Classifying kill-chains for security incidents
First Claim
1. A method of operating an advisement system to provide security actions in a computing environment comprising a plurality of computing assets, the method comprising:
in a processing system of the advisement system, identifying a security threat within the computing environment, wherein the security threat comprises an unknown process executing on an asset of the plurality of computing assets;
in response to identifying the security threat, receiving state information for the security threat from the asset and one or more additional assets of the plurality of computing assets, wherein the state information comprises at least communication activity for the security threat with the one or more additional assets, and wherein the communication activity for the security threat comprises a quantity of communications initiated by the security threat with the one or more additional assets and an amount of data communicated by the security threat;
determining a current state for the security threat within the computing environment based on the state information;
obtaining enrichment information for the security threat; and
determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.
2 Assignments
0 Petitions
Abstract
Systems, methods, and software described herein provide security actions based on the current state of a security threat. In one example, a method of operating an advisement system in a computing environment with a plurality of computing assets includes identifying a security threat within the computing environment. The method further includes, in response to identifying the security threat, obtaining state information for the security threat within the computing environment, and determining a current state for the security threat within the computing environment. The method also provides obtaining enrichment information for the security threat and determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.
55 Citations
18 Claims
1. A method of operating an advisement system to provide security actions in a computing environment comprising a plurality of computing assets (independent claim; full text as given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. An apparatus to manage security actions for a computing environment comprising a plurality of assets, the apparatus comprising:
one or more non-transitory computer readable media; and
processing instructions stored on the one or more computer readable media that, when executed by a processing system, direct the processing system to:
identify a security threat within the computing environment, wherein the security threat comprises an unknown process executing on an asset of the plurality of computing assets;
in response to identifying the security threat, receive state information for the security threat from the asset and one or more additional assets of the plurality of computing assets, wherein the state information comprises at least communication activity for the security threat with the one or more additional assets, and wherein the communication activity for the security threat comprises a quantity of communications initiated by the security threat with the one or more additional assets and an amount of data communicated by the security threat;
determine a current state for the security threat within the computing environment based on the state information;
obtain enrichment information for the security threat; and
determine one or more security actions for the security threat based on the enrichment information and the current state for the security threat.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.
17. An advisement system to manage security actions for a computing environment comprising a plurality of assets, the advisement system comprising:
a communication interface configured to receive a notification of a security threat within the computing environment, wherein the security threat comprises an unknown process executing on an asset of the plurality of computing assets; and
a processing system, communicatively coupled to the communication interface, configured to:
in response to the notification of the security threat, receive state information for the security threat from the asset and one or more additional assets of the plurality of computing assets, wherein the state information comprises at least communication activity for the security threat with the one or more additional assets, and wherein the communication activity for the security threat comprises a quantity of communications initiated by the security threat with the one or more additional assets and an amount of data communicated by the security threat;
determine a current state for the security threat within the computing environment based on the state information;
obtain enrichment information for the security threat; and
determine one or more security actions for the security threat based on the enrichment information and the current state for the security threat.
Dependent claims: 18.
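The claimed pipeline (identify an unknown process, receive its communication activity from the asset and its peers, determine a current state, obtain enrichment, then choose actions) as an added Python illustration. This is not the patent's implementation: the state labels, thresholds, action playbook, telemetry and placeholder hash are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class StateReport:
    """State information about the unknown process, as reported by one asset."""
    reporting_asset: str
    peer_asset: str      # additional asset the process communicated with
    connections: int     # quantity of communications initiated by the process
    bytes_out: int       # amount of data the process communicated

# Constructed telemetry for an unknown process first seen on host-01.
REPORTS = [
    StateReport("host-01", "host-02", connections=48, bytes_out=24_000),
    StateReport("host-01", "host-03", connections=52, bytes_out=26_000),
    StateReport("host-02", "host-01", connections=2, bytes_out=1_200),
]
# Constructed enrichment lookup keyed by process hash; the hash is a placeholder.
ENRICHMENT = {"sha256:PLACEHOLDER_HASH": {"reputation": "unknown", "signed": False}}
UNKNOWN = {"reputation": "unknown", "signed": False}

def determine_current_state(reports: list[StateReport]) -> str:
    """Assumed state labels derived from aggregate communication activity."""
    total_conns = sum(r.connections for r in reports)
    total_bytes = sum(r.bytes_out for r in reports)
    peers = {r.peer_asset for r in reports}
    if total_bytes >= 100 * 1024 * 1024:       # bulk transfer: likely exfiltration
        return "exfiltrating"
    if len(peers) >= 2 and total_conns >= 50:  # many connections to many hosts
        return "propagating"
    return "active"

def determine_actions(state: str, enrichment: dict) -> list[str]:
    """Assumed playbook: actions depend on both the state and the enrichment."""
    actions = []
    if enrichment["reputation"] == "malicious":
        actions += ["terminate process", "block process hash on all assets"]
    elif not enrichment["signed"]:
        actions.append("submit sample to sandbox")
    if state == "propagating":
        actions += ["isolate asset from network", "block lateral traffic to peers"]
    elif state == "exfiltrating":
        actions += ["block outbound egress for asset", "capture memory image"]
    return actions or ["monitor"]

def advise(process_hash: str, reports: list[StateReport]) -> dict:
    """Full pipeline: state information -> current state -> enrichment -> actions."""
    state = determine_current_state(reports)
    enrichment = ENRICHMENT.get(process_hash, UNKNOWN)
    return {"state": state, "actions": determine_actions(state, enrichment)}
```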