Prioritizing asset remediations

US 8,495,747 B1
Filed: 03/31/2010
Issued: 07/23/2013
Est. Priority Date: 03/31/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method performed by a data processing apparatus, comprising:

using at least one processor device to generate a risk metric for an asset and a threat, wherein the risk metric is an estimate of a risk that the threat will affect the asset;

generating a remediation availability metric for the asset and the threat, wherein the remediation availability metric is based, at least in part, on whether a remediation for the threat is available and not applied to the asset, wherein the remediation reduces the risk that the threat will affect the asset when applied to the asset; and

determining a remediation prioritization metric for the asset and the threat according to the risk metric and the remediation availability metric, wherein the remediation prioritization metric specifies a priority of applying the remediation to the asset;

wherein generating the risk metric for the asset and the threat comprises;

receiving threat definition data for the threat and vulnerability detection data and countermeasure detection data for the asset, wherein the threat definition data identifies one or more countermeasures that reduce a risk that the threat will affect an asset, the vulnerability detection data identifies threats to which the asset is vulnerable, and the countermeasure detection data identifies one or more countermeasures protecting the asset;

analyzing the vulnerability detection data to determine whether the asset is vulnerable to the threat;

determining from the threat definition data and the countermeasure detection data whether the asset is protected by one of the countermeasures identified for the threat; and

determining the risk metric for the asset for the threat according to whether the asset is vulnerable to the threat and whether the asset is protected by one of the countermeasures identified for the threat.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for prioritizing asset remediations. One method includes generating a risk metric for an asset and a threat, generating a remediation availability metric for the asset and the threat, and determining a remediation prioritization metric for the asset and the threat according to the risk metric and the remediation availability metric. The remediation prioritization metric specifies a priority of applying the remediation to the asset.

90 Citations

View as Search Results

23 Claims

1. A computer-implemented method performed by a data processing apparatus, comprising:
- using at least one processor device to generate a risk metric for an asset and a threat, wherein the risk metric is an estimate of a risk that the threat will affect the asset;
  
  generating a remediation availability metric for the asset and the threat, wherein the remediation availability metric is based, at least in part, on whether a remediation for the threat is available and not applied to the asset, wherein the remediation reduces the risk that the threat will affect the asset when applied to the asset; and
  
  determining a remediation prioritization metric for the asset and the threat according to the risk metric and the remediation availability metric, wherein the remediation prioritization metric specifies a priority of applying the remediation to the asset;
  
  wherein generating the risk metric for the asset and the threat comprises;
  
  receiving threat definition data for the threat and vulnerability detection data and countermeasure detection data for the asset, wherein the threat definition data identifies one or more countermeasures that reduce a risk that the threat will affect an asset, the vulnerability detection data identifies threats to which the asset is vulnerable, and the countermeasure detection data identifies one or more countermeasures protecting the asset;
  
  analyzing the vulnerability detection data to determine whether the asset is vulnerable to the threat;
  
  determining from the threat definition data and the countermeasure detection data whether the asset is protected by one of the countermeasures identified for the threat; and
  
  determining the risk metric for the asset for the threat according to whether the asset is vulnerable to the threat and whether the asset is protected by one of the countermeasures identified for the threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising presenting the remediation prioritization metric to a user.
  - 3. The method of claim 1, wherein the remediation is an active countermeasure that modifies a configuration of the asset.
  - 4. The method of claim 1, wherein the remediation is a software patch.
  - 5. The method of claim 1, wherein determining the risk metric further comprises determining whether the threat applies to a configuration of the asset.
  - 6. The method of claim 1, wherein the risk metric for the asset and the threat is a compound risk metric further comprising a severity score estimating a severity of the threat.
  - 7. The method of claim 6, wherein:
    - the remediation prioritization metric is patch immediately if the risk metric indicates that the asset is vulnerable to the threat with no countermeasure protection, the severity score satisfies a severity threshold, and the remediation availability metric indicates that a remediation is available;
      
      the remediation prioritization metric is patch urgently if the risk metric indicates that the asset is vulnerable to the threat with no countermeasure protection, the severity score does not satisfy the severity threshold, and the remediation availability metric indicates that a remediation is available;
      
      the remediation prioritization metric is patch later if the risk metric indicates that there is at least some countermeasure protection for the asset, and if the remediation availability metric indicates that a remediation is available; and
      
      otherwise, the remediation prioritization metric is do not patch.
  - 8. The method of claim 1, wherein the remediation prioritization metric for the asset and the threat is further based on a criticality of the asset.
  - 9. The method of claim 8, wherein the criticality of an asset is derived from a monetary value of the asset.
  - 10. The method of claim 8, wherein the criticality of an asset is derived from a business value of the asset.
  - 11. The method of claim 1, further comprising determining a respective remediation prioritization metric for each of a plurality of assets and each of a plurality of threats.

12. A system comprising:
- a processor; and
  
  a computer storage medium coupled to the processor and including instructions, which, when executed by the processor, causes the processor to perform operations comprising;
  
  generating a risk metric for an asset and a threat, wherein the risk metric is an estimate of a risk that the threat will affect the asset;
  
  generating a remediation availability metric for the asset and the threat, wherein the remediation availability metric is based, at least in part, on whether a remediation for the threat is available and not applied to the asset, wherein the remediation reduces the risk that the threat will affect the asset when applied to the asset; and
  
  determining a remediation prioritization metric for the asset and the threat according to the risk metric and the remediation availability metric, wherein the remediation prioritization metric specifies a priority of applying the remediation to the asset;
  
  wherein generating the risk metric for the asset and the threat comprises;
  
  receiving threat definition data for the threat and vulnerability detection data and countermeasure detection data for the asset, wherein the threat definition data identifies one or more countermeasures that reduce a risk that the threat will affect an asset, the vulnerability detection data identifies threats to which the asset is vulnerable, and the countermeasure detection data identifies one or more countermeasures protecting the asset;
  
  analyzing the vulnerability detection data to determine whether the asset is vulnerable to the threat;
  
  determining from the threat definition data and the countermeasure detection data whether the asset is protected by one of the countermeasures identified for the threat; and
  
  determining the risk metric for the asset for the threat according to whether the asset is vulnerable to the threat and whether the asset is protected by one of the countermeasures identified for the threat.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The system of claim 12, wherein the operations further comprise presenting the remediation prioritization metric to a user.
  - 14. The system of claim 12, wherein the risk metric for the asset and the threat is a compound risk metric further comprising a severity score estimating a severity of the threat.
  - 15. The system of claim 14, wherein:
    - the remediation prioritization metric is patch immediately if the risk metric indicates that the asset is vulnerable to the threat with no countermeasure protection, the severity score satisfies a severity threshold, and the remediation availability metric indicates that a remediation is available;
      
      the remediation prioritization metric is patch urgently if the risk metric indicates that the asset is vulnerable to the threat with no countermeasure protection, the severity score does not satisfy the severity threshold, and the remediation availability metric indicates that a remediation is available;
      
      the remediation prioritization metric is patch later if the risk metric indicates that there is at least some countermeasure protection for the asset, and if the remediation availability metric indicates that a remediation is available; and
      
      otherwise, the remediation prioritization metric is do not patch.
  - 16. The system of claim 12, wherein the remediation prioritization metric for the asset and the threat is further based on a criticality of the asset.
  - 17. The system of claim 12, wherein the operations further comprise determining a respective remediation prioritization metric for each of a plurality of assets and each of a plurality of threats.

18. A non-transitory computer-storage medium encoded with a computer program including instructions operable to cause data processing apparatus to perform operations comprising:
- generating a risk metric for an asset and a threat, wherein the risk metric is an estimate of a risk that the threat will affect the asset;
  
  generating a remediation availability metric for the asset and the threat, wherein the remediation availability metric is based, at least in part, on whether a remediation for the threat is available and not applied to the asset, wherein the remediation reduces the risk that the threat will affect the asset when applied to the asset; and
  
  determining a remediation prioritization metric for the asset and the threat according to the risk metric and the remediation availability metric, wherein the remediation prioritization metric specifies a priority of applying the remediation to the asset;
  
  wherein generating the risk metric for the asset and the threat comprises;
  
  receiving threat definition data for the threat and vulnerability detection data and countermeasure detection data for the asset, wherein the threat definition data identifies one or more countermeasures that reduce a risk that the threat will affect an asset, the vulnerability detection data identifies threats to which the asset is vulnerable, and the countermeasure detection data identifies one or more countermeasures protecting the asset;
  
  analyzing the vulnerability detection data to determine whether the asset is vulnerable to the threat;
  
  determining from the threat definition data and the countermeasure detection data whether the asset is protected by one of the countermeasures identified for the threat; and
  
  determining the risk metric for the asset for the threat according to whether the asset is vulnerable to the threat and whether the asset is protected by one of the countermeasures identified for the threat.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The non-transitory computer-storage medium of claim 18, wherein the operations further comprise presenting the remediation prioritization metric to a user.
  - 20. The non-transitory computer-storage medium of claim 18, wherein the risk metric for the asset and the threat is a compound risk metric further comprising a severity score estimating a severity of the threat.
  - 21. The non-transitory computer-storage medium of claim 20, wherein:
    - the remediation prioritization metric is patch immediately if the risk metric indicates that the asset is vulnerable to the threat with no countermeasure protection, the severity score satisfies a severity threshold, and the remediation availability metric indicates that a remediation is available;
      
      the remediation prioritization metric is patch urgently if the risk metric indicates that the asset is vulnerable to the threat with no countermeasure protection, the severity score does not satisfy the severity threshold, and the remediation availability metric indicates that a remediation is available;
      
      the remediation prioritization metric is patch later if the risk metric indicates that there is at least some countermeasure protection for the asset, and if the remediation availability metric indicates that a remediation is available; and
      
      otherwise, the remediation prioritization metric is do not patch.
  - 22. The non-transitory computer-storage medium of claim 18, wherein the remediation prioritization metric for the asset and the threat is further based on a criticality of the asset.
  - 23. The non-transitory computer-storage medium of claim 18, wherein the operations further comprise determining a respective remediation prioritization metric for each of a plurality of assets and each of a plurality of threats.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Nakawatase, Ryan, Schrecker, Sven, Ritter, Stephen
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Nobahar, Abdulhakim

Application Number

US12/751,995
Time in Patent Office

1,210 Days
Field of Search

726/3, 726 11- 14, 726 22- 25, 709223-226
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Prioritizing asset remediations

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Prioritizing asset remediations

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links