System and method for coordinating network incident response activities
First Claim
1. A computer-implemented method for responding to an attack that occurred on a computer network, comprising:
receiving a description of the attack that occurred;
accessing a description of a topology of the network;
determining, based on the attack description and the topology description, one or more devices or applications that are relevant to the attack that occurred;
determining, based on the one or more relevant devices or applications, a first set of actions that can be executed to respond to the attack that occurred;
automatically determining, from the first set of actions, a subset of actions to execute to respond to the attack that occurred;
executing the subset of actions; and
determining that the attack that occurred no longer presents a threat.
Abstract
The present invention provides a system and method to process information regarding a network attack through an automated workflow that actively reconfigures a plurality of heterogeneous network-attached devices and applications to dynamically counter the attack using the network's own self-defense mechanisms. The present invention leverages the security capabilities present within existing and new network-attached devices and applications to effect a distributed defense that immediately quarantines and/or mitigates attacks from hostile sources at multiple points simultaneously throughout the network. In a preferred embodiment, deployed countermeasures are automatically lifted following remediation activities.
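The seven steps of claim 1 and the abstract's automatic lifting of countermeasures, carried through as an added example that is not the patent's or any assignee's code: a toy orchestrator over a constructed topology of one edge firewall, two access switches and one identity provider. The device names, subnets, action verbs, disruption costs and the selection policy (cheapest action first until the threat check passes) are all assumptions made for this example; the patent specifies none of them.

```python
# Added example: toy orchestrator for claim 1's workflow; device names, subnets, verbs and costs are constructed.
import ipaddress
from dataclasses import dataclass, field

INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # assumed site address range


@dataclass
class Device:
    name: str
    kind: str                                    # "firewall" | "switch" | "idp"
    subnets: list                                # CIDRs this device can enforce on
    active: set = field(default_factory=set)     # countermeasures currently applied


@dataclass
class Action:
    device: Device
    verb: str                                    # "block_ip" | "isolate_host" | "disable_user"
    target: str
    cost: int                                    # assumed disruption score; lower is better


@dataclass
class Attack:                                    # step 1: the attack description as received
    source_ip: str
    target_ip: str
    compromised_user: str = ""                   # empty when no credential is known stolen


def build_topology():                            # step 2: the topology description (constructed)
    return [Device("fw-edge", "firewall", ["0.0.0.0/0"]),
            Device("sw-dc", "switch", ["10.0.1.0/24"]),
            Device("sw-users", "switch", ["10.0.2.0/24"]),
            Device("idp", "idp", [])]


def governs(dev, ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in dev.subnets)


def switch_for(topo, ip):
    return next((d for d in topo if d.kind == "switch" and governs(d, ip)), None)


def traffic_path(topo, attack):
    """Step 3: enforcement points the attacker's traffic crosses; external sources enter via the firewall."""
    first = (switch_for(topo, attack.source_ip) if ipaddress.ip_address(attack.source_ip) in INTERNAL
             else next(d for d in topo if d.kind == "firewall"))
    last = switch_for(topo, attack.target_ip)
    hops = [first, last] if last is not first else [first]
    return [d for d in hops if d is not None]


def candidate_actions(topo, attack):
    """Step 4: the 'first set' of actions the relevant devices could take."""
    acts = []
    for d in traffic_path(topo, attack):
        if d.kind == "firewall":
            acts.append(Action(d, "block_ip", attack.source_ip, cost=1))
        if d.kind == "switch" and governs(d, attack.source_ip):
            acts.append(Action(d, "isolate_host", attack.source_ip, cost=3))
        if d.kind == "switch" and governs(d, attack.target_ip):
            acts.append(Action(d, "isolate_host", attack.target_ip, cost=5))   # disrupts the victim
    if attack.compromised_user:
        acts += [Action(d, "disable_user", attack.compromised_user, cost=2) for d in topo if d.kind == "idp"]
    return acts


def threat_remains(topo, attack, applied=None):
    """Step 7's check: attacker still reaches the target, or a stolen credential is still live."""
    if applied is None:                          # read the live state from the devices
        applied = {(d.name, v, t) for d in topo for (v, t) in d.active}
    cuts = {("block_ip", attack.source_ip), ("isolate_host", attack.source_ip),
            ("isolate_host", attack.target_ip)}
    severed = any((d.name, v, t) in applied for d in traffic_path(topo, attack) for (v, t) in cuts)
    cred_live = bool(attack.compromised_user) and not any(
        (d.name, "disable_user", attack.compromised_user) in applied for d in topo if d.kind == "idp")
    return not severed or cred_live


def select_actions(topo, attack, candidates):
    """Step 5, one assumed policy: cheapest first, stop once the simulated state passes the check."""
    chosen, simulated = [], set()
    for a in sorted(candidates, key=lambda a: a.cost):
        if not threat_remains(topo, attack, simulated):
            break
        chosen.append(a)
        simulated.add((a.device.name, a.verb, a.target))
    return chosen


def execute(actions):                            # step 6: stand-in for each device's real API
    for a in actions:
        a.device.active.add((a.verb, a.target))


def lift(actions):                               # abstract: lift countermeasures after remediation
    for a in actions:
        a.device.active.discard((a.verb, a.target))


def respond(topo, attack):                       # the whole workflow; returns actions taken and step 7's verdict
    chosen = select_actions(topo, attack, candidate_actions(topo, attack))
    execute(chosen)
    return chosen, not threat_remains(topo, attack)
```

Run against the constructed topology, an external attacker at 203.0.113.7 hitting 10.0.1.10 with a stolen credential yields a block at fw-edge plus a disable of the account, and the victim's switch port is left alone because the cheaper actions already pass the check; an internal attacker is instead isolated at its own access switch, since the edge firewall is not on that path. The same predicate serves both selection and verification, so the orchestrator cannot declare success on a criterion it did not plan against; a real deployment would verify against observed traffic rather than configuration state, and would revalidate before lifting anything.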
14 Claims
Claim 1, the independent claim, is reproduced above under First Claim; claims 2 to 14 depend on it.
Specification