Data security incidents pose a major operational and financial risk for business and government. In examples, data security incidents include loss of a physical asset, such as a company laptop computer, that contains company-confidential information and cyber attacks launched against systems and assets of a company's enterprise network.
Examples of cyber attacks include actions designed to disrupt normal business operations and intrusion attempts to steal information. Attacks that disrupt business operations include introduction of malware, computer viruses, and Denial of Service (DoS) attacks. The intrusion attempts use various methods to gain unauthorized access to personal information of individuals, and company confidential information such as customer lists and business plans. Attackers use methods that target security vulnerabilities in computer operating systems and software within the business' enterprise network to obtain unauthorized access.
Businesses use incident management systems to track and recommend responses to data security incidents in their enterprise computer networks. Current incident management systems and methods typically provide the ability for Incident Response Team (IRT) personnel to track how the institution is responding to incidents.
Current data incident management systems and methods have problems. Firstly, most incident management systems require IRT personnel to manually carry out actions in response to incidents by performing some action upon or by interacting with, or manipulating devices in the clients' enterprise networks. The devices must passively wait for IRT members to manually carry out the responses to incidents recommended by the incident management systems. This can create delay and can significantly impact the efficiency of responses to incidents. Moreover, the incident management systems that can execute actions in response to incidents directly upon the devices typically require significant configuration within each of the devices for communicating with the incident management systems. Although recently, incident management systems that provide an action response framework for tracking and reacting to data security incidents have been proposed. See “Action Response Framework for Data Security Incidents,” U.S. Non-Provisional application Ser. No. 14/792,129 filed Jul. 6, 2015, which is incorporated herein by this reference in its entirety.
Nevertheless, network devices often have different application programming interfaces and employ different protocols and/or communications interfaces, such as devices supporting proprietary protocols and legacy devices supporting serial communications only.
The present invention provides an Incident Response Bus (“IR bus”) within a client/server based action response framework that tracks data security incidents. The IR bus is preferably a centralized, protocol agnostic and device independent software component or service. The action response framework is included within an Incident Manager (IM) application or software service. The IR bus communicates with the IM on behalf of the devices and vice versa.
In response to events and conditions associated with data security incidents, or in response to explicit actions taken by IRT members within the IM, the IM includes information associated with the data security incidents in messages, and sends the messages to specific message queues of the messaging system. Message queues are also known as message destinations. The IR bus then acts as a proxy on behalf of the IM by accessing the messages in the message queues and coordinating the execution of specific logic or actions to be taken to interact with devices where the logic or actions preferably refer to the information concerning the data security incidents in the messages.
The IR bus typically includes a plugin software component for each device in the client's enterprise network with which the IM needs to interact. Each plugin defines device-specific interfacing and protocol support for communicating with the device associated with each plugin. In examples, each plugin can be a script written in a scripting language such as JavaScript, or a Java application. Java is a registered trademark of Oracle, Inc.
Some plugins are configured to poll for messages from specific message destinations and to download the messages. These plugins are designed and configured to implement specific logic, to interact with one or more devices to collect information or perform some remediation action, or to interact with other plugins. The same or other plugins may interact with information sources to collect additional contextual information about the data security incident (e.g. look up information about a user account thought to be involved in a security incident). The plugins refer to the information concerning the data security incidents in the downloaded messages.
Moreover, plugins can be configured together in a chain to process the messages and to implement complex functions and interactions in response to the data security incidents. The actions taken by a given plugin can be informed or affected by the results of previous plugins in the chain.
This provides an automated incident response capability. Additionally, IRT users can add plugins to the IR bus and associated message destinations to the IM that each plugin specifies to incrementally support new operations and devices. This provides an incident response capability that can scale with an increasing number of components within each client's enterprise network.
In one case, an incident management system has been proposed that enables communications between an incident manager that stores information concerning data security incidents and one or more information systems, where the information systems include additional information useful in the diagnosis or remediation of the data security incidents. These information systems, in one example, are threat intelligence source systems (TIS) that are located externally to the client's enterprise network. The TIS(s) include information concerning techniques, data resources (e.g. IP addresses or malware hashes) and identities of attackers involved in cyber attacks, in examples. See “System for Tracking Data Security Threats and Method for Same,” U.S. Non-Provisional application Ser. No. 14/743,399 filed Jun. 18, 2015, which is incorporated herein by this reference in its entirety.
The IR bus of the present invention functions as a proxy to allow the IM to interact with information systems such as the TIS(s) disclosed in U.S. Non-Provisional application Ser. No. 14/743,399 referenced herein above, and functions as a proxy to allow the IM to interact with the various devices on the client's enterprise network. In one example, the plugins of the IR bus enable the IM to access the TIS information systems. In this model, the IM is the coordinator between and is central to interactions between the IM and the devices.
In general, according to one aspect, the invention features a system for responding to data security incidents in an enterprise network. The system includes devices responsible for security on the enterprise network, an incident manager that stores information concerning the data security incidents, and an incident response bus (IR bus) that communicates with the incident manager and the devices, where the IR bus accesses messages from the incident manager concerning the data security incidents.
In one example, each of the messages includes information associated with a specific data security incident. Preferably, the IR bus includes software plugin components for the devices, where the plugin software components specify actions for the devices to execute. Typically, the actions refer to the information concerning the data security incidents in the messages.
Preferably, the plugin software components define device-specific interfacing and protocol support for communicating with the devices, and poll for the messages from the incident manager. Moreover, at least some of the plugin software components are configured trigger actions on other devices via the plugin software components of those other devices.
Preferably, at least some of the plugin software components are configured together in a chain to implement complex functions and interactions in response to the data security incidents.
In yet another example, the system further comprises one or more information systems that include information useful in the diagnosis or remediation of the data security incidents. The incident response bus then allows the incident manager to interact with the one or more information systems.
In general, according to another aspect, the invention features a method for responding to data security incidents in an enterprise network. The method includes an incident manager storing information concerning the data security incidents, and an incident response bus communicating with the incident manager and with devices responsible for security on the enterprise network. The incident response bus then accesses messages concerning the data security incidents from the incident manager for the devices.
Preferably, the method configures at least some of the plugin software components together in a chain to process the messages concerning the data security incidents. The incident manager accesses, via the incident response bus, one or more information systems that include information useful in the diagnosis or remediation of the data security incidents.
The above and other features of the invention including various novel details of construction and combinations of parts, and other advantages, will now be more particularly described with reference to the accompanying drawings and pointed out in the claims. It will be understood that the particular method and device embodying the invention are shown by way of illustration and not as a limitation of the invention. The principles and features of this invention may be employed in various and numerous embodiments without departing from the scope of the invention.
In the accompanying drawings, reference characters refer to the same parts throughout the different views. The drawings are not necessarily to scale; emphasis has instead been placed upon illustrating the principles of the invention. Of the drawings:
The invention now will be described more fully hereinafter with reference to the accompanying drawings, in which illustrative embodiments of the invention are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
As used herein, the term “and/or” includes any and all combinations of one or more of the associated listed items. Further, the singular forms including the articles “a”, “an” and “the” are intended to include the plural forms as well, unless expressly stated otherwise. It will be further understood that the terms: includes, comprises, including and/or comprising, when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. Further, it will be understood that when an element, including component or subsystem, is referred to and/or shown as being connected or coupled to another element, it can be directly connected or coupled to the other element or intervening elements may be present.
The application server 180 includes a service manager 190 and one or more Incident Managers (IM) 102, which in turn include one or more message destinations 62. The message destinations 62 receive messages 40. The IMs 102, message destinations 62, and messages 40 form an incident response framework. Each of the message destinations 62-1 through 62-9, additionally labeled with references A through I, respectively, receive messages 40-1 through 40-9, respectfully. The message destinations 62 and messages 40 are implemented as a Java Messaging Service (JMS), in one example.
The JMS API allows applications to create, send, receive, and read messages using reliable, asynchronous, loosely coupled communications. The JMS API defines a common set of interfaces and associated semantics that allow programs written in the Java programming language to communicate with other messaging implementations. When using JMS, the sender and receiver need to know only which message format and which destination to use, as the JMS framework abstracts interface details of the senders and receivers.
Typically, a separate IM 102 is maintained for each enterprise client or customer 130. Each Incident Manager (IM) 102 is implemented preferably as a Software as a Service (SaaS) application. In one example, the service manager 190 sends management information 54 to update and maintain the IMs 102 for each of the separate customers of the entity that owns the application server 180.
Separate IMs 102-1, 102-2, and 102-3 are displayed for exemplary clients ACME Company, BigCorp, and CamCorp, respectively. The enterprise network 130 for ACME Company is included to show interactions between ACME's enterprise network and its associated IM 102-1. The IM 102 also includes a knowledge base 122 and an application programming interface (API) 134.
Within the IM 102, the knowledge base 122 stores information configured by the IRT 172 in response to incidents. This information includes details of the incidents, such as the incident data 20, and metadata associated with the incidents. The information is preferably received on the application programming interface 134, which forwards it to the knowledge base 122. The knowledge base 122 also includes a decision tree 18, destination objects 45, action conditions 44, incident objects 41, incident artifacts (IAs) 120, and notes 121.
The example enterprise network for ACME 130 includes exemplary appliances, devices, software and systems that communicate over a corporate network 70 and among one or more subnetworks 72. The subnetworks 72 are segmented from the corporate network 70 via a router 34. A firewall 36 is included on ACME's corporate network 70. Devices include firewall 36, Helpdesk System 98, access server 160, router 34, asset database 64, user account database 58, intercom and alert system 63, a Security Information and Event Manager (SIEM) 37, and a configuration server 103. The Helpdesk System 98 includes a Helpdesk Application 38 that logs events and supports creation of tickets for identifying issues in the enterprise network 130. Asset database 64 stores and maintains assets 59, such as for computer systems on ACME's enterprise network 130. The user account database 58 includes user accounts 60.
Some of the devices within the enterprise network 130 have limited interfacing and must rely on other devices to configure security related information. Devices that are not responsible for security on an enterprise network include the firewall 36, router 34, and intercom and alert system 63. Configuration server 103 includes one or more action scripts 42 that can interact with configuration server 103 to execute actions 43 on these devices. In a specific example, action script 42-1 executes action 43-1 on router 34 and action 43-2 on intercom and alert system 63.
Each enterprise network 130 also includes a local server 182. The local server 182 includes an incident response bus (IR bus) 135 and one or more config files 196. The IR bus 135 includes a parser 31 and plugins 13 associated with devices in ACME's enterprise network 130. In addition, plugins 13 can also be configured for and associated with software components within the local server 182 and within the application server 180. For example, plugin 13-1 is associated with the ACME IM 102-1 and is therefore referred to as an IM service plugin.
The IR bus 135 is preferably a centralized, protocol agnostic and device independent software component or service. The IR bus 135 communicates with its IM 102 and the devices and other components (e.g. hardware and/or software) via the plugins 13. Plugins 13-2 through 13-5 are associated with devices firewall 36, helpdesk system 98, access server 160, and asset database 64, respectively. Plugins 13-6 through 13-9 are associated with devices router 34, user account database 58, configuration server 103, and SIEM 37, respectively. Additionally, other plugins implement internal logic or transformations and do not directly execute actions on a specific device or system. In yet another example, the plugins 13 can be configured to connect to a specific message destination 62 and to download the messages 40 within each message destination 62.
The message destinations 62 and their messages 40 provide a loosely coupled communications path between the IM 102 and plugins 13 in the IR Bus 135. IRT personnel develop and design plugins to perform actions. When events associated with data security incidents satisfy action conditions 44, messages 40 are placed on message destinations 62. The messages 40 include information about the IM object involved in the data security incident. Those messages 40 are accessed by the associated plugin(s) 13 in the IR bus 135.
Plugins 13 then execute actions 43 based on their specific implementation. In some cases, those actions 43 will involve interacting with devices over the enterprise network 130. In other cases, those actions 43 will involve interacting with the IM 102 via an API 134. Plugins 13 can also be chained together to perform compound actions 43.
In the example, IRT users 172 configure an action condition 44-9, the satisfaction of which causes the IM 102 to send a message 40-9 to the defined message destination 62-9 within the action condition 44-9. Message 40-9 includes information associated with the data security incident that satisfied action condition 44-9. Plugin 13-9 associated with SIEM 37 is configured to monitor message destination 62-9.
Plugins 13 can also include action scripts 42. For example, plugin 13-4 includes action script 42-2 and incorporates the actions 43 of action script 42-2 with the actions 43 provided by plugin 13-4.
Plugin 13-9 polls message destination 62-9 and downloads messages 40-9. Plugin 13-9 extracts the information concerning the data security incidents in the message 40-9, and executes statements in the plugin 13-9 that refer to the information concerning the data security incidents. In this example, the statements within plugin 13-9 specify actions 43 for the SIEM 37 device to execute, where the actions refer to the information concerning the data security incidents extracted from message 40-9.
IRT personnel 172 use a browser 150 of access server 160 to configure the IM 102 via a graphical user interface API 134 of the IM 102. The communications path between the browser 150 and the IM 102, indicated by reference 89, does not utilize the IR bus 135 and its plugins 13. Via the browser 150, IRT 172 personnel create incident objects 41 within the IM 102 that include the incident data. This information can include the type of incident, such as “malware” or “phishing attempt,” a time stamp and duration of an incident, serial numbers/internal asset identifiers of systems and resources affected by the incident, and data traffic traces taken during an incident using network protocol analyzers, in examples.
Additionally, IRT personnel 172 can append information to the existing incident objects 41, and can create IAs 120 and notes 121 associated with the incident objects 41 to enhance the information associated with the incident objects 41. In one example, IRT personnel 172 can append information directly to the incident objects 41, such as documenting the steps taken to resolve the incident. In another example, IAs 120 can be created, where IAs 120 include details related to the tactics, techniques, or procedures use by an attacker or other indicators of the attack. Examples of data resources include IP addresses of servers used to orchestrate the attack, “hashes” of malicious files used in the attack, or registry keys of “breadcrumbs” left behind as a result of an attack.
In other examples, the IM 102 itself can create the incident objects 41, artifacts 120, and notes 121 within the knowledge database 122 in response to receiving incident data 20.
Within the knowledge base 122, IRT personnel 172 also define action conditions 44. The action conditions 44 define criteria associated with incidents and data security events. The IM 102 continuously compares the contents of its incident objects 41, IAs 120, and/or notes 121 with the defined action conditions 44. Each action condition 44 also specifies the name/ID of a message destination 62. Action conditions 44 are also known as rules.
When the IM 102 detects data associated with incidents or state changes in incident objects 41, IAs 120, and/or notes 121 that satisfy/meet the conditions of the defined action conditions 44, the IM 102 includes information associated with the data security incidents that satisfied the action conditions 44 in messages 40, and sends the messages 40 to the message destinations 62 specified in the action conditions 44.
For configuring the IR bus 135 between the IM 102 and the devices, each plugin 13 specifies a unique identifier of an associated message destination 62. In one example, the unique identifier is a URL of the message destination 62. The IR bus 135, via its plugins 13, acts as a proxy on behalf of the IM 102 to communicate with the devices in each client's enterprise network 130. The plugins 13 download the messages 40 in the message destinations 62 specified within the plugins 13. The plugins 13 then execute their defined functionality, referencing the information from the message 40 as needed. In some cases, this will involve interacting with or manipulating devices over the enterprise network 130.
In step 202, IRT personnel 172 configure various plugins 13 of the IR bus 135, where the plugins 13 are associated with different devices and software components in a client's enterprise network 130. Preferably, the IRT personnel 172 configure the plugins 13 by modifying configuration (config) files 196 associated with the plugins 13. The config files 196 include configuration statements and associated logic for initializing and configuring the plugins 13. In one example, this configuration includes specifying the Universal Resource Locator (URL) of a specific message destination 62. In other examples, IRT personnel 172 configure parameters or other information within the plugins 13 to modify or specify optional behaviors of the plugins 13, provide URL(s) and other information required for the plugin to interact with the appropriate device or service, and provide authentication credentials required to connect to or interact with a message destination 62, device or service. In yet another example, IRT personnel 135 provide configuration data within the config files 196 which indicates how multiple plugins 13 should be chained together.
According to step 204, IRT 172 personnel configure action conditions 44 on the IM 102 to trigger in response to events associated with data security incidents (e.g. in response to creation of an incident object 41 for a malware incident, or in response to creation of an Incident Artifact 120 for an IP address data resource identified within an incident object 41), where each of the action conditions 44 additionally specify the name/ID of a message destination 62.
Then, in step 206, in response to events associated with data security incidents (e.g. incident data 20) that satisfy the action conditions 44, the action conditions trigger, causing the action conditions 44 to include information concerning the data security incidents in messages 40, and to send the messages 40 to the message destinations 62 configured in the action conditions 44.
In step 302, the IR bus 135 loads all config files 196 for plugins 13 at IR Bus 135 startup. In step 304, parser 31 parses the contents of the config files 196. Then, in step 306, the IR bus 135 executes configuration statements from the config files that initialize the plugins 13.
According to step 308, for each plugin 13 or action script 42 that is configured to connect to a message destination 62, the plugin 13 or action script 42 connects to its associated message destination 62 and polls the message destination 62 for messages 40. In a preferred embodiment, each of the messages 40 includes information associated with a specific data security incident.
In step 312, each plugin 13 that is designed to connect to a message destination 62 downloads the messages 40 found in the associated message destination 62. In step 314, each of the plugins 13 executes its designed functionality, where the plugins 13 that connect to the message destinations 62 optionally reference information included in the downloaded messages 40 to make logic or branching decisions or to control the execution of conditional logic. In examples, the designed functionality of the plugins 13 includes interacting with devices or services located in the enterprise network 130 or with remote devices and services over the network cloud 26.
Finally, in step 316, if multiple plugins 13 have been configured to be chained together and there are more plugins 13 in the chain 420 to be processed, the current plugin 13 passes the message 40 and optionally other information for configuring the next plugins 13 of the chain 420, which then execute. Then, the process flow continues by transitioning to step 308 for the execution of the next plugin(s) 13.
Preferably, chains 420 include one or more plugins 13 that communicate in a specific sequence, the statements of which can additionally define a format for the messages 40 received at each plugin 13.
In
In response, plugin 13-7 first executes action 43-a to disable the user account 60 for user “Jones” in the user account database 58. Then, plugin 13-7 reformats the message, indicated by reference 40-7-1, to be in a format suitable for processing by the next plugin 13 in the chain 420-1, namely the IM service plugin 13-1. Plugin 13-1 executes action 43-b to update the IA 120 for malware hash=0x20456 to include the steps taken in response to the incident.
In
In response, plugin 13-2 first specifies action 43-z for execution on firewall 36, to block messages 40 including attachments having a hash value that matches value 0x044567. Then, plugin 13-2 reformats the message, indicated by references 40-2-1, 40-2-2, and 40-2-3, to be in a format suitable for processing by the next plugins 13 in the chain 420-2. The next plugins 13 in chain 420-2 are the helpdesk system plugin 13-3, the asset database plugin 13-5, and the router plugin 13-6.
The helpdesk system plugin 13-3 specifies action 43-w for execution on help desk system 98 to open a help desk ticket for cleaning the affected system of malware. The asset database plugin 13-5 specifies execution of action 43-x on the asset database 64 to lookup the indicated IP address in the asset database 64 and to determine the criticality of the affected system. The router plugin 13-6 specifies execution of action 43-y on router 34 to block all IP traffic to the nefarious IP address.
In
In response, plugin 13-1 reformats the message, indicated by references 40-1-1 and 40-1-2, to be in a format suitable for processing by the next plugins 13 in the chain 420-3. The next plugins 13 in chain 420-3 are the user account database plugin 13-7 and the configuration server plugin 13-8. The user account database plugin 13-7 specifies execution of action 43-f on the user account database 58, which sends SMS text messages that include the tornado warning to mobile phone numbers associated with all user accounts 60 in the user account database 58. The configuration server plugin 13-8 specifies execution of action 43-2 on the configuration server 103, which in turn instructs action script 42-1 to send the tornado warning message to the intercom and alert system 63.
While this invention has been particularly shown and described with references to preferred embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the scope of the invention encompassed by the appended claims.
Number | Name | Date | Kind |
---|---|---|---|
6678827 | Rothermel et al. | Jan 2004 | B1 |
7114005 | McDaniel | Sep 2006 | B2 |
7376969 | Njemanze et al. | May 2008 | B1 |
7472422 | Agbabian | Dec 2008 | B1 |
7562369 | Salamone | Jul 2009 | B1 |
7877804 | Khanolkar et al. | Jan 2011 | B2 |
7940756 | Duffy | May 2011 | B1 |
8032557 | Vijendra et al. | Oct 2011 | B1 |
8201191 | Ladd | Jun 2012 | B2 |
8244777 | Vijendra et al. | Aug 2012 | B1 |
8661062 | Jamail et al. | Feb 2014 | B1 |
8707445 | Sher-Jan et al. | Apr 2014 | B2 |
8763133 | Sher-Jan et al. | Jun 2014 | B2 |
8782784 | Bruskin | Jul 2014 | B1 |
8880682 | Bishop et al. | Nov 2014 | B2 |
8918867 | Salour | Dec 2014 | B1 |
9069930 | Hart | Jun 2015 | B1 |
9075668 | Hushon et al. | Jul 2015 | B1 |
9083734 | Bishop et al. | Jul 2015 | B1 |
9152706 | Claudatos et al. | Oct 2015 | B1 |
9215270 | Mohaban et al. | Dec 2015 | B2 |
9258321 | Amsler et al. | Feb 2016 | B2 |
9338181 | Burns | May 2016 | B1 |
9705922 | Foxhoven | Jul 2017 | B2 |
9819550 | Mann | Nov 2017 | B2 |
20020078263 | Darling | Jun 2002 | A1 |
20020087882 | Schneier | Jul 2002 | A1 |
20040098623 | Scheidell | May 2004 | A1 |
20050091068 | Ramamoorthy | Apr 2005 | A1 |
20050176507 | Ephrati | Aug 2005 | A1 |
20060092861 | Corday | May 2006 | A1 |
20060095968 | Portolani | May 2006 | A1 |
20060161816 | Gula | Jul 2006 | A1 |
20070067848 | Gustave | Mar 2007 | A1 |
20070103324 | Kosuge | May 2007 | A1 |
20070186284 | McConnell | Aug 2007 | A1 |
20070240197 | Blumenthal | Oct 2007 | A1 |
20070276941 | Yodaiken | Nov 2007 | A1 |
20080189774 | Ansari | Aug 2008 | A1 |
20080229419 | Holostov | Sep 2008 | A1 |
20080229422 | Hudis | Sep 2008 | A1 |
20080244034 | Shannon | Oct 2008 | A1 |
20090065572 | Jain | Mar 2009 | A1 |
20090164522 | Fahey | Jun 2009 | A1 |
20090178132 | Hudis | Jul 2009 | A1 |
20090222924 | Droz | Sep 2009 | A1 |
20090254392 | Zander | Oct 2009 | A1 |
20090254970 | Agarwal | Oct 2009 | A1 |
20100046378 | Knapp | Feb 2010 | A1 |
20100058432 | Neystadt | Mar 2010 | A1 |
20100179674 | Willard | Jul 2010 | A1 |
20110039237 | Skare | Feb 2011 | A1 |
20110126111 | Gill | May 2011 | A1 |
20110131324 | Chaturvedi | Jun 2011 | A1 |
20120188072 | Dawes | Jul 2012 | A1 |
20120210158 | Akiyama | Aug 2012 | A1 |
20120224057 | Gill | Sep 2012 | A1 |
20130124223 | Gregg | May 2013 | A1 |
20130179244 | Laffoon | Jul 2013 | A1 |
20130212683 | Sher-Jan | Aug 2013 | A1 |
20130291087 | Kailash | Oct 2013 | A1 |
20130305340 | Wotring | Nov 2013 | A1 |
20130305357 | Ayyagari | Nov 2013 | A1 |
20130332590 | Mohaban et al. | Dec 2013 | A1 |
20140053265 | Crowley | Feb 2014 | A1 |
20140068769 | Neil | Mar 2014 | A1 |
20140201836 | Amsler | Jul 2014 | A1 |
20140245423 | Lee | Aug 2014 | A1 |
20140245439 | Day | Aug 2014 | A1 |
20140259095 | Bryant | Sep 2014 | A1 |
20140259170 | Amsler | Sep 2014 | A1 |
20140278664 | Loomis | Sep 2014 | A1 |
20140283075 | Drissel | Sep 2014 | A1 |
20140304822 | Sher-Jan et al. | Oct 2014 | A1 |
20140310243 | McGee | Oct 2014 | A1 |
20150009038 | Trossbach, Jr. | Jan 2015 | A1 |
20150082432 | Eaton | Mar 2015 | A1 |
20150085994 | Koyabe | Mar 2015 | A1 |
20150113663 | Sher-Jan et al. | Apr 2015 | A1 |
20150163121 | Mahaffey | Jun 2015 | A1 |
20150163199 | Kailash | Jun 2015 | A1 |
20150172321 | Kirti | Jun 2015 | A1 |
20150235164 | Key | Aug 2015 | A1 |
20150237061 | Shraim | Aug 2015 | A1 |
20150242625 | Cassidy et al. | Aug 2015 | A1 |
20150264072 | Savchuk | Sep 2015 | A1 |
20150347751 | Card | Dec 2015 | A1 |
20150365438 | Carver | Dec 2015 | A1 |
20160021133 | Sher-Jan | Jan 2016 | A1 |
20160044061 | Forte | Feb 2016 | A1 |
20160072836 | Hadden | Mar 2016 | A1 |
20160127394 | Hadden | May 2016 | A1 |
20160127417 | Janssen | May 2016 | A1 |
20160149769 | Joshi | May 2016 | A1 |
20160164919 | Satish | Jun 2016 | A1 |
20160182566 | Bean | Jun 2016 | A1 |
20160204985 | Mann | Jul 2016 | A1 |
20160255105 | Palazzo | Sep 2016 | A1 |
20160259780 | Panemangalore | Sep 2016 | A1 |
20160260430 | Panemangalore | Sep 2016 | A1 |
20160301705 | Higbee | Oct 2016 | A1 |
Entry |
---|
Hadden et al., U.S. Appl. No. 14/743,399, filed Jun. 18, 2015. |
Hadden et al., U.S. Appl. No. 14/792,129, filed Jul. 6, 2015. |
BlackStratus SIEMStorm, “Rapidly identify and resolve threats, . . . ” www.blackstratus.com, 2012. Four pages. |
Domino Project Management, “Track and Control Projects with Lotus Notes,” www.trackersuite.com/index, 2013. Two pages. |
HP ArcSight Express, “World-Class Protection for the Mid-Size Organization,” www.arcsight.com, 2010. Six pages. |
Janet Csirt, “RTIR incident handling work-flow,” Janet (UK) WI/JCSIRT/002, jisc.ac.uk, 2011. Eighteen pages. |
Jarocki, J., “Orion Incident Response Live CD,” 2010, Sans Institute, https://www.sans.org. Forty-five pages. |
Khurana, H. et al., “Palantir: A Framework for Collaborative Incident Response and Investigation,” IDtrust, 2009. Fourteen pages. |
QRadar Administration Guide, http://www.q1labs.com, May 2012. 318 pages. |
QRadar Users Guide, http://www.q1labs.com, May 2012. 396 pages. |
Reddy, K. et al., “The architecture of a digital forensic readiness management system,” Computers & Security 32 (2013) 73-89. Seventeen pages. |
Swift, D., “A Practical Application of SIM/SEM/SIEM Automating Threat Identification,” 2006, SANS Institute 2007. Forty-one pages. |
West-Brown, M. et al., “Handbook for Computer Security Incident Response Teams (CSIRTs),” 2nd Edition, Apr. 2003. 223 pages. |
Number | Date | Country | |
---|---|---|---|
20170063926 A1 | Mar 2017 | US |