Cyber risk analysis and remediation using network monitored sensors and methods of use

US 10,404,748 B2
Filed: 03/28/2016
Issued: 09/03/2019
Est. Priority Date: 03/31/2015
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

one or more computing systems that are subject to a cyber risk policy, the cyber risk policy comprising breach parameters defining one or more events that are indicative of a cyber security breach, the breach parameters being associated with a remediation provision in a policy for the computing systems and a network;

one or more data collecting devices deployed within the network that collect entity information and monitor network traffic of the network that is related to security information;

a processor configured to;

utilize the entity information and the network traffic to calculate a composite score from a motivation score and a sophistication score, wherein the motivation score is indicative of a desire level of a malicious actor to cause a cyber security risk for the entity and the sophistication score is indicative of a cyber security sophistication of the entity;

automatically detect occurrence of one or more of the events that are indicative of a cyber security breach based on the network traffic;

automatically determine the breach parameters that apply for the one or more events that occurred;

generate a remediation of cyber security parameters for the network based on the applicable breach parameters determined and the associated remediation provision, wherein the remediation of cyber security parameters at least includes modifying a password requirement associated with the one or more computer systems; and

perform the remediation based on the breach parameters, wherein the remediation causes network changes that selectively reduce the motivation score for the entity or selectively increase the sophistication score of the entity, wherein at least one of the network changes includes increasing a password complexity associated with the system and prompting a user associated with the entity to create an associated password that complies with the password complexity; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for cyber risk analysis and remediation using network monitored sensors are provided herein. An example system includes one or more data collecting devices deployed within a network that collect entity information and monitor network traffic of the network that is related to security information. The network includes computing systems that are subject to a cyber risk policy having breach parameters defining one or more events that are indicative of a cyber security breach. A cyber security risk assessment and management system is used to automatically detect occurrence of one or more of the events that are indicative of a cyber security breach, automatically determine the breach parameters that apply for the one or more events that occurred, and generates a remediation of cyber security parameters for the network.

121 Citations

20 Claims

1. A system, comprising:
- one or more computing systems that are subject to a cyber risk policy, the cyber risk policy comprising breach parameters defining one or more events that are indicative of a cyber security breach, the breach parameters being associated with a remediation provision in a policy for the computing systems and a network;
  
  one or more data collecting devices deployed within the network that collect entity information and monitor network traffic of the network that is related to security information;
  
  a processor configured to;
  
  utilize the entity information and the network traffic to calculate a composite score from a motivation score and a sophistication score, wherein the motivation score is indicative of a desire level of a malicious actor to cause a cyber security risk for the entity and the sophistication score is indicative of a cyber security sophistication of the entity;
  
  automatically detect occurrence of one or more of the events that are indicative of a cyber security breach based on the network traffic;
  
  automatically determine the breach parameters that apply for the one or more events that occurred;
  
  generate a remediation of cyber security parameters for the network based on the applicable breach parameters determined and the associated remediation provision, wherein the remediation of cyber security parameters at least includes modifying a password requirement associated with the one or more computer systems; and
  
  perform the remediation based on the breach parameters, wherein the remediation causes network changes that selectively reduce the motivation score for the entity or selectively increase the sophistication score of the entity, wherein at least one of the network changes includes increasing a password complexity associated with the system and prompting a user associated with the entity to create an associated password that complies with the password complexity; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 20)
- - 2. The system according to claim 1, wherein the network traffic comprises data collected regarding employees using the one or more computing systems or the network.
  - 3. The system according to claim 1, wherein the network traffic comprises data collected regarding websites visited by employees using the network and the one or more computing systems.
  - 4. The system according to claim 1, wherein the processor is configured to evaluate the network traffic on one or more network layers.
  - 5. The system according to claim 4, wherein the network traffic is evaluated for any of dynamic host protocol (DHCP) information, classless inter-domain routing (CIDR) blocks, and domain name system (DNS) information included in the network traffic.
  - 6. The system according to claim 5, wherein the processor is further configured to:
    - create a fingerprint of the network traffic from the DHCP information; and
      
      store the fingerprint in a database.
  - 7. The system according to claim 1, wherein the processor comprises a first set of sensors that operate on a data link layer of the network.
  - 8. The system according to claim 7, wherein the processor further comprises a second set of sensors that operate on an Internet Protocol Address layer of the network to evaluate address resolution (ARP) protocol information from the network traffic.
  - 9. The system according to claim 8, wherein the second set of sensors transmits the ARP protocol information to the first set of sensors for storage in a database along with DNS information.
  - 10. The system according to claim 1, wherein the remediation comprises recommendations for improvement for the breached entity based on a nature of the one or more events that occurred.
  - 11. The system according to claim 1, wherein the processor is further configured to query the entity or the network for information, scrape available online sources;
    - retrieve corporate filings, and query news sources and public record databases.
  - 12. The system according to claim 1, wherein the processor is further configured to:
    - evaluate a plurality of networks to generate a plurality of risk scores and a plurality of motivation scores, the plurality of networks comprising the network; and
      
      plot the plurality of risk scores and the plurality of motivation scores graphically as a peer group.
  - 13. The system according to claim 1, wherein the entity information and the network traffic are evaluated for any of visibility, value, hacker sentiment, employee sentiment, company sentiment, customer sentiment, and combinations thereof.
  - 14. The system according to claim 1, wherein the entity information and the network traffic are evaluated for any of traffic, usage, in-links, page views, duration, traffic volume, links, page rank, market value, stock trade volume, exporting/importing information, and combinations thereof.
  - 20. The system of claim 1, wherein the motivation score is based in part on at least one of a frequency of mention on a social media site, a frequency of website visits, or a press release related to one or more particular triggered events.

15. A method, comprising:
- establishing breach parameters for one or more computer systems and a network, the breach parameters defining one or more events that are indicative of a cyber security breach, the breach parameters being associated with a remediation provision in a cyber security policy of the one or more computer systems and a network;
  
  collecting entity information and monitoring network traffic of the network that is related to security information;
  
  utilizing the entity information and the network traffic to calculate a composite score from a motivation score and a sophistication score, wherein the motivation score is indicative of a desire level of a malicious actor to cause a cyber security risk for the entity and the sophistication score is indicative of a cyber security sophistication of the entity;
  
  automatically detecting occurrence of one or more of the events that are indicative of a cyber security breach based on the network traffic;
  
  automatically determining the breach parameters that apply for the one or more events that occurred;
  
  generating a remediation of cyber security parameters for a network based on the applicable breach parameters determined and the associated remediation provision, wherein the remediation at least includes modifying a password requirement associated with the one or more computer systems; and
  
  performing the remediation based on the breach parameters, wherein the remediation causes network changes that selectively reduce the motivation score for the entity or selectively increase the sophistication score of the entity, wherein at least one of the network changes includes increasing a password complexity associated with the system and prompting a user associated with the entity to create an associated password that complies with the password complexity.
- View Dependent Claims (16, 17, 18)
- - 16. The method according to claim 15, further comprising providing recommendations for improvement for the breached entity based on the nature of the one or more events that occurred.
  - 17. The method according to claim 16, further comprising tying at least one of sophistication scores and changes in sophistication scores to remediation adjustments.
  - 18. The method according to claim 15, wherein the remediation comprises a change to a hosting infrastructure, network or website topology, vulnerability scanning, content distribution networks, shared hosting, cloud services, patching, updating, default passwords, and any combinations thereof.

19. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising instructions for:
- establishing breach parameters for one or more computer systems and a network, the breach parameters defining one or more events that are indicative of a cyber security breach, the breach parameters being associated with a remediation provision in a cyber security policy of the one or more computer systems and a network;
  
  collecting entity information and monitoring network traffic of the network that is related to security information;
  
  utilizing the entity information and the network traffic to calculate a composite score from a motivation score and a sophistication score, wherein the motivation score is indicative of a desire level of a malicious actor to cause a cyber security risk for the entity and the sophistication score is indicative of a cyber security sophistication of the entity;
  
  automatically detecting occurrence of one or more events that are indicative of a cyber security breach based on the network traffic;
  
  automatically determining one or more breach parameters that apply for the one or more events that occurred, wherein the one or more breach parameters define the one or more events that are indicative of the cyber security breach, wherein the one or more breach parameters are associated with a remediation provision in a policy for one or more computing systems;
  
  generating a remediation of cyber security parameters for the network based on the applicable breach parameters determined and the associated remediation provision, wherein the remediation of the cyber security parameters at least includes modifying a password requirement associated with the one or more computing systems; and
  
  performing the remediation based on the breach parameters, wherein the remediation causes network changes that selectively reduce the motivation score for the entity or selectively increase the sophistication score of the entity, wherein at least one of the network changes includes increasing a password complexity associated with the system and prompting a user associated with the entity to create an associated password that complies with the password complexity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyence LLC. (Guidewire Software Incorporated)
Original Assignee
Guidewire Software Incorporated
Inventors
Parthasarathi, Arvind, Ng, George Y., Honea, Matthew
Primary Examiner(s)
Leung, Robert B
Assistant Examiner(s)
Ho, Thomas

Application Number

US15/082,890
Publication Number

US 20160294854A1
Time in Patent Office

1,254 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/20 for managing network securi...

Cyber risk analysis and remediation using network monitored sensors and methods of use

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

121 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cyber risk analysis and remediation using network monitored sensors and methods of use

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links