Systems and methods for implementing modular computer system security solutions

US 9,817,978 B2
Filed: 10/10/2014
Issued: 11/14/2017
Est. Priority Date: 10/11/2013
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a memory; and

a control chain processor operatively coupled to the memory, the control chain processor configured to automatically discover a hardware asset in response to the hardware asset being operatively coupled to the control chain processor via a network, the control chain processor configured to automatically identify, in response to automatically discovering the hardware asset, a first plurality of hardware asset attributes for the hardware asset and automatically define, based on the first plurality of hardware asset attributes, an asset data structure for the hardware asset,the control chain processor configured to select, from a control database and in response to automatically discovering the hardware asset, a security guideline control data structure to be implemented with respect to the hardware asset, the security guideline control data structure (1) including requirements to satisfy a human-readable security guideline associated with the security guideline control data structure, (2) being generated during runtime operation by translating the human-readable security guideline into the security guideline control data structure and (3) including a second plurality of hardware asset attributes, the control chain processor configured to select the security guideline control data structure based on the first plurality of hardware asset attributes being associated with the second plurality of hardware asset attributes,the control chain processor configured to select, based on the security guideline control data structure and the first plurality of hardware asset attributes, a security implementation control data structure from a plurality of implementation control data structures and to be associated with the hardware asset, the security implementation control data structure including instructions to interpret information encoded in the security guideline control data structure during runtime operation so as to perform security actions at the hardware asset,the control chain processor configured to select, based on the security implementation control data structure and the security guideline control data structure, a computer-implemented control assessor including computer-readable instructions to execute a computer-implemented automated test to monitor the hardware asset during runtime operation based on the security implementation control data structure to determine compliance of the hardware asset with the security guideline control data structure, the control chain processor configured to define a control chain including the security guideline control data structure, the security implementation control data structure, and the computer-implemented control assessor,the control chain processor configured to send an instruction to apply the control chain to the hardware asset such that the security implementation control data structure is implemented at the hardware asset to improve a security function of the hardware asset and the computer-implemented control assessor monitors the hardware asset based on the security implementation control data structure for compliance with the security guideline.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, an apparatus includes a control chain generation module is configured to receive, from a control database, a security guideline control to be implemented with respect to a hardware asset. The control chain generation module is configured to select, based on requirements to satisfy the security guideline and attributes of the hardware asset, a security implementation control. The control chain generation module is configured to select a control assessor to monitor the compliance of the hardware asset with the security guideline and is configured to define a control chain including the security guideline control, the security implementation control, and the control assessor. The control chain generation module is configured to send an instruction to apply the control chain to the hardware asset such that the control assessor monitors the hardware asset for compliance with the security guideline.

Citations

24 Claims

1. An apparatus, comprising:
- a memory; and
  
  a control chain processor operatively coupled to the memory, the control chain processor configured to automatically discover a hardware asset in response to the hardware asset being operatively coupled to the control chain processor via a network, the control chain processor configured to automatically identify, in response to automatically discovering the hardware asset, a first plurality of hardware asset attributes for the hardware asset and automatically define, based on the first plurality of hardware asset attributes, an asset data structure for the hardware asset,the control chain processor configured to select, from a control database and in response to automatically discovering the hardware asset, a security guideline control data structure to be implemented with respect to the hardware asset, the security guideline control data structure (1) including requirements to satisfy a human-readable security guideline associated with the security guideline control data structure, (2) being generated during runtime operation by translating the human-readable security guideline into the security guideline control data structure and (3) including a second plurality of hardware asset attributes, the control chain processor configured to select the security guideline control data structure based on the first plurality of hardware asset attributes being associated with the second plurality of hardware asset attributes,the control chain processor configured to select, based on the security guideline control data structure and the first plurality of hardware asset attributes, a security implementation control data structure from a plurality of implementation control data structures and to be associated with the hardware asset, the security implementation control data structure including instructions to interpret information encoded in the security guideline control data structure during runtime operation so as to perform security actions at the hardware asset,the control chain processor configured to select, based on the security implementation control data structure and the security guideline control data structure, a computer-implemented control assessor including computer-readable instructions to execute a computer-implemented automated test to monitor the hardware asset during runtime operation based on the security implementation control data structure to determine compliance of the hardware asset with the security guideline control data structure, the control chain processor configured to define a control chain including the security guideline control data structure, the security implementation control data structure, and the computer-implemented control assessor,the control chain processor configured to send an instruction to apply the control chain to the hardware asset such that the security implementation control data structure is implemented at the hardware asset to improve a security function of the hardware asset and the computer-implemented control assessor monitors the hardware asset based on the security implementation control data structure for compliance with the security guideline.
- View Dependent Claims (2, 3, 4, 5, 6, 21, 22, 23, 24)
- - 2. The apparatus of claim 1, wherein the control chain includes Plan of Action and Milestone (POAM) instructions, the control chain processor configured to:
    - alter, based on the POAM instructions, a health evaluation score action performed by the computer-implemented control assessor for the security implementation control data structure in the control chain.
  - 3. The apparatus of claim 1, wherein the control chain processor is configured to:
    - store the control chain in an aggregated control catalogue;
      
      receive a request, from a private control catalogue including user-specific control chains, to receive a copy of the control chain; and
      
      provide a representation of the copy of the control chain to the private control catalogue.
  - 4. The apparatus of claim 1, wherein the control chain processor is configured to:
    - select the computer-implemented control assessor to monitor the hardware asset for compliance with the security guideline control data structure including performing a health evaluation score calculation for the security implementation control data structure, andmodify the security implementation control data structure when a health evaluation score value from the health evaluation score calculation does not meet a predetermined health evaluation criterion.
  - 5. The apparatus of claim 1, wherein the security implementation control data structure is a first security implementation control data structure from the plurality of implementation control data structures, the control chain processor configured to:
    - select the computer-implemented control assessor to monitor the hardware asset for compliance with the security guideline control data structure including performing a health evaluation score calculation for the first security implementation control data structure, andselect at least a second security implementation control data structure from the plurality of implementation control data structures and to include in the control chain when a health evaluation score value from the health evaluation score calculation does not meet a predetermined health evaluation score criterion.
  - 6. The apparatus of claim 1, wherein the control chain processor is configured to:
    - select the computer-implemented control assessor to monitor the hardware asset for compliance with the security guideline control data structure including performing a first health evaluation score calculation for the security implementation control data structure at a first time, andschedule a second health evaluation score calculation for the security implementation control data structure at a second time when a health evaluation score value from the first health evaluation score calculation meets a predetermined health evaluation score criterion.
  - 21. The apparatus of claim 1, wherein the computer-implemented control assessor monitors the compliance of the hardware asset with the security guideline control data structure by monitoring the security actions of the security implementation control data structure, andthe computer-implemented control assessor includes instructions to automatically change settings associated with the security implementation control data structure based on monitoring the compliance of the hardware asset.
  - 22. The apparatus of claim 1, wherein the control chain processor is configured to use a selected communication protocol to communicate with the control chain at the hardware asset to obtain status information associated with the hardware asset.
  - 23. The apparatus of claim 1, wherein the security implementation control data structure is implemented at the hardware asset to place the hardware asset in compliance with the human-readable security guideline.
  - 24. The apparatus of claim 1, wherein the computer-implemented automated test monitors the security implementation control data structure to determine that execution of the security implementation control data structure by the hardware asset places the hardware asset in compliance with the security guideline control data structure.

7. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor to:
- automatically discover a hardware asset in response to the hardware asset being operatively coupled to a control chain processor via a network;
  
  automatically identify, in response to automatically discovering the hardware asset, a first plurality of hardware asset attributes for the hardware asset and automatically define, based on the first plurality of hardware asset attributes, an asset data structure for the hardware asset;
  
  select, from a control database and in response to automatically discovering the hardware asset, a security guideline control data structure to be implemented with respect to the hardware an asset, the security guideline control data structure including requirements to satisfy a human-readable security guideline associated with the security guideline control data structure and being generated by translating the human-readable security guideline into the security guideline control data structure, the security guideline control data structure including a second plurality of hardware asset attributes, the selecting the security guideline control data structure being based on the first plurality of hardware asset attributes being associated with the second plurality of hardware asset attributes;
  
  select, based on the security guideline control data structure and the first plurality of hardware asset attributes, a security implementation control data structure from a plurality of implementation control data structures and to be associated with the hardware asset, the security implementation control data structure including instructions to interpret information encoded in the security guideline control data structure during runtime operation so as to perform security actions at the hardware asset;
  
  select, based on the security implementation control data structure and the security guideline control data structure, a computer-implemented control assessor including computer-readable instructions to execute a computer-implemented automated test to monitor the hardware asset during runtime operation based on the security implementation control data structure to determine compliance of the asset with the security guideline control data structure;
  
  define a control chain including the security guideline control data structure, the security implementation control data structure, and the computer-implemented control assessor; and
  
  send an instruction to apply the control chain to the hardware asset such that the security implementation control data structure is implemented with respect to the hardware asset and the computer-implemented control assessor monitors the hardware asset based on the security implementation control data structure for compliance with the security guideline control data structure.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 8. The non-transitory processor-readable medium of claim 7, wherein the control chain includes Plan of Action and Milestone (POAM) instructions, the code further comprising code to cause the processor to:
    - alter, based on the POAM instructions, a health evaluation score action performed by the computer-implemented control assessor for the security implementation control data structure in the control chain.
  - 9. The non-transitory processor-readable medium of claim 7, wherein the control chain includes Plan of Action and Milestone (POAM) instructions, the code further comprising code to cause the processor to:
    - disable, based on the POAM instructions, a scheduled health evaluation score calculation for the security implementation control data structure.
  - 10. The non-transitory processor-readable medium of claim 7, wherein the control chain includes Plan of Action and Milestone (POAM) instructions, the code further comprising code to cause the processor to:
    - disable, based on the POAM instructions, a scheduled health evaluation score modification by the computer-implemented control assessor, the scheduled health evaluation score modification is a modification of the control chain by the computer-implemented control assessor when a health evaluation score does not meet a pre-determined criterion.
  - 11. The non-transitory processor-readable medium of claim 7, the code further comprising code to cause the processor to:
    - store the control chain in an aggregated control catalogue;
      
      receive a request, from a private control catalogue including user-specific control chains, to receive a copy of the control chain; and
      
      provide a representation of the copy of the control chain to the private control catalogue.
  - 12. The non-transitory processor-readable medium of claim 7, wherein the security implementation control data structure is a first security implementation control data structure from the plurality of implementation control data structures, the code further comprising code to cause the processor to:
    - receive an indication of a modification of the requirements to satisfy the human-readable security guideline associated with the security guideline control data structure;
      
      select, based on the indication of the modification, a second security implementation control data structure from the plurality of implementation control data structures and to be associated with the hardware asset; and
      
      modify the control chain to include the second security implementation control data structure.
  - 13. The non-transitory processor-readable medium of claim 7, wherein the security implementation control data structure is a first security implementation control data structure from the plurality of implementation control data structures, the code further comprising code to cause the processor to:
    - receive an indication of a modification of the requirements to satisfy the human-readable security guideline associated with the security guideline control data structure;
      
      select, based on the indication of the modification, at least a second security implementation control data structure from the plurality of implementation control data structures and to be associated with the hardware asset; and
      
      modify the control chain to include the second security implementation control data structure but not the first security implementation control data structure.
  - 14. The non-transitory processor-readable medium of claim 7, wherein the computer-implemented control assessor is configured to monitor the compliance of the hardware asset with the security guideline control data structure by performing a health evaluation score calculation for the security implementation control data structure, the code further comprising code to cause the processor to:
    - perform, using the computer-implemented control assessor, a control chain modification action in response to the health evaluation score calculation.
  - 15. The non-transitory processor-readable medium of claim 7, wherein the computer-implemented control assessor is configured to monitor the compliance of the hardware asset with the security guideline control data structure by performing a health evaluation score calculation for the security implementation control data structure, the code further comprising code to cause the processor to:
    - modify the security implementation control data structure when a health evaluation score value from the health evaluation score calculation does not meet a predetermined health evaluation score criterion.
  - 16. The non-transitory processor-readable medium of claim 7, wherein the security implementation control data structure is a first security implementation control data structure from the plurality of implementation control data structures, the computer-implemented control assessor is configured to monitor the compliance of the hardware asset with the security guideline control data structure by performing a health evaluation score calculation for the first security implementation control data structure, the code further comprising code to cause the processor to:
    - select at least a second security implementation control data structure to include in the control chain when a health evaluation score value from the health evaluation score calculation does not meet a predetermined health evaluation score criterion.
  - 17. The non-transitory processor-readable medium of claim 7, wherein the computer-implemented control assessor is configured to monitor the compliance of the hardware asset with the security guideline control data structure by performing a first health evaluation score calculation for the security implementation control data structure at a first time, the code further comprising code to cause the processor to:
    - schedule a second health evaluation score calculation for the security implementation control data structure at a second time when a health evaluation score value from the first health evaluation score calculation meets a predetermined health evaluation score criterion.
  - 18. The non-transitory processor-readable medium of claim 7, wherein the security implementation control data structure is a first security implementation control data structure from the plurality of implementation control data structures and the computer-implemented control assessor is a first computer-implemented control assessor, the code further comprising code to cause the processor to:
    - select, based on the security guideline control data structure and the first plurality of hardware asset attributes, a second security implementation control data structure from the plurality of implementation control data structures and to be associated with the hardware asset;
      
      select, based on the second security implementation control data structure, a second computer-implemented control assessor; and
      
      define a modified control chain including the guideline control data structure, the first security implementation control data structure, the second security implementation control data structure, the first computer-implemented control assessor, and the second computer-implemented control assessor.
  - 19. The non-transitory processor-readable medium of claim 7, wherein the security implementation control data structure is selected in part based on a comparison of control attributes in the security guideline control data structure, and control attributes in the security implementation control data structure,the computer-implemented control assessor is selected in part based on a comparison of the control attributes in the security implementation control data structure, and control attributes in the computer-implemented control assessor.
  - 20. The non-transitory processor-readable medium of claim 7, the code further comprising code to cause the processor to:
    - receive a request from a user to receive a control chain report;
      
      retrieve control chain attribute data from a database in response to the request;
      
      generate the control chain report based on the control chain attribute data; and
      
      provide a representation of the control chain report to the user,the control chain attribute data includes at least one of a control chain performance indicator;
      
      a control chain health evaluation score;
      
      a control chain asset mapping;
      
      asset attributes associated with an asset in the control chain asset mapping;
      
      or control attributes associated with each of the security guideline control data structure, the security implementation control data structure, and the computer-implemented control assessor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ark Network Security Solutions, LLC
Original Assignee
Ark Network Security Solutions, LLC
Inventors
Marsh, Jacob J., Roney, Gregory D.
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
MCCOY, RICHARD ANTHONY

Application Number

US14/511,866
Publication Number

US 20150106873A1
Time in Patent Office

1,131 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

G06Q 10/0635 Risk analysis of enterprise...

Systems and methods for implementing modular computer system security solutions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for implementing modular computer system security solutions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links