Policy-based selection of remediation

US 8,914,846 B2
Filed: 05/17/2014
Issued: 12/16/2014
Est. Priority Date: 09/03/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

periodically sampling, by a first computer system, information regarding a program-code-based operational state of a second computer system;

determining whether the program-code-based operational state of the second computer system represents a violation of one or more security policies of a network to which the second computer system is connected by causing to be evaluated, by the first computer system, the information with respect to the one or more security policies, wherein each security policy of the one or more security policies defines at least one parameter condition violation of which is potentially indicative of unauthorized activity on the second computer system or manipulation of the second computer system to make the second computer system vulnerable to attack;

when a result of the determining is affirmative, then;

causing, by the first computer system, a remediation to be identified that can be applied to the second computer system to address the violation; and

causing, by the first computer system, the identified remediation to be deployed to the second computer system; and

wherein the violation is based at least in part on one or more of;

whether a particular process is running on the second computer system;

existence or non-existence of a particular application on the second computer system;

a version of the particular application installed on the second computer system;

a status of the particular application with respect to whether a patch associated with the particular application has been installed on the second computer system;

a version of an operating system installed on the second computer system;

a type of the operating system; and

a configuration of the operating system.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for remediating a security policy violation on a computer system are provided. According to one embodiment, information regarding a program-code-based operational state of a computer system is periodically sampled. A determination is made regarding whether the program-code-based operational state represents a violation of a security policy by evaluating the information with respect to multiple security policies each of with defines at least one parameter condition violation of which is potentially indicative of unauthorized activity on the computer system or manipulation of the computer system to make the computer system vulnerable to attack. When a violation exists then a remediation is identified and deployed to the computer system. The violation is based at least in part on one or more of: whether a particular process is running; the existence, version or status of a particular application; and a version, type or configuration of an operating system installed.

Citations

20 Claims

1. A computer-implemented method comprising:
- periodically sampling, by a first computer system, information regarding a program-code-based operational state of a second computer system;
  
  determining whether the program-code-based operational state of the second computer system represents a violation of one or more security policies of a network to which the second computer system is connected by causing to be evaluated, by the first computer system, the information with respect to the one or more security policies, wherein each security policy of the one or more security policies defines at least one parameter condition violation of which is potentially indicative of unauthorized activity on the second computer system or manipulation of the second computer system to make the second computer system vulnerable to attack;
  
  when a result of the determining is affirmative, then;
  
  causing, by the first computer system, a remediation to be identified that can be applied to the second computer system to address the violation; and
  
  causing, by the first computer system, the identified remediation to be deployed to the second computer system; and
  
  wherein the violation is based at least in part on one or more of;
  
  whether a particular process is running on the second computer system;
  
  existence or non-existence of a particular application on the second computer system;
  
  a version of the particular application installed on the second computer system;
  
  a status of the particular application with respect to whether a patch associated with the particular application has been installed on the second computer system;
  
  a version of an operating system installed on the second computer system;
  
  a type of the operating system; and
  
  a configuration of the operating system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising maintaining a policy database having stored therein a plurality of security policies, including the one or more security policies.
  - 3. The method of claim 1, wherein the information regarding a program-code-based operational state comprises information indicative of one or more drivers installed on the second computer system.
  - 4. The method of claim 3, wherein the violation relates to existence or non-existence of a particular type of driver on the second computer system.
  - 5. The method of claim 4, wherein the particular type of driver comprises a universal serial bus (USB) driver.
  - 6. The method of claim 1, wherein the violation relates to whether a removable storage device is connected to the second computer system.
  - 7. The method of claim 1, wherein the first computer system comprises a remote server coupled in communication with the second computer system via a public network, wherein the second computer system comprises a host asset of a plurality of monitored host assets within an enterprise and wherein the method further comprises receiving, by the remote server, information indicative of one or more files stored on the host asset.
  - 8. The method of claim 7, wherein the violation relates to existence or non-existence of a particular file on the host asset.
  - 9. The method of claim 7, wherein the violation is based at least in part on a location of the particular file on the host asset.
  - 10. The method of claim 7, wherein the violation is based at least in part on one or more permissions associated with the particular file.
  - 11. The method of claim 1, wherein the identified remediation is deployed to the second computer system in a form of one or more automatically-machine-actionable actions.
  - 12. The method of claim 11, wherein each of the one or more automatically-machine-actionable actions are represented by a set of one or more Java byte codes.
  - 13. The method of claim 1, further comprising determining whether there has been a change in the program-code-based operational state relative to an immediately preceding sampling cycle.

14. A non-transitory computer-readable storage medium tangibly embodying a set of instructions, which when executed by one or more processors of a first computer system, cause the one or more processors to perform a method comprising:
- periodically sampling information regarding a program-code-based operational state of a second computer system;
  
  determining whether the program-code-based operational state of the second computer system represents a violation of one or more security policies of a network to which the second computer system is connected by causing to be evaluated the information with respect to the one or more security policies, wherein each security policy of the one or more security policies defines at least one parameter condition violation of which is potentially indicative of unauthorized activity on the second computer system or manipulation of the second computer system to make the second computer system vulnerable to attack;
  
  when a result of the determining is affirmative, then;
  
  causing a remediation to be identified that can be applied to the second computer system to address the violation; and
  
  causing the identified remediation to be deployed to the second computer system; and
  
  wherein the violation is based at least in part on one or more of;
  
  whether a particular process is running on the second computer system;
  
  existence or non-existence of a particular application on the second computer system;
  
  a version of the particular application installed on the second computer system;
  
  a status of the particular application with respect to whether a patch associated with the particular application has been installed on the second computer system;
  
  a version of an operating system installed on the second computer system;
  
  a type of the operating system; and
  
  a configuration of the operating system.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the method further comprises maintaining a policy database having stored therein a plurality of security policies, including the one or more security policies.
  - 16. The non-transitory computer-readable storage medium of claim 14, wherein the information regarding a program-code-based operational state comprises information indicative of one or more drivers installed on the second computer system.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein the violation relates to whether a removable storage device is connected to the second computer system.
  - 18. The method of claim 14, wherein the first computer system comprises a remote server coupled in communication with the second computer system via a public network, wherein the second computer system comprises a host asset of a plurality of monitored host assets within an enterprise and wherein the method further comprises receiving information indicative of one or more files stored on the host asset.
  - 19. The non-transitory computer-readable storage medium of claim 18, wherein the violation relates to existence or non-existence of a particular file on the host asset.
  - 20. The non-transitory computer-readable storage medium of claim 14, wherein the method further comprises determining whether there has been a change in the program-code-based operational state relative to an immediately preceding sampling cycle.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Bezilla, Daniel B., Immordino, John L., Ogura, James Le
Primary Examiner(s)
DADA, BEEMNET W

Application Number

US14/280,586
Publication Number

US 20140304767A1
Time in Patent Office

213 Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/57   Certifying or maintaining t...

H04L 43/0876   Network utilisation, e.g. v...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Policy-based selection of remediation

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-based selection of remediation

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links