatively coupled to the enterprise security event manager server, wherein responding to the security event comprises;
  
  (i) retrieving security policy data with the security event manager, the security policy data defining a set of security event rules for determining the occurrence of a security event; and
  
  (ii) determining an occurrence of a security event with the security event manager based on the security event data and the security policy data by;
  
  normalizing, on the mobile computing device, the security event data to generate normalized security event data, the normalized security event data having a predetermined data format;
  
  aggregating, on the mobile computing device, the normalized security event data to generate aggregated security event data, the aggregated security event data summarizing the normalized security event data; and
  
  correlating, on the mobile computing device, the aggregated security event data to determine an occurrence of a security event based on the security policy data and on context data associated with the mobile computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein establishing the security event manager comprises establishing the security event manager in a secured boot environment.
  - 3. The method of claim 1, wherein receiving security event data comprises receiving security event data generated on the mobile computing device by a plurality of security event sources of the mobile computing device.
  - 4. The method of claim 1, wherein receiving the security event data comprises receiving security event data generated from at least one of a firmware of the mobile computing device, an operating system of the mobile computing device, and a software application executed on the mobile computing device.
  - 5. The method of claim 1, wherein the context data comprises data indicative of at least one of a location of a user of the mobile computing device, an activity of the user, an aspect of the environment in which the user is located, and biometric data related to the user.
  - 6. The method of claim 1, further comprising:
    - retrieving the context data with the security event manager from a context database stored on the mobile computing device if the mobile computing device is not communicatively coupled to the enterprise security event manager server.
  - 7. The method of claim 1, wherein responding to the security event comprises performing at least one of the following actions on the mobile computing device:
    - changing a connectivity state of the mobile computing device, modifying access to a software application on the mobile computing device, modifying an event data filter of the security event manager, denying access to data, rebooting the mobile computing device, modifying a power state of the mobile computing device, and quarantining a software application or service executed on the mobile computing device.
  - 8. The method of claim 1, further comprising:
    - receiving sensor data generated from a sensor of the mobile computing device; and
      
      updating a context database stored on the mobile computing device with the sensor data.
  - 9. The method of claim 1, further comprising:
    - displaying a user interface on the mobile computing device to receive user input data; and
      
      updating the security policy data based on the user input data.
  - 10. The method of claim 1, further comprising:
    - establishing a network communication connection with an enterprise security event manager server; and
      
      transmitting the security event data from the mobile computing device to the enterprise security event manager server.
  - 11. The method of claim 1, wherein the context data identifies a location of the mobile computing device.
  - 12. The method of claim 11, wherein the context data identifies a building in which the mobile computing device is located.
  - 13. The method of claim 11, wherein the context data identifies global positioning system coordinates at which the mobile computing device is located.

14. A mobile computing device comprising:
- a security event manager;
  
  a processor; and
  
  a memory device having stored therein a plurality of instructions, which when executed by the processor, cause the security event manager to;
  
  receive security event data generated on the mobile computing device from a plurality of security event sources of the mobile computing device;
  
  transmit the security event data to an enterprise security event manager server in response to a determination that the mobile computing device is communicatively coupled to the enterprise security event manager server; and
  
  respond to a security event on the mobile computing device with the security event manager if the mobile computing device is not communicatively coupled to the enterprise security event manager server, wherein to respond to the security event comprises to;
  
  normalize, on the mobile computing device, the security event data to generate normalized security event data, the normalized security event data having a predetermined data format;
  
  aggregate, on the mobile computing device, the normalized security event data to generate aggregated security event data, the aggregated security event data summarizing the normalized security event data; and
  
  correlate, on the mobile computing device, the aggregated security event data based on a security policy and on context data associated with the mobile computing device to determine an occurrence of a security event, the security policy being stored on the mobile computing device and defining a set of security event rules for determining the occurrence of a security event.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The mobile computing device of claim 14, wherein to correlate the security event data comprises to determine an occurrence of a security event in response to the security event data having a predetermined relationship with at least one security event rule of the security policy.
  - 16. The mobile computing device of claim 14, wherein the context data is related to a user of the mobile computing device, and wherein the plurality of instructions further cause the security event manager to retrieve the context data from a context database stored on the mobile computing device.
  - 17. The method of claim 16, wherein the context data identifies at least one of an activity being performed by the user or biometric data of the user.
  - 18. The mobile computing device of claim 14, further comprising a sensor and wherein the plurality of instructions further cause the security event manager to:
    - receive sensor data generated from the sensor, andupdate a context database stored on the mobile computing device with the sensor data.
  - 19. The mobile computing device of claim 14, wherein the plurality of instructions further cause the security event manager to:
    - establish a network communication connection with an enterprise security event manager server; and
      
      transmit the security event data from the mobile computing device to the enterprise security event manager server.

20. A non-transitory machine-readable storage medium comprising a plurality of instructions, that in response to being executed, result in a mobile computing device:
- establishing a security event manager on the mobile computing device;
  
  receiving security event data with the security event manager, the security event data being generated on the mobile computing device by a plurality of security event sources of the mobile computing device;
  
  transmitting the security event data to an enterprise security event manager server in response to determining that the mobile computing device is communicatively coupled to the enterprise security event manager server; and
  
  responding to a security event on the mobile computing device with the security event manager if the mobile computing device is not communicatively coupled to the enterprise security event manager server, wherein responding to the security event comprises;
  
  (i) normalizing the security event data, using the security event manager on the mobile computing device, to generate normalized security event data, the normalized security event data having a predetermined data format;
  
  (ii) aggregating the normalized security event data, using the security event manager on the mobile computing device, to generate aggregated security event data, the aggregated security event data summarizing the normalized security event data; and
  
  (iii) correlating the aggregated security event data based on a predetermined security policy and on context data associated with the mobile computing device, using the security event manager on the mobile computing device, to determine whether a security event has occurred.
- View Dependent Claims (21, 22)
- - 21. The non-transitory machine-readable storage medium of claim 20, wherein correlating the aggregated security event data comprises determining whether the security event data has a predetermined relationship with at least one security event rule defined by the predetermined security policy.
  - 22. The non-transitory machine-readable storage medium of claim 20, wherein the plurality of instructions further result in the computing device responding to a security event based on the predetermined security policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Purcell, Stacy P., Ross, Alan D., Baca, Jim S., Aissi, Selim, Kohlenberg, Tobias M., Morgan, Dennis M.
Primary Examiner(s)
Gee, Jason K.
Assistant Examiner(s)
LWIN, MAUNG T

Application Number

US12/647,447
Publication Number

US 20110161848A1
Time in Patent Office

1,690 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/04   specially adapted for termi...

Method and device for managing security events

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and device for managing security events

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links