Patent Grant
11265340
The present invention relates to identifying vulnerabilities in network components, and more particularly to determining remediation exceptions for vulnerabilities and suppressing the reporting of the vulnerabilities.
Organizations utilize numerous network components (e.g., network devices, network applications, or the like) for the organization's operations. However, due to the large number of network components, opportunities are created for the occurrence of accidental or purposeful vulnerabilities in the network components. The vulnerabilities may be general vulnerabilities that are potential issues for all types of organizations regardless of the organization type, or may be specific vulnerabilities that are based on the organizations' specific uses and/or specific policies for the organizations' own network components. There exists a need to manage the vulnerabilities within an organization.
The following presents a simplified summary of one or more embodiments of the present invention, in order to provide a basic understanding of such embodiments. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor delineate the scope of any or all embodiments. Its sole purpose is to present some concepts of one or more embodiments of the present invention in a simplified form as a prelude to the more detailed description that is presented later.
Generally, systems, computer products, and methods are described herein for improved monitoring and management of network components, including monitoring the network components to determine the vulnerabilities of network components, implementing remediation plans for the vulnerabilities, instituting remediation suppression for acceptable uses, instituting network component exceptions and rolling exceptions for network components, taking consequence actions for the vulnerabilities, and/or the like. The present invention provides an organization improved control over its network components, thus improving the security for an organization, by providing improved network component information collection and network component decisioning in order to remediate the vulnerabilities. The security of the network components is improved by allowing the organization to remotely monitor the network components for vulnerabilities and remotely control the network components (e.g., freeze at least a potion thereof, limit or prevent operation of the network component in a number of different ways, or the like). Additionally, the present invention provides improved efficiency in monitoring and taking actions with respect to the network components because the monitoring and control of the network components may occur remotely.
Embodiments of the invention relate to first determining the primary user 4 or owner of the network components (e.g., is listed as the owner, the user that is responsible for the network component, the user the uses the network component the most, the user that accesses the network component the most, or the like). Thereafter, the network components are monitored to identify vulnerabilities in the network components. Next, a remediation plan may be implemented, which may include alerting the primary user 4 of the vulnerability, automatically and remotely freezing at least a portion of the network component, providing processes for remediating the vulnerability, providing updates for network components to remove the vulnerability, or the like.
It in some embodiments of the invention, remediation suppression may be implemented for the user 4, vulnerability, network component, or the like when the vulnerability is determined to be an acceptable vulnerability. For example, the remediation suppression may be implemented when the user 4 requests an exception and it is granted, when an exception is granted based on organization policy, and/or when an exception is granted based on third party information. When remediation suppression is implemented the reporting of the vulnerability may be prevented). As such, even though a vulnerability has occurred, the vulnerability may be acceptable and thus at least a portion of the remediation process may be suppressed, the reporting of the vulnerability may be suppressed in order to prevent false notifications of the vulnerabilities, and/or any consequence actions associated with the vulnerability may be suppressed. It should be understood that while the reporting of the vulnerabilities may be suppressed, the remediation suppression, the vulnerabilities, the organization's policies, and/or the network components may still be monitored to make sure changes have not occurred that will change the suppression of the vulnerabilities. For example, the network components may be monitored to make sure company policy does not change that would make the suppression no longer valid, that the network components may have changed such that the network components may no longer have vulnerabilities, and/or the vulnerabilities are no longer considered vulnerabilities.
Alternatively, or in addition to remediation suppression, customized criteria may be created and used to identify rolling network component exceptions that automatically prevent identification and/or remediation of vulnerabilities for particular network components. It should be understood that the customized criteria may be set up by a user or automatically identified by the organization systems. If any current network component or new network components meets the customized criteria, the network component may be automatically rolled into network component exceptions processes in order to prevent a vulnerability action, such as identification of a vulnerability for the network component or remediation of the vulnerability for the network component.
Embodiments of the invention comprise systems, computer implemented methods, and computer program products for suppressing remediation of vulnerabilities of network components based on acceptable vulnerabilities. The invention comprises monitoring network components for vulnerabilities. A vulnerability is identified, and wherein the vulnerability is related to at least one of the network components. Identify when the vulnerability is an acceptable vulnerability and tag the acceptable vulnerability with a remediation suppression. The remediation suppression results in suppressing at least a portion of a remediation plan, a consequence action, or reporting for the acceptable vulnerability. Monitoring of the network components and the acceptable vulnerability is continued in order to determine a change for the remediation suppression.
In further accord with embodiments of the invention, suppressing at least the portion of the reporting for the acceptable vulnerability comprises preventing reporting of the acceptable vulnerability in order to prevent a false reporting of the vulnerability.
In other embodiments of the invention, suppressing at least the portion of the remediation plan comprises suspending alerts to a primary user of a network component impacted by the acceptable vulnerability.
In still other embodiments of the invention, suppressing at least the portion of the remediation plan comprises altering a remediation deadline for remediating the acceptable vulnerability.
In yet other embodiments of the invention, suppressing at least the portion of the remediation plan comprises suspending prevention of operation of at least a portion of the network component impacted by the acceptable vulnerability.
In further accord with embodiments of the invention, suppressing implementation of the consequence action comprises suspending removal of a network component impacted by the acceptable vulnerability.
In other embodiments of the invention, determining when the vulnerability is the acceptable vulnerability comprises determining when a user exception request for the vulnerability has been approved.
In still other embodiments of the invention, determining when the vulnerability is the acceptable vulnerability comprises determining when the vulnerability is acceptable based on organization policy.
In yet other embodiments the invention further comprises determining when the acceptable vulnerability is no longer acceptable based on a change in the organization policy, and untagging the remediation suppression from the acceptable vulnerability when the acceptable vulnerability is no longer acceptable based on the change in the organization policy.
In other embodiments the invention further comprises determining when the acceptable vulnerability ceases to exist based on a change to one or more of the network components, an untagging the remediation suppression from the acceptable vulnerability when the vulnerability ceases to exist based on the change to the one or more of the network components.
In still other embodiments the invention further comprises editing the remediation suppression when a change in one or more of the network components or an organization policy occurs, wherein editing the remediation suppression comprises changing the suppression of at least the portion of the remediation plan, the consequence actions, or the reporting for the acceptable vulnerability.
In yet other embodiments the invention further comprises determining when the remediation suppression is untagged from the acceptable vulnerability; determining the remediation plan for the vulnerability for the at least one of the network components; implementing the remediation plan for the at least one of the network components; monitoring the at least one of the network components for compliance with the remediation plan; identifying a trigger for implementing the consequence action for the at least one of the network components; and implementing the consequence action for the at least one of the network components when the trigger is identified.
To the accomplishment the foregoing and the related ends, the one or more embodiments comprise the features hereinafter described and particularly pointed out in the claims. The following description and the annexed drawings set forth certain illustrative features of the one or more embodiments. These features are indicative, however, of but a few of the various ways in which the principles of various embodiments may be employed, and this description is intended to include all such embodiments and their equivalents.
Having thus described embodiments of the invention in general terms, reference will now be made to the accompanying drawings, and wherein:
Embodiments of the invention will now be described more fully hereinafter with reference to the accompanying drawings, in which some, but not all, embodiments of the invention are shown. Indeed, the invention may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will satisfy applicable legal requirements. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of one or more embodiments. It may be evident; however, that such embodiment(s) may be practiced without these specific details. Like numbers refer to like elements throughout.
Systems, methods, and computer program products are herein disclosed that monitor and manage network components, including determining the vulnerabilities of network devices and network applications, implementing remediation plans for the vulnerabilities, identifying exceptions for the vulnerabilities, suppressing reporting of the vulnerabilities, and taking consequence actions based on the vulnerabilities (e.g., suspending, blocking, removal, or the like of the network components).
The network 2 illustrated in
As illustrated in
The one or more processors 14 use the one or more communication interfaces 12 to communicate with the network 2 and other components on the network 2, such as, but not limited to, the one or more network devices 20, the one or more third-party systems 30, or one or more other systems 40. As such, the one or more communication interfaces 12 generally comprise a wireless transceiver, modem, server, electrical connection, electrical circuit, or other component for communicating with other components on the network 2. The one or more communication interfaces 12 may further include an interface that accepts one or more network interface cards, ports for connection of network components, Universal Serial Bus (USB) connectors and the like.
As further illustrated in
As illustrated in
The one or more processors 24 are operatively coupled to the one or more communication interfaces 22, and the one or more memories 26. The one or more processors 24 use the one or more communication interfaces 22 to communicate with the network 2 and other components on the network 2, such as, but not limited to, the one or more organization systems 10, the one or more third-party systems 30, and/or the one or more other systems 40. As such, the one or more communication interfaces 22 generally comprise a wireless transceiver, modem, server, electrical connection, or other component for communicating with other components on the network 2. The one or more communication interfaces 22 may further include an interface that accepts one or more network interface cards, ports for connection of network components, Universal Serial Bus (USB) connectors and the like. Moreover, the one or more communication interfaces 22 may include a keypad, keyboard, touch-screen, touchpad, microphone, speaker, mouse, joystick, other pointer, button, soft key, and/or other input/output(s) for communicating with the users 4.
As illustrated in
As illustrated in
The one or more processors 34 are operatively coupled to the one or more communication interfaces 32, and the one or more memories 36. The one or more processors 34 use the one or more communication interfaces 32 to communicate with the network 2 and other components on the network 2, such as, but not limited to, the one or more organization systems 10, the one or more network devices 20, and/or the one or more other systems 40. As such, the one or more communication interfaces 32 generally comprise a wireless transceiver, modem, server, electrical connection, or other component for communicating with other components on the network 2. The one or more communication interfaces 32 may further include an interface that accepts one or more network interface cards, ports for connection of network components, Universal Serial Bus (USB) connectors and the like.
As illustrated in
Moreover, as illustrated in
Block 120 of
Block 130 of
Block 140 of
Block 150 illustrates that in some embodiments, a user 4 may request a remediation exception for the identified vulnerability. That is, the user 4 may request an exception to allow for the continued use of the network component with the presence of the identified vulnerability (e.g., unfreeze the network component, prevent implementation of the remediation plan, and/or prevent the consequence action for the network component). For example, if the network component violates the organization policy, but is needed for a specific reason or falls within an exclusion, the user 4 may request continued use of the network component with the vulnerability without implementing the remediation plan. It should be understood that the remediation exception request routing is described in further detail with respect to U.S. patent application Ser. No. 15/889,949 entitled “Exception Remediation Logic Routing and Suppression Platform” filed concurrently herewith, which is incorporated by reference in its entirety herein.
Block 160 of
Additionally, or alternatively with respect to block 160, the present disclosure indicates that instead of or in addition to remediation suppression, customized criteria may be created and used to identify rolling network component exceptions that automatically prevent remediation of vulnerabilities for particular network components before the vulnerabilities are identified and remediation begins. It should be understood that the rolling network component exceptions are described in further detail with respect to U.S. patent application Ser. No. 15/889,799 entitled “Exception Remediation Logic Rolling Platform” filed concurrently herewith, which is incorporated by reference in its entirety herein.
Block 320 of
In response to identifying that the vulnerability is an acceptable vulnerability, and thus subject to remediation suppression, the vulnerability, network component, and/or users 4 may be marked as exceptions, indicating that the remediation of the vulnerability may be suppressed in various ways as will be discussed in further detail with respect to blocks 330 to 350. As illustrated by block 330, when the vulnerability is identified as acceptable, the implementation of at least a part of the remediation plan may be suppressed. For example, the alerts that should be sent to the users 4 for the remediation plan are suspended. Additionally, the automatic implementation of portions of the remediation plan, such as automatic software updates, preventing operation of at least a portion of the operation of the network components, or the like may be suspended. Alternatively, the remediation may still be implemented, but the remediation deadline may be suppressed in order to prevent false notifications of the failure to meet the remediation deadline.
Block 340 further illustrates that the implementation of any of the consequence actions may be suppressed. For example, any of the actions that are typically undertaken when a remediation plan is not implemented (e.g., when remediation does not occur before the remediation deadline, user 4 does not respond to alerts that were not sent, user does not update the applications, or the like) may be suppressed to prevent implementation of the actions. As such, the remediation suppression may prevent the removal the network component. It should be understood that removal may include the organization systems 10 (e.g., directly or through user computer systems) accessing (e.g., logging into, pushing, or the like) the network component to instruct the network component to power down, removing a network application from the network device, changing the login credentials of a user 4 to prevent user access, changing the network 2 information to prevent the network component from accessing the network 2, electronically altering the network component so that it cannot function, or the like.
As illustrated by block 350, in addition to suppressing the implementation of the remediation plan and/or the consequence actions, reporting of the vulnerability may be suppressed so as to prevent false positives for reporting the vulnerability that has been identified as acceptable. As such, the vulnerability will not be reported as a vulnerability for remediation. In this way, the organization systems 10 monitoring the vulnerabilities will not mistake an allowed vulnerability for a vulnerability that requires remediation.
In order to store information regarding the network components, vulnerabilities, and/or users that are subject to remediation suppression, suppression data may be coupled to the network components. For example, the suppression data may include associating metadata with the network component, storing the network component and associated remediation suppression in a network component suppression list with other suppression data, or the like.
Alternatively, as illustrated in block 370 of
In some embodiments of the invention, each network component and organization policy is tagged with the associated remediation suppression. As such, anytime there is a change in the network component and/or the organization policy each of the tagged remediation suppressions are automatically reviewed in order to determine if the changes in the network components and/or the organization policy that affect the remediation suppression.
In response to identifying new vulnerabilities that may be acceptable as discussed with respect to block 360, or that there are changes in the acceptable vulnerabilities as discussed with respect to block 370, new remediation suppressions may be added, the remediation suppressions may be changed, and/or the remediation suppressions may be removed, as illustrated by block 380. For example, in some embodiments the remediation suppressions may be changed because the vulnerability no longer exists (e.g., the network component is no longer exposed to the vulnerability, the organization policies have changed such that the network component no longer has a vulnerability, or the like), or in other embodiments the vulnerability may no longer qualify for remediation suppression, and instead may now be a vulnerability that should be remediated. As such, in some embodiments the remediation plan, consequence actions, and/or reporting (or portions of each) may be implemented, changed, or suppressed. In some embodiments, when remediation suppression is removed the network components are returned for remediation, as previously discussed with respect to block 140 of
It should be understood, that the systems described herein may be configured to establish a communication link (e.g., electronic link, or the like) with each other in order to accomplish the steps of the processes described herein. The link may be an internal link within the same entity (e.g., within the same financial institution) or a link with the other entity systems. In some embodiments, the one or more systems may be configured for selectively responding to dynamic authentication inquires. These feeds of resource usage and availability may be provided via wireless network path portions through the Internet. When the systems are not providing data, transforming data, transmitting the data, and/or creating the reports, the systems need not be transmitting data over the Internet, although it could be. The systems and associated data for each of the systems may be made continuously available, however, continuously available does not necessarily mean that the systems actually continuously generate data, but that a systems are continuously available to perform actions associated with the systems in real-time (i.e., within a few seconds, or the like) of receiving a request for it. In any case, the systems are continuously available to perform actions with respect to the data, in some cases in digitized data in Internet Protocol (IP) packet format. In response to continuously receiving real-time data feeds from the various systems, the systems may be configured to update actions associated with the systems, as described herein.
Moreover, it should be understood that the process flows described herein include transforming the data from the different systems (e.g., internally or externally) from the data format of the various systems to a data format associated with a particular display. There are many ways in which data is converted within the computer environment. This may be seamless, as in the case of upgrading to a newer version of a computer program. Alternatively, the conversion may require processing by the use of a special conversion program, or it may involve a complex process of going through intermediary stages, or involving complex “exporting” and “importing” procedures, which may convert to and from a tab-delimited or comma-separated text file. In some cases, a program may recognize several data file formats at the data input stage and then is also capable of storing the output data in a number of different formats. Such a program may be used to convert a file format. If the source format or target format is not recognized, then at times a third program may be available which permits the conversion to an intermediate format, which can then be reformatted.
As will be appreciated by one of skill in the art in view of this disclosure, embodiments of the invention may be embodied as an apparatus (e.g., a system, computer program product, and/or other device), a method, or a combination of the foregoing. Accordingly, embodiments of the invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.), or an embodiment combining software and hardware aspects that may generally be referred to herein as a “system.” Furthermore, embodiments of the invention may take the form of a computer program product comprising a computer-usable storage medium having computer-usable program code/computer-readable instructions embodied in the medium (e.g., a non-transitory medium, or the like).
Any suitable computer-usable or computer-readable medium may be utilized. The computer usable or computer readable medium may be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection having one or more wires; a tangible medium such as a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a compact disc read-only memory (CD-ROM), or other tangible optical or magnetic storage device.
Computer program code/computer-readable instructions for carrying out operations of embodiments of the invention may be written in an object oriented, scripted or unscripted programming language such as Java, Pearl, Python, Smalltalk, C++ or the like. However, the computer program code/computer-readable instructions for carrying out operations of the invention may also be written in conventional procedural programming languages, such as the “C” programming language or similar programming languages.
Embodiments of the invention described above, with reference to flowchart illustrations and/or block diagrams of methods or apparatuses (the term “apparatus” including systems and computer program products), will be understood to include that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a particular machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create mechanisms for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture including instructions, which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions, which execute on the computer or other programmable apparatus, provide steps for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. Alternatively, computer program implemented steps or acts may be combined with operator or human implemented steps or acts in order to carry out an embodiment of the invention.
Specific embodiments of the invention are described herein. Many modifications and other embodiments of the invention set forth herein will come to mind to one skilled in the art to which the invention pertains, having the benefit of the teachings presented in the foregoing descriptions and the associated drawings. Therefore, it is to be understood that the invention is not to be limited to the specific embodiments disclosed and that modifications and other embodiments and combinations of embodiments are intended to be included within the scope of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.
To supplement the present disclosure, this application further incorporates entirely by reference the following commonly assigned patent applications:
| Number | Name | Date | Kind |
|---|---|---|---|
| 6711571 | Putzolu | Mar 2004 | B2 |
| 7000247 | Banzhof | Feb 2006 | B2 |
| 7448066 | Birk et al. | Nov 2008 | B2 |
| 7529981 | Childress et al. | May 2009 | B2 |
| 7574740 | Kennis | Aug 2009 | B1 |
| 7607164 | Vasishth et al. | Oct 2009 | B2 |
| 7665119 | Bezilla et al. | Feb 2010 | B2 |
| 7668947 | Hutchinson et al. | Feb 2010 | B2 |
| 7698275 | O'Brien et al. | Apr 2010 | B2 |
| 7698391 | Paliwal et al. | Apr 2010 | B2 |
| 7711683 | Watanabe et al. | May 2010 | B1 |
| 7761920 | Bezilla et al. | Jul 2010 | B2 |
| 7774848 | D'Mello et al. | Aug 2010 | B2 |
| 7818788 | Meier | Oct 2010 | B2 |
| 7962696 | Steely, Jr. et al. | Jun 2011 | B2 |
| 7962960 | Fudge | Jun 2011 | B2 |
| 7992033 | Childress et al. | Aug 2011 | B2 |
| 8224937 | Childress et al. | Jul 2012 | B2 |
| 8291093 | Choe | Oct 2012 | B2 |
| 8341691 | Bezilla et al. | Dec 2012 | B2 |
| 8375113 | Sinn et al. | Feb 2013 | B2 |
| 8561134 | Bezilla et al. | Oct 2013 | B2 |
| 8561175 | Williams et al. | Oct 2013 | B2 |
| 8613080 | Wysopal et al. | Dec 2013 | B2 |
| 8769412 | Gill et al. | Jul 2014 | B2 |
| 8776170 | Bezilla et al. | Jul 2014 | B2 |
| 8924577 | Choe | Dec 2014 | B2 |
| 8984586 | Bezilla et al. | Mar 2015 | B2 |
| 8984643 | Krisher et al. | Mar 2015 | B1 |
| 9100431 | Oliphant et al. | Aug 2015 | B2 |
| 9154523 | Bezilla et al. | Oct 2015 | B2 |
| 9253202 | Thakur | Feb 2016 | B2 |
| 9270695 | Roytman et al. | Feb 2016 | B2 |
| 9436820 | Gleichauf et al. | Sep 2016 | B1 |
| 9467464 | Gula et al. | Oct 2016 | B2 |
| 9483281 | Bonczkowski et al. | Nov 2016 | B2 |
| 9706410 | Sreenivas et al. | Jul 2017 | B2 |
| 9727728 | Avrahami et al. | Aug 2017 | B2 |
| 20040128370 | Kortright | Jul 2004 | A1 |
| 20050044418 | Miliefsky | Feb 2005 | A1 |
| 20050216957 | Banzhof et al. | Sep 2005 | A1 |
| 20050229256 | Banzhof | Oct 2005 | A2 |
| 20060010497 | OBrien et al. | Jan 2006 | A1 |
| 20060191012 | Banzhof | Aug 2006 | A1 |
| 20060195905 | Fudge | Aug 2006 | A1 |
| 20100130178 | Bennett et al. | May 2010 | A1 |
| 20100216429 | Mahajan | Aug 2010 | A1 |
| 20100242114 | Bunker | Sep 2010 | A1 |
| 20110225275 | Shah et al. | Sep 2011 | A1 |
| 20120046985 | Richter et al. | Feb 2012 | A1 |
| 20130007865 | Krishnamurthy et al. | Jan 2013 | A1 |
| 20130091534 | Gilde et al. | Apr 2013 | A1 |
| 20140331326 | Thakur | Nov 2014 | A1 |
| 20150281287 | Gill et al. | Oct 2015 | A1 |
| 20150288709 | Singhal et al. | Oct 2015 | A1 |
| 20160253364 | Gomadam et al. | Sep 2016 | A1 |
| 20170220808 | Schmidt et al. | Aug 2017 | A1 |
| 20170279799 | Baltzer et al. | Sep 2017 | A1 |
| 20180096260 | Zimmer et al. | Apr 2018 | A1 |
| 20180144139 | Cheng et al. | May 2018 | A1 |
| 20190087832 | Mercury et al. | Mar 2019 | A1 |
| 20190098028 | Ektare et al. | Mar 2019 | A1 |
| 20190166149 | Gerrick | May 2019 | A1 |
| 20190245878 | Ward et al. | Aug 2019 | A1 |
| 20190245879 | Ward et al. | Aug 2019 | A1 |
| 20190245880 | Ward et al. | Aug 2019 | A1 |
| Number | Date | Country | |
|---|---|---|---|
| 20190245878 A1 | Aug 2019 | US |
