Method for the continuous calculation of a cyber security risk index

US 10,212,184 B2
Filed: 10/27/2016
Issued: 02/19/2019
Est. Priority Date: 10/27/2016
Status: Active Grant

First Claim

Patent Images

1. A method for assessing a cyber security risk, the method comprising the steps of:

obtaining cyber security precursor information from a plurality of sensors, wherein the cyber security precursor information is obtained from one or more online or offline sources;

normalizing the obtained cyber security precursor information from each sensor to a common information model based on a data source type identified for each sensor;

generating, from the normalized cyber security precursor information, a plurality of events;

computing, from the plurality of generated events, a plurality of facts, each fact comprising a reference to a set of events or facts that contributed to computing the fact;

calculating a plurality of risk indicators from the plurality of facts, each risk indicator calculated based on a time-series analysis of a type of the fact;

normalizing the plurality of risk indicators to a common model based on normalizing a plurality of facts used to calculate each risk indicator according to a data source type shared across events or analytic facts used to calculate each risk indicator;

calculating, using the plurality of normalized facts for each risk indicator, a plurality of cyber risk index component scores for each data source type; and

calculating, using the plurality cyber risk index component scores, a cyber risk indicator index.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for assessing a cyber security risk, the method comprising the steps of: obtaining cyber security precursor information from a plurality of sources, wherein the cyber security precursor information can be obtained from one or more online or offline sources; normalizing the obtained cyber security precursor information to a common information model; generating, from the normalized cyber security precursor information, one or more events; producing, from the one or more generated events, one or more facts; calculating a plurality of risk indicators from the one or more facts; normalizing the plurality of risk indicators to a common model; calculating, using the normalized plurality of risk indicators, one or more cyber risk index component scores; and calculating, using the one or more cyber risk index component scores, a cyber risk indicator index.

29 Citations

View as Search Results

29 Claims

1. A method for assessing a cyber security risk, the method comprising the steps of:
- obtaining cyber security precursor information from a plurality of sensors, wherein the cyber security precursor information is obtained from one or more online or offline sources;
  
  normalizing the obtained cyber security precursor information from each sensor to a common information model based on a data source type identified for each sensor;
  
  generating, from the normalized cyber security precursor information, a plurality of events;
  
  computing, from the plurality of generated events, a plurality of facts, each fact comprising a reference to a set of events or facts that contributed to computing the fact;
  
  calculating a plurality of risk indicators from the plurality of facts, each risk indicator calculated based on a time-series analysis of a type of the fact;
  
  normalizing the plurality of risk indicators to a common model based on normalizing a plurality of facts used to calculate each risk indicator according to a data source type shared across events or analytic facts used to calculate each risk indicator;
  
  calculating, using the plurality of normalized facts for each risk indicator, a plurality of cyber risk index component scores for each data source type; and
  
  calculating, using the plurality cyber risk index component scores, a cyber risk indicator index.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising the step of storing the plurality of generated events in an event database.
  - 3. The method of claim 1, further comprising the step of storing the plurality of generated facts in a fact database.
  - 4. The method of claim 1, further comprising the step of storing the plurality of generated risk indicators in a risk indicator database.
  - 5. The method of claim 1, wherein the step of computing the plurality of facts comprises one or more of performing a mathematical analysis, pattern detection, anomaly detection, and rule-based assessment of the plurality of events.
  - 6. The method of claim 1, wherein the cyber risk indicator index comprises a score between 0 and 100.
  - 7. The method of claim 1, further comprising the step of providing the cyber risk indicator index to a user.
  - 8. The method of claim 7, wherein the step of providing the cyber risk indicator index to a user comprises a user interface.
  - 9. The method of claim 8, wherein the user interface comprises a graph of cyber risk indicator index over time.
  - 10. The method of claim 1, further comprising the step of comparing the cyber risk indicator index to a pre-determined threshold.
  - 11. The method of claim 10, further comprising the step of notifying a user if the cyber risk indicator index exceeds the pre-determined threshold.
  - 12. The method of claim 10, further comprising the step of initiating an automated action if the cyber risk indicator index exceeds the pre-determined threshold.
  - 13. The method of claim 1, wherein normalizing the obtained cyber security precursor information from each sensor comprises:
    - weighting the cyber security precursor information from each sensor based on a percentage of network assets that are observed by each sensor and based on an operational impact of the observed network assets for each sensor.

14. A computerized system configured to assess a cyber security risk, the system comprising:
- a plurality of sensors, the plurality of sensors configured to obtain cyber security precursor information;
  
  an event database configured to store one or more events;
  
  a fact database configured to store one or more facts; and
  
  a processor programmed to perform the steps of;
  
  receiving the cyber security precursor information from the plurality of sensors;
  
  normalizing the obtained cyber security precursor information from each sensor to a common information model based on a data source type identified for each sensor;
  
  generating, from the normalized cyber security precursor information, the plurality of events;
  
  storing the plurality of generated events in the event database;
  
  computing, from the plurality of generated events, a plurality of facts, each fact comprising a reference to a set of events or facts that contributed to computing the fact;
  
  storing the plurality of facts in the facts database;
  
  calculating a plurality of risk indicators from the plurality of facts, each risk indicator calculated based on a time-series analysis of a type of the fact;
  
  normalizing the plurality of risk indicators to a common model based on normalizing a plurality of facts used to calculate each risk indicator according to a data source type shared across events or analytic facts used to calculate each risk indicator;
  
  calculating, using the plurality of normalized facts for each risk indicator, a plurality of cyber risk index component scores for each data source type; and
  
  calculating, using the plurality cyber risk index component scores, a cyber risk indicator index.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The system of claim 14, wherein the processor is configured to compute the plurality of facts using one or more of a mathematical analysis, pattern detection, anomaly detection, and rule-based assessment of the plurality of events.
  - 16. The system of claim 14, wherein the cyber risk indicator index comprises a score between 0 and 100.
  - 17. The system of claim 14, wherein the processor is further configured to provide the cyber risk indicator index to a user.
  - 18. The system of claim 14, further comprising a user interface.
  - 19. The system of claim 14, wherein the processor is further configured to compare the cyber risk indicator index to a pre-determined threshold.
  - 20. The system of claim 19, wherein the processor is further configured to notify a user if the cyber risk indicator index exceeds the pre-determined threshold.
  - 21. The system of claim 19, wherein the processor is further configured to initiate an automated action if the cyber risk indicator index exceeds the pre-determined threshold.

22. A computer system configured to assess a cyber security risk, the computer system comprising:
- a non-transitory computer-readable storage medium configured to store data collected by the computer system and comprising computer-executable instructions;
  
  a processor programmed to execute the computer-executable instructions resulting in the computer system performing the steps of;
  
  receiving cyber security precursor information from a plurality of sensors;
  
  normalizing the obtained cyber security precursor information from each sensor to a common information model based on a data source type identified for each sensor;
  
  generating, from the normalized cyber security precursor information, a plurality of events;
  
  storing the plurality of generated events in the non-transitory computer-readable storage medium;
  
  computing, from the plurality of generated events, a plurality of facts, each fact comprising a reference to a set of events or facts that contributed to computing the fact;
  
  storing the plurality of facts in the non-transitory computer-readable storage medium;
  
  calculating a plurality of risk indicators from the plurality of facts, each risk indicator calculated based on a time-series analysis of a type of the fact;
  
  normalizing the plurality of risk indicators to a common model based on normalizing a plurality of facts used to calculate each risk indicator according to a data source type shared across events or analytic facts used to calculate each risk indicator;
  
  calculating, using the plurality of normalized facts for each risk indicator, a plurality of cyber risk index component scores for each data source type; and
  
  calculating, using the plurality cyber risk index component scores, a cyber risk indicator index.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29)
- - 23. The computer system of claim 22, wherein the processor is further configured to compute the plurality of facts using one or more of a mathematical analysis, pattern detection, anomaly detection, and rule-based assessment of the plurality of events.
  - 24. The computer system of claim 22, wherein the cyber risk indicator index comprises a score between 0 and 100.
  - 25. The computer system of claim 22, wherein the processor is further configured to provide the cyber risk indicator index to a user.
  - 26. The computer system of claim 22, further comprising a user interface.
  - 27. The computer system of claim 22, wherein the processor is further configured to compare the cyber risk indicator index to a pre-determined threshold.
  - 28. The computer system of claim 27, wherein the processor is further configured to notify a user if the cyber risk indicator index exceeds the pre-determined threshold.
  - 29. The computer system of claim 27, wherein the processor is further configured to initiate an automated action if the cyber risk indicator index exceeds the pre-determined threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
OPAQ Networks, Inc. (Fortinet Inc.)
Inventors
Sweeney, Matthew S., Pokines, Benjamin B.
Primary Examiner(s)
Zee, Edward

Application Number

US15/336,307
Publication Number

US 20180124091A1
Time in Patent Office

845 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2228   Indexing structures

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

H04L 63/14   for detecting or protecting...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Method for the continuous calculation of a cyber security risk index

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Method for the continuous calculation of a cyber security risk index

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links