This application may contain material that is subject to copyright, mask work, and/or other intellectual property protection. The respective owners of such intellectual property have no objection to the facsimile reproduction of the disclosure by anyone as it appears in published Patent Office file/records, but otherwise reserve all rights.
Some embodiments described herein generally relate to apparatuses, methods, and systems for a cyber threat intelligence management mechanism, and more particularly, relate to a cyber security assessment mechanism (“CSRA”).
Cyber analysts and security operations personnel want to determine how safe a network is, such as their corporate network, partner network or other networks that may be connected to the infrastructure under their control. One type of cyber risk is computer malware, which can send malicious code over a network to a computer so as to burden the processing capacity of the computer, gain access to secured data without authorization, or modify critical system settings. The Internet topology, and how often cyber risk is associated with a given network element of the Internet, can change constantly.
The accompanying appendices, drawings, figures, images, etc. illustrate various example, non-limiting, inventive aspects, embodiments, and features (“e.g.,” or “example(s)”) in accordance with the present disclosure.
In one embodiment, a cyber security assessment mechanism system is disclosed. The cyber security assessment mechanism includes a first cyber threat intelligence processing component, disposed at a network-accessible compute device. The first cyber threat intelligence processing component calculates a cyber threat indicator confidence score associated with at least one of a cyber threat indicator or a network element after the cyber threat indicator is received. The cyber security assessment further includes a cyber security index component, at the data center, communicatively coupled to the first cyber threat processing component. The cyber security index component associates the cyber threat indicator confidence score with a network element of a cyber network based on the network topology information after the network topology information is obtained. The cyber security index component generates a cyber threat index value for the cyber network based on the cyber threat indicator confidence score associated with the network elements after the cyber threat indicator confidence score is associated. The cyber security index component further sends the cyber threat index value for the cyber network, after the cyber threat index value is generated, to a second cyber threat processing component disposed at a remote location from the data center such that the second cyber threat processing component receives the cyber threat index value for the cyber network, and generates a user interface visualization representing the cyber threat index value.
In some embodiments, a cyber security assessment mechanism (hereinafter “CSRA”) provides a system to assess the cyber health of a network, such as the global Internet. In some instances, the CSRA provides an infrastructure to collect and analyze cyber threat information, and to provide a cyber threat report through an interactive user interface for a client to view and/or edit cyber threat analytics results.
In some instances, the CSRA can protect an organization's information assets against cyber threats via cyber threat intelligence management, which may include a variety of data analytics and heuristics to monitor and analyze the organization's network environment, and/or the like. For example, a cyber threat intelligence processing component (e.g., see CSRA core processor 109 in
In some instances, the CSRA system can collect global Internet topology information, collect and fuse multiple intelligence feeds from various data sources relating to network security, and associate those feeds with the Internet topology and a cyber health index score. The cyber health index score (or a threat indicator confidence score, as used interchangeably throughout the application) is calculated as a rating of the severity of a threat indicator. Such a threat indicator confidence score can be calculated as associated with an independent threat incident, and/or associated with a network element, because the threat incident can propagate through the elements of the network. A network element or set of network elements can include any hardware, software, functional modules, routing topology, and/or the like, of a network. The network element or set of network elements can have an associated threat indicator confidence score, which represents how threatening that network element or set of network elements is. For example, a threat indicator confidence score can be associated with all network elements that have threat indicators associated with them, including an IP host, classless inter-domain routing (CIDR), fully qualified domain name (FQDN), autonomous system number (ASN), and/or the like. In another example, a threat indicator confidence score can be associated with any user-defined entities, which can be groups of network elements such as IP, CIDR, FQDN, ASN, and/or the like. For example, a user-defined entity “Fedex” can be a group of CIDRs, ASNs, Domains, IPs, and/or the like.
After the CSRA system calculates the cyber health index score at a core processor (e.g., deployed at a server at the CSRA assessment center, etc.), the scores and other data are then distributed to multiple customer views on a site processor (e.g., deployed at a client site, etc.), where customers can view and/or make changes that provide feedback to the CSRA assessment center.
In some instances, at the core processor 305, the threat indicator confidence can be associated with different classes of objects. For example, a threat indicator confidence can be associated with all threat indicators. As another example, a threat indicator confidence can be associated with all network elements that have threat indicators associated with them, including an IP host, classless inter-domain routing (CIDR), fully qualified domain name (FQDN), autonomous system number (ASN), and/or the like.
Communication network 105 can be any communication network, such as the Internet, configurable to allow the one or more UEs 101, the one or more CSRA core processor(s) 109, one or more CSRA site processor(s) 108, one or more CSRA telemetry processor(s) 103, one or more CSRA report processor(s) 104 to communicate with communication network 105 and/or to each other through communication network 105. Communication network 105 can be any network or combination of networks capable of transmitting information (e.g., data and/or signals) and can include, for example, a telephone network, an Ethernet network, a fiber-optic network, a wireless network, and/or a cellular network.
In some instances, communication network 105 can include multiple networks operatively coupled to one another by, for example, network bridges, routers, switches and/or gateways. For example, the UEs 101 can be operatively coupled to a cellular network; and the CSRA site processor(s) 108 can be operatively coupled to a fiber-optic network. The cellular network and fiber-optic network can each be operatively coupled to one another via one or more network bridges, routers, switches, and/or gateways such that the cellular network, the Ethernet network and the fiber-optic network are operatively coupled to form a communication network. Alternatively, the cellular network and fiber-optic network can each be operatively coupled to one another via one or more additional networks. For example, the cellular network and the fiber-optic network can each be operatively coupled to the Internet such that the cellular network, the fiber-optic network and the Internet are operatively coupled to form a communication network.
As illustrated in
A network connection can be a wireless network connection such as, for example, a wireless fidelity (“Wi-Fi”) or Wireless Local Area Network (“WLAN”) connection, a Wireless Wide Area Network (“WWAN”) connection, and/or a cellular connection. A network connection can be a wired connection such as, for example, an Ethernet connection, a Digital Subscription Line (“DSL”) connection, a broadband coaxial connection, and/or a fiber-optic connection.
As mentioned above, in some instances, a communication network system 100 can include more than one UE 101, more than one CSRA core processor(s) 109, and more than one data source 111. A UE 101, and/or a CSRA core processor 109, can be operatively coupled to the communication network 105 by heterogeneous network connections. For example, a first UE 101 can be operatively coupled to the communication network 105 by a WWAN network connection, another UE 101 can be operatively coupled to the communication network 105 by a DSL network connection, and a CSRA core processor 109 can be operatively coupled to the communication network 105 by a fiber-optic network connection.
The CSRA core processor(s) 109 and/or the CSRA site processor 108 each can include, for example, a processor at a web server, a processor at a remote server, and/or the like, configured to provide cyber threat analytics to electronic devices, such as UEs 101. The UE 101 can be in communication with the CSRA core processor(s) 109 via the communication network 105, and/or with the CSRA site processor(s) 108 via the communication network 105.
In one implementation, the CSRA core processor(s) 109, the CSRA site processor 108, the CSRA telemetry processor 103, and/or the CSRA report processor 104 each can be a remote server housed separately from the UE 101. For example, the UE 101 can receive a signal representing a threat indicator confidence score (e.g., a numeric value that is calculated to represent a rating of the severity of the threat indicator, etc.) from the CSRA core processor 109 via the communication links 117, or can receive a signal representing a cyber threat analytics report from the CSRA report processor 104 via communication links 114. In another implementation, the CSRA site processor 108 and/or the CSRA report processor 104 can be integrated with the UE 101, where the report can be directly presented at the UI 107 on UE 101. The report of cyber threat analytics can be generated at the CSRA report processor 104 using threat indicator confidence scores calculated at the CSRA core processor 109. A detailed discussion of functionalities and data exchange of and in between the processors 103, 104, 108 and 109 is provided in
The UEs 101 can be any of a variety of electronic devices that can be operatively coupled to communication network 105. A UE 101 can be, for example, a personal computer, a tablet computer, a personal digital assistant (PDA), a cellular telephone, a portable/mobile internet device, television, kiosk display, display screens in vehicles, projection devices, laser display devices, digital display watches, digital display glasses and/or some other electronic communication device with audio and/or visual capabilities. A UE 101 can also be, for example, a television set, a streamer device, a set top box, or any other electronic device equipped with a display unit (a UI 107) and an interface to a network connection 113 that enables the device to run applications on an operating system. The UEs 101 each can include or implement a web browser configured to access a webpage or website, for example, hosted on or accessible via the CSRA site processor 108 over communication network 105. The UEs 101 can be, for example, configured to support, for example, Hyper Text Markup Language (HTML) using JavaScript. For example, the UEs 101 can include or implement a web browser, such as, Firefox®, Safari®, Dolphin®, Opera®, Internet Explorer (IE)®, Chrome® and/or similar browsers. An Internet page or website can be accessed by a user of a web browser at a UE 101 by providing the web browser with a reference such as a uniform resource locator (URL), for example, of a webpage. For example, a user of a UE 101 can access a CSRA core processor 109 via a URL designated for the CSRA core processor 109. In some instances, UEs 101 each can include specialized software other than a web browser for accessing a web server such as, for example, a server hosting the CSRA core processor 109. Specialized software can be, for example, a specialized network-enabled application or program. 
In some instances, portions of a website accessible via a web server can be located in a local or remote memory space/data store accessible to the web server. A UE 101 can also include a display, monitor or user interface (UI) 107, a keyboard, various ports (e.g., a USB port), and other user interface features, such as, for example, touch screen controls, audio components, and/or video components (each not shown). For example, the UE 101 may be operated and/or accessed by a user (e.g., a cyber analyst, etc.) to obtain a cyber threat analytics report.
Data source(s) 111 can be distributed sources of data throughout the communication network system 100. A data source 111 can be at least one or more of a database, a data warehouse, a file, etc. For example, the data source(s) can include a variety of network security monitoring systems, hosted by the CSRA and/or a third party, which provide intelligence feeds relating to cyber threat information and network performance (e.g., see 302 in
In some instances, the site processor 201 can be owned by an organization that has subscribed to the CSRA core processor system (e.g., as further discussed in
The site processor 201 can allow users to view all contributing threat indicators for a network element and also the threat indicator confidence score associated with each indicator. The users can also see how that threat indicator score for the network element is derived, e.g., the network topology, etc. The site processor 201 provides a threat indicator score editing user interface, which allows users to modify a threat indicator score by changing the score on a network element, and/or changing the criticality rating, classification rating or source rating associated with the threat indicator. Upon receiving user modifications, the site processor 201 may automatically feed those changes to the core processor (e.g., 109 in
In some instances, the site processor 201 may monitor or ingest site specific threat intelligence via a site specific threats module 201d. For example, an organization can monitor a particular type of cyber threat intelligence, or a cyber threat obtained from a certain source, and/or the like. A larger organization may deploy multiple site processors 201, e.g., depending on the number of users and how much of the global Internet the organization wishes to monitor.
In some instances, the report processor 202 includes reporting capability that processes data flowing from the site processor 201 and generates summarized reports (e.g., 202b) and/or historical reports (e.g., 202a) based on data obtained from the site processor 201. For example, the report processor 202 may include a historical reports module 202a, a summary reports module 202b, a twenty-four hour monitor reports module 202c, and/or the like, to generate different types of reports of cyber threats, respectively. The report processor 202 may store the generated cyber threat reports at a report datatable 291c.
In some instances, the telemetry processor 203 includes a capability to ingest local security telemetry in a scalable manner across the organization's network, e.g., from a variety of telemetry sources 204 such as, but not limited to, router(s) of the network 204a, firewall(s) 204b, web activities 204c, archive(s) 204d, and/or the like. The telemetry fusion module 203a can fuse various telemetry data and supply the fused telemetry data to the telemetry correlation module 203b. The telemetry correlation module 203b may then correlate the collected telemetry that has related attributes and/or characteristics, e.g., data messages originating from and/or destined to the same Internet Protocol (IP) address, suspicious activity data that is associated with the same network element, and/or the like. The telemetry correlation module 203b correlates network telemetry to global and local threat intelligence indicators and provides annotation of the telemetry to the report processor so that users can generate reports on their network telemetry against global cyber threat intelligence. The correlated telemetry data may be stored at the telemetry datatable 219d.
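As an added example of the fusion and correlation step just described (this is illustrative code written for this page, not the CSRA's own implementation), the block below normalizes two constructed telemetry formats (a firewall `src=/dst=` line and a web access log line), groups the records by the external peer address, and annotates each group with the matching threat indicator and its confidence score. The indicator table, the log formats and the internal prefix `10.0.0.0/8` are all constructed assumptions; the addresses are documentation ranges, not real indicators.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed indicator table: network element -> confidence score (0..100),
# standing in for the scores a core processor would distribute to a site.
INDICATOR_SCORES: Dict[str, float] = {
    "198.51.100.7": 83.0,
    "203.0.113.0/24": 53.0,
}

# Assumed: prefixes considered the organization's own address space.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed telemetry formats for a firewall feed and a web access log.
FIREWALL_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\w+)")
WEB_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an address at all; treat as external/unknown
    return any(addr in net for net in INTERNAL)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Fusion step: normalize one line from either source into a record that
    names the external peer; returns None for lines in neither format."""
    m = FIREWALL_RE.search(line)
    if m:
        peer = m["dst"] if is_internal(m["src"]) else m["src"]
        return {"source": "firewall", "peer": peer, "detail": m["action"]}
    m = WEB_RE.match(line)
    if m:
        return {"source": "web", "peer": m["client"], "detail": f'{m["req"]} {m["status"]}'}
    return None


def lookup_indicator(ip: str) -> Tuple[Optional[str], float]:
    """Exact host match first, then the most specific CIDR containing the IP."""
    if ip in INDICATOR_SCORES:
        return ip, INDICATOR_SCORES[ip]
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[str, float]] = None
    for key, score in INDICATOR_SCORES.items():
        if "/" not in key:
            continue
        net = ipaddress.ip_network(key)
        if addr in net and (best is None or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen):
            best = (key, score)
    return best if best else (None, 0.0)


def correlate(lines: List[str]) -> Dict[str, dict]:
    """Correlation step: group telemetry by external peer and annotate each
    group with the matching global indicator, so reports can be built per peer."""
    groups: Dict[str, dict] = defaultdict(
        lambda: {"records": 0, "sources": set(), "indicator": None, "score": 0.0}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable telemetry is skipped, not guessed at
        g = groups[rec["peer"]]
        g["records"] += 1
        g["sources"].add(rec["source"])
    for peer, g in groups.items():
        g["indicator"], g["score"] = lookup_indicator(peer)
    return dict(groups)


# Constructed sample telemetry (documentation addresses only).
TELEMETRY = [
    "src=10.0.0.5 dst=198.51.100.7 action=allow",
    "src=203.0.113.9 dst=10.0.0.80 action=deny",
    '203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200',
    "src=10.0.0.5 dst=192.0.2.44 action=allow",
    "garbage line that matches neither format",
]

if __name__ == "__main__":
    for peer, g in correlate(TELEMETRY).items():
        print(f"{peer:16s} records={g['records']} sources={sorted(g['sources'])} "
              f"indicator={g['indicator']} score={g['score']}")
```

The peer keyed on is the non-internal side of each record, so a single external host seen by both the firewall and the web server collapses into one group with two sources, which is the "related attributes" correlation the page describes. Peers with no matching indicator keep a score of 0.0 rather than being dropped, so the report can still show unattributed traffic.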
As shown in
In some instances, the core processor 305 can fuse the intelligence feeds into a set of cyber health scores (e.g., the threat indicator score) associated with every threat indicator; those threat indicators are then associated with the network topology for the global Internet at the core processor 305. The core processor may calculate threat indicator scores continuously when it receives new intelligence feeds that contribute to the threat indicators and any Internet topology information. Once the core processor 305 has calculated threat indicator scores for all threat indicators and network elements, the core processor 305 asynchronously notifies each site processor (e.g., 201 in
The core processor can then generate a threat index for the cyber network at 324, e.g., a numeric index value based on the threat indicator confidence scores associated with network elements of the cyber network. The generated threat index may then be sent to a client site at 325, e.g., the site processor 201 in
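The passages above describe three linked steps without giving formulas: computing a threat indicator confidence score from an indicator's criticality, classification and source ratings (which the site processor's editing interface lets users change), associating that score with the network elements the indicator touches (IP host, CIDR, ASN, FQDN, or a user-defined group of them), and rolling the element scores up into a threat index for a cyber network. The block below is an added illustration written for this page, not the CSRA's own code. The weighted-mean scoring formula, the "maximum score wins" roll-up, the prefix-to-ASN topology table, the feed entries and the user-defined entity are all constructed assumptions; the addresses are documentation ranges, not real indicators.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class ThreatIndicator:
    value: str             # the indicator itself: an IP, CIDR, FQDN or ASN
    kind: str              # "ip", "cidr", "fqdn" or "asn"
    criticality: float     # 0..1 rating: how damaging the reported threat is
    classification: float  # 0..1 rating: how well-established the classification is
    source: float          # 0..1 rating: reliability of the reporting feed

    def confidence_score(self) -> float:
        """Assumed formula (not from the page): weighted mean of the three
        ratings, scaled to 0..100. The weights are illustrative."""
        for r in (self.criticality, self.classification, self.source):
            if not 0.0 <= r <= 1.0:
                raise ValueError("ratings must lie in [0, 1]")
        raw = 0.5 * self.criticality + 0.3 * self.classification + 0.2 * self.source
        return round(raw * 100, 1)


# Constructed topology: prefix -> ASN announcing it. A deployment would derive
# this from the collected Internet topology information.
TOPOLOGY = {
    ipaddress.ip_network("198.51.100.0/24"): "AS64500",
    ipaddress.ip_network("203.0.113.0/24"): "AS64501",
}


def elements_for(indicator: ThreatIndicator) -> Set[str]:
    """Network elements an indicator is associated with: the indicator itself
    plus every enclosing element found in the topology (an IP host also taints
    its covering CIDR and the ASN announcing that CIDR)."""
    elems = {indicator.value}
    if indicator.kind == "ip":
        addr = ipaddress.ip_address(indicator.value)
        for net, asn in TOPOLOGY.items():
            if addr in net:
                elems.update({str(net), asn})
    elif indicator.kind == "cidr":
        net = ipaddress.ip_network(indicator.value)
        for known, asn in TOPOLOGY.items():
            if net.subnet_of(known):
                elems.update({str(known), asn})
    return elems


def score_elements(indicators: Iterable[ThreatIndicator]) -> Dict[str, float]:
    """Per-element confidence score: the highest score of any indicator that
    touches the element (assumed roll-up rule)."""
    scores: Dict[str, float] = {}
    for ind in indicators:
        s = ind.confidence_score()
        for elem in elements_for(ind):
            scores[elem] = max(scores.get(elem, 0.0), s)
    return scores


def threat_index(element_scores: Dict[str, float], members: Iterable[str]) -> float:
    """Threat index for a cyber network or user-defined entity: the maximum
    score over its member elements (assumed), 0.0 when none is scored."""
    return max((element_scores.get(m, 0.0) for m in members), default=0.0)


def edit_rating(ind: ThreatIndicator, **ratings: float) -> ThreatIndicator:
    """Site-side edit of criticality/classification/source, as the page's
    editing interface allows; returns a new indicator so scores are recomputed."""
    bad = set(ratings) - {"criticality", "classification", "source"}
    if bad:
        raise ValueError(f"unknown rating(s): {sorted(bad)}")
    return replace(ind, **ratings)


# Constructed feed entries (documentation/test addresses, not real indicators).
FEED = [
    ThreatIndicator("198.51.100.7", "ip", 0.9, 0.8, 0.7),
    ThreatIndicator("203.0.113.0/26", "cidr", 0.4, 0.5, 0.9),
    ThreatIndicator("malicious.example", "fqdn", 0.6, 0.6, 0.6),
    ThreatIndicator("AS64501", "asn", 0.2, 0.3, 0.5),
]

# Constructed user-defined entity grouping several element types.
ENTITY = {"AS64500", "203.0.113.0/26", "malicious.example"}

if __name__ == "__main__":
    scores = score_elements(FEED)
    for elem, s in sorted(scores.items()):
        print(f"{elem:20s} {s:5.1f}")
    print("entity index:", threat_index(scores, ENTITY))
```

Because the roll-up takes the maximum, raising the criticality of a single indicator (as a site user might via `edit_rating`) immediately lifts the score of every element it touches and any entity containing them, which is the feedback path from site processor to core processor the page describes.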
As an alternative example shown in
In some instances, a data center replication module 507 at the primary data center 505 can interface with a corresponding data center replication module 503 at a secondary data center 501, which may in turn process data feeds at a (secondary) core processor 502.
In some instances, the primary data center 505 communicates with a site processor, e.g., a customer site intelligence processor 513 at a customer cloud, which may communicate, via intelligence service processor connectors 514 and intelligence service exchange API 515, with the intelligence navigator connector 516. The intelligence navigator connector 516 connects with the intelligence navigator 517, which can provide a user interface for system customer 520 to view cyber threat analytics generated at the primary data center 505.
As shown in FIG. 5-(2), via the intelligence receiver API 526, enforcement API 527, site processor API 528, a customer on premise (e.g., a customer device located remotely from the primary 505 and/or secondary data center 501, etc.) can receive data (e.g., threat indicator confidence scores, threat analytics, etc.) from the primary data center 505 shown in FIG. 5-(1). For example, the customer on premise can deploy a third party security tool 531 to process threat analytics received via the intelligence service connector 532a. As another example, the site security enforcement module 534 can receive enforcement data via the intelligence services enforcement connector 532b; and can enforce the security rules on a network security device 533 at the customer on premise. As another example, a site intelligence processor 535 (e.g., similar to 201 in
It is intended that the systems and methods described herein can be performed by software (executed on hardware), hardware, or a combination thereof. Hardware modules can include, for example, a general-purpose processor, a field programmable gate array (FPGA), and/or an application specific integrated circuit (ASIC). Software modules (executed on hardware) can be expressed in a variety of software languages (e.g., computer code), including C, C++, Java™, Ruby, Python, JavaScript, Perl, PHP, Visual Basic™, and other object-oriented, procedural, or other programming languages and development tools. Examples of computer code include, but are not limited to, micro-code or micro-instructions, machine instructions, such as produced by a compiler, code used to produce a web service, and files containing higher-level instructions that are executed by a computer using an interpreter. Additional examples of computer code include, but are not limited to, control signals, encrypted code, and compressed code.
Some embodiments described herein relate to a computer storage product with a non-transitory computer-readable medium (also can be referred to as a non-transitory processor-readable medium) having instructions or computer code thereon for performing various computer-implemented operations. The computer-readable medium (or processor-readable medium) is non-transitory in the sense that it does not include transitory propagating signals per se (e.g., a propagating electromagnetic wave carrying information on a transmission medium such as space or a cable). The media and computer code (also can be referred to as code) may be those designed and constructed for the specific purpose or purposes. Examples of non-transitory computer-readable media include, but are not limited to, magnetic storage media such as hard disks, floppy disks, and magnetic tape; optical storage media such as Compact Disc/Digital Video Discs (CD/DVDs), Compact Disc-Read Only Memories (CD-ROMs), and holographic devices; magneto-optical storage media such as optical disks; carrier wave signal processing modules; and hardware devices that are specially configured to store and execute program code, such as Application-Specific Integrated Circuits (ASICs), Programmable Logic Devices (PLDs), Read-Only Memory (ROM) and Random-Access Memory (RAM) devices.
While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. Where methods and steps described above indicate certain events occurring in certain order, the ordering of certain steps may be modified. Additionally, certain of the steps may be performed concurrently in a parallel process when possible, as well as performed sequentially as described above. Although various embodiments have been described as having particular features and/or combinations of components, other embodiments are possible having any combination or sub-combination of any features and/or components from any of the embodiments described herein.