Policy-based selection of remediation

US 9,602,550 B2
Filed: 05/16/2016
Issued: 03/21/2017
Est. Priority Date: 09/03/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

collecting, by a light weigh sensor (LWS) running on a host asset of a plurality of monitored, networked host assets of an enterprise network, survey data, which collectively characterize a program-code-based operational state of the host asset, from a survey tool installed on the host asset;

transmitting, by the LWS, the survey data to a remote server that is in a client-server relationship with the LWS via an external network coupling the enterprise network and the remote server in communication; and

enforcing, by the remote server, a plurality of security policies with respect to the host asset based on the survey data including determining whether the program-code-based operational state of the host asset represents a violation of one or more security policies of the plurality of security policies, by evaluating, the survey data with reference to the plurality of security policies, wherein each security policy of the plurality of security policies defines at least one parameter condition violation of which is potentially indicative of unauthorized activity on the host asset or manipulation of the host asset making the host asset vulnerable to attack.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for remediating a security policy violation on a computer system are provided. According to one embodiment, information regarding a program-code-based operational state of a host asset is collected by a light weight sensor (LWS) running on the host asset via a survey tool. The information is transmitted by the LWS to a remote server via an external network. Multiple security policies are enforced by the remote server with respect to the host asset based on the received information including determining whether the program-code-based operational state of the host asset represents a violation of one or more security policies, by evaluating, the received information with respect to the security policies, each of which define at least one parameter condition violation of which is potentially indicative of unauthorized activity on the host asset or manipulation of the host asset making the host asset vulnerable to attack.

135 Citations

19 Claims

1. A method comprising:
- collecting, by a light weigh sensor (LWS) running on a host asset of a plurality of monitored, networked host assets of an enterprise network, survey data, which collectively characterize a program-code-based operational state of the host asset, from a survey tool installed on the host asset;
  
  transmitting, by the LWS, the survey data to a remote server that is in a client-server relationship with the LWS via an external network coupling the enterprise network and the remote server in communication; and
  
  enforcing, by the remote server, a plurality of security policies with respect to the host asset based on the survey data including determining whether the program-code-based operational state of the host asset represents a violation of one or more security policies of the plurality of security policies, by evaluating, the survey data with reference to the plurality of security policies, wherein each security policy of the plurality of security policies defines at least one parameter condition violation of which is potentially indicative of unauthorized activity on the host asset or manipulation of the host asset making the host asset vulnerable to attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the host asset comprises a network-attached storage (NAS) device, a router, a switch, a personal computer or a printer.
  - 3. The method of claim 2, further comprising when a result of the determining is affirmative, then causing, by the remote server, the host asset to perform one or more remediation actions.
  - 4. The method of claim 2, further comprising when a result of the determining is affirmative, then causing, by the remote server, one or more selected remediations to be deployed to the host asset based on the violation.
  - 5. The method of claim 2, further comprising when a result of the determining is affirmative, then causing, by the remote server, one or more actions or operations to be carried out on the host asset.
  - 6. The method of claim 5, wherein the one or more actions or operations at least in part implement a precautionary measure to improve reliability, availability or survivability of the host asset.
  - 7. The method of claim 5, wherein the one or more actions or operations are suited to remediating circumstances of the violation.
  - 8. The method of claim 2, wherein the violation relates to existence or non-existence of a particular application on the host asset.
  - 9. The method of claim 2, wherein the violation is based at least in part on a version of a particular application on the host asset.
  - 10. The method of claim 2, wherein the violation is based at least in part on whether a patch associated with a particular application has been installed on the host asset.
  - 11. The method of claim 2, wherein the violation is based at least in part on a version of an operating system or a type of the operating system running on the host asset.
  - 12. The method of claim 2, wherein the violation relates to whether a particular process is running on the host asset.
  - 13. The method of claim 4, further comprising prior to said causing, by the remote server, the remediation to be deployed to the host asset, determining whether the remediation has been configured for automatic deployment.
  - 14. The method of claim 2, wherein the violation relates to one or more of:
    - presence of an unknown application or a rogue application on the host asset;
      
      an operating system test relating to an operating system being run by the host asset;
      
      whether a removable storage device is connected to the host asset;
      
      a particular process is running on the host asset; and
      
      a state associated with one or more ports of the host asset.
  - 15. The method of claim 2, wherein the violation relates to one or more of:
    - existence or non-existence of a particular file on the host asset;
      
      a location of a particular file on the host asset; and
      
      one or more permissions associated with the particular file.
  - 16. The method of claim 2, wherein the information regarding the program-code-based operational state comprises information indicative of one or more drivers installed on the host asset.
  - 17. The method of claim 16, wherein the violation relates to existence or non-existence of a particular type of driver on the host asset.
  - 18. The method of claim 17, wherein the particular type of driver comprises a universal serial bus (USB) driver.

19. A system comprising:
- a survey data collection and reporting means of a host asset of a plurality of monitored, networked host assets of an enterprise network, for collecting survey data, which collectively characterize a program-code-based operational state of the host asset, from a survey tool installed on the host asset and for reporting the survey data to a remote server that is in a client-server relationship with the survey data collection and reporting means via an external network coupling the enterprise network and the remote server in communication; and
  
  a policy enforcement means within the remote server for enforcing a plurality of security policies with respect to the host asset based on the survey data including determining whether the program-code-based operational state of the host asset represents a violation of one or more security policies of the plurality of security policies, by evaluating, the survey data with reference to the plurality of security policies, wherein each security policy of the plurality of security policies defines at least one parameter condition violation of which is potentially indicative of unauthorized activity on the host asset or manipulation of the host asset making the host asset vulnerable to attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Bezilla, Daniel B., Immordino, John L., Ogura, James Le
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US15/156,004
Publication Number

US 20160269444A1
Time in Patent Office

309 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/57   Certifying or maintaining t...

H04L 43/0876   Network utilisation, e.g. v...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Policy-based selection of remediation

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

135 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-based selection of remediation

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

135 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links