Identifying vulnerabilities of computing assets based on breach data

US 9,270,695 B2
Filed: 03/09/2015
Issued: 02/23/2016
Est. Priority Date: 02/14/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, from a first source, vulnerability data that indicates a set of vulnerabilities of computing assets in a customer network;

receiving, from one or more second sources that are different than the first source, breach data that indicates a set of successful exploits that occurred outside the customer network;

identifying, based on the breach data, a subset of the set of vulnerabilities that are most vulnerable to a successful exploit;

causing result data that identifies the subset to be displayed on a screen of a computing device;

wherein the method is performed by one or more computing devices.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for ranking a set of vulnerabilities of a computing asset and set of remediations for a computing asset, and determining a risk score for one or more computing assets are provided. In one technique, vulnerabilities of computing assets in a customer network are received at a vulnerability intelligence platform. Breach data indicating set of breaches that occurred outside customer network is also received. A subset of the set of vulnerabilities that are most vulnerable to a breach is identified based on the breach data. In another technique, multiple vulnerabilities of a computing asset are determined. A risk score is generated for the computing asset based on the vulnerabilities. In another technique, multiple remediations associated with a risk score and multiple vulnerabilities are identified. The remediations are ordered based on the remediations that would reduce the risk score the most if those remediations were applied to remove the corresponding vulnerabilities.

Citations

21 Claims

1. A method comprising:
- receiving, from a first source, vulnerability data that indicates a set of vulnerabilities of computing assets in a customer network;
  
  receiving, from one or more second sources that are different than the first source, breach data that indicates a set of successful exploits that occurred outside the customer network;
  
  identifying, based on the breach data, a subset of the set of vulnerabilities that are most vulnerable to a successful exploit;
  
  causing result data that identifies the subset to be displayed on a screen of a computing device;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - for a first vulnerability, a first number of successful exploits that occurred outside the customer network for the first vulnerability;
      
      for a second vulnerability, a second number of successful exploits that occurred outside the customer network for the second vulnerability;
      
      identifying the first vulnerability within the set of vulnerabilities;
      
      identifying the second vulnerability within the set of vulnerabilities;
      
      determining that the first vulnerability is more vulnerable to a successful exploit than the second vulnerability based on the first number of successful exploits and the second number of successful exploits.
  - 3. The method of claim 1, further comprising:
    - based on a frequency of each successful exploit associated with the subset of the set of vulnerabilities, assigning a ranking to each vulnerability in the subset;
      
      wherein causing the result data to be displayed comprises causing the result data to be displayed based on the ranking of each vulnerability in the subset.
  - 4. The method of claim 1, further comprising:
    - receiving, from a third source that is different than the first source and the one or more second sources, second breach data that indicates a second set of successful exploits that have occurred outside the customer network.
  - 5. The method of claim 1, wherein each computing asset of the computing assets in the customer network is one of a database, an operating system, an application, a desktop computer, a server, or source code.
  - 6. The method of claim 1, further comprising:
    - receiving, from a third source that is different than the first source and the one or more second sources, exploit data that indicates a number of exploits for each vulnerability in the set of vulnerabilities;
      
      wherein identifying comprises identifying, based on the breach data and the exploit data, the subset of the set of vulnerabilities that are most vulnerable to a breach.
  - 7. The method of claim 1, further comprising:
    - receiving, from a third source that is different than the first source and the one or more second sources, vulnerability data that indicates a score for each vulnerability in the set of vulnerabilities;
      
      wherein identifying comprises identifying, based on the breach data and the vulnerability data, the subset of the set of vulnerabilities that are most vulnerable to a breach.

8. One or more non-transitory computer-readable media storing instructions which, when executed by one or more processors, cause:
- receiving, from a first source, vulnerability data that indicates a set of vulnerabilities of computing assets in a customer network;
  
  receiving, from one or more second sources that are different than the first source, breach data that indicates a set of successful exploits that occurred outside the customer network;
  
  identifying, based on the breach data, a subset of the set of vulnerabilities that are most vulnerable to a successful exploit;
  
  causing result data that identifies the subset to be displayed on a screen of a computing device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The one or more non-transitory computer-readable media of claim 8, wherein the instructions, when executed by the one or more processors, further cause:
    - for a first vulnerability, a first number of successful exploits that occurred outside the customer network for the first vulnerability;
      
      for a second vulnerability, a second number of successful exploits that occurred outside the customer network for the second vulnerability;
      
      identifying the first vulnerability within the set of vulnerabilities;
      
      identifying the second vulnerability within the set of vulnerabilities;
      
      determining that the first vulnerability is more vulnerable to a successful exploit than the second vulnerability based on the first number of successful exploits and the second number of successful exploits.
  - 10. The one or more non-transitory computer-readable media of claim 9, wherein the instructions, when executed by the one or more processors, further cause:
    - based on a frequency of each successful exploit associated with the subset of the set of vulnerabilities, assigning a ranking to each vulnerability in the subset;
      
      wherein causing the result data to be displayed comprises causing the result data to be displayed based on the ranking of each vulnerability in the subset.
  - 11. The one or more non-transitory computer-readable media of claim 8, wherein the instructions, when executed by the one or more processors, further cause:
    - receiving, from a third source that is different than the first source and the one or more second sources, second breach data that indicates a second set of successful exploits that have occurred outside the customer network.
  - 12. The one or more non-transitory computer-readable media of claim 8, wherein each computing asset of the computing assets in the customer network is one of a database, an operating system, an application, a desktop computer, a server, or source code.
  - 13. The one or more non-transitory computer-readable media of claim 8, wherein the instructions, when executed by the one or more processors, further cause:
    - receiving, from a third source that is different than the first source and the one or more second sources, exploit data that indicates a number of exploits for each vulnerability in the set of vulnerabilities;
      
      wherein identifying comprises identifying, based on the breach data and the exploit data, the subset of the set of vulnerabilities that are most vulnerable to a breach.
  - 14. The one or more non-transitory computer-readable media of claim 8, wherein the instructions, when executed by the one or more processors, further cause:
    - receiving, from a third source that is different than the first source and the one or more second sources, vulnerability data that indicates a score for each vulnerability in the set of vulnerabilities;
      
      wherein identifying comprises identifying, based on the breach data and the vulnerability data, the subset of the set of vulnerabilities that are most vulnerable to a breach.

15. An apparatus comprising:
- one or more processors;
  
  one or more computer-readable media storing instructions which, when executed by the one or more processors, cause;
  
  receiving, from a first source, vulnerability data that indicates a set of vulnerabilities of computing assets in a customer network;
  
  receiving, from one or more second sources that are different than the first source, breach data that indicates a set of successful exploits that occurred outside the customer network;
  
  identifying, based on the breach data, a subset of the set of vulnerabilities that are most vulnerable to a successful exploit;
  
  causing result data that identifies the subset to be displayed on a screen of a computing device.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The apparatus of claim 15, wherein the instructions, when executed by the one or more processors, further cause:
    - for a first vulnerability, a first number of successful exploits that occurred outside the customer network for the first vulnerability;
      
      for a second vulnerability, a second number of successful exploits that occurred outside the customer network for the second vulnerability;
      
      identifying the first vulnerability within the set of vulnerabilities;
      
      identifying the second vulnerability within the set of vulnerabilities;
      
      determining that the first vulnerability is more vulnerable to a successful exploit than the second vulnerability based on the first number of successful exploits and the second number of successful exploits.
  - 17. The apparatus of claim 16, wherein the instructions, when executed by the one or more processors, further cause:
    - based on a frequency of each successful exploit associated with the subset of the set of vulnerabilities, assigning a ranking to each vulnerability in the subset;
      
      wherein causing the result data to be displayed comprises causing the result data to be displayed based on the ranking of each vulnerability in the subset.
  - 18. The apparatus of claim 15, wherein the instructions, when executed by the one or more processors, further cause:
    - receiving, from a third source that is different than the first source and the one or more second sources, second breach data that indicates a second set of successful exploits that have occurred outside the customer network.
  - 19. The apparatus of claim 15, wherein each computing asset of the computing assets in the customer network is one of a database, an operating system, an application, a desktop computer, a server, or source code.
  - 20. The apparatus of claim 15, wherein the instructions, when executed by the one or more processors, further cause:
    - receiving, from a third source that is different than the first source and the one or more second sources, exploit data that indicates a number of exploits for each vulnerability in the set of vulnerabilities;
      
      wherein identyfying comprises identifying, based on the breach data and the exploit data, the subset of the set of vulnerabilities that are most vulnerable to a breach.
  - 21. The apparatus of claim 15, wherein the instructions, when executed by the one or more processors, further cause:
    - receiving, from a third source that is different than the first source and the one or more second sources, vulnerability data that indicates a score for each vulnerability in the set of vulnerabilities;
      
      wherein identifying comprises identifying, based on the breach data the and vulnerability data, the subset of the set of vulnerabilities that are most vulnerable to a breach.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kenna Security LLC (Cisco Systems, Inc.)
Original Assignee
Risk I/O, Inc.
Inventors
Roytman, Michael, Bellis, Edward T., Heuer, Jeffrey
Primary Examiner(s)
HOFFMAN, BRANDON S

Application Number

US14/642,620
Publication Number

US 20150237065A1
Time in Patent Office

351 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06Q 10/06311   Scheduling, planning or tas...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

Identifying vulnerabilities of computing assets based on breach data

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying vulnerabilities of computing assets based on breach data

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links