Method and system to prioritize vulnerabilities based on contextual correlation

US 9,692,778 B1
Filed: 11/11/2014
Issued: 06/27/2017
Est. Priority Date: 11/11/2014
Status: Active Grant

First Claim

Patent Images

1. A method for prioritizing vulnerabilities of a specific asset deployed by an organization in a specific virtual computing environment, performed by a processor-based contextual vulnerabilities prioritization system, comprising:

determining a vulnerability score for the specific asset, based on a CVSS (common vulnerability scoring system) score or other base vulnerability score or temporal vulnerability score, wherein the specific asset is a virtual machine or virtual application that is implemented using physical computing components in the specific virtual computing environment;

receiving information about a threat;

correlating the information about the threat with information about the specific asset based upon environmental factors of the specific asset to determine a threat score for the specific asset, wherein the environmental factors include characteristics of a customer associated with the specific asset, characteristics of the specific asset relative to the threat, and characteristics of a workload distribution relative to the threat;

determining a contextual score for the specific asset based on at least one tag of the specific asset; and

deriving a prioritization score for the specific asset, the prioritization score a combination of the vulnerability score, the threat score and the contextual score, the prioritization score representing a prioritizing, specific to the specific asset, of a context-dependent vulnerability of the specific asset to the threat.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for prioritizing vulnerabilities of an asset in a virtual computing environment is provided. The method includes determining a vulnerability score for the asset, based on at least one of a base vulnerability score or a temporal vulnerability score and receiving information about a threat. The method includes correlating the information about the threat with information about the open vulnerabilities on the asset and also about the asset to determine a threat score for the asset and determining a contextual score for the asset based on at least one tag of the asset. The method includes deriving a prioritization score for the asset, the prioritization score a combination of the vulnerability score, the threat score and the contextual score, wherein at least one method action is performed by a processor.

70 Citations

View as Search Results

20 Claims

1. A method for prioritizing vulnerabilities of a specific asset deployed by an organization in a specific virtual computing environment, performed by a processor-based contextual vulnerabilities prioritization system, comprising:
- determining a vulnerability score for the specific asset, based on a CVSS (common vulnerability scoring system) score or other base vulnerability score or temporal vulnerability score, wherein the specific asset is a virtual machine or virtual application that is implemented using physical computing components in the specific virtual computing environment;
  
  receiving information about a threat;
  
  correlating the information about the threat with information about the specific asset based upon environmental factors of the specific asset to determine a threat score for the specific asset, wherein the environmental factors include characteristics of a customer associated with the specific asset, characteristics of the specific asset relative to the threat, and characteristics of a workload distribution relative to the threat;
  
  determining a contextual score for the specific asset based on at least one tag of the specific asset; and
  
  deriving a prioritization score for the specific asset, the prioritization score a combination of the vulnerability score, the threat score and the contextual score, the prioritization score representing a prioritizing, specific to the specific asset, of a context-dependent vulnerability of the specific asset to the threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - determining a remediation to apply to the specific asset, responsive to the prioritization score meeting a threshold.
  - 3. The method of claim 1, wherein:
    - the vulnerability score assesses vulnerability of the specific asset relative to threats in general and relative to a specific vulnerability;
      
      the threat score assesses vulnerability of the specific asset to the threat, relative to the specific vulnerability; and
      
      the contextual score assesses a workload context of the specific asset relative to static aspects of the specific asset, from at least one static tag, and relative to security events, from at least one dynamic tag.
  - 4. The method of claim 1, wherein correlating the information about the threat with the information about the specific asset comprises determining one of:
    - whether the threat has an impact on the specific asset, whether the threat is associated with the customer, whether the threat utilizes positioning of a workload associated with the specific asset to impact the specific asset, whether the specific asset has an operating system targeted by the threat, whether the specific asset has an application targeted by the threat, whether the specific asset has a vulnerability associated with a common vulnerabilities and exposures identifier (CVE ID) that is associated with the threat, or severity of impact the threat poses to the application.
  - 5. The method of claim 1, wherein the contextual score is based on one of:
    - whether the specific asset has sensitive data, whether the specific asset has a critical server, whether the specific asset is Web-connected, whether there is a virus found in the specific asset, whether there is a detected intrusion to the specific asset, whether there is suspect data transferred to the specific asset, or whether there is suspect data transferred from the specific asset.
  - 6. The method of claim 1, wherein:
    - the vulnerability score is on a first predetermined scale;
      
      the threat score is on a second predetermined scale;
      
      the contextual score is on a third predetermined scale; and
      
      the prioritization score is proportional to the product of the vulnerability score, the threat score and the contextual score.
  - 7. The method of claim 1, wherein the vulnerability score is based on a common vulnerability scoring system (CVSS) score.
  - 8. The method of claim 1, wherein correlating the information about the threat with the information about the specific asset is based on one of threat impact, operating system supported, application supported, or threat type.

9. A tangible, non-transitory, computer-readable media having instructions thereupon which, when executed by a processor, cause the processor to perform a method comprising:
- obtaining one of a base common vulnerability scoring system (CVSS) score or a temporal common vulnerability scoring system score, concerning a specific asset deployed by an organization in a specific virtual computing environment, wherein the specific asset is a virtual machine or a virtual application that is implemented using physical computing components in the specific virtual computing environment;
  
  receiving threat information;
  
  generating a threat score for the specific asset, based on applicability of the threat information to the specific asset relative to environmental factors of the specific asset, wherein the environmental factors include characteristics of a customer associated with the specific asset, characteristics of the specific asset relative to the threat, and characteristics of the workload distribution relative to the threat;
  
  generating a contextual score for the specific asset, based on information on at least one tag of the specific asset; and
  
  generating a prioritization score for the specific asset, based on a multiplication of the contextual score, the threat score and the one of the base common vulnerability scoring system score or the temporal common vulnerability scoring system score, the prioritization score representing a prioritizing, specific to the specific asset, of a context-dependent vulnerability of the specific asset to the threat.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The computer-readable media of claim 9, wherein the threat information indicates one of existence of a threat, a target operating system of the threat, a target application of the threat, information about an attack, a common vulnerabilities and exposures identifier (CVE ID), or a severity of the threat.
  - 11. The computer-readable media of claim 9, wherein obtaining includes generating the one of the base common vulnerability scoring system score or the temporal common vulnerability scoring system score, or receiving from a scanner the one of the base common vulnerability scoring system score or the temporal common vulnerability scoring system score.
  - 12. The computer-readable media of claim 9, wherein:
    - the contextual score is based on information on at least one static tag indicating one of;
      
      whether the specific asset has sensitive data, whether the specific asset has a critical server, or whether the specific asset is Web-based; and
      
      the contextual score is further based on information on at least one dynamic tag indicating one of;
      
      whether a virus is found on the specific asset, whether an intrusion to the specific asset is detected, whether suspect data is transferred to the specific asset, or whether suspect data is transferred from the specific asset.
  - 13. The computer-readable media of claim 9, wherein the threat score is based on one of:
    - impact a threat referenced in the threat information has on the specific asset, association between the threat and the customer, impact of positioning of workload associated with the specific asset on the threat, an operating system of the specific asset matching a target operating system of the threat, an application of the specific asset matching a target application of the threat, a common vulnerabilities and exposures identifier (CVE ID), or a severity of impact on the application posed by the threat.
  - 14. The computer-readable media of claim 9, wherein:
    - the specific asset includes a virtual machine or a virtual application, based on physical computing resources;
      
      the threat information is received from a source external to the specific asset; and
      
      the threat score is based on a correlation of the threat information and information about the specific asset derived from the at least one tag of the specific asset.

15. A processor-based contextual vulnerabilities prioritization system for prioritizing vulnerabilities of a specific asset deployed by an organization in a specific virtual computing environment, comprising:
- a vulnerability module that obtains a vulnerability score for the specific asset, based on a CVSS (common vulnerability scoring system) score or other base or temporal vulnerability score, wherein the specific asset is a virtual machine or a virtual application that is implemented using physical computing components in the specific virtual computing environment;
  
  a threat module that generates a threat score assessing vulnerability of the specific asset to a threat, based on environmental factors of the specific asset relative to threat information and based on information about the specific asset from at least one tag of the specific asset, wherein the environmental factors include characteristics of a customer associated with the specific asset, characteristics of the specific asset relative to the threat, and characteristics of a workload distribution relative to the threat;
  
  a contextual module that generates a contextual score based on workload context of the specific asset relative to static aspects of the specific asset from the at least one tag and dynamic aspects of the specific asset from the at least one tag;
  
  a prioritization module that multiplies together the threat score, the contextual score and the vulnerability score to generate a prioritization score for the specific asset, the prioritization score representing a prioritizing, specific to the specific asset, of a context-dependent vulnerability of the specific asset to the threat; and
  
  a processor coupled to the vulnerability module, the threat module, the contextual module and the prioritization module, which are implemented using the processor, hardware, or firmware, or combination thereof.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, further comprising:
    - the vulnerability module configured to couple to an external source from which the vulnerability module obtains a base common vulnerability scoring system (CVSS) score or a temporal common vulnerability scoring system score, as the vulnerability score.
  - 17. The system of claim 15, wherein:
    - the threat module is configured to couple to an external source from which the threat module receives the threat information;
      
      the at least one tag includes information about at least one of an operating system of the specific asset, or an application of the specific asset; and
      
      the threat module correlates the threat information and the information about the specific asset from the at least one tag.
  - 18. The system of claim 15, wherein:
    - the contextual module is configured to couple to the at least one tag of the specific asset;
      
      the at least one tag includes security tags, which have information about the dynamic aspects of the specific asset; and
      
      the at least one tag includes static tags, which have information about the static aspects of the specific asset.
  - 19. The system of claim 15, wherein each of the threat score, the vulnerability score, the contextual score, and the prioritization score is specific to the specific asset and specific to a vulnerability identified by a CVE ID (common vulnerabilities and exposures identifier).
  - 20. The system of claim 15, wherein the threat module, in order to generate the threat score, correlates one of:
    - a customer targeted by the threat, positioning of a workload associated with the specific asset relative to the threat, an operating system targeted by the threat, and an operating system of the specific asset, an application targeted by the threat, and an application of the specific asset, or an impact the threat poses on the application, and a severity of the impact.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Mohanty, Shubhabrata
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Korsak, Oleg

Application Number

US14/538,599
Time in Patent Office

959 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/577   Assessing vulnerabilities a...

G06F 9/45533   Hypervisors; Virtual machin...

H04L 63/1433   Vulnerability analysis

Method and system to prioritize vulnerabilities based on contextual correlation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

70 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Method and system to prioritize vulnerabilities based on contextual correlation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others