AUTOMATED RESPONSES TO SECURITY THREATS

US 20160164916A1
Filed: 03/31/2015
Published: 06/09/2016
Est. Priority Date: 12/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method of operating an advisement system to provide default security actions in a computing environment, the method comprising:

identifying a security incident for an asset in the computing environment;

in response to identifying the security incident, identifying enrichment information about the security incident;

determining a rule set for the security incident based on the enrichment information;

identifying an action response for the security incident based on the rule set; and

initiating implementation of the action response for the security incident in the computing environment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and software described herein provide security actions to computing assets of a computing environment. In one example, a method of operating an advisement system to manage security actions for a computing environment includes identifying a security incident for an asset in the environment, and obtaining enrichment information about the security incident. The method further includes identifying a rule set based on the enrichment information, identifying an action response based on the rule set, and initiating implementation of the action response in the computing environment.

Citations

20 Claims

1. A method of operating an advisement system to provide default security actions in a computing environment, the method comprising:
- identifying a security incident for an asset in the computing environment;
  
  in response to identifying the security incident, identifying enrichment information about the security incident;
  
  determining a rule set for the security incident based on the enrichment information;
  
  identifying an action response for the security incident based on the rule set; and
  
  initiating implementation of the action response for the security incident in the computing environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the action response comprises a temporary action response approved for a temporary time period.
  - 3. The method of claim 2 further comprising determining the temporary time period based on at least one of a criticality rating of the asset or a severity rating for the security incident.
  - 4. The method of claim 2 further comprising, in response to the temporary time period expiring, initiating removal of the action response for the security incident in the computing environment.
  - 5. The method of claim 1 further comprising identifying one or more action recommendations for an administrator based on the rule set, and providing the one or more action recommendations to the administrator.
  - 6. The method of claim 5 further comprising:
    - after initiating implementation of the action response, identifying a user selection of an action in the one or more action recommendations; and
      
      initiating implementation of the action in the computing environment in place of the action response.
  - 7. The method of claim 1 further comprising:
    - identifying whether the security incident is no longer active within the computing environment; and
      
      if the security incident is no longer active, initiating removal of the action response for the security incident in the computing environment.
  - 8. The method of claim 1 wherein identifying the enrichment information about the security incident comprises inquiring one or more databases to determine the enrichment information for the security incident.
  - 9. The method of claim 1 further comprising:
    - identifying one or more action recommendations for an administrator based on the rule set;
      
      providing the one or more action recommendations to the administrator; and
      
      identifying whether the administrator makes a selection of the one or more action recommendations during a response time period;
      
      wherein initiating implementation of the action response for the security incident in the computing environment comprises, if the administrator does not make a selection of the one or more action recommendations during the time period, initiating implementation of the action response for the security incident in the computing environment.

10. A computer readable storage medium having instructions stored thereon, that when executed by an advisement computing system, direct the advisement computing system to perform a method of providing default security actions in a computing environment comprising a plurality assets, the method comprising:
- identifying a security incident for an asset in the computing environment;
  
  in response to identifying the security incident, identifying enrichment information about the security incident;
  
  determining a rule set for the security incident based on the enrichment information;
  
  identifying an action response for the security incident based on the rule set; and
  
  initiating implementation of the action response for the security incident in the computing environment.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer readable storage medium of claim 10, wherein the action response comprises a temporary action response approved for a temporary time period.
  - 12. The computer readable storage medium of claim 11, wherein the method further comprises determining the temporary time period based on a criticality rating of the asset or a severity rating for the security incident.
  - 13. The computer readable storage medium of claim 11, wherein the method further comprises, in response to the temporary time period expiring, initiating removal of the action response for the security incident in the computing environment.
  - 14. The computer readable storage medium of claim 10, wherein the method further comprises identifying one or more action recommendations for an administrator based on the rule set, and providing the one or more action recommendations to the administrator.
  - 15. The computer readable storage medium of claim 14, wherein the method further comprises:
    - after initiating implementation of the action response, identifying a user selection of an action in the one or more action recommendations; and
      
      initiating implementation of the action in the computing environment in place of the action response.
  - 16. The computer readable storage medium of claim 10, wherein the method further comprises:
    - identifying whether the security incident is no longer active within the computing environment; and
      
      if the security incident is no longer active, initiating removal of the action response for the security incident in the computing environment.
  - 17. The computer readable storage medium of claim 10, wherein identifying the enrichment information about the security incident comprises inquiring one or more databases to the enrichment information for the security incident.
  - 18. The computer readable storage medium of claim 10, wherein the method further comprises wherein the method further comprises:
    - identifying one or more action recommendations for an administrator based on the rule set;
      
      providing the one or more action recommendations to the administrator; and
      
      identifying whether the administrator makes a selection of the one or more action recommendations during a response time period;
      
      wherein initiating implementation of the action response for the security incident in the computing environment comprises, if the administrator does not make a selection of the one or more action recommendations during the time period, initiating implementation of the action response for the security incident in the computing environment.

19. An advisement system to manage security actions in a computing environment, the advisement system comprising:
- a communication interface configured to;
  
  receive a security incident for an asset in the computing environment;
  
  a processing system, communicatively coupled to the communication interface, configured to;
  
  determine a rule set for the security incident based on the enrichment information;
  
  identify an action response for the security incident based on the rule set; and
  
  initiate implementation of the action response for the security incident in the computing environment.
- View Dependent Claims (20)
- - 20. The advisement system of claim 19 wherein the processing system is further configured to identify one or more action recommendations for an administrator based on the rule set, and provide the one or more action recommendations to the administrator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Phantom Cyber Corporation (Splunk Inc.)
Inventors
Satish, Sourabh, Friedrichs, Oliver, Mahadik, Atif, Salinas, Govind

Granted Patent

US 9,712,555 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 21/554   involving event detection a...

H04L 47/2425   for supporting services spe...

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

AUTOMATED RESPONSES TO SECURITY THREATS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

AUTOMATED RESPONSES TO SECURITY THREATS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links