System and method employing structured intelligence to verify and contain threats at endpoints

US 9,413,781 B2
Filed: 03/17/2014
Issued: 08/09/2016
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A computerized method to identify potentially malicious code at an endpoint in a network, the method comprising the steps of:

via a threat monitor;

monitoring network data,extracting at least one set of network data, andprocessing the at least one set of network data to generate a report;

via a verifier including an agent coordinator, issuing at least one of (i) instructions, and (ii) indicators to an endpoint agent based on the report; and

processing, via the endpoint agent, the at least one of (i) instructions, and (ii) indicators to generate verification information,wherein the verification information is processed via the verifier by comparing the verification information to at least one of (a) data obtained from another endpoint, and (b) data obtained from a security information and event management module (SIEM).

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method to detect and contain threatening executable code by employing a threat monitor, verifier, endpoint agent, and a security information and event management module. The system and method are a departure from and an improvement over conventional systems in that, among other things, the system and method allow an investigator to determine whether a threat has persisted or executed, and allow that information to be communicated back to the detection mechanism (or other system) such that a user (or machine) may make a decision to take further action such as to contain the threat quickly and/or permit the system to do so automatically.

166 Citations

43 Claims

1. A computerized method to identify potentially malicious code at an endpoint in a network, the method comprising the steps of:
- via a threat monitor;
  
  monitoring network data,extracting at least one set of network data, andprocessing the at least one set of network data to generate a report;
  
  via a verifier including an agent coordinator, issuing at least one of (i) instructions, and (ii) indicators to an endpoint agent based on the report; and
  
  processing, via the endpoint agent, the at least one of (i) instructions, and (ii) indicators to generate verification information,wherein the verification information is processed via the verifier by comparing the verification information to at least one of (a) data obtained from another endpoint, and (b) data obtained from a security information and event management module (SIEM).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The computerized method according to claim 1, wherein the verification information includes audit data.
  - 3. The computerized method according to claim 2, wherein the audit data includes hit data.
  - 4. The computerized method according to claim 1, further comprising the step of:
    - providing the verification information to the verifier.
  - 5. The computerized method according to claim 4, further comprising the step of:
    - processing, via the verifier, the verification information to determine whether it indicates a verified threat.
  - 6. The computerized method according to claim 1, further comprising the step of:
    - changing the configuration of the threat monitor based on the verification information.
  - 7. The computerized method according to claim 1, wherein the report includes structured threat intelligence.
  - 8. The computerized method according to claim 1, further comprising the step of:
    - providing the verification information to at least one of (a) the verifier, (b) the SIEM, and (c) the threat monitor.
  - 9. The computerized method according to claim 1, wherein the processing of the at least one set of network data is performed by an analyzer of the threat monitor, the analyzer includes software executed by a hardware processor of the endpoint.
  - 10. The computerized method according to claim 9, wherein the analyzer is a static analyzer.
  - 11. The computerized method according to claim 9, wherein the analyzer is a dynamic analyzer.
  - 12. The computerized method according to claim 1, further comprising the step of:
    - processing the report via a report analyzer of the verifier to generate the at least one of (i) instructions and (ii) indicators.
  - 13. The computerized method according to claim 1, wherein the processing of the at least one of (i) instructions and (ii) indicators is performed via an audit module that generates audit data, the audit module being software executed by a hardware processor of the endpoint.
  - 14. The computerized method according to claim 13, further comprising the step of:
    - storing the audit data in a buffered storage module.
  - 15. The computerized method according to claim 13, wherein the audit data is processed by an indicator matcher to produce the verification information.
  - 16. The computerized method according to claim 1, further comprising the step of:
    - performing a containment action on the endpoint via the endpoint agent based on the verification information.
  - 17. The computerized method according to claim 16, wherein the containment action is taken by a containment agent of the endpoint agent.
  - 18. The computerized method according to claim 17, wherein the containment agent is installed on the endpoint pursuant to instructions contained in a containment package configured by the agent coordinator.

19. A system operable to identify potentially malicious code on an endpoint in a network, the system comprising:
- a threat monitor operable to monitor network data, to extract at least one set of network data, and to process the at least one set of network data to generate a report; and
  
  a verifier including an agent coordinator operable to issue at least one of (i) instructions and (ii) indicators to an endpoint agent based on the report;
  
  wherein,the endpoint agent is operable to process the at least one of (i) instructions and (ii) indicators to generate verification information, andthe endpoint agent includes a containment agent operable to perform a containment action based on the verification information.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 20. The system according to claim 19, wherein the containment agent is installed on the endpoint pursuant to instructions contained in a containment package configured by the agent coordinator based on the verification information.
  - 21. The system according to claim 19, wherein the verifier is operable to process the verification information to determine whether it indicates a verified threat.
  - 22. The system according to claim 19,wherein,the report includes structured threat intelligence, andthe verifier is operable to process the structured threat intelligence to issue the at least one of (i) instructions and (ii) indicators.
  - 23. The system according to claim 19, wherein the threat monitor includes an analyzer configured to process the at least one set of network data, the analyzer includes software executed by a hardware processor of the endpoint.
  - 24. The system according to claim 23, wherein the analyzer is a static analyzer.
  - 25. The system according to claim 23, wherein the analyzer is a dynamic analyzer.
  - 26. The system according to claim 19, wherein the verifier includes a report analyzer operable to generate the at least one of (i) instructions and (ii) indicators.
  - 27. The system according to claim 19, wherein the endpoint agent includes an audit module operable to process the at least one of (i) instructions and (ii) indicators to generate audit data, the audit module being software executed by a hardware processor of the endpoint.
  - 28. The system according to claim 27, wherein the endpoint agent includes a buffered storage module operable to store the audit data.
  - 29. The system according to claim 27, wherein the endpoint agent includes an indicator matcher operable to process audit data to produce the verification information.

30. A system operable to identify potentially malicious code on an endpoint in a network, the system comprising:
- a controller configured to manage,a threat monitor operable to monitor network data, to extract at least one set of network data, and to process the at least one set of network data to generate a report, anda verifier including an agent coordinator operable to issue at least one of (i) instructions and (ii) indicators to an endpoint agent based on the report,wherein,the endpoint agent is operable to process the at least one of (i) instructions and (ii) indicators to generate verification information, andthe verifier includes a report analyzer operable to generate the at least one of (i) instructions and (ii) indicators.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 31. The system according to claim 30, further comprising:
    - an agent coordinator of the verifier,wherein,at least one of (i) the threat monitor and (ii) the agent coordinator is stored at a memory location on the endpoint.
  - 32. The system according to claim 30, further comprising:
    - an agent coordinator of the verifier,wherein,at least one of (i) the threat monitor and (ii) the agent coordinator is stored at a middleware layer communicatively coupled to a communication network.
  - 33. The system according to claim 30, wherein the verifier is operable to process the verification information to determine whether the verification information indicates a verified threat associated with the endpoint.
  - 34. The system according to claim 30,wherein,the report includes structured threat intelligence, andthe verifier is operable to process the structured threat intelligence to issue the at least one of (i) instructions and (ii) indicators.
  - 35. The system according to claim 30, wherein the threat monitor includes an analyzer configured to process the at least one set of network data, the analyzer includes software executed by a hardware processor of the endpoint.
  - 36. The system according to claim 35, wherein the analyzer is a static analyzer.
  - 37. The system according to claim 35, wherein the analyzer is a dynamic analyzer.
  - 38. The system according to claim 30,wherein,the controller is communicatively coupled to the threat monitor and the verifier via a communication network, andthe system further includes a SIEM managed by the controller that correlates verification information with intelligence gathered from at least one of (i) the endpoint agent, (ii) other endpoints, and (iii) other threat monitoring systems.
  - 39. The system according to claim 30, wherein the endpoint agent includes an audit module operable to process the at least one of (i) instructions and (ii) indicators to generate audit data, the audit module being software executed by a hardware processor of the endpoint.
  - 40. The system according to claim 39, wherein the endpoint agent includes a buffered storage module operable to store the audit data.
  - 41. The system according to claim 39, wherein the endpoint agent includes an indicator matcher operable to process audit data to produce the verification information.
  - 42. The system according to claim 30, wherein the endpoint agent includes a containment agent operable to perform a containment action based on the verification information.
  - 43. The system according to claim 42, wherein the containment agent is installed on the endpoint pursuant to instructions contained in a containment package configured by the agent coordinator based on the verification information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Cunningham, Sean, Dana, Robert, Nardone, Joseph, Faber, Joseph, Arunski, Kevin
Primary Examiner(s)
Lim, Krisna

Application Number

US14/216,453
Publication Number

US 20140344926A1
Time in Patent Office

876 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/126   the source of the received ...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

System and method employing structured intelligence to verify and contain threats at endpoints

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

166 Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

System and method employing structured intelligence to verify and contain threats at endpoints

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

166 Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links