Dynamic incident response

US 9,165,250 B2
Filed: 01/30/2013
Issued: 10/20/2015
Est. Priority Date: 01/30/2013
Status: Active Grant

First Claim

Patent Images

1. A computing device, comprising:

at least one processor; and

memory storing computer readable instructions that, when executed by the at least one processor, cause the computing device to;

determine that a security incident has occurred, the security incident being a physical security incident or a cyber security incident;

load a predefined response template, the predefined response template comprising a plurality of parameters for responding to the security incident;

utilize a data platform to identify one or more potential responders for the security incident based on the predefined response template, wherein the data platform maintains physical access information, logical access information, hybrid access information, and availability information for an organization, and wherein the one or more potential responders are associated with the organization;

contact the one or more potential responders for the security incident identified based on the predefined response template;

monitor communications by the one or more potential responders for the security incident identified based on the predefined response template, the monitored communications being responsive to the contact;

update historical interaction data maintained by the data platform, based on the monitored communications by the one or more potential responders for the security incident identified based on the predefined response template; and

calculate, based on the historical interaction data maintained by the data platform, a response likelihood value for at least one potential responder of the one or more potential responders for the security incident identified based on the predefined response template, the response likelihood value for the at least one potential responder being indicative of a likelihood that the at least one potential responder will respond to a future security incident.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, computer-readable media, and apparatuses for providing dynamic incident response using advanced analytics are presented. In some embodiments, a computing device may determine that an incident has occurred. The computing device then may load a predefined response template that includes parameters for responding to the incident. Subsequently, the computing device may utilize a big data platform to identify one or more potential responders for the incident based on the predefined response template. In some additional embodiments, the computing device also may contact the identified potential responders and subsequently monitor communications by the identified potential responders that are responsive to the contact. The computing device may also update historical interaction data based on the monitoring, and this historical interaction data may be used to subsequently determine the likelihood that at least one potential responder will respond to a future incident.

28 Citations

View as Search Results

20 Claims

1. A computing device, comprising:
- at least one processor; and
  
  memory storing computer readable instructions that, when executed by the at least one processor, cause the computing device to;
  
  determine that a security incident has occurred, the security incident being a physical security incident or a cyber security incident;
  
  load a predefined response template, the predefined response template comprising a plurality of parameters for responding to the security incident;
  
  utilize a data platform to identify one or more potential responders for the security incident based on the predefined response template, wherein the data platform maintains physical access information, logical access information, hybrid access information, and availability information for an organization, and wherein the one or more potential responders are associated with the organization;
  
  contact the one or more potential responders for the security incident identified based on the predefined response template;
  
  monitor communications by the one or more potential responders for the security incident identified based on the predefined response template, the monitored communications being responsive to the contact;
  
  update historical interaction data maintained by the data platform, based on the monitored communications by the one or more potential responders for the security incident identified based on the predefined response template; and
  
  calculate, based on the historical interaction data maintained by the data platform, a response likelihood value for at least one potential responder of the one or more potential responders for the security incident identified based on the predefined response template, the response likelihood value for the at least one potential responder being indicative of a likelihood that the at least one potential responder will respond to a future security incident.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computing device of claim 1, wherein the physical access information comprises records associated with visits to one or more physical sites associated with the organization by one or more employees of the organization, the logical access information comprises records associated with virtual access to one or more computer systems associated with the organization by the one or more employees of the organization, the hybrid access information comprises records associated with virtual access to one or more mobile devices associated with the organization by the one or more employees of the organization, the availability information comprises records associated with meeting schedules of the one or more employees of the organization, and the historical interaction data comprises records associated with responses to previous security incidents by the one or more employees of the organization.
  - 3. The computing device of claim 1, wherein determining that the security incident has occurred comprises determining that one or more causal events have occurred prior to an occurrence of a moment of impact.
  - 4. The computing device of claim 1, wherein the predefined response template defines one or more necessary skills for a potential responder, one or more preferred skills for the potential responder, one or more necessary security clearances for the potential responder, one or more preferred security clearances for the potential responder, one or more necessary associations for the potential responder, and one or more preferred associations for the potential responder.
  - 5. The computing device of claim 1, wherein utilizing the data platform to identify the one or more potential responders for the security incident based on the predefined response template comprises determining whether at least one potential responder is qualified to respond to the security incident.
  - 6. The computing device of claim 1, wherein utilizing the data platform to identify the one or more potential responders for the security incident based on the predefined response template comprises determining, for at least one potential responder, a likelihood that the at least one potential responder will respond to the security incident.
  - 7. The computing device of claim 1, wherein utilizing the data platform to identify the one or more potential responders for the security incident based on the predefined response template comprises determining, for at least one potential responder, an optimal way to contact the at least one potential responder.
  - 8. The computing device of claim 7, wherein determining the optimal way to contact the at least one potential responder comprises generating a call tree for the at least one potential responder based on information obtained from the data platform.
  - 9. The computing device of claim 1, wherein utilizing the data platform to identify the one or more potential responders for the security incident based on the predefined response template comprises:
    - calculating, for each of the identified potential responders, a qualification score, a likelihood of response score, and a location confidence score;
      
      calculating, for each of the identified potential responders, an aggregate score based on the corresponding qualification score, likelihood of response score, and location confidence score; and
      
      ranking the identified potential responders based on the aggregate score calculated for each of the identified potential responders.
  - 10. The computing device of claim 1, wherein the response likelihood value for the at least one potential responder of the one or more potential responders for the security incident identified based on the predefined response template is calculated further based on availability information and location information obtained from the data platform.

11. A method, comprising:
- determining, by a computing device, that a security incident has occurred, the security incident being a physical security incident or a cyber security incident;
  
  loading, by the computing device, a predefined response template, the predefined response template comprising a plurality of parameters for responding to the security incident;
  
  utilizing, by the computing device, a data platform to identify one or more potential responders for the security incident based on the predefined response template, wherein the data platform maintains physical access information, logical access information, hybrid access information, and availability information for an organization, and wherein the one or more potential responders are associated with the organization;
  
  contacting, by the computing device, the one or more potential responders for the security incident identified based on the predefined response template;
  
  monitoring, by the computing device, communications by the one or more potential responders for the security incident identified based on the predefined response template, the monitored communications being responsive to the contacting;
  
  updating, by the computing device, historical interaction data maintained by the data platform, based on the monitored communications by the one or more potential responders for the security incident identified based on the predefined response template; and
  
  calculating, by the computing device, based on the historical interaction data maintained by the data platform, a response likelihood value for at least one potential responder of the one or more potential responders for the security incident identified based on the predefined response template, the response likelihood value for the at least one potential responder being indicative of a likelihood that the at least one potential responder will respond to a future security incident.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, wherein determining that the security incident has occurred comprises determining that one or more causal events have occurred prior to an occurrence of a moment of impact.
  - 13. The method of claim 12, wherein the security incident is a denial of service attack against one or more computer systems of the organization, and wherein the one or more causal events comprise receiving one or more data packets before a disruption in service occurs for the one or more computer systems of the organization.
  - 14. The method of claim 11, wherein determining that the security incident has occurred comprises classifying the security incident.
  - 15. The method of claim 11, wherein the predefined response template defines one or more necessary skills for a potential responder, one or more preferred skills for the potential responder, one or more necessary security clearances for the potential responder, one or more preferred security clearances for the potential responder, one or more necessary associations for the potential responder, and one or more preferred associations for the potential responder.
  - 16. The method of claim 11, wherein utilizing the data platform to identify the one or more potential responders for the security incident based on the predefined response template comprises determining whether at least one potential responder is qualified to respond to the security incident.
  - 17. The method of claim 11, wherein utilizing the data platform to identify the one or more potential responders for the security incident based on the predefined response template comprises determining, for at least one potential responder, a likelihood that the at least one potential responder will respond to the security incident.
  - 18. The method of claim 11, wherein utilizing the data platform to identify the one or more potential responders for the security incident based on the predefined response template comprises determining, for at least one potential responder, an optimal way to contact the at least one potential responder.

19. At least one non-transitory computer readable medium having instructions stored thereon that, when executed, cause at least one processor to:
- determine that a security incident has occurred, the security incident being a physical security incident or a cyber security incident;
  
  load a predefined response template, the predefined response template comprising a plurality of parameters for responding to the security incident;
  
  utilize a data platform to identify one or more potential responders for the security incident based on the predefined response template, wherein the data platform maintains physical access information, logical access information, hybrid access information, and availability information for an organization, and wherein the one or more potential responders are associated with the organization;
  
  contact the one or more potential responders for the security incident identified based on the predefined response template;
  
  monitor communications by the one or more potential responders for the security incident identified based on the predefined response template, the monitored communications being responsive to the contact;
  
  update historical interaction data maintained by the data platform, based on the monitored communications by the one or more potential responders for the security incident identified based on the predefined response template; and
  
  calculate, based on the historical interaction data maintained by the data platform, a response likelihood value for at least one potential responder of the one or more potential responders for the security incident identified based on the predefined response template, the response likelihood value for the at least one potential responder being indicative of a likelihood that the at least one potential responder will respond to a future security incident.
- View Dependent Claims (20)
- - 20. The at least one non-transitory computer readable medium of claim 19, wherein utilizing the data platform to identify the one or more potential responders for the security incident based on the predefined response template comprises:
    - calculating, for each of the identified potential responders, a qualification score, a likelihood of response score, and a location confidence score;
      
      calculating, for each of the identified potential responders, an aggregate score based on the corresponding qualification score, likelihood of response score, and location confidence score; and
      
      ranking the identified potential responders based on the aggregate score calculated for each of the identified potential responders.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Froelich, Craig
Primary Examiner(s)
Hill, Stanley K
Assistant Examiner(s)
OLUDE AFOLABI, OLATOYOSI

Application Number

US13/753,671
Publication Number

US 20140214744A1
Time in Patent Office

993 Days
Field of Search

706/12
US Class Current

1/1
CPC Class Codes

G06N 5/02 Knowledge representation; S...

G06Q 10/06 Resources, workflows, human...

Dynamic incident response

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic incident response

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links