Automated responses to security threats
First Claim
1. A method of operating an advisement system to provide default security actions in a computing environment, the method comprising:
in a processing system of the advisement system, identifying a security incident for an asset in the computing environment, wherein the computing environment comprises a plurality of computing assets;
in response to identifying the security incident, identifying enrichment information about the security incident from one or more databases;
determining a rule set for the security incident based on the enrichment information;
identifying an action response for the security incident based on the rule set;
identifying a time period for the action response to be implemented in the computing environment;
initiating implementation of the action response for the security incident in the computing environment;
identifying one or more action recommendations for an administrator based on the rule set;
providing the one or more action recommendations to the administrator of the computing environment;
using the identified time period as a defined time period for which the administrator has to respond to the one or more action recommendations;
determining whether a selection of the one or more action recommendations is provided by the administrator within the defined time period;
if a selection is provided by the administrator within the defined time period, initiating implementation of the selection in the computing environment; and
if a selection is not provided by the administrator within the defined time period, initiating a supplemental automated action in the computing environment for the security incident.
Abstract
Systems, methods, and software described herein provide security actions to computing assets of a computing environment. In one example, a method of operating an advisement system to manage security actions for a computing environment includes identifying a security incident for an asset in the environment, and obtaining enrichment information about the security incident. The method further includes identifying a rule set based on the enrichment information, identifying an action response based on the rule set, and initiating implementation of the action response in the computing environment.
61 Citations
14 Claims
2. The method of claim wherein identifying the time period for the action response to be implemented in the computing environment comprises identifying the time period for the action response to be implemented in the computing environment based on at least one of a criticality rating of the asset or a severity rating for the security incident.
8. A non-transitory computer readable storage medium having instructions stored thereon, that when executed by an advisement computing system, direct the advisement computing system to perform a method of providing default security actions in a computing environment comprising a plurality of assets, the method comprising:
identifying a security incident for an asset in the computing environment;
in response to identifying the security incident, identifying enrichment information about the security incident from one or more databases;
determining a rule set for the security incident based on the enrichment information;
identifying an action response for the security incident based on the rule set;
identifying a time period for the action response to be implemented in the computing environment;
initiating implementation of the action response for the security incident in the computing environment;
identifying one or more action recommendations for an administrator based on the rule set;
providing the one or more action recommendations to the administrator of the computing environment;
using the identified time period as a defined time period for which the administrator has to respond to the one or more action recommendations;
determining whether a selection of the one or more action recommendations is provided by the administrator within the defined time period;
if a selection is provided by the administrator within the defined time period, initiating implementation of the selection in the computing environment; and
if a selection is not provided by the administrator within the defined time period, initiating a supplemental automated action in the computing environment for the security incident.
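The timed default-action sequence of claims 1 and 8, with the criticality/severity-based deadline of claim 2, as an added illustration that is not the patent's own code. The enrichment database, threat-intelligence hits, rule sets, action names and the administrator's reply are all constructed samples, and the clock is simulated (a reply delay in seconds) so the workflow runs offline.

```python
"""Advisement-system workflow from the claims (added example, constructed data)."""
from dataclasses import dataclass
from typing import Optional

# Constructed enrichment database: per-asset criticality rating.
ENRICHMENT_DB = {
    "db-server-01": {"criticality": "high"},
    "kiosk-07": {"criticality": "low"},
}
# Constructed threat-intel lookup; 198.51.100.0/24 is a documentation range.
THREAT_INTEL = {"198.51.100.23": "known-c2"}

# Constructed rule sets keyed by enrichment category: the default action taken
# immediately, the recommendations offered to the administrator, and the
# supplemental automated action taken if no valid reply arrives in time.
RULE_SETS = {
    "known-c2": {"default": "block-ip-at-firewall",
                 "recommendations": ["isolate-host", "capture-memory"],
                 "fallback": "isolate-host"},
    "unknown": {"default": "log-and-monitor",
                "recommendations": ["block-ip-at-firewall"],
                "fallback": "open-ticket-for-analyst"},
}

@dataclass
class Incident:
    asset: str
    remote_ip: str
    severity: str  # "low" | "medium" | "high"

def response_window(criticality: str, severity: str) -> int:
    """Claim 2: administrator deadline (seconds) from criticality and severity."""
    base = {"low": 3600, "medium": 900, "high": 300}[severity]
    return base // 2 if criticality == "high" else base

def handle_incident(inc: Incident, admin_choice: Optional[str], reply_after: int) -> dict:
    """Run the claim-1 steps; admin_choice/reply_after simulate the administrator."""
    enrichment = dict(ENRICHMENT_DB.get(inc.asset, {"criticality": "low"}))
    enrichment["intel"] = THREAT_INTEL.get(inc.remote_ip, "unknown")
    rules = RULE_SETS[enrichment["intel"]]          # rule set from enrichment
    window = response_window(enrichment["criticality"], inc.severity)
    actions = [rules["default"]]                    # default action goes in at once
    offered = rules["recommendations"]              # sent to the administrator
    if admin_choice in offered and reply_after <= window:
        actions.append(admin_choice)                # valid selection within the window
    else:
        actions.append(rules["fallback"])           # no reply in time: supplemental action
    return {"window": window, "offered": offered, "actions": actions}
```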
Specification