Systems and methods of network security and threat management
First Claim
1. A method, comprising:
performing, by one or more computer systems:
receiving traffic information generated based, at least in part, upon an analysis of packets directed to a plurality of enterprise assets, each of the plurality of enterprise assets coupled to at least one of a plurality of distinct computer networks;
receiving vulnerability information generated based, at least in part, upon a scan of the plurality of distinct computer networks, the scan configured to detect vulnerabilities associated with one or more of the plurality of enterprise assets;
receiving vendor alert information provided by one or more third-party vendors, the vendor alert information related to one or more of the plurality of enterprise assets;
continuously correlating:
the received traffic information, vulnerability information, and vendor alert information; and
each of at least one security threat of one or more security threats occurring within a first period of time with at least one similar security threat occurring within a second period of time to assess a threat potential of the respective security threat of the at least one security threat;
assigning threat points to the one or more security threats based, at least in part, upon the continuous correlation;
dynamically adjusting a priority of each of the one or more security threats and threat points associated with each of the one or more security threats by escalating a security threat with a highest potential to be successful and modifying a risk associated with other security threats based, at least in part, upon the continuous correlation, wherein escalating the security threat with the highest potential to be successful comprises:
identifying, based on the received vulnerability information and an age of the vulnerability information, an enterprise asset of the plurality of enterprise assets being vulnerable to the security threat, wherein a potential for the security threat to be successful against the enterprise asset is based on a degree of vulnerability of the enterprise asset with respect to the security threat and the age of the vulnerability information with respect to the security threat;
associating different security threats of the one or more security threats with different colors, each color being indicative of a different level of priority of a corresponding security threat of the one or more security threats; and
providing the at least one security threat of the one or more security threats for display, wherein each of the at least one security threat is displayed in a color associated with the respective security threat.
13 Assignments
0 Petitions
Abstract
The present disclosure generally provides systems and methods of network security and threat management. An exemplary system includes detection and prevention modules (DPM) designed specifically to collect and transmit suspicious binary network packet data. The collected network packets are sent to a behavioral correlation module to perform automatic behavioral correlation: (1) within each DPM, (2) across all DPMs installed on a network, and (3) across all DPMs installed on all networks. The results of the behavioral correlation are sent to a security dashboard module (SDM), which generally acts as a fully integrated Security Event Management system and collects, correlates, and prioritizes global network alerts, local network alerts, posted vendor alerts, and detected network vulnerabilities with enterprise assets. The SDM could display the results in a user-friendly graphical user interface and has the ability to perform geographic mapping of externally generated threats.
21 Citations
17 Claims
1. A method, comprising:
(claim text reproduced in full under First Claim above)
Dependent claims (not shown): 2, 3, 4, 5, 6, 7, 8, 9
10. A network security and threat management system, comprising:
a computer configured to:
receive traffic information generated based, at least in part, upon an analysis of packets directed to a plurality of enterprise assets, wherein the traffic information includes a resource violation message reporting an unknown client's attempt to use an unknown protocol;
receive vulnerability information generated based, at least in part, upon an analysis of one or more of the plurality of enterprise assets;
receive vendor alert information provided by one or more third-party vendors;
continuously correlate:
the received traffic information, vulnerability information, and vendor alert information; and
each of at least one security threat of a plurality of security threats occurring within a first period of time with at least one similar security threat occurring within a second period of time to assess a threat potential of the respective security threat of the at least one security threat to reduce false positives and to enhance threat relevance of the at least one security threat;
assign threat points to each of the plurality of security threats based, at least in part, upon the continuous correlation, wherein to assign the threat points the computer is further configured to:
upgrade the threat points associated with the given security threat in response to the traffic information being correlated with the vulnerability information;
upgrade the threat points associated with the given security threat in response to the traffic information being correlated with the vendor alert information; and
upgrade the threat points associated with the given security threat in response to the vulnerability information being correlated with the vendor alert information;
dynamically adjust a priority of a given one of the plurality of security threats and threat points associated with the given one of the plurality of security threats by escalating a security threat with a highest potential to be successful and modifying a risk associated with other security threats based, at least in part, upon the continuous correlation and upon an age of the given one of the plurality of security threats, wherein escalating the security threat with the highest potential to be successful comprises:
identifying, based on the received vulnerability information and an age of the vulnerability information, an enterprise asset of the plurality of enterprise assets being vulnerable to the security threat and the age of the vulnerability information with respect to the security threat, wherein a potential for the security threat to be successful against the enterprise asset is directly proportional to a degree of vulnerability of the enterprise asset with respect to the security threat;
associate different security threats of the plurality of security threats with different colors, each color being indicative of a different level of priority of a corresponding security threat of the plurality of security threats; and
provide the at least one security threat of the plurality of security threats for display, wherein each of the at least one security threat is displayed in a color associated with the respective security threat.
Dependent claims (not shown): 11
12. A method, comprising:
performing, by one or more computer systems:
receiving traffic information generated based, at least in part, upon an analysis of packets directed to a plurality of enterprise assets, wherein the traffic information includes a resource violation message reporting an unknown client's attempt to use an unknown protocol;
receiving vulnerability information generated based, at least in part, upon vulnerabilities detected in one or more of the plurality of enterprise assets;
receiving vendor alert information provided by one or more third-party vendors, the vendor alert information related to one or more of the plurality of enterprise assets;
increasing a security threat level associated with a given one of a plurality of security threats in response to:
the traffic information being correlated with the vulnerability information, the traffic information being correlated with the vendor alert information, and the vulnerability information being correlated with the vendor alert information; and
each of at least one security threat of the plurality of security threats occurring within a first period of time being correlated with at least one similar security threat occurring within a second period of time to assess a threat potential of the respective security threat of the at least one security threat;
dynamically adjusting a priority of each of the plurality of security threats and threat points associated with each of the plurality of security threats by escalating a security threat of the plurality of security threats with highest potential to be successful and modifying a risk associated with other security threats based, at least in part, upon the continuous correlations, wherein escalating the security threat with the highest potential to be successful comprises:
identifying, based on the received vulnerability information and an age of the vulnerability information, an enterprise asset of the plurality of enterprise assets being vulnerable to the security threat, wherein a potential for the security threat to be successful against the enterprise asset is based on a vulnerability of the enterprise asset with respect to the security threat and the age of the vulnerability information with respect to the security threat;
associating different security threats of the plurality of security threats with different colors, each color being indicative of a different level of priority of a corresponding security threat of the plurality of security threats; and
providing the at least one security threat of the plurality of security threats for display, wherein each of the at least one security threat is displayed in a color associated with the respective security threat.
Dependent claims (not shown): 13, 14, 15, 16, 17
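The abstract and independent claims 1, 10 and 12 describe one scoring pipeline: three inputs (packet-analysis traffic information, vulnerability-scan results, vendor alerts) are correlated pairwise, a threat seen in one period is correlated with a similar threat in another period, threat points are assigned and upgraded for each correlation, the threat with the highest potential to succeed (degree of vulnerability, discounted by the age of the vulnerability information) is escalated while the others are re-ranked, and each threat is displayed in a priority colour. The Python below is an added example of that pipeline written for this page; it is not code from the patent or its assignee. The point weights, the 30-day half-life used to age scan data, the one-day period boundary, the colour thresholds, and the asset names and SIG-* signature tags are all assumptions chosen to make the mechanics visible.

```python
"""Added example: threat-point scoring and prioritisation in the style of the
claims above. Not code from the patent or its assignee; weights, half-life,
colour thresholds, asset names and SIG-* tags are all assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class TrafficEvent:
    asset: str              # enterprise asset the packets were directed to
    signature: str          # what packet analysis matched (placeholder tag)
    seen_at: datetime
    resource_violation: bool = False   # unknown client using an unknown protocol

@dataclass(frozen=True)
class Vulnerability:
    asset: str
    signature: str
    degree: float           # 0..1, how exposed the asset is to this signature
    scanned_at: datetime    # the "age of the vulnerability information" runs from here

@dataclass(frozen=True)
class VendorAlert:
    signature: str
    published_at: datetime

@dataclass
class ScoredThreat:
    asset: str
    signature: str
    points: int
    potential: float        # likelihood of success against this asset
    color: str = ""

PAIR_POINTS = 2             # assumed: traffic x vuln, traffic x alert, vuln x alert
TEMPORAL_POINTS = 1         # assumed: same threat also seen in the earlier period
VIOLATION_POINTS = 1        # assumed: resource-violation message in the traffic
ESCALATION_POINTS = 3       # assumed: bonus for the single highest-potential threat
INFO_HALF_LIFE = timedelta(days=30)   # assumed decay of scan-result confidence

def age_factor(scanned_at: datetime, now: datetime) -> float:
    """Scan data loses half its weight every INFO_HALF_LIFE (assumed curve)."""
    age = now - scanned_at
    return 1.0 if age <= timedelta(0) else 0.5 ** (age / INFO_HALF_LIFE)

def correlate(traffic, vulns, alerts, now, period=timedelta(days=1)):
    """Score (asset, signature) threats from the three pairwise correlations
    plus the first-period/second-period recurrence check."""
    vuln_by_key = {(v.asset, v.signature): v for v in vulns}
    alert_sigs = {a.signature for a in alerts}
    current = [t for t in traffic if t.seen_at > now - period]
    earlier = {(t.asset, t.signature) for t in traffic if t.seen_at <= now - period}
    traffic_keys = {(t.asset, t.signature) for t in current}
    violations = {(t.asset, t.signature) for t in current if t.resource_violation}
    # A vulnerable asset named in a vendor alert is a threat even before any traffic.
    keys = traffic_keys | {k for k, v in vuln_by_key.items() if v.signature in alert_sigs}
    scored = []
    for key in sorted(keys):
        asset, sig = key
        vuln, alerted = vuln_by_key.get(key), sig in alert_sigs
        points = 0
        if key in traffic_keys:
            points += 1 + (VIOLATION_POINTS if key in violations else 0)
            points += PAIR_POINTS if vuln else 0        # traffic x vulnerability
            points += PAIR_POINTS if alerted else 0     # traffic x vendor alert
            points += TEMPORAL_POINTS if key in earlier else 0
        if vuln and alerted:
            points += PAIR_POINTS                       # vulnerability x vendor alert
        # Potential to succeed: degree of vulnerability, discounted by info age.
        potential = vuln.degree * age_factor(vuln.scanned_at, now) if vuln else 0.0
        scored.append(ScoredThreat(asset, sig, points, round(potential, 3)))
    return scored

def color_for(points: int) -> str:
    """Assumed mapping from threat points to the display colour."""
    return "red" if points >= 8 else "orange" if points >= 5 else "yellow" if points >= 3 else "green"

def prioritize(scored):
    """Escalate the one threat with the highest potential, then re-rank everything."""
    if scored:
        top = max(scored, key=lambda s: (s.potential, s.points))
        top.points += ESCALATION_POINTS
    for s in scored:
        s.color = color_for(s.points)
    return sorted(scored, key=lambda s: (-s.points, -s.potential, s.asset, s.signature))

def run_example():
    """Constructed inputs; asset names and SIG-* tags are placeholders."""
    now = datetime(2024, 6, 1, 12, 0)
    h, d = timedelta(hours=1), timedelta(days=1)
    traffic = [
        TrafficEvent("web-01", "SIG-A", now - 1 * h),
        TrafficEvent("web-01", "SIG-A", now - 3 * d),            # recurrence, earlier period
        TrafficEvent("db-01", "SIG-B", now - 2 * h, resource_violation=True),
        TrafficEvent("file-01", "SIG-C", now - 0.5 * h),
    ]
    vulns = [
        Vulnerability("web-01", "SIG-A", 0.9, now - 10 * d),
        Vulnerability("file-01", "SIG-C", 0.8, now - 120 * d),   # high degree, stale info
        Vulnerability("mail-01", "SIG-B", 0.5, now - 2 * d),     # no traffic seen yet
    ]
    alerts = [VendorAlert("SIG-A", now - 5 * d), VendorAlert("SIG-B", now - 1 * d)]
    return prioritize(correlate(traffic, vulns, alerts, now))

if __name__ == "__main__":
    for t in run_example():
        print(f"{t.color:6} {t.points:2} {t.potential:.3f} {t.asset}/{t.signature}")
```

Running `run_example()` shows the two behaviours the claims single out. `file-01` carries a high-degree vulnerability, but its scan data is 120 days old, so its potential is discounted far below `web-01`, whose fresher finding also matches live traffic, a vendor alert, and an earlier-period sighting and is therefore the one escalated. `mail-01` becomes a tracked threat from the vulnerability x vendor-alert correlation alone, before any traffic to it is seen, which is the point of upgrading on that pair in claim 10.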
Specification