Incident response automation engine

US 9,762,607 B2
Filed: 04/17/2015
Issued: 09/12/2017
Est. Priority Date: 12/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method of operating a processing system of an advisement system to implement security actions for a computing environment comprising a plurality of computing assets, the method comprising:

providing security incident information to an administrator associated with the computing environment, wherein the security incident information comprises asset identifiers for assets related to a security incident and enrichment information for the security incident obtained from internal or external sources;

in response to providing the security incident information, identifying a user generated security action in a command language for the computing environment;

identifying one or more computing assets related to the security action;

obtaining hardware and software characteristics for the one or more computing assets;

translating the security action in the command language to one or more action procedures based on the hardware and software characteristics; and

initiating implementation of the one or more action procedures in the one or more computing assets.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and software described herein enhances how security actions are implemented within a computing environment. In one example, a method of implementing security actions for a computing environment comprising a plurality of computing assets includes identifying a security action in a command language for the computing environment. The method further provides identifying one or more computing assets related to the security action, and obtaining hardware and software characteristics for the one or more computing assets. The method also includes translating the security action in the command language to one or more action procedures based on the hardware and software characteristics, and initiating implementation of the one or more action procedures in the one or more computing assets.

Citations

14 Claims

1. A method of operating a processing system of an advisement system to implement security actions for a computing environment comprising a plurality of computing assets, the method comprising:
- providing security incident information to an administrator associated with the computing environment, wherein the security incident information comprises asset identifiers for assets related to a security incident and enrichment information for the security incident obtained from internal or external sources;
  
  in response to providing the security incident information, identifying a user generated security action in a command language for the computing environment;
  
  identifying one or more computing assets related to the security action;
  
  obtaining hardware and software characteristics for the one or more computing assets;
  
  translating the security action in the command language to one or more action procedures based on the hardware and software characteristics; and
  
  initiating implementation of the one or more action procedures in the one or more computing assets.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein the computing assets comprise host computing systems, end user computing systems, routers, switches, or virtual processing systems.
  - 3. The method of claim 1 wherein identifying the user generated security action in the command language comprises receiving the user generated security action from an administration console associated with an administrator.
  - 4. The method of claim 1 wherein the security action comprises an action to block at least one internet protocol (IP) address, an action to remove a process on the one or more computing assets, or an action to enter the one or more computing assets into a virtual local area network (VLAN).
  - 5. The method of claim 1 wherein the command language comprises a visual programming language.

6. An apparatus to manage security actions for a computing environment comprising a plurality of computing assets, the apparatus comprising:
- one or more non-transitory computer readable media; and
  
  processing instructions stored on the one or more non-transitory computer readable media that, when executed by a processing system, direct the processing system to;
  
  provide security incident information to an administrator associated with the computing environment, wherein the security incident information comprises asset identifiers for assets related to a security incident and enrichment information for the security incident obtained from internal or external sources;
  
  in response to providing the security incident information, identify a user generated security action in a command language for the computing environment;
  
  identify one or more computing assets related to the security action;
  
  obtain hardware and software characteristics for the one or more computing assets;
  
  translate the security action in the command language to one or more action procedures based on the hardware and software characteristics; and
  
  initiate implementation of the one or more action procedures in the one or more computing assets.
- View Dependent Claims (7, 8, 9)
- - 7. The apparatus of claim 6 wherein the command language comprises a visual programming language.
  - 8. The apparatus of claim 6 wherein the computing assets comprise host computing systems, end user computing systems, routers, switches, or virtual processing systems.
  - 9. The apparatus of claim 6 wherein the processing instructions further direct the processing system to identify the security incident within the computing environment, and wherein the processing instructions to provide the security incident information to the administrator direct the processing system to provide the security incident information to the administrator in response to identifying the security incident.

10. A computing apparatus to manage security actions for a computing environment comprising a plurality of computing assets, the apparatus comprising:
- one or more non-transitory computer readable media;
  
  a processing system operatively coupled to the one or more non-transitory computer readable media; and
  
  processing instructions stored on the one or more non-transitory computer readable media that, when executed by the processing system, direct the processing system to at least;
  
  provide security incident information to an administrator associated with the computing environment, wherein the security incident information comprises asset identifiers for assets related to a security incident and enrichment information for the security incident obtained from internal or external sources;
  
  in response to providing the security incident information, identify a user generated security action in a command language for the computing environment;
  
  identify one or more computing assets related to the security action;
  
  obtain hardware and software characteristics for the one or more computing assets;
  
  translate the security action in the command language to one or more action procedures based on the hardware and software characteristics; and
  
  initiate implementation of the one or more action procedures in the one or more computing assets.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computing apparatus of claim 10 wherein the processing instructions further direct the processing system to identify the security incident within the computing environment, and wherein the processing instructions to provide the security incident information to the administrator direct the processing system to provide the security incident information to the administrator in response to identifying the security incident.
  - 12. The computing apparatus of claim 10 wherein the command language comprises a visual programming language.
  - 13. The computing apparatus of claim 10 wherein the computing assets comprises host computing systems, end user computing systems, routers, switches, or virtual processing systems.
  - 14. The computing apparatus of claim 10 wherein the program instructions to identify the user generated security action in the command language direct the processing system to receive the user generated security action from an administration console associated with an administrator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Phantom Cyber Corporation (Cisco Systems, Inc.)
Inventors
Satish, Sourabh, Friedrichs, Oliver, Mahadik, Atif, Salinas, Govind
Primary Examiner(s)
Song, Hosuk

Application Number

US14/689,973
Publication Number

US 20160164919A1
Time in Patent Office

879 Days
Field of Search

726 1, 726 11- 15, 726 22- 24, 713153-154, 709223-225, 709229
US Class Current
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 21/554   involving event detection a...

H04L 47/2425   for supporting services spe...

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Incident response automation engine

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Incident response automation engine

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links