System for tracking data security threats and method for same

US 9,832,219 B2
Filed: 06/18/2015
Issued: 11/28/2017
Est. Priority Date: 09/05/2014
Status: Active Grant

First Claim

Patent Images

1. A method for tracking data security incidents in an enterprise network, the method comprising:

creating, in an incident manager (IM), incident objects that include information for the data security incidents and incident artifacts (IAs) that include information for data resources identified within the incident objects, wherein an IA is distinct from an incident object, wherein upon a determination that a newly-created incident object includes a data security incident associated with an existing data resource, an existing IA associated with that existing data resource is linked to the newly-created incident object, such that different incident objects can then refer to the same IA;

looking up the IAs in one or more external threat intelligence sources (TIS(s)) to obtain knowledge information concerning the IAs, wherein at least one external TIS is a file accessible via a software interface, and wherein looking up the IAs comprises querying one or more first level TIS(s) to identify whether the IAs are associated with known threats, and querying one or more second level TIS(s) to provide metadata and/or usage data for the IAs;

augmenting the IAs with the knowledge information concerning the IAs obtained from the TIS(s); and

executing rules associated with the known threats to provide an incident response to the data security incidents.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An incident response system and method for tracking data security incidents in enterprise networks is disclosed. An Incident Manager application (IM) stores incident objects and incident artifacts (IAs) created in response to the incidents, where the incident objects include the information for the incident and the IAs are associated with data resources (e.g. IP addresses and malware hashes) identified within the incident objects. In response to creation of the IAs, the IM issues queries against one or more external threat intelligence sources (TISs) to obtain information associated with the IAs and augments the IAs with the obtained information. In examples, the IM can identify known threats by comparing the contents of IAs against TIS(s) of known threats, and can identify potential trends by correlating the created incident objects and augmented IAs for an incident with incident objects and IAs stored for other incidents.

Citations

20 Claims

1. A method for tracking data security incidents in an enterprise network, the method comprising:
- creating, in an incident manager (IM), incident objects that include information for the data security incidents and incident artifacts (IAs) that include information for data resources identified within the incident objects, wherein an IA is distinct from an incident object, wherein upon a determination that a newly-created incident object includes a data security incident associated with an existing data resource, an existing IA associated with that existing data resource is linked to the newly-created incident object, such that different incident objects can then refer to the same IA;
  
  looking up the IAs in one or more external threat intelligence sources (TIS(s)) to obtain knowledge information concerning the IAs, wherein at least one external TIS is a file accessible via a software interface, and wherein looking up the IAs comprises querying one or more first level TIS(s) to identify whether the IAs are associated with known threats, and querying one or more second level TIS(s) to provide metadata and/or usage data for the IAs;
  
  augmenting the IAs with the knowledge information concerning the IAs obtained from the TIS(s); and
  
  executing rules associated with the known threats to provide an incident response to the data security incidents.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein creating the incident objects and the incident artifacts is accomplished by the IM in response to receiving messages sent from devices in the enterprise network, wherein the messages include the information for the data security incidents.
  - 3. The method of claim 1, wherein creating the incident objects and the incident artifacts, is accomplished by receiving information from Incident Response Team (IRT) personnel of the enterprise network in response to the data security incidents.
  - 4. The method of claim 1, further comprising receiving information from Incident Response Team (IRT) personnel of the enterprise network augmenting the IAs to include information concerning the IAs.
  - 5. The method of claim 1, further comprising correlating the created incident objects and the augmented IAs, with other incident objects and IAs stored in the IM associated with other data security incidents, to identify potential trends in the correlated data.
  - 6. The method of claim 5, further comprising executing rules associated with the identified potential trends to provide an incident response to the data security incidents.
  - 7. The method of claim 1, further comprising storing the incident objects and the IAs in an incident database included within the IM.
  - 8. The method of claim 1, wherein the data resources identified within the incident objects include Internet Protocol (IP) addresses, file hashes associated with malware, domain names, names of files, user account IDs, registry keys, email addresses, and/or protocol port numbers.
  - 9. The method of claim 1, wherein the external TIS(s) include first level TIS(s) of known threats including IP address blacklist and malware hash information.
  - 10. The method of claim 1, wherein the external TIS(s) include second level TIS(s) including whois, geolocation, and traceroute information.

11. An incident response system for tracking data security incidents in an enterprise network, comprising:
- one or more external threat intelligence sources (TIS(s)) that respond to queries with knowledge information concerning requested data resources, wherein at least one external TIS is a file accessible via a software interface; and
  
  an incident manager (IM) that;
  
  stores incident objects and incident artifacts (IAs) created in response to the data security incidents, wherein the incident objects include information for the data security incidents and the lAs include information for data resources identified within the incident objects, wherein an IA is distinct from an incident object, and wherein upon a determination that a newly-created incident object includes a data security incident associated with an existing data resource, an existing IA associated with that existing data resource is linked to the newly-created incident object, such that different incident objects can then refer to the same IA;
  
  provides the IAs as the requested data resources in queries to the one or more external threat information sources to obtain knowledge information concerning the IAs, wherein the external TIS(s) include one or more first level TIS(s) that provide an indication whether the IAs are associated with known threats, and one or more second level TIS(s) that provide metadata and/or usage data for the IAs;
  
  augments the IAs with the knowledge information concerning the IAs obtained from the one or more external threat information sources; and
  
  execute rules associated with the known threats to provide an incident response to the data security incidents.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the information for the data security incidents are included within messages sent from devices in the enterprise network, and wherein the IM creates the incident objects and the IAs in response to receiving the messages.
  - 13. The system of claim 11, wherein the IM receives information from Incident Response Team (IRT) personnel of the enterprise network create the incident objects and the IAs in response to the data security incidents.
  - 14. The system of claim 11, further comprising the IM receiving information from Incident Response Team (IRT) personnel of the enterprise network augmenting the IAs with information concerning the IAs.
  - 15. The system of claim 11, wherein the IM includes a correlation engine that correlates the stored incident objects and the augmented IAs with other incident objects and IAs stored in the IM to identify potential trends in the correlated data.
  - 16. The system of claim 11, wherein the IM includes a rules engine including rules, and wherein the rules engine executes rules associated with the identified potential trends to provide an incident response to the data security incidents.
  - 17. The system of claim 11, wherein the IM includes an incident database that stores the incident objects and the IAs.
  - 18. The system of claim 11, wherein the data resources identified within the incident objects include Internet Protocol (IP) addresses, file hashes associated with malware, domain names, names of files, user account IDs, registry keys, email addresses, and/or protocol port numbers.
  - 19. The system of claim 11, wherein the external TIS(s) include first level TIS(s) including IP address blacklist and malware hash information.
  - 20. The system of claim 11, wherein the external TIS(s) include second level TIS(s) including whois, geolocation, and traceroute information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Workday Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Hadden, Allen, Rogers, Kenneth Allen
Primary Examiner(s)
Hailu, Teshome

Application Number

US14/743,399
Publication Number

US 20160072836A1
Time in Patent Office

894 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

System for tracking data security threats and method for same

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System for tracking data security threats and method for same

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links