Automated responses to security threats

US 9,712,555 B2
Filed: 03/31/2015
Issued: 07/18/2017
Est. Priority Date: 12/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method of operating an advisement system to provide default security actions in a computing environment, the method comprising:

in a processing system of the advisement system, identifying a security incident for an asset in the computing environment, wherein the computing environment comprises a plurality of computing assets;

in response to identifying the security incident, identifying enrichment information about the security incident from one or more databases;

determining a rule set for the security incident based on the enrichment information;

identifying an action response for the security incident based on the rule set;

identifying a time period for the action response to be implanted in the computing environment;

initiating implementation of the action response for the security incident in the computing environment;

identifying one or more action recommendations for an administrator based on the rule set;

providing the one or more action recommendations to the administrator of the computing environment;

using the identified time period as a defined time period for which the administrator has to respond to the one or more action recommendations;

determining whether a selection of the one or more action recommendations is provided by the administrator within the defined time period;

if a selection is provided by the administrator within the defined time period, initiating implementation of the selection in the computing environment; and

if a selection is not provided by the administrator within the defined time period, initiating a supplemental automated action in the computing environment for the security incident.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and software described herein provide security actions to computing assets of a computing environment. In one example, a method of operating an advisement system to manage security actions for a computing environment includes identifying a security incident for an asset in the environment, and obtaining enrichment information about the security incident. The method further includes identifying a rule set based on the enrichment information, identifying an action response based on the rule set, and initiating implementation of the action response in the computing environment.

61 Citations

View as Search Results

14 Claims

1. A method of operating an advisement system to provide default security actions in a computing environment, the method comprising:
- in a processing system of the advisement system, identifying a security incident for an asset in the computing environment, wherein the computing environment comprises a plurality of computing assets;
  
  in response to identifying the security incident, identifying enrichment information about the security incident from one or more databases;
  
  determining a rule set for the security incident based on the enrichment information;
  
  identifying an action response for the security incident based on the rule set;
  
  identifying a time period for the action response to be implanted in the computing environment;
  
  initiating implementation of the action response for the security incident in the computing environment;
  
  identifying one or more action recommendations for an administrator based on the rule set;
  
  providing the one or more action recommendations to the administrator of the computing environment;
  
  using the identified time period as a defined time period for which the administrator has to respond to the one or more action recommendations;
  
  determining whether a selection of the one or more action recommendations is provided by the administrator within the defined time period;
  
  if a selection is provided by the administrator within the defined time period, initiating implementation of the selection in the computing environment; and
  
  if a selection is not provided by the administrator within the defined time period, initiating a supplemental automated action in the computing environment for the security incident.
- View Dependent Claims (3, 4, 5, 6, 7)
- - 3. The method of claim 1 wherein initiating the supplemental automated action in the computing environment comprises initiating removal of the action response for the security incident in the computing environment.
  - 4. The method of claim 1 wherein initiating the supplemental automated action in the computing environment comprises initiating a replacement of the action response with a second action response in the computing environment.
  - 5. The method of claim 1 wherein initiating implementation of the selection in the computing environment comprises initiating implementation of the selection in place of the action response.
  - 6. The method of claim 1 further comprising:
    - identifying whether the security incident is no longer active within the computing environment after implementing the action response; and
      
      if the security incident is no longer active, initiating removal of the action response for the security incident in the computing environment.
  - 7. The method of claim 1 wherein identifying the enrichment information about the security incident from one or more databases comprises inquiring the one or more databases and one or more websites to determine the enrichment information for the security incident.

2. The method of claim wherein identifying the time period for the action response to be implemented in the computing environment comprises identifying the time period for the action response to be implemented in the computing environment based on at least one of a criticality rating of the asset or a severity rating for the security incident.

8. A non-transitory computer readable storage medium having instructions stored thereon, that when executed by an advertisement computing system, direct the advertisement computing system to perform a method of providing default security actions in a computing environment comprising a plurality of assets, the method comprising:
- identifying a security incident for an asset in the computing environment;
  
  in response to in identifying the security incident, identifying enrichment information about the security incident from one or more databases;
  
  determining a rule set for the security incident based on the enrichment information;
  
  identifying an action response for the security incident based on the rule set;
  
  identifying a time period for the action response to be implemented in the computing environment;
  
  initiating implementation of the action response for the security incident in the computing environment;
  
  identifying one or more action recommendations for an administrator based on the rule set;
  
  providing the one or more action recommendations to the administrator of the computing environment;
  
  using the identified time period as a defined time period for which the administrator has to respond to the one or more action recommendations;
  
  determining whether a selection of the one or more action recommendations is provided by the administrator within the defined time period;
  
  if a selection is provided by the administrator within the defined time period, initiating implementation of the selection in the computing environment; and
  
  if a selection is not provided by the administrator within the defined time period, initiating a supplemental automated action in the computing environment for the security incident.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer readable storage medium of claim 8 , wherein identifying the time period for the action response to be implemented in the computing environment comprises identifying the time period for the action response to be implemented in the computing environment based on a criticality rating of the asset or a severity rating for the security incident.
  - 10. The non-transitory computer readable storage medium of claim 8, wherein initiating the supplemental automated action in the computing environment comprises initiating removal of the action response for the security incident in the computing environment.
  - 11. The non-transitory computer readable storage medium of claim 8, wherein initiating the supplemental automated action in the computing environment comprises initiating a replacement of the action response with a second action response in the computing environment.
  - 12. The non-transitory computer readable storage medium of claim 8, wherein initiating implementation of the selection in the computing environment comprises initiating implementation of the selection in place of the action response.
  - 13. The non-transitory computer readable storage medium of claim 8, wherein the method further comprises:
    - identifying whether the security incident is no longer active within the computing environment after implementing the action, response; and
      
      if the security incident is no longer active, initiating removal of the action response for the security incident in the computing environment.
  - 14. The non-transitory computer readable storage medium of claim 8, wherein identifying the enrichment information about the security incident from one or more databases comprises inquiring the one or more databases and one or more websites to determine the enrichment information for the security incident.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Phantom Cyber Corporation (Splunk Inc.)
Inventors
Satish, Sourabh, Friedrichs, Oliver, Mahadik, Atif, Salinas, Govind
Primary Examiner(s)
LESNIEWSKI, VICTOR D

Application Number

US14/674,679
Publication Number

US 20160164916A1
Time in Patent Office

840 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 21/554   involving event detection a...

H04L 47/2425   for supporting services spe...

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Automated responses to security threats

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

61 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Automated responses to security threats

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links