Prioritizing network security vulnerabilities using accessibility
Abstract
An enterprise network includes hosts running services. Some of the services have security vulnerabilities. There are one or more threat zones associated with the network. For example, a firewall may create two threat zones, one internal to the firewall and one external to it. A device profiler in the first threat zone profiles the hosts on the network and identifies the vulnerabilities that are present. A device profiler in the second threat zone determines which of the identified vulnerabilities are accessible from its zone. A risk module calculates the risk associated with a vulnerability based on the vulnerability's severity, threat level metrics for the threat zones, and an asset value of the host with the vulnerability. A reporting module prioritizes the vulnerabilities based on their risks.
21 Claims
1. A method of prioritizing security vulnerabilities in an enterprise computer network having an address space accessible from a plurality of threat zones, comprising:
profiling hosts in the address space of the enterprise computer network by sending packets to addresses within the address space using a first device profiler located in a first threat zone of the network to identify vulnerabilities of the hosts accessible from the first threat zone;
profiling the hosts in the address space of the enterprise computer network by sending packets to the addresses within the address space using a second device profiler located in a second threat zone of the network to identify vulnerabilities of the hosts accessible from the second threat zone;
assigning a first threat level metric to the first threat zone and a second threat level metric to the second threat zone, the first threat level metric indicating a relative likelihood that a threat will emanate from the first threat zone, and the second threat level indicating a relative likelihood that a threat will emanate from the second threat zone;
for an identified vulnerability accessible from both the first and second threat zones, calculating a risk associated with the identified vulnerability using the first and second threat level metrics;
for a service affected by the identified vulnerability, calculating a risk associated with the service using the risk associated with the identified vulnerability and one or more risks associated with other vulnerabilities that affect the service; and
prioritizing the identified vulnerability relative to other vulnerabilities using the calculated risk.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system for prioritizing security vulnerabilities in an enterprise computer network having an address space accessible from a plurality of threat zones, comprising:
a first device profiler located in a first threat zone of the network for profiling hosts in the address space of the enterprise computer network by sending packets to addresses within the address space to identify vulnerabilities of the hosts accessible from the first threat zone;
a second device profiler located in a second threat zone of the network for profiling hosts in the address space of the enterprise computer network by sending packets to addresses within the address space to identify vulnerabilities of the hosts accessible from the second threat zone;
a risk module for:
(1) assigning a first threat level metric to the first threat zone and a second threat level metric to the second threat zone, the first threat level metric indicating a relative likelihood that a threat will emanate from the first threat zone and the second threat level indicating a relative likelihood that a threat will emanate from the second threat zone;
(2) calculating a risk associated with an identified vulnerability accessible from the first and second threat zones using the first and second threat level metrics; and
(3) calculating a risk associated with a service affected by the identified vulnerability using the risk associated with the identified vulnerability and one or more risks associated with other vulnerabilities that affect the service; and
a reporting module for prioritizing the vulnerability relative to other vulnerabilities responsive to the calculated risk.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A computer program product stored on a non-transitory computer readable storage medium, the computer program product for prioritizing security vulnerabilities in an enterprise computer network having an address space accessible from a plurality of threat zones, comprising:
a first vulnerability detection module adapted to be located in a first threat zone of the network for profiling hosts in the address space of the enterprise computer network by sending packets to addresses within the address space to identify vulnerabilities of the hosts accessible from the first threat zone;
a second vulnerability detection module adapted to be located in a second threat zone of the network for profiling hosts in the address space of the enterprise computer network by sending packets to addresses within the address space to identify vulnerabilities of the hosts accessible from the second threat zone;
a risk module:
(1) for assigning a first threat level metric to the first threat zone and a second threat level metric to the second threat zone, the first threat level metric indicating a relative likelihood that a threat will emanate from the first threat zone and the second threat level indicating a relative likelihood that a threat will emanate from the second threat zone;
(2) for calculating a risk associated with the identified vulnerability accessible from the first and second threat zones using the first and second threat level metrics; and
(3) for calculating a risk associated with a service affected by the identified vulnerability using the risk associated with the identified vulnerability and one or more risks associated with other vulnerabilities that affect the service; and
a reporting module for prioritizing the vulnerability relative to other vulnerabilities responsive to the calculated risk.
Dependent claims: 16, 17, 18, 19, 20, 21.