Distributive Security Investigation

US 20100031354A1
Filed: 04/05/2008
Published: 02/04/2010
Est. Priority Date: 04/05/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

identifying a first security issue;

creating a first request comprising at least one asset identifier, said asset identifier referring to an asset related to said first security issue;

transmitting said first request to a plurality of devices;

receiving at least one response from at least one of said plurality of devices, said response comprising data relating to said first request;

creating a case object; and

storing at least a portion of said data in said case object.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security investigation system uses a central server to distribute requests for security information regarding an asset, receive responses, and manage the information in the responses in a case object. Requests may be distributed to various servers, each of which may have an agent that may receive the request, search various databases, logs, and other locations, and generate a response. A case object may be continually updated in some embodiments. The case object may be viewed, analyzed, and other requests generated using automated or manual tools. A case object may be sanitized for analysis without compromising sensitive information.

Citations

20 Claims

1. A method comprising:
- identifying a first security issue;
  
  creating a first request comprising at least one asset identifier, said asset identifier referring to an asset related to said first security issue;
  
  transmitting said first request to a plurality of devices;
  
  receiving at least one response from at least one of said plurality of devices, said response comprising data relating to said first request;
  
  creating a case object; and
  
  storing at least a portion of said data in said case object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 further comprising:
    - determining a modification to said first request and generating a second request based on said modification;
      
      transmitting said second request to said plurality of devices;
      
      receiving at least one second response based on said second request; and
      
      storing at least a portion of said second response in said case object.
  - 3. The method of claim 2, said determining a modification being performed by an automated analysis mechanism.
  - 4. The method of claim 2, said determining a modification being performed at least in part by receiving an input from a user interface.
  - 5. The method of claim 1 further comprising:
    - identifying an asset identifier in said case object; and
      
      for each instance of said asset identifier in said case object, replacing said asset identifier with a token.
  - 6. The method of claim 1, said identifying comprising monitoring a set of communications and determining an abnormality.
  - 7. The method of claim 1, said identifying comprising receiving an alert from a security monitoring agent.
  - 8. The method of claim 7, said security monitoring agent being adapted to monitor said at least one asset.
  - 9. The method of claim 1, said identifying comprising:
    - selecting a plurality of security issues;
      
      assigning a priority to each of said plurality of security issues; and
      
      selecting said first security issue based at least in part on said priority.
  - 10. The method of claim 1, said asset comprising at least one of a group composed of:
    - a user;
      
      a device;
      
      a communications channel;
      
      an application; and
      
      a data object.
  - 11. The method of claim 1, said first request further comprising a modifier.
  - 12. The method of claim 11, said modifier comprising at least one of a group composed of:
    - a time range designator;
      
      a session descriptor;
      
      a communications parameter; and
      
      a level of detail.
  - 13. The method of claim 1, said plurality of devices comprising at least one of a group composed of:
    - a messaging server;
      
      an email server;
      
      a network gateway server;
      
      an authentication server; and
      
      a status management server.

14. A system comprising:
- a database comprising security states for each of a plurality of monitored devices;
  
  a monitoring system configured to receive security alerts relating to one or more of said plurality of monitored devices;
  
  a case management system comprising;
  
  a request generation system configured to generate a request based on at least one of said security alerts, said request comprising an asset identifier;
  
  a transmission system configured to transmit said request to a plurality of devices;
  
  a response reception system configured to receive a response from at least one of said plurality of devices; and
  
  an analysis system configured to store at least a portion of said response in a case object.
- View Dependent Claims (15, 16, 17)
- - 15. The system of claim 14, said analysis system further comprising automated analysis logic configured to generate a second request based on said response.
  - 16. The system of claim 14, said request generation system further configured to automatically generate said request based.
  - 17. The system of claim 14 further comprising:
    - a user interface configured to transmit a command to generate said request and display at least a portion of said case object.

18. A computer readable storage medium comprising computer executable instructions configured to perform a method comprising:
- receiving a selection of a first security issue from a plurality of security issues;
  
  create a first case object;
  
  creating a first request comprising at least one asset identifier, said asset identifier referring to an asset related to said first security issue;
  
  transmitting said first request to a plurality of devices;
  
  receiving at least one response from at least one of said plurality of devices, said response comprising data relating to said first request;
  
  storing at least a portion of said data in said case object; and
  
  presenting at least a portion of said first case object on a user interface.
- View Dependent Claims (19, 20)
- - 19. The storage medium of claim 18, said method further comprising:
    - analyzing said case object to determine a modification to said first request and generating a second request based on said modification;
      
      transmitting said second request to said plurality of devices;
      
      receiving at least one second response based on said second request; and
      
      storing at least a portion of said second response in said case object.
  - 20. The storage medium of claim 18, said method further comprising:
    - comparing said first case object with a second case object to determine at least one similarity between said first case object and said second case object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Helman, Yair, Weisberg, Tomer, Rafalovich, Ziv, Yossef, Oren, Hudis, Efim

Granted Patent

US 8,839,419 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/20   for managing network securi...

Distributive Security Investigation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Distributive Security Investigation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links