Real-time deployment of incident response roadmap
First Claim
1. A system for guiding an incident response (IR) team member comprising:
a computer having a processor;
a database coupled to the computer;
a non-transitory processor-readable storage medium coupled to the computer and storing executable instructions;
wherein the non-transitory processor-readable storage medium and the executable instructions are configured to, with the processor, cause the system at least to:
receive event data, wherein the event data comprises data concerning an identified occurrence, from a single system or network source, that may or may not have an adverse impact on the system or the network, the source comprising one or more of an intrusion detection system, a security information manager, a security event and information manager, a security event manager, an antivirus system, or other cyber-security system;
normalize the event data from a format used by the source to a standard format for processing;
process the normalized event data to determine a priority for the identified occurrence;
in response to determining the priority is above a threshold level, create an incident based on the event data, wherein the incident comprises a set of data that is generated when one or more security events has been determined to have a significant likelihood of compromising or threatening the system or the network and has been determined to require a responsive action;
notify an IR Lead of the incident;
display an incident editing user interface configured to allow the IR Lead to modify an attribute of the incident;
associate the incident to a roadmap pre-existing in the database, based on the attribute of the incident;
display a roadmap editing user interface configured to allow the IR Lead to modify the roadmap;
deploy the roadmap by notifying the IR team member of at least one delegated task in the roadmap and transmitting data relevant to the delegated task to a computer used by the IR team member to perform the delegated task;
automatically monitor a status of the delegated task by monitoring the computer used by the IR team member to perform the delegated task; and
update and display the status of the delegated task to the IR Lead and the IR team member.
2 Assignments
0 Petitions
Abstract
In various representative aspects, a method and a system that guide an incident response team to efficiently respond to an information security incident based on a roadmap are disclosed herein. A delegated incident response lead may oversee the whole process, including the creation of the roadmap, the performance of the team members, and the statuses of all tasks. When an incident occurs, incident response team members are notified, and delegated tasks in the roadmap are laid out. With a secure collaboration platform, the incident response team may work together in a secure, uncompromised environment.
90 Citations
25 Claims
1. A system for guiding an incident response (IR) team member comprising: (claim text as given under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 25.
13. A method for guiding an incident response (IR) team member comprising:
receiving event data at a computer configured for incident response, wherein the event data comprises data concerning an identified occurrence, from a single system or network source, that may or may not have an adverse impact on the system or the network, the source comprising one or more of an intrusion detection system, a security information manager, a security event and information manager, a security event manager, an antivirus system, or other cyber-security system;
normalizing, by the computer configured for incident response, the event data from a format used by the source to a standard format for processing;
processing, by the computer configured for incident response, the normalized event data to determine a priority for the identified occurrence;
in response to determining the priority is above a threshold level, creating, by the computer configured for incident response, an incident based on the event data, wherein the incident comprises a set of data that is generated when one or more security events has been determined to have a significant likelihood of compromising or threatening the system or the network and has been determined to require a responsive action;
notifying, by the computer configured for incident response, an IR Lead of the incident;
displaying, by the computer configured for incident response, an incident editing user interface configured to allow the IR Lead to modify an attribute of the incident;
associating, by the computer configured for incident response, the incident to a roadmap pre-existing in a database, based on the attribute of the incident;
displaying, by the computer configured for incident response, a roadmap editing user interface configured to allow the IR Lead to modify the roadmap;
deploying, by the computer configured for incident response, the roadmap by notifying the IR team member of at least one delegated task in the roadmap and transmitting data relevant to the delegated task to a computer used by the IR team member to perform the delegated task;
automatically monitoring a status of the delegated task by monitoring the computer used by the IR team member to perform the delegated task; and
updating and displaying the status of the delegated task to the IR Lead and the IR team member, by the computer configured for incident response.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24.
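A minimal Python model of the event-to-task pipeline recited in claims 1 and 13 (receive, normalize, prioritise, threshold, create incident, associate a pre-existing roadmap, delegate tasks, track status). This is an added illustration, not the patent's own implementation; the two source formats, the severity mappings, the scoring rule, the threshold of 70, the critical-asset list and the roadmap contents are all assumed.

```python
from dataclasses import dataclass, field
# Constructed sample events, each in its source's native shape (not real alerts).
RAW_EVENTS = [
    {"src": "ids", "sig": "ET MALWARE Beacon", "sev": 1, "dst": "10.0.0.5"},
    {"src": "av", "threat": "Trojan.Generic", "risk": "high", "host": "ws-17"},
    {"src": "ids", "sig": "ET INFO DNS query", "sev": 3, "dst": "10.0.0.9"},
]
CRITICAL_ASSETS = {"10.0.0.5"}   # assumed asset inventory used by the priority step
ROADMAPS = {                     # assumed pre-existing roadmaps, keyed by incident category
    "malware": ["isolate host", "collect memory image", "check for lateral movement"],
}
def normalize(raw):
    """Map a source's native fields onto one standard record (the normalize step)."""
    if raw["src"] == "ids":      # IDS convention here: sev 1 is the most severe
        return {"source": "ids", "asset": raw["dst"],
                "category": "malware" if "MALWARE" in raw["sig"] else "info",
                "severity": {1: 90, 2: 60, 3: 20}[raw["sev"]]}
    if raw["src"] == "av":       # AV convention here: textual risk level
        return {"source": "av", "asset": raw["host"], "category": "malware",
                "severity": {"high": 85, "medium": 50, "low": 15}[raw["risk"]]}
    raise ValueError(f"unknown source {raw['src']!r}")

@dataclass
class Incident:
    category: str
    asset: str
    priority: int
    tasks: dict = field(default_factory=dict)   # delegated task -> status

def triage(raw_events, threshold=70):
    """Prioritise events, open incidents above the threshold, attach the roadmap, delegate."""
    incidents = []
    for raw in raw_events:
        event = normalize(raw)
        # constructed scoring: severity plus a bump when the asset is critical
        score = event["severity"] + (10 if event["asset"] in CRITICAL_ASSETS else 0)
        if score <= threshold:
            continue             # stays an event: no incident, no IR Lead notification
        incident = Incident(event["category"], event["asset"], score)
        for task in ROADMAPS.get(incident.category, []):
            incident.tasks[task] = "delegated"   # deploy: team member is notified of the task
        incidents.append(incident)
    return incidents

def update_status(incident, task, status):
    """Record a status reported from the team member's computer; True once every task is done."""
    if task not in incident.tasks:
        raise KeyError(f"{task!r} was not delegated for this incident")
    incident.tasks[task] = status
    return all(s == "done" for s in incident.tasks.values())
```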
Specification