Methods and apparatus for prioritization of remediation techniques for network security risks

US 8,132,260 B1
Filed: 06/12/2007
Issued: 03/06/2012
Est. Priority Date: 06/12/2006
Status: Active Grant

First Claim

Patent Images

1. A method for a computer system including a display device comprising:

receiving, by the computer system, a description of a first network topology for at least a portion of a network, wherein the first network topology includes at least;

a location of a first server device, existence of a threat source device remote from the first server location and a first set of vulnerabilities defined by at least vulnerability attributes of the first server device relative to the threat source device;

determining, by the computer system, a current security risk value of the first server device based on at least the first network topology, the first set of vulnerabilities and a reachability of the first server from the threat source;

determining, by the computer system, a plurality of remediation actions in response to the current security risk value and first network topology wherein;

each remediation action includes a modification to the network topology and the plurality of remediation actions comprises, at least, a first remediation action and a second remediation action;

for at least two of the plurality of remediation actions;

determining, by the computer system, a description of a network topology based on the first network topology and the at least one of the plurality of remediation actions wherein the new network topology indicates at least;

the location of the first server device, the existence of the threat source device and a new set of vulnerabilities defined by at least vulnerability attributes of the first server device relative to the threat source device;

determining, by the computer system, an updated security risk value of the first server device based on at least the new network topology the new set of vulnerabilities and the reachability of the first server from the threat source; and

displaying a prioritized list of said remediation actions from the plurality of remediation actions on the display device based on the updated security risk associated with each remediation action.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for a computer system includes receiving a topology of a network including a server location and a threat server at a threat server location, determining a vulnerability security risk for the server location, determining remediation actions including a first action and a second action in response to the vulnerability, determining updated security risks associated with the server location including an first updated security risk for a first action and a second updated security risk for, and displaying a prioritized list of remediation actions on the display, wherein the first remediation action is prioritized over the second remediation action when the first updated security risk value with respect to the security risk value shows a greater improvement in risk than the second updated security risk value with respect to the security risk value.

156 Citations

21 Claims

1. A method for a computer system including a display device comprising:
- receiving, by the computer system, a description of a first network topology for at least a portion of a network, wherein the first network topology includes at least;
  
  a location of a first server device, existence of a threat source device remote from the first server location and a first set of vulnerabilities defined by at least vulnerability attributes of the first server device relative to the threat source device;
  
  determining, by the computer system, a current security risk value of the first server device based on at least the first network topology, the first set of vulnerabilities and a reachability of the first server from the threat source;
  
  determining, by the computer system, a plurality of remediation actions in response to the current security risk value and first network topology wherein;
  
  each remediation action includes a modification to the network topology and the plurality of remediation actions comprises, at least, a first remediation action and a second remediation action;
  
  for at least two of the plurality of remediation actions;
  
  determining, by the computer system, a description of a network topology based on the first network topology and the at least one of the plurality of remediation actions wherein the new network topology indicates at least;
  
  the location of the first server device, the existence of the threat source device and a new set of vulnerabilities defined by at least vulnerability attributes of the first server device relative to the threat source device;
  
  determining, by the computer system, an updated security risk value of the first server device based on at least the new network topology the new set of vulnerabilities and the reachability of the first server from the threat source; and
  
  displaying a prioritized list of said remediation actions from the plurality of remediation actions on the display device based on the updated security risk associated with each remediation action.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the plurality of remediation actions is selected from a group consisting of:
    - a software patch recommendation, a recommendation of a change to the network topology, a recommendation of an addition of a network resource, a recommendation of an addition of a filtering device, a recommendation of an addition of a firewall, a recommendation of closing of a port, a recommendation of a location in the network where a network resource may be added and a recommendation of a change to a rule in a filtering device that allows the vulnerability to reach the first server device.
  - 3. The method of claim 1 further comprising:
    - displaying data associated with each remediation action on the display device, wherein the data associated with said each remediation action comprises;
      
      a software patch associated with the vulnerability, a link to a software patch associated with the vulnerability, identification of a filtering device that allows the vulnerability to reach the first server location and identification of a filtering rule in a filtering device that allows the vulnerability to teach the first server device.
  - 4. The method of claim 3 further comprising:
    - receiving notification that the first remediation action has been taken;
      
      determining a revised security risk value associated with the first server location with respect to the vulnerability in response to the notification; and
      
      displaying a visual indication of a difference between the current security risk value and the revised security risk value on the display device.
  - 5. The method of claim 1 wherein the current security risk value is determined in response to a business value associated with the first server location, and in response to a likelihood of the vulnerability.
  - 6. The method of claim 5 wherein the likelihood of the vulnerability is determined in response to data selected from a group consisting of:
    - reachability of the vulnerability from the threat source device to the first server location, severity of the vulnerability, novelty of the vulnerability, market share of components associated with the first server location, difficultly in implementing the vulnerability and a vulnerability certainty associated with the first server location.
  - 7. The method of claim 1 wherein displaying a prioritized list of remediation actions comprises displaying a tree map having a plurality of elements, wherein network elements associated with the remediation actions from the plurality of remediation actions are highlighted on a treemap on the display device.

8. A non-transitory computer-readable storage medium storing computer-system executable-code, the code comprising:
- code that directs a computer system to receive a description of a first network topology for at least a portion of a network, wherein the topology of the network indicates at least;
  
  a location of a first server device, existence of a threat source device remote from the first server location and a first set of vulnerabilities defined by at least vulnerability attributes of the first server device relative to the threat source device;
  
  code that directs the computer system to determine a current security risk value of the first server device based on at least the first network topology, the first set of vulnerabilities and a reachability of the first server from the threat source;
  
  code that directs the computer system to determine a plurality of remediation actions in response to the current security risk value and first network topology, wherein;
  
  each remediation action includes a modification to the network topology and the plurality of said remediation actions comprises, at least, a first remediation action and a second remediation action;
  
  code that directs the computer system to for at least two of the plurality of remediation actions;
  
  determine a description of a new network topology based on the first network topology and the at least one of the plurality of remediation actions wherein the new network topology indicates at least;
  
  the location of the first server device, the existence of the threat source device and a new set of vulnerabilities defined by at least vulnerability attributes of the first server device relative to the threat source device; and
  
  determine an updated security risk value to the first server device based on at least the new network topology, the new set of vulnerabilities and the reachability of the first server from the threat source; and
  
  code that directs the computer system to display a prioritized list of said remediation actions from the plurality of remediation actions on a display device based on the updated security risk associated with each remediation action.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable storage medium of claim 8 wherein the plurality of remediation actions is selected from a group consisting of:
    - a software patch recommendation, a recommendation of a change to the network topology, a recommendation of an addition of a network resource, a recommendation of an addition of a filtering device, a recommendation of an addition of a firewall, a recommendation of closing of a port, a recommendation of a location in the network where a network resource may be added and a recommendation of a change to a rule in a filtering device that allows the vulnerability to reach the first server device.
  - 10. The non-transitory computer-readable storage medium of claim 8 further comprising:
    - code that directs the computer system to display data associated with the remediation actions on the display device, wherein the data associated with each remediation action comprises;
      
      a software patch associated with the vulnerability, a link to a software patch associated with the vulnerability, identification of a filtering device that allows the vulnerability to reach the first server location and identification of a filtering rule in a filtering device that allows the vulnerability to reach the first server device.
  - 11. The non-transitory computer-readable storage medium of claim 10 further comprising:
    - code that directs the computer system to receive notification that the first remediation action has been taken;
      
      code that directs the computer system to determine a revised security risk value associated with the first server location with respect to the vulnerability in response to the notification; and
      
      code that directs the computer system to display a visual indication of a difference between the security risk value and the revised security risk value on the display device.
  - 12. The non-transitory computer-readable storage medium of claim 8 wherein the security risk value is determined in response to a business value associated with the first server location, and in response to a likelihood of the vulnerability.
  - 13. The non-transitory computer-readable storage medium of claim 12 wherein the likelihood of the vulnerability is determined in response to data selected from a group consisting of:
    - reachability of the vulnerability from the threat source device to the first server location, severity of the vulnerability, novelty of the vulnerability, market share of components associated with the first server location, difficulty in implementing the vulnerability and a vulnerability certainty associated with the first server location.
  - 14. The non-transitory computer-readable storage medium of claim 8 further comprising code that directs the computer system to display on the display device a tree map having a plurality of elements on the display device, wherein network elements associated with the remediation actions from the plurality of remediation actions are highlighted on a treemap on the display device.

15. A computer system comprising:
- a display device configured to output data to a user;
  
  a memory configured to store a description of a first network topology for at least a portion of a network, wherein the topology of the network indicates at least;
  
  a first server device at a first server location, existence of a threat source remote from the first server location and a first set of vulnerabilities defined by at least vulnerability attributes of the first server device relative to the threat source device; and
  
  a processor coupled to the memory, wherein the processor is configured to determine a current security risk value associated with the first server location based on at least the network topology, the first set of vulnerabilities and a reachability of the first server from the threat source, wherein the processor is configured to determine a plurality of remediation actions in response to the current security risk value and the first network topology, wherein;
  
  each remediation action includes a modification to the network topology and the plurality of remediation actions comprises, at least, a first remediation action and a second remediation action;
  
  wherein the processor is configured to for at least two of the plurality of remediation actions, determine a description of a new network topology based on the first network topology and the at least one of the plurality of remediation actions wherein the new network topology indicates at least;
  
  the location of the first server device, the existence of the threat source device, and a new set of vulnerabilities defined by at least vulnerability attributes of the first server device relative to the threat source device; and
  
  determine an updated security risk value associated with the first server location based on at least;
  
  the new network topology, the new set of vulnerabilities and the reachability of the first server from the threat source, andwherein the processor is configured to display a prioritized list of remediation actions from the plurality of said remediation actions on the display device based on the updated security risk associated with each remediation action.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer system of claim 15 wherein the plurality of remediation actions is selected from a group consisting of:
    - a software patch recommendation, a recommendation of a change to the network topology, a recommendation of an addition of a network resource, a recommendation of an addition of a filtering device, a recommendation of an addition of a firewall, a recommendation of closing of a port, a recommendation of a location in the network where a network resource may be added and a recommendation of a change to a rule in a filtering device that allows the vulnerability to reach the first server.
  - 17. The computer system of claim 15 wherein the processor is also configured to display data associated with remediation actions on the display device, wherein the data associated with the remediation actions comprises:
    - a software patch associated with the vulnerability, a link to a software patch associated with the vulnerability, identification of a filtering device that allows the vulnerability to reach the first server location and identification of a filtering rule in a filtering device that allows the vulnerability to reach the first server.
  - 18. The computer system of claim 17wherein the processor is configured to receive notification that the first remediation action has been taken;
    - wherein the processor is configured to determine a revised security risk value associated with the first server location with respect to the vulnerability in response to the notification; and
      
      wherein the processor is configured to display a visual indication of a difference between the current security risk value and the revised security risk value on the display.
  - 19. The computer system of claim 15 wherein the security risk values are determined in response to a business value associated with the first server location, and in response to a likelihood of the vulnerability.
  - 20. The computer system of claim 19 wherein the likelihood of the vulnerability is determined in response to data selected from a group consisting of:
    - reachability of the vulnerability from the threat source device to the first server location, severity of the vulnerability, novelty of the vulnerability, market share of components associated with the first server location, difficultly in implementing the vulnerability and a vulnerability certainty associated with the first server location.
  - 21. The computer system of claim 15 further wherein the processor is configured to display a tree map having a plurality of elements on the display device, wherein network elements associated with the remediation actions from the plurality of remediation actions are highlighted on a treemap on the display device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Redseal, Inc.
Original Assignee
Redseal Systems Incorporated
Inventors
Mayer, Alain Jules, Laing, Brian, Lloyd, Michael
Primary Examiner(s)
Zee, Edward
Assistant Examiner(s)
Schwartz, Darren B

Application Number

US11/761,977
Time in Patent Office

1,729 Days
Field of Search

726 11- 14, 726 22- 25, 709217-226
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2145   Inheriting rights or proper...

H04L 41/22   comprising specially adapte...

H04L 63/1433   Vulnerability analysis

H04L 67/125   involving control of end-de...

H04L 67/75   Indicating network or usage...

Methods and apparatus for prioritization of remediation techniques for network security risks

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

156 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Methods and apparatus for prioritization of remediation techniques for network security risks

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

156 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others