Systems and methods for dynamic network security control and configuration

US 9,509,660 B2
Filed: 06/01/2015
Issued: 11/29/2016
Est. Priority Date: 05/31/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

storing, in at least one database, data regarding a plurality of logical zones, each logical zone associated with a grouping of assets;

identifying, by at least one processor, an asset associated with a first logical zone;

storing, in the at least one database, data regarding the asset, the data comprising attribute data for the asset;

detecting a change in an attribute of the asset; and

in response to detecting the change in the attribute of the asset;

modifying, by the at least one processor, a configuration setting for a firewall, andmoving the asset from the first logical zone to a second logical zone, the moving comprising updating information in the at least one database to indicate that the asset is a member of the second logical zone.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method according to one embodiment of the present disclosure includes identifying, by a computer system, an asset associated with a logical zone; detecting a change in an attribute of the asset; and in response to detecting the change in the attribute of the asset, modifying, by the computer system, a configuration setting for a firewall. Among other things, the embodiments of the present disclosure can perform dynamically configure and control security features in response to changes in the computing environment, including asset attribute changes, security events, operational events, user input and environmental changes. Embodiments of the present disclosure thereby help to quickly maintain or change the security posture of a system and maintain the level of compliance with set of predefined security benchmarks or codified best practices.

Citations

19 Claims

1. A computer-implemented method comprising:
- storing, in at least one database, data regarding a plurality of logical zones, each logical zone associated with a grouping of assets;
  
  identifying, by at least one processor, an asset associated with a first logical zone;
  
  storing, in the at least one database, data regarding the asset, the data comprising attribute data for the asset;
  
  detecting a change in an attribute of the asset; and
  
  in response to detecting the change in the attribute of the asset;
  
  modifying, by the at least one processor, a configuration setting for a firewall, andmoving the asset from the first logical zone to a second logical zone, the moving comprising updating information in the at least one database to indicate that the asset is a member of the second logical zone.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the asset includes one or more of a physical component and a virtual component.
  - 3. The method of claim 1, further comprising:
    - identifying a plurality of assets associated with the first logical zone;
      
      detecting a change in an attribute for a first asset in the plurality of assets;
      
      detecting a change in an attribute for a second asset in the plurality of assets; and
      
      in response to the detected attribute changes for the first asset and the second asset, modifying the configuration setting for the firewall.
  - 4. The method of claim 1, further comprising:
    - establishing a connection with an asset management component configured to manage functionality of the asset, wherein the change in the attribute for the asset is detected via communication with the asset management component; and
      
      establishing a connection with a firewall management component configured to manage functionality of the firewall, wherein the configuration setting for the firewall is modified via communication with the firewall management component.
  - 5. The method of claim 1, further comprising:
    - identifying a plurality of assets associated with the first logical zone, wherein identifying the plurality of assets includes;
      
      establishing a connection with an asset management component configured to manage functionality of the plurality of assets; and
      
      querying the asset management component to identify each of the plurality of assets.
  - 6. The method of claim 5, wherein detecting the change in the attribute for the asset includes periodically querying the asset management component to identify the change in the asset.
  - 7. The method of claim 5, wherein detecting the change in the attribute for the asset includes receiving a communication regarding the change from the asset management component.
  - 8. The method of claim 1, further comprising:
    - associating a security policy with the first logical zone, wherein modifying the configuration setting for the firewall is performed in accordance with the security policy.
  - 9. The method of claim 1, wherein detecting the change in the attribute of the asset includes detecting a change in an internet protocol address for the asset.
  - 10. The method of claim 1, wherein detecting the change in the attribute of the asset includes detecting a move of the asset from the first logical zone to another logical zone.
  - 11. The method of claim 1, wherein modifying the configuration setting of the firewall includes allowing communication between the asset and a second asset.
  - 12. The method of claim 1, wherein modifying the configuration setting of the firewall includes preventing communication between the asset and a second asset.
  - 13. The method of claim 1, further comprising:
    - detecting a security vulnerability associated with the asset;
      
      in response to detecting the security vulnerability, moving the asset from the first logical zone to a predefined logical zone, wherein the asset has less access to other assets than it had in the first logical zone;
      
      detecting a correction to the security vulnerability with the asset; and
      
      in response to detecting the correction to the security vulnerability, moving the asset from the predefined logical zone to the first logical zone.
  - 14. The method of claim 1, further comprising:
    - associating a compliance policy with the first logical zone;
      
      analyzing the modification of the configuration setting for the firewall based on the compliance policy; and
      
      determining a level of compliance based on the comparison.
  - 15. The method of claim 14, wherein determining the level of compliance includes determining a compliance score for one or more of the asset, the firewall, and the first logical zone.
  - 16. The method of claim 15, further comprising displaying, via a user interface in communication with a computer system comprising the at least one processor, a graphical representation of the compliance score.
  - 17. The method of claim 16, further comprising displaying a plurality of compliance scores that correspond to a respective plurality of security controls in the compliance policy.

18. A non-transitory, computer-readable medium storing instructions that, when executed, cause a computing device to:
- store, in at least one database, data regarding a plurality of logical zones, each logical zone associated with a grouping of assets;
  
  identify, by at least one processor, an asset associated with a first logical zone;
  
  store, in the at least one database, data regarding the asset, the data comprising attribute data for the asset;
  
  detect a change in an attribute of the asset; and
  
  in response to detecting the change in the attribute of the asset;
  
  modify, by the at least one processor, a configuration setting for a firewall, andmove the asset from the first logical zone to a second logical zone, the moving comprising updating information in the at least one database to indicate that the asset is a member of the second logical zone.

19. A system comprising:
- at least one database;
  
  at least one processor; and
  
  memory in communication with the at least one processor and storing instructions that, when executed by the processor, cause the system to;
  
  store, in the at least one database, data regarding a plurality of logical zones, each logical zone associated with a grouping of assets;
  
  identify an asset associated with a first logical zone;
  
  store, in the at least one database, data regarding the asset, the data comprising attribute data for the asset;
  
  detect a change in an attribute of the asset; and
  
  in response to detecting the change in the attribute of the asset;
  
  modify a configuration setting for a firewall, andmove the asset from the first logical zone to a second logical zone, the moving comprising updating information in the at least one database to indicate that the asset is a member of the second logical zone.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Catbird Networks, Inc.
Original Assignee
Catbird Networks, Inc.
Inventors
Rieke, Malcolm, Dennis, James Sebastian, Berman, Michael
Primary Examiner(s)
Tabor, Amare F

Application Number

US14/727,623
Publication Number

US 20150264012A1
Time in Patent Office

547 Days
Field of Search

726/1, 726/11
US Class Current

1/1
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 2009/45587   Isolation or security of vi...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Systems and methods for dynamic network security control and configuration

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for dynamic network security control and configuration

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links