System for tracking data security threats and method for same
Abstract
An incident response system and method for tracking data security incidents in enterprise networks is disclosed. An Incident Manager application (IM) stores incident objects and incident artifacts (IAs) created in response to the incidents, where the incident objects include the information for the incident and the IAs are associated with data resources (e.g. IP addresses and malware hashes) identified within the incident objects. In response to creation of the IAs, the IM issues queries against one or more external threat intelligence sources (TISs) to obtain information associated with the IAs and augments the IAs with the obtained information. In examples, the IM can identify known threats by comparing the contents of IAs against TIS(s) of known threats, and can identify potential trends by correlating the created incident objects and augmented IAs for an incident with incident objects and IAs stored for other incidents.
20 Claims
1. A method for tracking data security incidents in an enterprise network, the method comprising:
- creating, in an incident manager (IM), incident objects that include information for the data security incidents and incident artifacts (IAs) that include information for data resources identified within the incident objects, wherein an IA is distinct from an incident object, wherein upon a determination that a newly-created incident object includes a data security incident associated with an existing data resource, an existing IA associated with that existing data resource is linked to the newly-created incident object, such that different incident objects can then refer to the same IA;
- looking up the IAs in one or more external threat intelligence sources (TIS(s)) to obtain knowledge information concerning the IAs, wherein at least one external TIS is a file accessible via a software interface, and wherein looking up the IAs comprises querying one or more first level TIS(s) to identify whether the IAs are associated with known threats, and querying one or more second level TIS(s) to provide metadata and/or usage data for the IAs;
- augmenting the IAs with the knowledge information concerning the IAs obtained from the TIS(s); and
- executing rules associated with the known threats to provide an incident response to the data security incidents.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. An incident response system for tracking data security incidents in an enterprise network, comprising:
- one or more external threat intelligence sources (TIS(s)) that respond to queries with knowledge information concerning requested data resources, wherein at least one external TIS is a file accessible via a software interface; and
- an incident manager (IM) that:
  - stores incident objects and incident artifacts (IAs) created in response to the data security incidents, wherein the incident objects include information for the data security incidents and the IAs include information for data resources identified within the incident objects, wherein an IA is distinct from an incident object, and wherein upon a determination that a newly-created incident object includes a data security incident associated with an existing data resource, an existing IA associated with that existing data resource is linked to the newly-created incident object, such that different incident objects can then refer to the same IA;
  - provides the IAs as the requested data resources in queries to the one or more external threat information sources to obtain knowledge information concerning the IAs, wherein the external TIS(s) include one or more first level TIS(s) that provide an indication whether the IAs are associated with known threats, and one or more second level TIS(s) that provide metadata and/or usage data for the IAs;
  - augments the IAs with the knowledge information concerning the IAs obtained from the one or more external threat information sources; and
  - executes rules associated with the known threats to provide an incident response to the data security incidents.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
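The abstract and the two independent claims describe one data flow: incident objects point at shared incident artifacts, each artifact is looked up once in a first-level source (known threat or not) and a second-level source (metadata), the artifact is augmented, and rules keyed on the known threat produce a response. The following Python model is an added example written for this page; it is not the patent's implementation. The JSON layout of the file-based first-level TIS, the in-memory second-level TIS, the rule table, and every indicator value (documentation-range IPs and a dummy 32-character hash) are constructed for the illustration.

```python
"""Toy incident manager: shared incident artifacts, two-level TIS lookup,
augmentation and rule execution. Added example with constructed data."""
import json
import os
import tempfile
from dataclasses import dataclass, field
from typing import Optional

# Constructed first-level TIS content: indicator -> threat category.
# It is written to a JSON file so the lookup goes through a file interface.
FIRST_LEVEL_TIS_CONTENT = {
    "ip": {"203.0.113.7": "c2-server"},
    "hash": {"a" * 32: "test-malware-family"},   # dummy hash, not a real IoC
}
# Constructed second-level TIS: metadata / usage data per indicator.
SECOND_LEVEL_TIS = {
    "ip": {"203.0.113.7": {"asn": "AS64496", "country": "XX"}},
    "hash": {"a" * 32: {"first_seen": "2024-01-05", "file_type": "pe"}},
}
# Constructed rule table keyed on the threat category the first-level TIS returns.
RULES = {
    "c2-server": "block destination at egress firewall",
    "test-malware-family": "quarantine file on host",
}


@dataclass
class IncidentArtifact:
    """An IA: one data resource, shared by every incident that mentions it."""
    kind: str
    value: str
    incident_ids: list = field(default_factory=list)
    knowledge: dict = field(default_factory=dict)   # second-level augmentation
    threat: Optional[str] = None                    # first-level verdict


@dataclass
class IncidentObject:
    incident_id: int
    description: str
    artifacts: list = field(default_factory=list)   # references to shared IAs


class FileTIS:
    """First-level TIS backed by a JSON file read through open()/json.load."""
    def __init__(self, path: str):
        self.path = path

    def lookup(self, kind: str, value: str) -> Optional[str]:
        with open(self.path) as fh:
            data = json.load(fh)
        return data.get(kind, {}).get(value)


class IncidentManager:
    def __init__(self, first_level: FileTIS, second_level: dict, rules: dict):
        self.first_level, self.second_level, self.rules = first_level, second_level, rules
        self.incidents = {}
        self.artifacts = {}      # (kind, value) -> IA; distinct incidents share one IA
        self.responses = []      # (incident_id, indicator, action) produced by rules

    def create_incident(self, description: str, resources) -> IncidentObject:
        inc = IncidentObject(len(self.incidents) + 1, description)
        for kind, value in resources:
            ia = self.artifacts.get((kind, value))
            if ia is None:                       # new resource: create and enrich once
                ia = IncidentArtifact(kind, value)
                self.artifacts[(kind, value)] = ia
                self._augment(ia)
            ia.incident_ids.append(inc.incident_id)   # existing IA linked to new incident
            inc.artifacts.append(ia)
            if ia.threat in self.rules:          # execute the rule for the known threat
                self.responses.append((inc.incident_id, value, self.rules[ia.threat]))
        self.incidents[inc.incident_id] = inc
        return inc

    def _augment(self, ia: IncidentArtifact) -> None:
        ia.threat = self.first_level.lookup(ia.kind, ia.value)
        ia.knowledge.update(self.second_level.get(ia.kind, {}).get(ia.value, {}))

    def correlated_incidents(self, kind: str, value: str) -> list:
        """Trend view: every incident that refers to the same IA."""
        ia = self.artifacts.get((kind, value))
        return list(ia.incident_ids) if ia else []


def run_demo() -> IncidentManager:
    """Two constructed incidents that share one IP indicator."""
    fd, path = tempfile.mkstemp(suffix=".json")
    os.close(fd)
    with open(path, "w") as fh:
        json.dump(FIRST_LEVEL_TIS_CONTENT, fh)
    try:
        im = IncidentManager(FileTIS(path), SECOND_LEVEL_TIS, RULES)
        im.create_incident("beaconing from workstation",
                           [("ip", "203.0.113.7"), ("ip", "198.51.100.9")])
        im.create_incident("AV alert on file server",
                           [("hash", "a" * 32), ("ip", "203.0.113.7")])
    finally:
        os.remove(path)
    return im


if __name__ == "__main__":
    im = run_demo()
    for incident_id, indicator, action in im.responses:
        print(f"incident {incident_id}: {indicator} -> {action}")
    print("incidents sharing 203.0.113.7:", im.correlated_incidents("ip", "203.0.113.7"))
```

The `(kind, value)` key is what makes the IA distinct from the incident object: the second incident does not get a fresh copy of the IP artifact, it is linked to the one already enriched, so the TIS lookups run once per indicator and the correlation query falls out of the shared link list rather than a separate search.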