Automated internet threat detection and mitigation system and associated methods
First Claim
1. A computer-implemented system for automated internet threat detection and mitigation, the system comprising:
a centralized database;
a customer database operable with the centralized database;
a threat intelligence subsystem for receiving intelligence data from a plurality of external intelligence sources;
an analytics subsystem communicating with the threat intelligence subsystem for tracking accuracy and relevance of the intelligence data, wherein suspicious patterns are transmitted to the centralized database for use by automatic query security tools in a customer network environment;
a data gathering subsystem for gathering public data from a plurality of website sources sufficient for providing context for the analytics subsystem;
a portal subsystem comprising at least one of an analyst portal and a customer portal, wherein:
the analyst portal allows analysts to query the customer database and incidents detected resulting from patterns from the threat intelligence segment, the analyst portal further tracks various metrics of analyst performance and provides feedback to the system; and
the customer portal is operable for allowing the customer to view the analyst performance metrics as well as customize threat intelligence feeds, local security tools, and descriptions of the customer environment and customer assets, and wherein the customer portal provides information feedback for the system; and
a Honeytrap subsystem deployed within the customer network environment, wherein the Honeytrap subsystem monitors scams and cyber-attacks and analyzes suspicious activity, feeding resulting analysis data to the analytics subsystem, wherein the Honeytrap subsystem is operable for monitoring files used by adversaries on compromised computers so as to form a basis of an early alerting system, and wherein the Honeytrap subsystem is customized to particular locations, and automatically incorporating and quarantining infected computers.
5 Assignments
0 Petitions
Abstract
A risk assessment and managed security system for network users provides security services for dealing with formidable cyber threats, malware creations and phishing techniques. Automated solutions in combination with human-driven solutions establish an always-alert positioning for incident anticipation, mitigation, discovery and response. A proactive, intelligence-driven and customized approach is taken to protect network users. Assessments of threats are made before and after a breach. Cyber threats are identified in advance of a resulting network problem, and automated analysis locates the threats and stops them from having an adverse effect. Humans can focus on the high-level view, instead of looking at every single potential problem area. Troubling patterns may be reviewed within the network environment to identify issues. Cyber analysis is conducted to provide a baseline over time via statistically proven, predictive models that anticipate vulnerabilities brought on by social-media usage, Web surfing and other behaviors that invite risk.
148 Citations
16 Claims
Claim 1 is reproduced above under First Claim; claims 2 through 13 depend on it.
14. A computer-implemented method for automated internet threat detection and mitigation, the method comprising:
providing an analytics subsystem for identifying suspicious patterns of behavior in a customer network environment;
providing a reader processor operable with the analytics subsystem for gathering threat intelligence data from a plurality of threat intelligence sources, including commercial and open-source feeds as well as suspicious patterns identified by the analytics subsystem or specified by an analyst through a portal connection;
normalizing the data by the reader processor and providing a common format;
providing an initial believability factor based only on past performance of the relevant source of the threat intelligence data;
providing a gatekeeper processor operable with the reader processor and the analytics subsystem, the gatekeeper reviewing the normalized intelligence data and comparing the data to past incidents and rules operable by the analytics subsystem for refining the believability factor and severity of each indicator, wherein if the believability factor is too low, the gatekeeper processor will either ask a human to check the data or discard the believability factor indicated as unusable and overly likely to generate false positives; and
deploying a Honeytrap subsystem within the customer network environment, the Honeytrap subsystem monitoring scams and cyber-attacks and analyzing suspicious activity, feeding resulting analysis data to the analytics subsystem, wherein the Honeytrap subsystem is operable for monitoring files used by adversaries on compromised computers so as to form a basis of an early alerting system, and wherein the Honeytrap subsystem is customized to particular locations, and automatically incorporating and quarantining infected computers.
Claims 15 and 16 depend on claim 14.
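The reader and gatekeeper steps of claim 14 (normalizing several source formats into one record shape, seeding a believability factor from nothing but the source's past track record, refining it against past incidents and rules, and sending low-believability indicators either to a human or to the discard pile), together with the accuracy tracking per source that claim 1's analytics subsystem describes, are shown below as an added worked example. This is illustration code written for this page, not code from the patent or its assignee. The feed contents, the per-source hit/miss history, the past-incident set, the known-benign rule and the two thresholds are all constructed assumptions.

```python
import ipaddress
import json
import re
from dataclasses import dataclass

# Constructed sample inputs (not real feeds) in three different source formats.
FEED_A_CSV = """indicator,type,conf
203.0.113.7,ip,90
bad-updates.example,domain,60
"""
FEED_B_JSON = json.dumps([
    {"ioc": "203.0.113.7", "kind": "ipv4"},
    {"ioc": "0" * 64, "kind": "sha256"},
])
ANALYST_SUBMISSIONS = ["cdn.example"]  # assumed to arrive via the analyst portal

# Constructed per-source past performance: (confirmed true positives, confirmed false positives).
SOURCE_HISTORY = {"feed_a": (40, 10), "feed_b": (3, 12), "analyst": (9, 1)}
# Constructed set of indicators tied to past confirmed incidents in this customer environment.
PAST_INCIDENTS = {"203.0.113.7"}
# Constructed rule: the customer's own infrastructure, where a hit is almost always noise.
KNOWN_BENIGN = {"cdn.example"}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


@dataclass
class Indicator:
    value: str
    kind: str
    source: str
    believability: float
    severity: str = "medium"


def classify(value: str) -> str:
    """Derive the indicator type from its syntax instead of trusting the feed's own label."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if SHA256_RE.match(value):
        return "sha256"
    return "domain"


def source_believability(source: str, history=SOURCE_HISTORY, prior: float = 0.5) -> float:
    """Initial believability from past performance only: Laplace-smoothed true-positive rate.
    An unseen source gets the neutral prior rather than a free pass."""
    if source not in history:
        return prior
    tp, fp = history[source]
    return (tp + 1) / (tp + fp + 2)


def read_feeds() -> list[Indicator]:
    """Reader step: ingest each source and normalize into one common record shape."""
    out = []
    for line in FEED_A_CSV.strip().splitlines()[1:]:
        value = line.split(",")[0].lower()
        out.append(Indicator(value, classify(value), "feed_a", source_believability("feed_a")))
    for item in json.loads(FEED_B_JSON):
        value = item["ioc"].lower()
        out.append(Indicator(value, classify(value), "feed_b", source_believability("feed_b")))
    for value in ANALYST_SUBMISSIONS:
        value = value.lower()
        out.append(Indicator(value, classify(value), "analyst", source_believability("analyst")))
    return out


def gatekeeper(indicators, review_floor: float = 0.30, accept_floor: float = 0.60):
    """Gatekeeper step: refine believability and severity against past incidents and rules,
    then route each indicator to automatic use, human review, or discard."""
    buckets = {"accepted": [], "review": [], "discarded": []}
    for ind in indicators:
        if ind.value in PAST_INCIDENTS:          # corroborated by a confirmed incident
            ind.believability = min(1.0, ind.believability + 0.25)
            ind.severity = "high"
        if ind.value in KNOWN_BENIGN:            # rule outranks source reputation
            ind.believability *= 0.25
        if ind.kind == "sha256":                 # a file hash is specific; a match is rarely ambiguous
            ind.severity = "high"
        if ind.believability >= accept_floor:
            buckets["accepted"].append(ind)
        elif ind.believability >= review_floor:
            buckets["review"].append(ind)        # too weak to act on, worth an analyst's look
        else:
            buckets["discarded"].append(ind)     # unusable, overly likely to generate false positives
    return buckets


if __name__ == "__main__":
    for bucket, items in gatekeeper(read_feeds()).items():
        for ind in items:
            print(f"{bucket:9} {ind.source:8} {ind.kind:7} {ind.believability:.2f} {ind.severity:6} {ind.value}")
```

With these constructed inputs the same IP reported by the strong feed is accepted outright, while the copy from the weak feed is lifted only as far as human review by its match against a past incident; the analyst-submitted domain, despite the analyst's good track record, is discarded because the known-benign rule cuts its believability below the review floor. The two thresholds and the bonus/penalty sizes are tuning knobs a deployment would set from its own false-positive history.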
Specification