Distributive security investigation
First Claim
1. At a computer system, the computer system including a monitoring system and a case management system, the monitoring system configured to collect security information for one or more other devices, the case management system configured to investigate detected security state changes that occur at the one or more other devices, a method for investigating a security related issue, the method comprising:
- receiving a security alert for a device, the device included in the one or more other devices, the security alert identifying a security related issue that occurred during operation of the device;
- determining that the security related issue is of a sufficient priority to investigate by analyzing the security alert in view of collected security information for the one or more devices;
- investigating the security related issue, including:
  - opening an investigation for the security related issue;
  - creating a case object for the investigation, the case object being a storage object configured to store information associated with the security related issue;
  - formulating a request to send to at least one device from among the one or more devices to request additional information associated with the security related issue, including:
    - identifying a plurality of assets related to the investigation;
    - adding a modifier to the request to request that additional information be returned with a specified level of detail;
  - sending the formulated request to the at least one device to request the additional information about the plurality of assets be returned to the computer system with the specified level of detail;
  - receiving one or more responses from the at least one device, the one or more responses responsive to the formulated request, the one or more responses including the additional information about the plurality of assets, the additional information related to the investigation and having the specified level of detail;
  - updating the case object by storing the additional information received in the one or more responses in the case object;
  - drawing a conclusion with respect to the security related issue by analyzing the updated case object;
  - automatically and iteratively refining the updated case object by:
    - analyzing the updated case object;
    - based on the analysis, automatically and without user intervention, issuing one or more additional requests for further information to the at least one device, the one or more additional requests changing the modifier to request that the requested further information have a different specified level of detail;
    - receiving the further information from the at least one device; and
    - refining the case object by consolidating the further information along with the additional information in the case object; and
  - drawing a further conclusion with respect to the security related issue by analyzing the consolidated information in the refined case object.
Abstract
A security investigation system uses a central server to distribute requests for security information regarding an asset, receive responses, and manage the information in the responses in a case object. Requests may be distributed to various servers, each of which may have an agent that may receive the request, search various databases, logs, and other locations, and generate a response. A case object may be continually updated in some embodiments. The case object may be viewed, analyzed, and other requests generated using automated or manual tools. A case object may be sanitized for analysis without compromising sensitive information.
20 Claims
1. Independent claim 1 is given in full above under First Claim. Dependent claims: 2 to 10.
11. A system comprising:
- a database, the database storing security states for each of a plurality of monitored devices;
- a monitoring system, the monitoring system configured to:
  - receive a security alert for a device, the device included in the plurality of devices, the security alert identifying a security related threat that occurred during operation of the device; and
  - determine that the security related threat is of a sufficient priority to investigate by analyzing the security alert in view of stored security states;
- a case management system, the case management system configured to investigate security related threats that occur during operation of the plurality of devices, including:
  - open an investigation for a security related threat;
  - create a case object for the investigation, the case object being a storage object configured to store information associated with the security related threat;
  - formulate a request to send to at least one device from among the one or more devices to request additional information associated with the security related threat, including:
    - identify a plurality of assets related to the investigation;
    - add a modifier to the request to request that additional information be returned with a specified level of detail;
  - send the formulated request to the at least one device to request the additional information about the plurality of assets be returned to the computer system with the specified level of detail;
  - receive one or more responses from the at least one device, the one or more responses responsive to the formulated request, the one or more responses including the additional information about the plurality of assets, the additional information related to the investigation and having the specified level of detail;
  - update the case object by storing the additional information received in the one or more responses in the case object;
  - draw a conclusion with respect to the security related issue by analyzing the updated case object;
  - automatically and iteratively refine the updated case object by:
    - analyzing the updated case object;
    - based on the analysis, automatically and without user intervention, issuing one or more additional requests for further information to the at least one device, the one or more additional requests changing the modifier to request that the further information have a different specified level of detail;
    - receiving the further information from the at least one device; and
    - refining the case object by consolidating the further information along with the additional information in the case object; and
  - draw a further conclusion with respect to the security related issue by analyzing the consolidated information in the refined case object.

Dependent claims: 12 to 14.
15. A computer program product for use at a computer system, the computer program product for implementing a method for investigating a security related issue, the computer program product comprising one or more computer storage devices having stored thereon computer executable instructions that, when executed, cause the computer system to perform the method including the following:
- receive a selection of a security alert for a device, the device included in the plurality of devices, the security alert identifying a security related threat that occurred during operation of the device;
- investigate the security related issue in response to receiving the selection of the security alert, including:
  - open an investigation for the security related issue;
  - create a case object for the investigation, the case object being a storage object configured to store information associated with the security related issue;
  - formulate a request to send to at least one device from among the one or more devices to request additional information associated with the security related issue, including:
    - identify a plurality of assets related to the investigation;
    - add a modifier to the request to request that additional information be returned with a specified level of detail;
  - send the formulated request to the at least one device to request the additional information about the plurality of assets be returned to the computer system with the specified level of detail;
  - receive one or more responses from the at least one device, the one or more responses responsive to the formulated request, the one or more responses including the additional information about the plurality of assets, the additional information related to the investigation and having the specified level of detail;
  - update the case object by storing the additional information received in the one or more responses in the case object;
  - present at least a portion of the updated case object on a user interface to help a user draw a conclusion with respect to the security related issue;
  - automatically and iteratively refine the updated case object by:
    - analyzing the updated case object;
    - based on the analysis, automatically and without user intervention, issuing one or more additional requests for further information to the at least one device, the one or more additional requests changing the modifier to request that the further information have a different specified level of detail;
    - receiving the further information from the at least one device; and
    - refining the case object by consolidating the further information along with the additional information in the case object; and
  - draw a further conclusion with respect to the security related issue by analyzing the consolidated information in the refined case object.

Dependent claims: 16 to 20.
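A minimal model of the case-object workflow described in the abstract and the independent claims (open a case, request asset information with a level-of-detail modifier, consolidate the responses, refine automatically by changing the modifier, and produce a sanitized view), written here as an added illustration and not code from the patent or any product it covers. The agent data, the field names, and the two-level detail scheme are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed agent-side data (hypothetical, not from the patent): per device, per
# asset, what the agent returns at detail level 1 (summary) and level 2 (full).
AGENT_DATA = {
    "host-a": {
        "proc.exe": {1: {"hash": "h-proc"},
                     2: {"hash": "h-proc", "parent": "svchost.exe", "owner": "alice"}},
        "user.db": {1: {"hash": "h-db", "parent": "proc.exe"}},
    },
}

@dataclass
class CaseObject:
    alert_id: str
    assets: dict = field(default_factory=dict)    # asset -> consolidated info
    requests: list = field(default_factory=list)  # trail of (device, assets, level)

def agent_respond(device, assets, level):
    """Agent on a monitored device answers a request at the requested level of detail."""
    return {a: dict(AGENT_DATA.get(device, {})[a][level])
            for a in assets if a in AGENT_DATA.get(device, {}) and level in AGENT_DATA[device][a]}

def request_and_consolidate(case, device, assets, level):
    """Send one request carrying the detail modifier and merge the response into the case."""
    case.requests.append((device, tuple(assets), level))
    for asset, info in agent_respond(device, assets, level).items():
        case.assets.setdefault(asset, {}).update(info)   # consolidate, never discard
    return case

def needs_more_detail(case):
    """Analysis step: an asset whose parent is still unknown warrants a deeper request."""
    return [a for a, info in case.assets.items() if "parent" not in info]

def investigate(alert_id, device, assets, max_level=2):
    """Open a case, request summaries, then refine automatically by raising the modifier."""
    case = CaseObject(alert_id)
    level = 1
    request_and_consolidate(case, device, assets, level)
    while (pending := needs_more_detail(case)) and level < max_level:
        level += 1                                  # change the modifier, no user input
        request_and_consolidate(case, device, pending, level)
    return case

def sanitize(case):
    """Analysis view of the case with the sensitive field (owner) redacted."""
    return {a: {k: "<redacted>" if k == "owner" else v for k, v in info.items()}
            for a, info in case.assets.items()}
```

The second request is issued only for the asset the analysis step flagged, so the level-2 detail (and the sensitive owner field) is pulled back only where the case needs it.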