MANAGING WORKFLOWS UPON A SECURITY INCIDENT

US 20180124100A1
Filed: 12/18/2017
Published: 05/03/2018
Est. Priority Date: 12/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method of managing service level agreements (SLAs) for security incidents in a computing environment, the method comprising:

identifying a rule set for a security incident of the security incidents based on enrichment information obtained for the security incident, wherein the rule set is associated with one or more action recommendations to be taken against the security incident;

identifying a default SLA for the security incident based on the rule set, wherein the default SLA comprises a default hierarchy of administrators for the security incident;

obtaining environmental characteristics related to the security incident;

determining a modified SLA for the security incident based on the environmental characteristics, wherein the modified SLA comprises a second hierarchy of administrators for the security incident;

providing the one or more security actions to administrators based on the modified SLA; and

obtaining input from at least one administrator regarding at least one security action of the one or more security actions.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and software described herein provide for managing service level agreements (SLAs) for security incidents in a computing environment. In one example, an advisement system identifies a rule set for a security incident based on enrichment information obtained for the security incident, wherein the rule set is associated with action recommendations to be taken against the incident. The advisement system further identifies a default SLA for the security incident based on the rule set, and obtains environmental characteristics related to the security incident. Based on the environmental characteristics, the advisement system determines a modified SLA for the security incident.

0 Citations

20 Claims

1. A method of managing service level agreements (SLAs) for security incidents in a computing environment, the method comprising:
- identifying a rule set for a security incident of the security incidents based on enrichment information obtained for the security incident, wherein the rule set is associated with one or more action recommendations to be taken against the security incident;
  
  identifying a default SLA for the security incident based on the rule set, wherein the default SLA comprises a default hierarchy of administrators for the security incident;
  
  obtaining environmental characteristics related to the security incident;
  
  determining a modified SLA for the security incident based on the environmental characteristics, wherein the modified SLA comprises a second hierarchy of administrators for the security incident;
  
  providing the one or more security actions to administrators based on the modified SLA; and
  
  obtaining input from at least one administrator regarding at least one security action of the one or more security actions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the environmental characteristics comprise a criticality rating of an asset associated with the security incident, a current severity level of the security incident, a rate of events for the security incident, current market conditions at a time for the incident, or geopolitical conditions at a time for the incident.
  - 3. The method of claim 1 further comprising obtaining the enrichment information for the security incident from one of a database or a website.
  - 4. The method of claim 1 wherein the security incident comprises one of an unknown process on an asset in the computing environment or an unknown communication request to an asset in the computing environment.
  - 5. The method of claim 1 further comprising:
    - initiating implementation of a first security action within the computing environment based on the rule set, wherein the first security action comprises a containment action for the security incident, andwherein obtaining the environmental characteristics related to the security incident comprises obtaining containment effectiveness information for the first security action.
  - 6. The method of claim 1 wherein the default SLA further comprises a default set of one or more time periods for administrator security actions, and wherein the modified SLA further comprises a second set of one or more time periods for administrator security actions.
  - 7. The method of claim 1 wherein obtaining input from at least one administrator regarding at least one security action of the one or more security actions comprises obtaining an action selection of the one or more security actions.
  - 8. The method of claim 1, wherein obtaining input from at least one administrator regarding at least one security action of the one or more security actions comprises obtaining feedback regarding the one or more action recommendations, wherein the feedback comprises modifying the one or more action recommendations, removing an action recommendation from the one or more action recommendations, or deferring action selection to another administrator.

9. An apparatus to manage service level agreements (SLAs) for security incidents in a computing environment, the apparatus comprising:
- one or more non-transitory computer readable storage media; and
  
  processing instructions stored on the one or more non-transitory computer readable storage media that, when executed by a processing system, direct the processing system to;
  
  identify a rule set for a security incident of the security incidents based on enrichment information obtained for the security incident, wherein the rule set is associated with one or more action recommendations to be taken against the security incident;
  
  identify a default SLA for the security incident based on the rule set, wherein the default SLA comprises a default hierarchy of administrators for the security incident;
  
  obtain environmental characteristics related to the security incident;
  
  determine a modified SLA for the security incident based on the environmental characteristics, wherein the modified SLA comprises a second hierarchy of administrators for the security incident;
  
  provide the one or more security actions to administrators based on the modified SLA; and
  
  obtain input from at least one administrator regarding at least one security action of the one or more security actions.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus of claim 9 wherein the environmental characteristics comprise a criticality rating of an asset associated with the security incident, a current severity level of the security incident, a rate of events for the security incident, current market conditions at a time for the incident, or geopolitical conditions at a time for the incident.
  - 11. The apparatus of claim 9 wherein the processing instructions further direct the processing system to obtain the enrichment information for the security incident from one of a database or a website.
  - 12. The apparatus of claim 9 wherein the security incident comprises one of an unknown process on an asset in the computing environment or an unknown communication request to an asset in the computing environment.
  - 13. The apparatus of claim 9 wherein the processing instructions further direct the processing system to:
    - initiate implementation of a first security action within the computing environment based on the rule set, wherein the first security action comprises a containment action for the security incident, andwherein obtaining the environmental characteristics related to the security incident comprises obtaining containment effectiveness information for the first security action.
  - 14. The apparatus of claim 9 wherein the default SLA further comprises a default set of one or more time periods for administrator security actions, and wherein the modified SLA further comprises a second set of one or more time periods for administrator security actions.
  - 15. The apparatus of claim 9 wherein obtaining input from at least one administrator regarding at least one security action of the one or more security actions comprises obtaining an action selection of the one or more security actions.
  - 16. The apparatus of claim 9 wherein obtaining input from at least one administrator regarding at least one security action of the one or more security actions comprises obtaining feedback regarding the one or more action recommendations, wherein the feedback comprises modifying the one or more action recommendations, removing an action recommendation from the one or more action recommendations, or deferring action selection to another administrator.

17. A computing system to manage service level agreements (SLAs) for security incidents in a computing environment, the apparatus comprising:
- one or more non-transitory computer readable storage media;
  
  a processing system operatively coupled to the one or more non-transitory computer readable storage media; and
  
  processing instructions stored on the one or more non-transitory computer readable storage media that, when executed by a processing system, direct the processing system to;
  
  identify a rule set for a security incident of the security incidents based on enrichment information obtained for the security incident, wherein the rule set is associated with one or more action recommendations to be taken against the security incident;
  
  identify a default SLA for the security incident based on the rule set, wherein the default SLA comprises a default hierarchy of administrators for the security incident;
  
  obtain environmental characteristics related to the security incident;
  
  determine a modified SLA for the security incident based on the environmental characteristics, wherein the modified SLA comprises a second hierarchy of administrators for the security incident;
  
  provide the one or more security actions to administrators based on the modified SLA; and
  
  obtain input from at least one administrator regarding at least one security action of the one or more security actions.
- View Dependent Claims (18, 19, 20)
- - 18. The computing system of claim 17 wherein the environmental characteristics comprise a criticality rating of an asset associated with the security incident, a current severity level of the security incident, a rate of events for the security incident, current market conditions at a time for the incident, or geopolitical conditions at a time for the incident.
  - 19. The computing system of claim 17 wherein the processing instructions further direct the processing system to obtain the enrichment information for the security incident from one of a database or a website.
  - 20. The computing system of claim 17 wherein the security incident comprises one of an unknown process on an asset in the computing environment or an unknown communication request to an asset in the computing environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Phantom Cyber Corporation (Splunk Inc.)
Inventors
Satish, Sourabh, Friedrichs, Oliver, Mahadik, Atif, Salinas, Govind

Granted Patent

US 10,116,687 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 21/554   involving event detection a...

H04L 47/2425   for supporting services spe...

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

MANAGING WORKFLOWS UPON A SECURITY INCIDENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

0 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MANAGING WORKFLOWS UPON A SECURITY INCIDENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

0 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links