System and method employing structured intelligence to verify and contain threats at endpoints
First Claim
1. A computerized method to identify potentially malicious code at an endpoint in a network, the method comprising the steps of:
- via a threat monitor, monitoring network data, extracting at least one set of network data, and processing the at least one set of network data to generate a report;
- via a verifier including an agent coordinator, issuing at least one of (i) instructions, and (ii) indicators to an endpoint agent based on the report; and
- processing, via the endpoint agent, the at least one of (i) instructions, and (ii) indicators to generate verification information, wherein the verification information is processed via the verifier by comparing the verification information to at least one of (a) data obtained from another endpoint, and (b) data obtained from a security information and event management module (SIEM).
Abstract
A system and method to detect and contain threatening executable code by employing a threat monitor, verifier, endpoint agent, and a security information and event management module. The system and method are a departure from and an improvement over conventional systems in that, among other things, the system and method allow an investigator to determine whether a threat has persisted or executed, and allow that information to be communicated back to the detection mechanism (or other system) such that a user (or machine) may make a decision to take further action such as to contain the threat quickly and/or permit the system to do so automatically.
43 Claims
1. A computerized method to identify potentially malicious code at an endpoint in a network, the method comprising the steps of:
- via a threat monitor, monitoring network data, extracting at least one set of network data, and processing the at least one set of network data to generate a report;
- via a verifier including an agent coordinator, issuing at least one of (i) instructions, and (ii) indicators to an endpoint agent based on the report; and
- processing, via the endpoint agent, the at least one of (i) instructions, and (ii) indicators to generate verification information, wherein the verification information is processed via the verifier by comparing the verification information to at least one of (a) data obtained from another endpoint, and (b) data obtained from a security information and event management module (SIEM).
(Dependent claims 2 to 18 not shown.)

19. A system operable to identify potentially malicious code on an endpoint in a network, the system comprising:
- a threat monitor operable to monitor network data, to extract at least one set of network data, and to process the at least one set of network data to generate a report; and
- a verifier including an agent coordinator operable to issue at least one of (i) instructions and (ii) indicators to an endpoint agent based on the report;
- wherein the endpoint agent is operable to process the at least one of (i) instructions and (ii) indicators to generate verification information, and the endpoint agent includes a containment agent operable to perform a containment action based on the verification information.
(Dependent claims 20 to 29 not shown.)

30. A system operable to identify potentially malicious code on an endpoint in a network, the system comprising:
- a controller configured to manage, a threat monitor operable to monitor network data, to extract at least one set of network data, and to process the at least one set of network data to generate a report, and a verifier including an agent coordinator operable to issue at least one of (i) instructions and (ii) indicators to an endpoint agent based on the report,
- wherein the endpoint agent is operable to process the at least one of (i) instructions and (ii) indicators to generate verification information, and the verifier includes a report analyzer operable to generate the at least one of (i) instructions and (ii) indicators.
(Dependent claims 31 to 43 not shown.)
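The flow the independent claims describe (threat monitor produces a report, the verifier's agent coordinator issues indicators to endpoint agents, the agents return verification information, the verifier corroborates it against another endpoint and the SIEM, and a containment agent acts on the result) as an added Python sketch. This is illustrative code written for this page, not the patent's implementation; the network events, endpoint telemetry, SIEM data and the `isolate_host` / `monitor` actions are all constructed.

```python
# Constructed network events observed by the threat monitor (hypothetical hosts and hashes).
NETWORK_DATA = [
    {"src": "10.0.0.5", "dst": "203.0.113.9", "sha256": "aaa111", "file": "dropper.exe"},
    {"src": "10.0.0.7", "dst": "198.51.100.2", "sha256": "bbb222", "file": "update.dll"},
]
# Constructed endpoint telemetry: what each endpoint agent can observe locally.
ENDPOINT_STATE = {
    "10.0.0.5": {"files": {"aaa111"}, "executed": {"aaa111"}, "persisted": {"aaa111"}},
    "10.0.0.7": {"files": {"bbb222"}, "executed": set(), "persisted": set()},
}
# Constructed SIEM view: hashes the SIEM has already correlated with alerts.
SIEM_KNOWN_BAD = {"aaa111"}


def threat_monitor(events):
    """Extract a set of network data and produce a report of per-endpoint indicators."""
    return [{"endpoint": e["src"], "indicator": e["sha256"]} for e in events]


def endpoint_agent(endpoint, indicator, state=ENDPOINT_STATE):
    """Process one indicator on the endpoint and return verification information."""
    s = state[endpoint]
    return {"present": indicator in s["files"],
            "executed": indicator in s["executed"],
            "persisted": indicator in s["persisted"]}


def verifier(report, siem=SIEM_KNOWN_BAD):
    """Agent coordinator: dispatch indicators, then compare each agent's verification
    information with data from the other endpoints and from the SIEM."""
    decisions = {}
    for item in report:
        ep, ioc = item["endpoint"], item["indicator"]
        info = endpoint_agent(ep, ioc)
        seen_elsewhere = any(endpoint_agent(o, ioc)["present"]
                             for o in ENDPOINT_STATE if o != ep)
        corroborated = seen_elsewhere or ioc in siem
        # Contain only when the threat executed or persisted AND a second source agrees.
        decisions[ep] = {**info, "corroborated": corroborated,
                         "contain": (info["executed"] or info["persisted"]) and corroborated}
    return decisions


def containment_agent(decisions):
    """Map the verifier's decisions to the action each endpoint agent would take."""
    return {ep: "isolate_host" if d["contain"] else "monitor" for ep, d in decisions.items()}
```

The second endpoint holds the file but never executed it and nothing corroborates the indicator, so it is left under monitoring rather than isolated.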
Specification