Prioritizing network security vulnerabilities using accessibility

US 8,918,883 B1
Filed: 06/14/2006
Issued: 12/23/2014
Est. Priority Date: 06/15/2005
Status: Active Grant

First Claim

Patent Images

1. A method of prioritizing security vulnerabilities in an enterprise computer network having an address space accessible from a plurality of threat zones, comprising:

profiling hosts in the address space of the enterprise computer network by sending packets to addresses within the address space using a first device profiler located in a first threat zone of the network to identify vulnerabilities of the hosts accessible from the first threat zone;

profiling the hosts in the address space of the enterprise computer network by sending packets to the addresses within the address space using a second device profiler located in a second threat zone of the network to identify vulnerabilities of the hosts accessible from the second threat zone;

assigning a first threat level metric to the first threat zone and a second threat level metric to the second threat zone, the first threat level metric indicating a relative likelihood that a threat will emanate from the first threat zone, and the second threat level indicating a relative likelihood that a threat will emanate from the second threat zone;

for an identified vulnerability accessible from both the first and second threat zones, calculating a risk associated with the identified vulnerability using the first and second threat level metrics;

for a service affected by the identified vulnerability, calculating a risk associated with the service using the risk associated with the identified vulnerability and one or more risks associated with other vulnerabilities that affect the service; and

prioritizing the identified vulnerability relative to other vulnerabilities using the calculated risk.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An enterprise network includes hosts running services. Some of the services have security vulnerabilities. There are one or more threat zones associated with the network. For example, a firewall may create two threat zones, one internal to the firewall and one external to it. A device profiler in the first threat zone profiles the hosts on the network and identifies the vulnerabilities that are present. A device profiler in the second threat zone determines which of the identified vulnerabilities are accessible from its zone. A risk module calculates the risk associated with a vulnerability based on the vulnerability'"'"'s severity, threat level metrics for the threat zones, and an asset value of the host with the vulnerability. A reporting module prioritizes the vulnerabilities based on their risks.

Citations

21 Claims

1. A method of prioritizing security vulnerabilities in an enterprise computer network having an address space accessible from a plurality of threat zones, comprising:
- profiling hosts in the address space of the enterprise computer network by sending packets to addresses within the address space using a first device profiler located in a first threat zone of the network to identify vulnerabilities of the hosts accessible from the first threat zone;
  
  profiling the hosts in the address space of the enterprise computer network by sending packets to the addresses within the address space using a second device profiler located in a second threat zone of the network to identify vulnerabilities of the hosts accessible from the second threat zone;
  
  assigning a first threat level metric to the first threat zone and a second threat level metric to the second threat zone, the first threat level metric indicating a relative likelihood that a threat will emanate from the first threat zone, and the second threat level indicating a relative likelihood that a threat will emanate from the second threat zone;
  
  for an identified vulnerability accessible from both the first and second threat zones, calculating a risk associated with the identified vulnerability using the first and second threat level metrics;
  
  for a service affected by the identified vulnerability, calculating a risk associated with the service using the risk associated with the identified vulnerability and one or more risks associated with other vulnerabilities that affect the service; and
  
  prioritizing the identified vulnerability relative to other vulnerabilities using the calculated risk.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein prioritizing the vulnerability relative to other vulnerabilities of the hosts comprises:
    - prioritizing the vulnerability of the host accessible from the first and second threat zones over a second vulnerability of the host that is inaccessible from the second threat zone;
      
      generating a ranked list of the vulnerabilities responsive to the priorities of the vulnerability and the second vulnerability; and
      
      sending the ranked list of the vulnerabilities to a network security device, the network security device adapted to prioritize processing of the vulnerabilities based on the ranked list.
  - 3. The method of claim 1, wherein profiling the hosts in the address space of the enterprise computer network by sending packets to the addresses within the address space using a second device profiler comprises:
    - identifying a service on a host in the first threat zone of the network with which the vulnerability is associated;
      
      attempting to connect to the service on the host by the second device profiler in the second threat zone; and
      
      responsive to connecting to the service of the host with which the vulnerability is associated, determining that the vulnerability is accessible from the second threat zone of the network.
  - 4. The method of claim 1, wherein calculating the risk associated with the identified vulnerability comprises:
    - assigning a threat level metric to each threat zone from which the vulnerability of the host is accessible;
      
      assigning an asset value metric to the host;
      
      assigning a severity metric to the vulnerability; and
      
      calculating the risk associated with the vulnerability responsive to the threat level metrics, the asset value metric, and the severity metric.
  - 5. The method of claim 1, further comprising:
    - analyzing a configuration of a network traffic device by reading the configuration directly from the device to identify vulnerabilities of the hosts accessible from the second threat zone.
  - 6. The method of claim 1, further comprising:
    - identifying hop information describing a path from the second threat zone to the identified vulnerability of the host; and
      
      graphically representing the hop information.
  - 7. The method of claim 1, wherein the method further comprises, for the identified vulnerability accessible from both the first and second threat zones, calculating a third threat level metric that is a function of the first threat level and the second threat level and represents a combined threat level for the first and second threat zones, and wherein the calculating the risk associated with the identified vulnerability accessible from the first and second threat zones comprises using the third threat level metric.

8. A system for prioritizing security vulnerabilities in an enterprise computer network having an address space accessible from a plurality of threat zones, comprising:
- a first device profiler located in a first threat zone of the network for profiling hosts in the address space of the enterprise computer network by sending packets to addresses within the address space to identify vulnerabilities of the hosts accessible from the first threat zone;
  
  a second device profiler located in a second threat zone of the network for profiling hosts in the address space of the enterprise computer network by sending packets to addresses within the address space to identify vulnerabilities of the hosts accessible from the second threat zone;
  
  a risk module for;
  
  (1) assigning a first threat level metric to the first threat zone and a second threat level metric to the second threat zone, the first threat level metric indicating a relative likelihood that a threat will emanate from the first threat zone and the second threat level indicating a relative likelihood that a threat will emanate from the second threat zone;
  
  (2) for calculating a risk associated with an identified vulnerability accessible from the first and second threat zones using the first and second threat level metrics; and
  
  (3) for calculating a risk associated with a service affected by the identified vulnerability using the risk associated with the identified vulnerability and one or more risks associated with other vulnerabilities that affect the service; and
  
  a reporting module for prioritizing the vulnerability relative to other vulnerabilities responsive to the calculated risk.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the reporting module is further configured for:
    - prioritizing the vulnerability of the host accessible from the first and second threat zones over a second vulnerability of the host inaccessible from the second threat zone;
      
      generating a ranked list of the vulnerabilities responsive to the priorities of the vulnerability and the second vulnerability; and
      
      sending the ranked list of the vulnerabilities to a network security device, the network security device adapted to prioritize processing of the vulnerabilities based on the ranked list.
  - 10. The system of claim 8, wherein profiling the hosts in the address space of the enterprise computer network by sending packets to the addresses within the address space using a second device profiler comprises:
    - identifying a service on a host in the first threat zone of the network with which the vulnerability is associated;
      
      attempting to connect to the service on the host; and
      
      responsive to connecting to the service on the host with which the vulnerability is associated, determining that the vulnerability is accessible from the second threat zone of the network.
  - 11. The system of claim 8, wherein calculating the risk associated with the identified vulnerability comprises:
    - assigning a threat level metric to each threat zone from which the vulnerability of the host is accessible;
      
      assigning an asset value metric to the host;
      
      assigning a severity metric to the vulnerability; and
      
      calculating the risk associated with the vulnerability responsive to the threat level metrics, the asset value metric, and the severity metric.
  - 12. The system of claim 8, further comprising:
    - a configuration analysis module for analyzing a configuration of a network traffic device by reading the configuration directly from the device to identify vulnerabilities of the hosts accessible from the second threat zone.
  - 13. The system of claim 8, wherein the reporting module is further adapted to receive hop information describing a path from the second threat zone to the identified vulnerability of the host and to graphically represent the hop information.
  - 14. The system of claim 8, wherein the risk module is further for calculating a third threat level metric when an identified vulnerability is accessible from the first and second threat zones, the third threat level being a function of the first threat level and the second threat level and representing a combined threat level for the first and second threat zones, and calculating the risk associated with the identified vulnerability accessible from the first and second threat zones using the third threat level.

15. A computer program product stored on a non-transitory computer readable storage medium, the computer program product for prioritizing security vulnerabilities in an enterprise computer network having an address space accessible from a plurality of threat zones, comprising:
- a first vulnerability detection module adapted to be located in a first threat zone of the network for profiling hosts in the address space of the enterprise computer network by sending packets to addresses within the address space to identify vulnerabilities of the hosts accessible from the first threat zone;
  
  a second vulnerability detection module adapted to be located in a second threat zone of the network for profiling hosts in the address space of the enterprise computer network by sending packets to addresses within the address space to identify vulnerabilities of the hosts accessible from the second threat zone;
  
  a risk module;
  
  (1) for assigning a first threat level metric to the first threat zone and a second threat level metric to the second threat zone, the first threat level metric indicating a relative likelihood that a threat will emanate from the first threat zone and the second threat level indicating a relative likelihood that a threat will emanate from the second threat zone;
  
  (2) for calculating a risk associated with an the identified vulnerability accessible from the first and second threat zones using the first and second threat level metrics; and
  
  (3) for calculating a risk associated with a service affected by the identified vulnerability using the risk associated with the identified vulnerability and one or more risks associated with other vulnerabilities that affect the service; and
  
  a reporting module for prioritizing the vulnerability relative to other vulnerabilities responsive to the calculated risk.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer program product of claim 15, wherein the reporting module is further configured for:
    - prioritizing the vulnerability of the host accessible from the first and second threat zones over a second vulnerability of the host inaccessible from the second threat zone;
      
      generating a ranked list of the vulnerabilities responsive to the priorities of the vulnerability and the second vulnerability; and
      
      sending the ranked list of the vulnerabilities to a network security device, the network security device adapted to prioritize processing of the vulnerabilities based on the ranked list.
  - 17. The computer program product of claim 15, wherein profiling hosts in the address space of the enterprise computer network by sending packets to addresses within the address space to identify vulnerabilities of the hosts accessible from the second threat zone comprises:
    - identifying a service on a host in the first threat zone of the network with which the vulnerability is associated;
      
      attempting to connect to the service on the host; and
      
      responsive to connecting to the service on the host with which the vulnerability is associated, determining that the vulnerability is accessible from the second threat zone of the network.
  - 18. The computer program product of claim 15, wherein calculating the risk associated with the identified vulnerability comprises:
    - assigning a threat level metric to each threat zone from which the vulnerability of the host is accessible;
      
      assigning an asset value metric to the host;
      
      assigning a severity metric to the vulnerability; and
      
      calculating a risk associated with the vulnerability responsive to the threat level metrics, the asset value metric, and the severity metric.
  - 19. The computer program product of claim 15, further comprising:
    - a configuration analysis module for analyzing a configuration of a network traffic device by reading the configuration directly from the device to identify vulnerabilities of the hosts accessible from the second threat zone.
  - 20. The computer program product of claim 15, wherein the reporting module is further adapted to receive hop information describing a path from the second threat zone to the identified vulnerability of the host and to graphically represent the hop information.
  - 21. The computer program product of claim 15, wherein the risk module is further for calculating a third threat level metric when an identified vulnerability is accessible from the first and second threat zones, the third threat level being a function of the first threat level and the second threat level and representing a combined threat level for the first and second threat zones, and calculating the risk associated with the identified vulnerability accessible from the first and second threat zones using the third threat level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tripwire Incorporated (Belden Inc.)
Original Assignee
Tripwire Incorporated (Belden Inc.)
Inventors
Keanini, Timothy D., Boyle, Joe B., Wittenberg, Mark, Perrenoud, Yves
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US11/424,088
Time in Patent Office

3,114 Days
Field of Search

726/25, 726/11
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2149   Restricted operating enviro...

H04L 63/1433   Vulnerability analysis

Prioritizing network security vulnerabilities using accessibility

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Prioritizing network security vulnerabilities using accessibility

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links