Security actions for computing assets based on enrichment information

US 9,954,888 B2
Filed: 12/02/2015
Issued: 04/24/2018
Est. Priority Date: 12/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method of operating an advisement system to provide security actions in a computing environment comprising a plurality of assets, the method comprising:

identifying a security incident for an asset in the computing environment;

identifying a criticality rating for the asset, wherein the criticality rating is based at least on data stored on the asset and an importance of the asset to one or more other assets in the computing environment;

obtaining enrichment information for the security incident from one or more internal or external sources;

identifying a severity rating for the security incident based on the enrichment information;

determining one or more security actions based on the enrichment information;

identifying effects of the one or more security actions on operations of the computing environment based on the criticality rating and the severity rating, wherein identifying the effects of the one or more security actions comprises determining whether the asset will be accessible to other assets for each of the one or more security actions;

identifying a subset of the one or more security actions to respond to the security incident based on the effects of the one or more security actions; and

initiating implementation of at least one security action in the subset of the one or more security actions in the computing environment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and software described herein provide enhancements for implementing security actions in a computing environment. In one example, a method of operating an advisement system to provide actions in a computing environment includes identifying a security incident in the computing environment, identifying a criticality rating for the asset, and obtaining enrichment information for the security incident from one or more internal or external sources. The method also provides identifying a severity rating for the security incident based on the enrichment information, and determining one or more security actions based on the enrichment information. The method further includes identifying effects of the one or more security actions on operations of the computing environment based on the criticality rating and the severity rating, and identifying a subset of the one or more security actions to respond to the security incident based on the effects.

79 Citations

View as Search Results

18 Claims

1. A method of operating an advisement system to provide security actions in a computing environment comprising a plurality of assets, the method comprising:
- identifying a security incident for an asset in the computing environment;
  
  identifying a criticality rating for the asset, wherein the criticality rating is based at least on data stored on the asset and an importance of the asset to one or more other assets in the computing environment;
  
  obtaining enrichment information for the security incident from one or more internal or external sources;
  
  identifying a severity rating for the security incident based on the enrichment information;
  
  determining one or more security actions based on the enrichment information;
  
  identifying effects of the one or more security actions on operations of the computing environment based on the criticality rating and the severity rating, wherein identifying the effects of the one or more security actions comprises determining whether the asset will be accessible to other assets for each of the one or more security actions;
  
  identifying a subset of the one or more security actions to respond to the security incident based on the effects of the one or more security actions; and
  
  initiating implementation of at least one security action in the subset of the one or more security actions in the computing environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the one or more internal or external sources comprise one or more databases or websites.
  - 3. The method of claim 1 wherein the asset comprises one of a router, a switch, a server computer, or a desktop computer.
  - 4. The method of claim 1 wherein identifying the security incident for the asset in the computing environment comprises receiving a user indication of the security incident.
  - 5. The method of claim 1 wherein identifying the security incident for the asset in the computing environment comprises receiving an indication of the security incident from a security information and event management (SIEM) system.
  - 6. The method of claim 1 wherein the criticality rating is further based on a user of the asset.
  - 7. The method of claim 1 wherein identifying the security incident for the asset in the computing environment comprises identifying traits related to the security incident, wherein the traits comprise an identifier for the asset, and at least one of an internet protocol (IP) address related to the security incident, Uniform Resource Locator (URL) related to the security incident, a user name related to the security incident, a computing system identifier for the asset, a file name related to the security incident, or a service name related to the security incident.
  - 8. The method of claim 1 wherein identifying the subset of the one or more security actions to respond to the security incident based on the effects of the one or more security actions comprises ranking actions in the subset of the one or more security actions to respond to the security incident based on the effects of the one or more security actions.
  - 9. The method of claim 1 further comprising:
    - providing the subset of the one or more security actions to an administrator of the computing environment; and
      
      receiving a selection of the at least one security action in the subset of the one or more security actions from the administrator.

10. An apparatus to provide security actions in a computing environment comprising a plurality of assets, the apparatus comprising:
- one or more non-transitory computer readable media;
  
  processing instructions stored on the one or more non-transitory computer readable media that, when executed by a processing system, direct the processing system to;
  
  identify a security incident for an asset in the computing environment;
  
  identify a criticality rating for the asset, wherein the criticality rating is based at least on data stored on the asset and an importance of the asset to one or more other assets in the computing environment;
  
  obtain enrichment information for the security incident from one or more internal or external sources;
  
  identify a severity rating for the security incident based on the enrichment information;
  
  determine one or more security actions based on the enrichment information;
  
  identify effects of the one or more security actions on operations of the computing environment based on the criticality rating and the severity rating, wherein identifying the effects of the one or more security actions comprises determining whether the asset will be accessible to other assets for each of the one or more security actions;
  
  identify a subset of the one or more security actions to respond to the security incident based on the effects of the one or more security actions; and
  
  initiate implementation of at least one security action in the subset of the one or more security actions in the computing environment.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus of claim 10 wherein the one or more internal or external sources comprise one or more databases or websites.
  - 12. The apparatus of claim 10 wherein the asset comprises one of a router, a switch, a firewall, an operating system, a virtual private network, or an application.
  - 13. The apparatus of claim 10 wherein the processing instructions to identify the security incident for the asset in the computing environment direct the processing system to:
    - receive a user indication of the security incident;
      
      orreceive an indication of the security incident from a security information and event management (SIEM) system.
  - 14. The apparatus of claim 10 wherein the criticality rating is further based on a user of the asset.
  - 15. The apparatus of claim 10 wherein the processing instructions to identify the security incident for the asset in the computing environment direct the processing system to identify traits related to the security incident, wherein the traits comprise an identifier for the asset, and at least one of an internet protocol (IP) address related to the security incident, Uniform Resource Locator (URL) related to the security incident, a user name related to the security incident, a computing system identifier for the asset, a file name related to the security incident, or a service name related to the security incident.
  - 16. The apparatus of claim 10 wherein the processing instructions to identify the subset of the one or more security actions to respond to the security incident based on the effects of the one or more security actions comprises ranking actions in the subset of the one or more security actions to respond to the security incident based on the effects of the one or more security actions.
  - 17. The apparatus of claim 10 wherein the processing instructions further direct the processing system to:
    - provide the subset of the one or more security actions to an administrator of the computing environment; and
      
      receive a selection of the at least one security action in the subset of the one or more security actions from the administrator.
  - 18. The apparatus of claim 17 wherein the processing instructions to receive the selection of at least one security action in the subset of the one or more security actions from the administrator comprises receiving a command in a first programming language to implement the at least one security action in the subset of the one or more security actions, and wherein the processing instructions to initiate implementation of the at least one security action in the computing environment comprises:
    - identifying a software and hardware configuration associated with the asset;
      
      translating the command in the first programming language to a set of commands associated with the software and hardware configuration; and
      
      providing the set of commands to the asset in the computing environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Phantom Cyber Corporation (Splunk Inc.)
Inventors
Satish, Sourabh, Friedrichs, Oliver, Mahadik, Atif, Salinas, Govind
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Wyszynski, Aubrey

Application Number

US14/956,615
Publication Number

US 20160164907A1
Time in Patent Office

874 Days
Field of Search

726 25
US Class Current
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 21/554   involving event detection a...

H04L 47/2425   for supporting services spe...

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Security actions for computing assets based on enrichment information

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Security actions for computing assets based on enrichment information

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links