Real-time deployment of incident response roadmap

US 9,773,405 B2
Filed: 03/17/2014
Issued: 09/26/2017
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A system for guiding an incident response (IR) team member comprising:

a computer having a processor;

a database coupled to the computer;

a non-transitory processor-readable storage medium coupled to the computer and storing executable instructions;

wherein the non-transitory processor-readable storage medium and the executable instructions are configured to, with the processor, cause the system at least to;

receive event data, wherein the event data comprises data concerning an identified occurrence, from a single system or network source, that may or may not have an adverse impact on the system or the network, the source comprising one or more of an intrusion detection system, a security information manager, a security event and information manager, a security event manager, an antivirus system, or other cyber-security system;

normalize the event data from a format used by the source to a standard format for processing;

process the normalized event data to determine a priority for the identified occurrence;

in response to determining the priority is above a threshold level, create an incident based on the event data, wherein the incident comprises a set of data that is generated when one or more security events has been determined to have a significant likelihood of compromising or threatening the system or the network and has been determined to require a responsive action;

notify an IR Lead of the incident;

display an incident editing user interface configured to allow the IR Lead to modify an attribute of the incident;

associate the incident to a roadmap pre-existing in the database, based on the attribute of the incident;

display a roadmap editing user interface configured to allow the IR Lead to modify the roadmap;

deploy the roadmap by notifying the IR team member of at least one delegated task in the roadmap and transmitting data relevant to the delegated task to a computer used by the IR team member to perform the delegated task;

automatically monitor a status of the delegated task by monitoring the computer used by the IR team member to perform the delegated task; and

update and display the status of the delegated task to the IR Lead and the IR team member.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In various representative aspects, a method and a system that guide an incident response team to efficiently respond to an information security incident based on a roadmap are disclosed herein. A delegated incident response lead may oversee the whole process, including the creation of the roadmap, the performance of the team members, and the statuses of all tasks. When an incident occurs, incident response team members are notified, and delegated tasks in the roadmap are laid out. With a secure collaboration platform, the incident response team may work together in a secure, uncompromised environment.

90 Citations

View as Search Results

25 Claims

1. A system for guiding an incident response (IR) team member comprising:
- a computer having a processor;
  
  a database coupled to the computer;
  
  a non-transitory processor-readable storage medium coupled to the computer and storing executable instructions;
  
  wherein the non-transitory processor-readable storage medium and the executable instructions are configured to, with the processor, cause the system at least to;
  
  receive event data, wherein the event data comprises data concerning an identified occurrence, from a single system or network source, that may or may not have an adverse impact on the system or the network, the source comprising one or more of an intrusion detection system, a security information manager, a security event and information manager, a security event manager, an antivirus system, or other cyber-security system;
  
  normalize the event data from a format used by the source to a standard format for processing;
  
  process the normalized event data to determine a priority for the identified occurrence;
  
  in response to determining the priority is above a threshold level, create an incident based on the event data, wherein the incident comprises a set of data that is generated when one or more security events has been determined to have a significant likelihood of compromising or threatening the system or the network and has been determined to require a responsive action;
  
  notify an IR Lead of the incident;
  
  display an incident editing user interface configured to allow the IR Lead to modify an attribute of the incident;
  
  associate the incident to a roadmap pre-existing in the database, based on the attribute of the incident;
  
  display a roadmap editing user interface configured to allow the IR Lead to modify the roadmap;
  
  deploy the roadmap by notifying the IR team member of at least one delegated task in the roadmap and transmitting data relevant to the delegated task to a computer used by the IR team member to perform the delegated task;
  
  automatically monitor a status of the delegated task by monitoring the computer used by the IR team member to perform the delegated task; and
  
  update and display the status of the delegated task to the IR Lead and the IR team member.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 25)
- - 2. The system of claim 1, wherein the computer is further coupled to a second computer and is configured to receive the event data from the second computer.
  - 3. The system of claim 1, wherein the event data is manually created.
  - 4. The system of claim 3, further comprising a timer, wherein the timer is configured to permit an administrator to set a time to start a simulation with the event data.
  - 5. The system of claim 1, wherein the attribute of the incident is an incident type.
  - 6. The system of claim 1, wherein the attribute of the incident is set to an answer by the IR Lead to a question relating to the event data that the incident editing user interface pulls from the database.
  - 7. The system of claim 1, wherein the roadmap editing user interface is further configured to:
    - allow the IR Lead to create a second roadmap, store the second roadmap in the database, and replace the roadmap by the second roadmap;
      
      allow the IR Lead to replace the roadmap by a third roadmap pre-existing in the database;
      
      allow the IR Lead to create the delegated task in the roadmap and assign the delegated task to the IR team member;
      
      allow the IR Lead to delete the delegated task; and
      
      allow the IR Lead to delegate the delegated task to a second IR team member.
  - 8. The system of claim 1, further comprising:
    - a secure communication platform for the IR team member to communicate with a second IR team member via at least one of online chat, messaging, internal notifications, document sharing, screen share, whiteboard, calendaring, external email, or SMS notifications.
  - 9. The system of claim 1, wherein the non-transitory processor-readable storage medium and the executable instructions are further configured to, with the processor, cause the system at least to display the status of the delegated task to a second IR team member.
  - 10. The system of claim 1, wherein the non-transitory processor-readable storage medium and the executable instructions are further configured to, with the processor, cause the system at least to display only the delegated task that is not contingent upon an unfinished second task in the roadmap, when notifying the IR team member of the delegated task in the roadmap.
  - 11. The system of claim 1, wherein the non-transitory processor-readable storage medium and the executable instructions are further configured to, with the processor, cause the system at least to allow the IR team member to create an evidence in the database by:
    - receiving data relating to the evidence and saving the data to a chain of custody form in the database;
      
      when the evidence points to a resource not yet existing in the system, then creating the resource; and
      
      saving the location of the resource to the database.
  - 12. The system of claim 11, wherein the non-transitory processor-readable storage medium and the executable instructions are further configured to, with the processor, cause the system at least to:
    - allow the IR team member to retain the evidence stored in the database by filling in the chain of custody form and accessing the evidence; and
      
      receive a description by the IR team member and save the description to the chain of custody form to the database.
  - 25. The system of claim 1, wherein the non-transitory processor-readable storage medium and the executable instructions are further configured to, with the processor, cause the system at least to:
    - provide an evidence capture mechanism, wherein the evidence capture mechanism is configured to maintain a digital chain of custody for evidence.

13. A method for guiding an incident response (IR) team member comprising:
- receiving event data at a computer configured for incident response, wherein the event data comprises data concerning an identified occurrence, from a single system or network source, that may or may not have an adverse impact on the system or the network, the source comprising one or more of an intrusion detection system, a security information manager, a security event and information manager, a security event manager, an antivirus system, or other cyber-security system;
  
  normalizing, by the computer configured for incident response, the event data from a format used by the source to a standard format for processing;
  
  processing, by the computer configured for incident response, the normalized event data to determine a priority for the identified occurrence;
  
  in response to determining the priority is above a threshold level, creating, by the computer configured for incident response, an incident based on the event data, wherein the incident comprises a set of data that is generated when one or more security events has been determined to have a significant likelihood of compromising or threatening the system or the network and has been determined to require a responsive action;
  
  notifying, by the computer configured for incident response, an IR Lead of the incident;
  
  displaying, by the computer configured for incident response, an incident editing user interface configured to allow the IR Lead to modify an attribute of the incident;
  
  associating, by the computer configured for incident response, the incident to a roadmap pre-existing in a database, based on the attribute of the incident;
  
  displaying, by the computer configured for incident response, a roadmap editing user interface configured to allow the IR Lead to modify the roadmap;
  
  deploying, by the computer configured for incident response, the roadmap by notifying the IR team member of at least one delegated task in the roadmap and transmitting data relevant to the delegated task to a computer used by the IR team member to perform the delegated task;
  
  automatically monitoring a status of the delegated task by monitoring the computer used by the IR team member to perform the delegated task; and
  
  updating and displaying the status of the delegated task to the IR Lead and the IR team member, by the computer configured for incident response.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The method of claim 13, further comprising:
    - receiving, by the computer configured for incident response, the event data from another computer.
  - 15. The method of claim 13, further comprising:
    - displaying, by the computer configured for incident response, a user interface for manually creating the event data.
  - 16. The method of claim 15, further comprising:
    - allowing, by the user interface, an administrator to set a time to start a simulation with the event data.
  - 17. The method of claim 13, wherein the attribute of the incident is an incident type.
  - 18. The method of claim 13, wherein the attribute of the incident is set to an answer by the IR Lead to a question relating to the event data that the incident editing user interface pulls from the database.
  - 19. The method of claim 14, wherein the roadmap editing user interface is further configured to:
    - allow the IR Lead to create a second roadmap, store the second roadmap in the database, and replace the roadmap by the second roadmap;
      
      allow the IR Lead to replace the roadmap by a third roadmap pre-existing in the database;
      
      allow the IR Lead to create the delegated task in the roadmap and assign the delegated task to the IR team member;
      
      allow the IR Lead to delete the delegated task; and
      
      allow the IR Lead to delegate the delegated task to a second IR team member.
  - 20. The method of claim 13, further comprising:
    - providing, by the computer configured for incident response, a secure communication platform for the IR team member to communicate with a second IR team member via a communication means selected from the group consisting of online chat, messaging, internal notifications, document sharing, screen share, whiteboard, calendaring, external email, SMS notifications, and combinations thereof.
  - 21. The method of claim 13, further comprising:
    - displaying, by the computer configured for incident response, the status of the delegated task to a second IR team member.
  - 22. The method of claim 13, further comprising:
    - displaying, by the computer configured for incident response, to the IR team member only the delegated task that is not contingent upon an unfinished second task in the roadmap.
  - 23. The method of claim 13, further comprising:
    - allowing the IR team member to create an evidence in the database by;
      
      receiving, by the computer configured for incident response, data relating to the evidence and saving the data to a chain of custody form in the database;
      
      when the evidence points to a resource not yet existing in the system, then creating the resource, by the computer configured for incident response; and
      
      saving, by the computer configured for incident response, the location of the resource to the database.
  - 24. The method of claim 23, further comprising:
    - allowing, by the computer configured for incident response, the IR team member to retain the evidence stored in the database by filling in the chain of custody form and accessing the evidence; and
      
      receiving a description by the IR team member and saving the description to the chain of custody form to the database, by the computer configured for incident response.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Cybersponse, Inc. (Fortinet Inc.)
Inventors
Loomis, Joseph
Primary Examiner(s)
Singh, Gurkanwaljit

Application Number

US14/216,570
Publication Number

US 20140278664A1
Time in Patent Office

1,289 Days
Field of Search

None
US Class Current
CPC Class Codes

G05B 23/0272   Presentation of monitored r...

G06F 16/00   Information retrieval; Data...

G06Q 10/063118   Staff planning in a project...

G06Q 50/265   Personal security, identity...

G06T 19/006   Mixed reality object pose d...

G08B 25/14   Central alarm receiver or a...

G08B 27/001   Signalling to an emergency ...

H04M 1/72418   for supporting emergency se...

Real-time deployment of incident response roadmap

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Real-time deployment of incident response roadmap

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links