TREA

Translating security actions into computing asset-specific action procedures

Follow

Information

  • Patent Grant
  • 11658998
  • Patent Number
    11,658,998
  • Date Filed
    Monday, May 3, 2021
    4 years ago
  • Date Issued
    Tuesday, May 23, 2023
    a year ago
Information
Abstract
Systems, methods, and software described herein enhances how security actions are implemented within a computing environment. In one example, a method of implementing security actions for a computing environment comprising a plurality of computing assets includes identifying a security action in a command language for the computing environment. The method further provides identifying one or more computing assets related to the security action, and obtaining hardware and software characteristics for the one or more computing assets. The method also includes translating the security action in the command language to one or more action procedures based on the hardware and software characteristics, and initiating implementation of the one or more action procedures in the one or more computing assets.
Description
TECHNICAL FIELD

Aspects of the disclosure are related to computing environment security, and in particular to managing the allocation of security actions to computing assets with various configurations.


TECHNICAL BACKGROUND

An increasing number of data security threats exist in the modern computerized society. These threats may include viruses or other malware that attacks the local computer of the end user, or sophisticated cyber attacks to gather data and other information from the cloud or server based infrastructure. This server based infrastructure includes real and virtual computing devices that are used to provide a variety of services to user computing systems, such as data storage, cloud processing, web sites and services, amongst other possible services. To protect applications and services, various antivirus, encryption, and firewall implementations may be used across an array of operating systems, such as Linux and Microsoft Windows.


Further, some computing environments may implement security information and event management (SIEM) systems and other security detection systems to provide analysis of security alerts generated by network hardware and applications. In particular, SIEM systems allow for real-time monitoring, correlation of events, notifications, and console views for end users. Further, SIEM systems may provide storage logs capable of managing historical information about various security events within the network. Although SIEMs and other security threat identifying systems may generate security alerts for devices within the network, administrators may be forced to translate each of these alerts into particular actions, which take time and resources.


Overview


The technology disclosed herein enhances how security actions are implemented within a computing environment. In one example, a method of implementing security actions for a computing environment comprising a plurality of computing assets includes identifying a security action in a command language for the computing environment. The method further provides identifying one or more computing assets related to the security action, and obtaining hardware and software characteristics for the one or more computing assets. The method also includes translating the security action in the command language to one or more action procedures based on the hardware and software characteristics, and initiating implementation of the one or more action procedures in the one or more computing assets.





BRIEF DESCRIPTION OF THE DRAWINGS

Many aspects of the disclosure can be better understood with reference to the following drawings. While several implementations are described in connection with these drawings, the disclosure is not limited to the implementations disclosed herein. On the contrary, the intent is to cover all alternatives, modifications, and equivalents.



FIG. 1 illustrates a computing environment to manage security actions for a plurality of network assets.



FIG. 2 illustrates a method of operating an advisement system to implement security actions.



FIG. 3 illustrates an operational scenario of implementing security actions in a computing environment.



FIG. 4 illustrates a flow diagram of implementing a security action in multiple computing assets.



FIG. 5 illustrates an advisement computing system to implement security actions in a computing environment.





TECHNICAL DISCLOSURE

The various examples disclosed herein provide enhancements for implementing security actions in computing assets with various hardware and software configurations. In many organizations, security systems, such as security information and event management (STEM) systems provide analysis of security alerts generated by network hardware and processes. The network hardware and processes may include routers, firewalls, operating systems and applications executing on one or more computing devices, switches, or intrusion detection systems, amongst a variety of other network devices and processes. During the analysis of the particular network, a SIEM system may identify an issue, and flag the issue as a possible security threat. Once flagged, the STEM system may provide information to an administrator, or store information about the threat to be analyzed for a possible solution.


Here, in addition to the operations provided by the STEM system or other security monitoring systems within a computing environment, an advisement system may be used to identify, implement, and recommend security actions to be taken against security threats. In particular, the advisement system may generate actions to be implemented in computing assets with varying software and hardware configurations. For example, a first computing asset may include a firewall from a first software distributor, while a second computing asset within the same environment may include a firewall from a second software distributor. Accordingly, to implement a security action within the first and second computing assets, the advisement system might be required to use multiple command procedures, which are specific to the firewalls on the individual computing assets.


In some implementations, the advisement system may allow administrators to provide actions in a unified command language that can be translated as necessary into the various procedures necessary for the computing assets in the environment. Consequently, rather than developing commands in each of the command languages necessary for the various assets in the environment, an administrator may use a single language for all of the assets in the environment. Referring to a firewall implementation, if an internet protocol (IP) address is to be blocked on multiple computing devices, the unified language could specify the IP address and the computing assets for the action implementation. Once specified, the command may be translated into the necessary sets of procedures to implement the IP block on the computing systems.


In some examples, the unified language for the computing environment may include various characters and symbols. However, in other implementations, the administrator may use a visual programming language to specify particular security actions. This visual programming language may include visual representations of computing assets, visual representations of communication interactions with the computing assets, or any other similar visual representation. For example, the user may select visual representations of two computing assets, and specify, via links or other symbols, that the assets should no longer communicate with one another. In some implementations, to prevent future communications the administrator may draw or connect a link on a user interface that represents a blocked communication between the two assets. However, it should be understood that to prevent future communications the user might provide a written command to implement the same action.


To further illustrate the operation of an advisement system within a computing network, FIG. 1 is provided. FIG. 1 illustrates a computing environment 100 to manage security actions for a plurality of network assets. Computing environment 100 includes computing assets 110-116, STEM system 120, advisement system 130, sources 140, and administration console 150. Computing assets 110-116 include applications 110, routers 111, intrusion detection systems and intrusion prevention system (IDS/IDP) 112, virtual private networks (VPNs) 113, firewalls 114, switches 115, and operating systems 116, although other assets may exist. Assets 110-116 may execute via any number of computing systems or devices. In addition to the routers and switches, these computing devices may include server computers, desktop computers, laptop computers, tablet computers, and the like. Although not illustrated in the present example, in some implementations, assets may be defined at computing system level. Accordingly, assets may be defined as physical computing systems, such as servers, end user computing systems, host computing systems, and the like, and may further be defined as virtual processing systems, such as virtual machines or containers executing via host computing systems. These physical and virtual computing systems may include an operating system, applications, processes, firewalls, and other similar computing resources.


SIEM system 120, advisement system 130, internal and external sources 140, and administration console 150 may each include communication interfaces, network interfaces, processing systems, computer systems, microprocessors, storage systems, storage media, or some other processing devices or software systems, and can be distributed among multiple devices. STEM system 120, advisement system 130, and sources 140 may comprise one or more server, desktop, laptop, or other similar computing devices. Administration console 150 may comprise an end user device, such as a desktop computer, laptop computer, smartphone, tablet, or any other similar computing device.


Advisement system 130 communicates with SIEM system 120, sources 140, and administration console 150 via communication links that may use Time Division Multiplex (TDM), asynchronous transfer mode (ATM), internet protocol (IP), Ethernet, synchronous optical networking (SONET), hybrid fiber-coax (HFC), circuit-switched communication signaling, wireless communications, or some other communication format, including combinations and improvements thereof. Similarly, STEM system 120 may gather information from assets 110-116 via a plurality of communication links to the computing systems associated with the assets, wherein the links may use TDM, ATM, IP, Ethernet, SONET, HFC, circuit-switched communication signaling, wireless communications, or some other communication format, including combinations and improvements thereof. While not illustrated in the present example, it should be understood that advisement system 130 might communicate with the assets over various communication links and communication formats to implement desired security actions.


In operation, SIEM system 120 receives data and performance information from assets 110-116 and performs inspections to identify possible security issues. Once SIEM system 120 identifies a possible security threat, information about the security threat is transferred to advisement system 130. Advisement system 130 identifies the security threat and analyzes the threat using sources 140 to determine actions against the security threat. These actions might include default actions that can be initiated and implemented within the environment without interaction from an administrator, and might further include suggested actions that can be provided to administrator (admin) 160. Once the suggested actions are determined, the suggested actions are transferred, via email, text message, or other similar format, to administration console 150 to be presented to administrator 160. From the suggested actions, administrator 160 may select a particular action and advisement system 130 may implement the action within the computing environment.


In some implementations, to select a particular action, the administrator may use a unified security language to implement actions in a variety of hardware and software configurations. Once the administrator enters a command using the unified language, the language may be translated into the one or more processes or languages necessary to implement the action within the computing environment. For example, the administrator may select to remove a particular malicious process from multiple computing systems with different software configurations. Accordingly, advisement system 130 may be used to translate the command from the administrator into the necessary processes to remove each instance of the malicious process on the varying computing systems.


Referring now to FIG. 2 to further demonstrate the operation of advisement system 130. FIG. 2 illustrates a method 200 of operating advisement system 130 to implement security actions. As described above in FIG. 1, STEM system 120 receives information from a plurality of network assets 110-116 and identifies security threats to devices and systems based on the information. Once a threat is recognized, information about the threat is transferred to, and identified by, advisement system 130 (201). In response to identifying the threat, advisement system 130 notifies administrator 160 of the security incident (202). In some implementations, to notify administrator 160, advisement system 130 may provide information about the security threat, including the asset associated with the threat, the IP address associated with the threat, the severity level of the threat, the number of assets affected by the threat, or other similar information. This information may be gathered from STEM system 120, may be gathered from the assets within computing environment 100, or may be gathered from internal and external sources 140 related to the particular incident. For example, enrichment information may be gathered from a web database regarding an unknown process executing on a computing system. In addition to or in place of the information about the threat, advisement system 130 may further provide action recommendations to administrator 160 based on gathered enrichment information. These action recommendations may include separating the affected asset from the other assets within the environment, removing a particular threat from a computing asset, blocking one or more IP addresses related to a threat, or any other similar action to protect the assets in computing environment 100.


Once the information is provided to administrator 160, advisement system 130 may obtain an action request from administrator 160 in a command language (203). As illustrated in FIG. 1, advisement system 130 may provide information to administration console 150 via a web based console, a text message, an email, or some other similar form of communication. In response to receiving the information about the threat, administrator 160 may use a command language to implement a security modification to counter the security threat. For example, the user may select to block a particular IP address from communicating with one or more assets within the environment.


Upon identifying the action request from administrator 160, advisement system 130 translates the action request in the command language to one or more action procedures (204). To translate the command, advisement system 130 may identify the hardware and software configurations for the assets associated with the action request. For example, the administrator may request that an IP address is blocked in a firewall for two computing systems. In response to the request, advisement system 130 may identify the hardware and software configurations for the two computing systems, and translate the action into procedures required by the two computing systems. Once the command is translated, advisement system 130 may initiate implementation of the action in the required computing assets using the one or more identified procedures (205).


In some examples, to implement the actions within each of the computing assets, procedures may need to be executed with indefinite time delays. For instance, to implement a firewall action within the computing environment, advisement system 130 may be required to log into the computing asset, and transfer one or more commands to the computing asset to block the required address. Accordingly, advisement system 130 may be configured to wait until each process is completed, such as waiting to be logged into the computing asset before applying the procedures necessary to block the IP address.


Although illustrated in FIG. 1 with a STEM system, it should be understood that in some examples, other systems, such as the assets themselves within the computing environment, might be used to identify security threats. Further, although illustrated separate in the example of FIG. 1, it should be understood that STEM system 120 might reside wholly or partially on the same computing systems as advisement system 130.


Turning to FIG. 3, FIG. 3 illustrates an operational scenario 300 of implementing security actions in a computing environment according to one implementation. Operational scenario 300 includes computing environment 310, advisement system 320, asset configuration data 325, security incident information 330, action selection 335, and administrator (admin) 340. Computing environment 310 includes a plurality of computing assets, which may comprise end user computing systems, routers, switches, firewalls, or any other similar computing asset.


As illustrated in FIG. 3, advisement system 320 initially identifies a security incident within computing environment 310. This security incident may be identified from one of the computing assets directly, or may be identified by a security monitoring system, such as SIEM systems that monitor security threats within the various computing assets. Once the incident is identified by advisement system 320, advisement system 320 may provide security incident information 330 to administrator 340. In some implementations, security incident information 330 may be provided via a user interface on advisement system 320. However, in other instances, security incident information 330 may be provided as a text message, email correspondence, web view, or other similar interface at an administration console for administrator 340. Security incident information 330 may include information about the asset affected by the threat, an IP address related to the source of the threat, information about a process related to the threat, a severity level of the threat, or some other similar information. This information may be obtained directly from the assets and security management systems, and may further be supplemented with enrichment information gathered from internal and external sources. For example, if an unknown process were identified on one of the computing assets, advisement system 320 may query a database to identify whether the process was malicious. Once the inquiry is made, the information returned from the database may be provided in security incident information 330. In some implementations, in addition to or in place of the information gathered about the threat, advisement system 320 may determine suggested actions that can be provided to administrator 340. These suggested actions may include removing a particular malicious process, entering one or more computing assets into virtual local area network (VLAN), blocking particular IP addresses, or some other similar action recommendation based on the threat and possible enrichment information.


Once security incident information 330 is provided to administrator 340, administrator 340 may generate action selection 335. Here, action selection 335 comprises a selection made in a unified command language for all assets within the environment. Once action selection 335 is identified by advisement system 320, advisement system 320 may obtain hardware and software configuration information based on the action selection. For example, action selection 335 may include a request to remove a particular process from multiple computing assets within computing environment 310. In response to the request, advisement system 320 may use asset configuration data 325 to determine software and hardware characteristics for the relevant computing assets. Once the characteristics are obtained, advisement system 320 may translate action selection 335 into one or more action procedures that correspond to the software and hardware configurations of the assets.


Returning to the example of removing a particular process from multiple computing assets, each of the computing assets may have a different hardware or software configuration. As a result, the procedures necessary to implement the action may be different for each of the assets. Rather than requiring administrator 340 to provide procedural commands for each of the computing assets, advisement system 320 may be used to translate an action selection into the commands for the various asset configurations. Upon translating action selection 335 into the required procedures, advisement system 320 may implement the action on the corresponding assets in computing environment 310.


In some examples, the procedures to implement a particular action within an asset may have indefinite time delays between each step of the procedure. For instance, to implement a firewall modification, advisement system 320 may be required to login to the relevant asset before providing commands to the asset. Accordingly, advisement system 320 may implement wait conditions that allow each step of the action procedures to be implemented without further interaction from the administrator.


Turning to FIG. 4, FIG. 4 illustrates a flow diagram 400 of implementing a security action in multiple computing assets. Flow diagram 400 includes administrator 410, translate process 420, and assets 430-432. Translate process 420 is representative of a process to be implemented on advisement system 130 or advisement system 320, although translate process 420 may be implemented on other computing systems. Assets 430-432 are representative of any computing asset within a computing environment, including end user computing systems, server computing systems, routers, switches, firewalls, virtual computing elements, or any other similar asset.


As described herein, computing environments include a plurality of computing assets that may encounter security incidents. To respond to the incidents, an advisement system may provide information about the threats or incidents to administrator 410, allowing the administrator to implement an action against the threat. This information may be obtained from the individual assets, from security monitoring systems within the environment, or may be supplemented with enrichment information obtained from one or more internal or external sources. The information provided to administrator 410 may include identifiers for the assets related to the incident, IP addresses related to the incident, files or processes related to the incident, indications of the severity of the incident within the environment, or any other similar information.


Once the information is provided to administrator 410, the administrator may select an action to be taken against the threat within the environment. In particular, the administrator may use a unified command language that can be used to implement security actions across a plurality of assets within the environment, including assets with different software and/or hardware configurations. For example, the unified command language may include a structure for implementing actions within the environment, including asset identifiers for assets that require the modification, as well as one or more commands to be applied to the assets that require the modification.


Once the administrator inputs the particular action selection via a user interface on the advisement system or a separate administration console device, the advisement system identifies the action in the unified command language and translates the action to one or more action procedures based on the asset configurations. In particular, the advisement system may obtain software and hardware characteristics for each of the computing assets involved in the security action. Once the characteristics are obtained, the advisement system may translate the user generated action into the necessary procedures for the various computing assets. As depicted in FIG. 4, the action generated by administrator 410 requested modifications to assets 430-432. Accordingly, translate process 420 translates the request from the administrator in the unified language into the required procedures for assets 430-432. In the present example, each of assets 430-432 require a different set of procedures, which may occur as a result of different software or hardware configurations on the computing assets. For example, if administrator 410 desired a firewall implementation in assets 430-432, translate process 420 may translate the action into the necessary parameters and procedures for each individual firewall for the computing assets.


In some implementations, the advisement system for a computing environment may have access to a database of connectors or software modules that can be used to translate the various commands from the administrator. For example, when firewall software is distributed, a connector may be generated for the firewall that allows commands in the unified language to modify a configuration of the firewall. Accordingly, when a command is generated for an asset with the new firewall distribution, the new connector may be used to implement the required procedures.


Turning to FIG. 5, FIG. 5 illustrates an advisement computing system 500 to provide action recommendations for a plurality of network assets. Advisement computing system 500 is representative of a computing system that may be employed in any computing apparatus, system, or device, or collections thereof, to suitably implement the advisement systems described herein. Computing system 500 comprises communication interface 501, user interface 502, and processing system 503. Processing system 503 is communicatively linked to communication interface 501 and user interface 502. Processing system 503 includes processing circuitry 505 and memory device 506 that stores operating software 507.


Communication interface 501 comprises components that communicate over communication links, such as network cards, ports, radio frequency (RF) transceivers, processing circuitry and software, or some other communication devices. Communication interface 501 may be configured to communicate over metallic, wireless, or optical links. Communication interface 501 may be configured to use TDM, IP, Ethernet, optical networking, wireless protocols, communication signaling, or some other communication format—including combinations thereof. In particular, communication interface 501 may communicate with security identification systems, such as STEM systems, security monitoring processes on the assets themselves, or some other security identification system. Further, communication interface 501 may be configured to communicate with one or more administration consoles to provide the suggested actions to administrators, and may also communicate with the computing assets of the environment to implement selected actions.


User interface 502 comprises components that interact with a user. User interface 502 may include a keyboard, display screen, mouse, touch pad, or some other user input/output apparatus. User interface 502 may be omitted in some examples.


Processing circuitry 505 comprises microprocessor and other circuitry that retrieves and executes operating software 507 from memory device 506. Memory device 506 comprises a non-transitory storage medium, such as a disk drive, flash drive, data storage circuitry, or some other memory apparatus. Operating software 507 comprises computer programs, firmware, or some other form of machine-readable processing instructions. Operating software 507 includes identify module 508, asset information (info) module 509, translate module 510, and implement module 511, although any number of software modules may provide the same operation. Operating software 507 may further include an operating system, utilities, drivers, network interfaces, applications, or some other type of software. When executed by circuitry 505, operating software 507 directs processing system 503 to operate advisement computing system 500 as described herein.


In particular, identify module 508 directs processing system 503 to identify a security action in a command language for the computing environment. In response to the security action, asset info module 509 directs processing system 503 to identify one or more computing assets related to the security action, and obtain hardware and software characteristics for the one or more computing assets. Based on the hardware and software characteristics, translate module 510 directs processing system 503 to translate the security action in the command language to one or more action procedures based on the hardware and software characteristics. For example, a computing environment may include a variety of different hardware with a variety of different software configurations. Accordingly, if the security action comprised an action to be implemented across multiple devices, different procedures may be required for each of the devices. Rather than requiring an administrator to manually implement the various procedures, computing system 500 may be used to translate a security action to the required procedures for various software and hardware configurations. Once the security action is translated, implement module 511 directs processing system 503 to initiate implementation of the one or more action procedures in the one or more computing assets.


In some implementations, advisement computing system 500 may have access to one or more connectors or modules that can be used to interface with the various hardware and software within the computing environment. For example, a security action from an administrator may select to implement a firewall to be applied across multiple computing assets with multiple hardware and/or software configurations. In response to identifying the action, computing system 500 may identify hardware and software characteristics for the computing assets that require the modification, and translate the action based on the characteristics. For example, a first connector may specify the action procedures for a computing system with a first firewall distribution, whereas a second connector may specify the action procedures for a computing system with a second firewall distribution.


Although not illustrated in the present example, in some instances, advisement computing system 500 may be configured to notify an administrator of a security threat within the environment. This notification may include the identity of the asset affected by the threat, the severity of the threat within the environment, the IP address associated with the threat, the process name associated with the threat, or any other similar information. The information may be obtained directly from the assets in the environment, a security system configured to monitor for security issues within the environment, or may be obtained from internal and external sources. For example, computing system 500 may identify a security issue within the computing environment. In response to the security issue, processing system 503 may be configured to query internal and external sources for enrichment data regarding the threat. Accordingly, if an unknown process were identified as executing on a computing asset, processing system 503 may query a database to determine if the process is malicious. Once the information is retrieved, the information may be provided to the administrator with the notification, allowing the administrator to generate a security action in the environment.


The included descriptions and figures depict specific implementations to teach those skilled in the art how to make and use the best option. For the purpose of teaching inventive principles, some conventional aspects have been simplified or omitted. Those skilled in the art will appreciate variations from these implementations that fall within the scope of the invention. Those skilled in the art will also appreciate that the features described above can be combined in various ways to form multiple implementations. As a result, the invention is not limited to the specific implementations described above, but only by the claims and their equivalents.

Claims
  • 1. A computer-implemented method comprising: identifying, by an advisement system, a security incident associated with a computing environment including a plurality of computing assets;identifying, by the advisement system, a security action to be used to mitigate the security incident, wherein implementation of the security action involves interacting with a computing asset of the plurality of computing assets;identifying a connector used to interface with the computing asset;using the connector to translate the security action into an action procedure used to perform the security action at the computing asset; andinitiating implementation of the action procedure at the computing asset.
  • 2. The computer-implemented method of claim 1, wherein the plurality of computing assets includes at least one of: a server, an end user computing system, a router, a switch, or a virtual processing system.
  • 3. The computer-implemented method of claim 1, wherein the security action is a first security action, the computing asset is a first computing asset, the connector is a first connector, the action procedure is a first action procedure, and wherein the method further comprises: identifying, by the advisement system, a plurality of security actions to be used to mitigate the security incident, wherein the plurality of security actions includes the first security action and a second security action, and wherein implementation of the second security action involves interacting with a second computing asset of the plurality of computing assets;identifying a second connector used to interface with the second computing asset;using the second connector to translate the second security action into a second action procedure used to perform the second security action at the second computing asset; andinitiating implementation of the second action procedure at the computing asset.
  • 4. The computer-implemented method of claim 1, wherein the security action represents performing at least one of: blocking an internet protocol (IP) address, terminating a process running on a computing asset, or adding a computing asset to a virtual local area network (VLAN).
  • 5. The computer-implemented method of claim 1, wherein the security incident is identified based on information generated by a security detection system that monitors the plurality of computing assets.
  • 6. The computer-implemented method of claim 1, wherein the security action to be used to mitigate the security action is identified based on data obtained by the advisement system describing the security incident, wherein the data describing the security incident includes at least one of: identification of a computing asset affected by the security incident, an internet protocol (IP) address related to a source of the security incident, a process related to the security incident, or a severity level of the security incident.
  • 7. The computer-implemented method of claim 1, further comprising obtaining enrichment information for the security incident from one or more internal or external sources, wherein the enrichment information is used by the advisement system to identify the security action to be used to mitigate the security incident.
  • 8. The computer-implemented method of claim 1, wherein the connector translates the security action into a plurality of action procedures used to perform the security action at the computing asset, and wherein each action procedure of the plurality of action procedures is implemented in a defined order relative to other action procedures of the plurality of action procedures.
  • 9. The computer-implemented method of claim 1, further comprising causing display of a visual representation of at least a portion of the computing environment including the computing asset.
  • 10. The computer-implemented method of claim 1, further comprising obtaining enrichment information related to the security incident from one or more internal or external sources, wherein the connector translates the security action is translated into the action procedure based at least in part on the enrichment information.
  • 11. The computer-implemented method of claim 1, further comprising obtaining enrichment information related to the security incident from one or more internal or external sources, wherein the enrichment information including at least one of: information indicating whether a process or file is malicious, or information indication whether an internet protocol (IP) address is malicious.
  • 12. The computer-implemented method of claim 1, wherein the security incident includes at least one of: a virus, malware, or a network-based attack.
  • 13. The computer-implemented method of claim 1, further comprising causing display of a visual representation of at least a portion of the computing environment, wherein the visual representation of at least a portion of the computing environment includes a visual representation of communication interactions between at least two computing assets of the plurality of computing assets.
  • 14. The computer-implemented method of claim 1, wherein information related to the security incident is provided to a user via at least one of: an application console, a web-based console, an email, or a text message.
  • 15. The computer-implemented method of claim 1, further comprising obtaining configuration information associated with the computing asset, wherein translating the security action into the action procedure is based at least in part on the configuration information.
  • 16. The computer-implemented method of claim 1, further comprising receiving an indication of the security incident from a security information and event management (SIEM) system.
  • 17. The computer-implemented method of claim 1, wherein the connector is stored in a database accessible to the advisement system, and wherein the connector includes code executable by the advisement system to translate the security action into the action procedure.
  • 18. The computer-implemented method of claim 1, wherein the connector is associated with a type of computing asset, and the connector is identified based on determining that the computing asset is associated with the type of computing asset.
  • 19. A non-transitory computer-readable storage medium storing instructions which, when executed by one or more processors, cause performance of operations comprising: identifying, by an advisement system, a security incident associated with a computing environment including a plurality of computing assets;identifying, by the advisement system, a security action to be used to mitigate the security incident, wherein implementation of the security action involves interacting with a computing asset of the plurality of computing assets;identifying a connector used to interface with the computing asset;using the connector to translate the security action into an action procedure used to perform the security action at the computing asset; andinitiating implementation of the action procedure at the computing asset.
  • 20. An apparatus, comprising: one or more processors;a non-transitory computer-readable storage medium storing instructions which, when executed by the one or more processors, cause the apparatus to: identify, by an advisement system, a security incident associated with a computing environment including a plurality of computing assets;identify, by the advisement system, a security action to be used to mitigate the security incident, wherein implementation of the security action involves interacting with a computing asset of the plurality of computing assets;identify a connector used to interface with the computing asset;use the connector to translate the security action into an action procedure used to perform the security action at the computing asset; andinitiate implementation of the action procedure at the computing asset.
RELATED APPLICATIONS

This application is a continuation of, and claims the benefit of priority to, U.S. patent application Ser. No. 16/539,918, filed Aug. 13, 2019, which is a continuation of U.S. patent application Ser. No. 16/107,975, filed on Aug. 21, 2018, issued as U.S. Pat. No. 10,425,441, which is a continuation of U.S. application Ser. No. 15/699,454, filed on Sep. 9, 2017, issued as U.S. Pat. No. 10,158,663, which is a continuation of U.S. application Ser. No. 14/689,973, filed on Apr. 17, 2015, entitled “INCIDENT RESPONSE AUTOMATION ENGINE,” issued as U.S. Pat. No. 9,762,607, which itself claims priority to U.S. Provisional Patent Application No. 62/087,025, entitled “ACTION RECOMMENDATIONS FOR COMPUTING ASSETS BASED ON ENRICHMENT INFORMATION,” filed on Dec. 3, 2014, U.S. Provisional Patent Application No. 62/106,830, entitled “ACTION RECOMMENDATIONS FOR ADMINISTRATORS IN A COMPUTING ENVIRONMENT,” filed on Jan. 23, 2015, and U.S. Provisional Patent Application No. 62/106,837, entitled “SECURITY ACTIONS IN A COMPUTING ENVIRONMENT,” filed on Jan. 23, 2015, all of which are hereby incorporated by reference in their entirety.

US Referenced Citations (149)
Number Name Date Kind
6405318 Rowland Jun 2002 B1
7076803 Bruton et al. Jul 2006 B2
7127743 Khanolkar et al. Oct 2006 B1
7174566 Yadav Feb 2007 B2
7469301 Daniell et al. Dec 2008 B2
7617533 Hernacki Nov 2009 B1
7657927 Tajalli Feb 2010 B2
7900259 Jeschke et al. Mar 2011 B2
7950056 Satish et al. May 2011 B1
8042171 Nordstrom et al. Oct 2011 B1
8103875 Ramzan et al. Jan 2012 B1
8146147 Litvin et al. Mar 2012 B2
8185953 Rothstein et al. May 2012 B2
8261317 Litvin et al. Sep 2012 B2
8271642 Sankararaman et al. Sep 2012 B1
8291495 Burns et al. Oct 2012 B1
8336094 Litvin Dec 2012 B2
8380828 Schlichter et al. Feb 2013 B1
8402540 Kapoor et al. Mar 2013 B2
8484338 Paster Jul 2013 B2
8516575 Burnside et al. Aug 2013 B2
8590035 Aaron Nov 2013 B2
8627466 Fisher et al. Jan 2014 B2
8676970 Boyns et al. Mar 2014 B2
8756697 Ocepek et al. Jun 2014 B2
8856910 Rostami-Hesarsorkh et al. Oct 2014 B1
8881282 Aziz et al. Nov 2014 B1
8914878 Burns et al. Dec 2014 B2
8924469 Raleigh et al. Dec 2014 B2
8943123 Miyazaki et al. Jan 2015 B2
8949931 Ermagan et al. Feb 2015 B2
8955107 Eyada Feb 2015 B2
9009814 Wertz et al. Apr 2015 B1
9009824 Chen et al. Apr 2015 B1
9049226 Duane Jun 2015 B1
9137258 Haugsnes Sep 2015 B2
9166995 Roundy Oct 2015 B1
9231964 Cross et al. Jan 2016 B2
9256739 Roundy et al. Feb 2016 B1
9258319 Rubin Feb 2016 B1
9306965 Grossman et al. Apr 2016 B1
9311479 Manni et al. Apr 2016 B1
9313211 Lototskiy Apr 2016 B1
9325733 Kolman et al. Apr 2016 B1
9336385 Spencer et al. May 2016 B1
9338181 Burns et al. May 2016 B1
9344445 Burns et al. May 2016 B2
9378361 Yen et al. Jun 2016 B1
9396592 Chapman et al. Jul 2016 B2
9489516 Lu et al. Nov 2016 B1
9680846 Haugsnes Jun 2017 B2
9712555 Satish et al. Jul 2017 B2
9729572 Adams et al. Aug 2017 B1
9762607 Satish et al. Sep 2017 B2
9871818 Satish et al. Jan 2018 B2
9954888 Satish et al. Apr 2018 B2
10158663 Satish et al. Dec 2018 B2
10257227 Stickle et al. Apr 2019 B1
10425440 Satish et al. Sep 2019 B2
10425441 Satish et al. Sep 2019 B2
10476905 Satish et al. Nov 2019 B2
10986120 Satish et al. Apr 2021 B2
11019092 Satish et al. May 2021 B2
11019093 Satish May 2021 B2
11165812 Satish et al. Nov 2021 B2
20040003286 Kaler et al. Jan 2004 A1
20040054498 Shipp Mar 2004 A1
20040111637 Baffes et al. Jun 2004 A1
20040250133 Lim Dec 2004 A1
20050055578 Wright et al. Mar 2005 A1
20050216956 Orr et al. Sep 2005 A1
20050235360 Pearson Oct 2005 A1
20050273857 Freund Dec 2005 A1
20060010493 Piesco et al. Jan 2006 A1
20060048209 Shelest et al. Mar 2006 A1
20060059568 Smith-Mickelson et al. Mar 2006 A1
20060095965 Phillips et al. May 2006 A1
20060117386 Gupta et al. Jun 2006 A1
20060174342 Zaheer et al. Aug 2006 A1
20070168874 Kloeffer et al. Jul 2007 A1
20070169194 Church et al. Jul 2007 A1
20070255724 Jung et al. Nov 2007 A1
20080005782 Aziz Jan 2008 A1
20080082662 Dandliker et al. Apr 2008 A1
20080289028 Jansen et al. Nov 2008 A1
20090037548 Ordille et al. Feb 2009 A1
20090165132 Jain et al. Jun 2009 A1
20100100962 Boren Apr 2010 A1
20100162347 Barile Jun 2010 A1
20100169973 Kim et al. Jul 2010 A1
20100251329 Wei Sep 2010 A1
20100319004 Hudson et al. Dec 2010 A1
20100319069 Granstedt et al. Dec 2010 A1
20100325412 Norrman et al. Dec 2010 A1
20100325685 Sanbower Dec 2010 A1
20110161452 Poornachandran et al. Jun 2011 A1
20120210434 Curtis et al. Aug 2012 A1
20120224057 Gill et al. Sep 2012 A1
20120331553 Aziz et al. Dec 2012 A1
20130007882 Devarajan et al. Jan 2013 A1
20130081138 Rados et al. Mar 2013 A1
20130081141 Anurag Mar 2013 A1
20130104203 Davis et al. Apr 2013 A1
20130276108 Blackwell Oct 2013 A1
20130291106 Simonoff et al. Oct 2013 A1
20130298230 Kumar et al. Nov 2013 A1
20130298244 Kumar et al. Nov 2013 A1
20130312092 Parker Nov 2013 A1
20130333032 Delatorre et al. Dec 2013 A1
20140007222 Qureshi et al. Jan 2014 A1
20140059641 Chapman et al. Feb 2014 A1
20140082726 Dreller et al. Mar 2014 A1
20140089039 McClellan Mar 2014 A1
20140137257 Martinez et al. May 2014 A1
20140165200 Singla Jun 2014 A1
20140165207 Engel et al. Jun 2014 A1
20140199663 Sadeh-Koniecpol et al. Jul 2014 A1
20140237599 Gertner et al. Aug 2014 A1
20140259170 Amsler Sep 2014 A1
20140283049 Shnowske et al. Sep 2014 A1
20140310811 Hentunen Oct 2014 A1
20140344926 Cunningham et al. Nov 2014 A1
20140351441 Madani et al. Nov 2014 A1
20140351940 Loder et al. Nov 2014 A1
20150040217 Abuelsaad et al. Feb 2015 A1
20150143516 Sharpe et al. May 2015 A1
20150207813 Reybok et al. Jul 2015 A1
20150215325 Ogawa Jul 2015 A1
20150222647 Lietz et al. Aug 2015 A1
20150222656 Haugsnes Aug 2015 A1
20150304169 Milman et al. Oct 2015 A1
20150334132 Zombik et al. Nov 2015 A1
20150341384 Mandayam et al. Nov 2015 A1
20150347751 Card et al. Dec 2015 A1
20150347949 Dwyer et al. Dec 2015 A1
20150365438 Carver et al. Dec 2015 A1
20150381641 Cabrera et al. Dec 2015 A1
20150381649 Schultz et al. Dec 2015 A1
20160006749 Cohen et al. Jan 2016 A1
20160065608 Futty Mar 2016 A1
20160072836 Hadden et al. Mar 2016 A1
20160103992 Roundy et al. Apr 2016 A1
20160119379 Nadkarni Apr 2016 A1
20160164893 Levi Jun 2016 A1
20160164917 Friedrichs et al. Jun 2016 A1
20160241580 Watters et al. Aug 2016 A1
20160241581 Watters et al. Aug 2016 A1
20170237762 Ogawa Aug 2017 A1
20200396237 Cohen et al. Dec 2020 A1
Non-Patent Literature Citations (74)
Entry
Aguirre, Idoia; Alonso, Sergio; “Improving the Automation of Security Information Management: A Collaborative Approach”, IEEE Security & Privacy, vol. 10, Issue 1, Oct. 25, 2011, pp. 55-59.
Final Office Action from U.S. Appl. No. 14/674,679, dated Sep. 22, 2016, 19 pages.
Final Office Action from U.S. Appl. No. 14/677,493, dated Aug. 24, 2017,29 pages.
Final Office Action from U.S. Appl. No. 14/824,262, dated Apr. 6, 2017, 22 pages.
Final Office Action from U.S. Appl. No. 14/868,553, dated Oct. 15, 2018, 19 pages.
Final Office Action from U.S. Appl. No. 14/868,553, dated Oct. 18, 2017, 19 pages.
Final Office Action from U.S. Appl. No. 14/956,589, dated Nov. 22, 2017, 27 pages.
Final Office Action from U.S. Appl. No. 15/924,759, dated Aug. 1, 2018, 13 pages.
Final Office Action received for U.S. Appl. No. 16/182,914, dated Sep. 18, 2019, 6 pages.
Final Office Action, U.S. Appl. No. 14/675,176, dated Nov. 25, 2016, 21 pages.
Final Office Action, U.S. Appl. No. 14/675,176, dated Sep. 25, 2017, 31 pages.
Final Office Action, U.S. Appl. No. 14/677,493, dated Jan. 16, 2020, 16 pages.
Non-Final Office Action from U.S. Appl. No. 15/886,183, dated Mar. 22, 2018, 21 pages.
Non-Final Office Action from U.S. Appl. No. 16/107,972, dated Dec. 31, 2018, 11 pages.
Non-Final Office Action from U.S. Appl. No. 16/142,913, dated Apr. 30, 2019, 33 pages.
Non-Final Office Action from U.S. Appl. No. 14/674,679, dated Jun. 2, 2016, 16 pages.
Non-Final Office Action from U.S. Appl. No. 14/675,075, dated Jul. 11, 2016, 13 pages.
Non-Final Office Action from U.S. Appl. No. 14/689,926, dated May 8, 2017, 34 pages.
Non-Final Office Action from U.S. Appl. No. 14/689,973, dated Jan. 25, 2017, 18 pages.
Non-Final Office Action from U.S. Appl. No. 14/824,262, dated Jul. 13, 2017, 20 pages.
Non-Final Office Action from U.S. Appl. No. 14/824,262, dated Oct. 7, 2016, 16 pages.
Non-Final Office Action from U.S. Appl. No. 14/868,553, dated Mar. 26, 2018, 22 pages.
Non-Final Office Action from U.S. Appl. No. 14/868,553, dated May 26, 2017, 16 pages.
Non-Final Office Action from U.S. Appl. No. 14/956,589, dated May 31, 2017, 33 pages.
Non-Final Office Action from U.S. Appl. No. 14/956,615, dated Jul. 28, 2017, 46 pages.
Non-Final Office Action from U.S. Appl. No. 15/699,454, dated Feb. 8, 2018, 19 pages.
Non-Final Office Action from U.S. Appl. No. 16/107,975, dated Jan. 4, 2019, 11 pages.
Non-Final Office Action from U.S. Appl. No. 16/107,979, dated Oct. 18, 2018, 14 pages.
Non-Final Office Action from U.S. Appl. No. 16/182,914, dated May 30, 2019, 23 pages.
Non-Final Office Action, U.S. Appl. No. 14/675,176, dated Apr. 17, 2017, 22 pages.
Non-Final Office Action, U.S. Appl. No. 14/675,176, dated Jul. 18, 2016, 18 pages.
Non-Final Office Action, U.S. Appl. No. 16/042,283, dated Jan. 24, 2020, 25 pages.
Non-Final Office Action, U.S. Appl. No. 16/539,918, dated Jul. 16, 2020, 14 pages.
Non-Final Office Action, U.S. Appl. No. 16/568,949, dated Mar. 19, 2020, 18 pages.
Notice of Allowance from U.S. Appl. No. 14/674,679, dated Apr. 18, 2017, 20 pages.
Notice of Allowance from U.S. Appl. No. 14/689,926, dated Nov. 8, 2017, 22 pages.
Notice of Allowance from U.S. Appl. No. 14/689,973, dated Jul. 27, 2017, 33 pages.
Notice of Allowance from U.S. Appl. No. 14/824,262, dated Nov. 22, 2017, 7 pages.
Notice of Allowance from U.S. Appl. No. 14/956,589, dated Apr. 23, 2018, 21 pages.
Notice of Allowance from U.S. Appl. No. 14/956,615, dated Dec. 18, 2017, 19 pages.
Notice of Allowance from U.S. Appl. No. 15/699,454, dated Aug. 9, 2018, 11 pages.
Notice of Allowance from U.S. Appl. No. 15/845,963, dated Jun. 26, 2018, 11 pages.
Notice of Allowance from U.S. Appl. No. 15/886,183, dated Sep. 19, 2018, 9 pages.
Notice of Allowance from U.S. Appl. No. 15/924,759, dated Jun. 13, 2019, 21 pages.
Notice of Allowance from U.S. Appl. No. 16/107,972, dated May 9, 2019, 18 pages.
Notice of Allowance from U.S. Appl. No. 16/107,975, dated May 13, 2019, 18 pages.
Notice of Allowance, U.S. Appl. No. 14/675,176, dated Dec. 30, 2019, 6 pages.
Notice of Allowance, U.S. Appl. No. 14/689,973, dated Aug. 10, 2017, 6 pages.
Notice of Allowance, U.S. Appl. No. 14/824,262, dated Jan. 5, 2018, 4 pages.
Notice of Allowance, U.S. Appl. No. 15/699,454, dated Nov. 20, 2018, 6 pages.
Non-Final Office Action, U.S. Appl. No. 16/863,557, dated Nov. 24, 2021, 17 pages.
Notice of Allowance, U.S. Appl. No. 17/033,146, dated Jan. 10, 2022, 10 pages.
Notice of Allowance, U.S. Appl. No. 16/107,979, dated Oct. 7, 2019, 14 pages.
Notice of Allowance, U.S. Appl. No. 16/142,913, dated Aug. 30, 2019, 21 pages.
Notice of Allowance, U.S. Appl. No. 16/182,914, dated Dec. 4, 2019, 5 pages.
Notice of Allowance, U.S. Appl. No. 16/539,918, dated Jan. 22, 2021, 7 pages.
Paudice, Andrea; Sarkar, Santonu; Cotroneo, Dominco; “An Experiment with Conceptual Clustering for the Analysis of Security Alerts”, IEEE International Symposium on Software Reliability Engineering Workshops, Nov. 3-6, 2014, pp. 335-340.
Final Office Action, U.S. Appl. No. 14/675,176, dated Jan. 26, 2021, 18 pages.
Final Office Action, U.S. Appl. No. 16/568,949, dated Oct. 28, 2020, 19 pages.
Final Office Action, U.S. Appl. No. 16/736,120, dated Jan. 6, 2021, 15 pages.
Hasegawa, Hirokazu; Yamaguchi, Yukiko; Shimada, Hajime; Takakura; Hiroki; “A Countermeasure Recommendation System against Targeted Attacks with Preserving Continuity of Internal Networks”, 38th Annual Computer Software and Applications Conference, IEEE, Jul. 21-25, 2014, pp. 400-405.
Hershey, Paul C., Ph.D.; Silio, Jr., Charles B., Ph.D.; “Procedure for Detection of and Response to Distributed Denial of Service Cyber Attacks on Complex Enterprise Systems”, International Systems Conference SysCon, IEEE, Mar. 19-22, 2012, 6 pages.
Non-Final Office Action, U.S. Appl. No. 14/675,176, dated Jul. 14, 2020, 18 pages.
Non-Final Office Action, U.S. Appl. No. 14/677,493, dated Jul. 14, 2020, 18 pages.
Non-Final Office Action, U.S. Appl. No. 16/699,299, dated Apr. 29, 2021 , 10 pages.
Non-Final Office Action, U.S. Appl. No. 16/736,120, dated Sep. 22, 2020, 14 pages.
Tejay, Gurvirender P.S.; Zadig, Sean M.; “Investigating the Effectiveness of IS Security Countermeasures Towards Cyber Attacker Deterrence”, 45th Hawaii International Conference on System Sciences, IEEE, Jan. 4-7, 2012, pp. 3051-3060.
Final Office Action, U.S. Appl. No. 16/863,557, dated Apr. 7, 2022, 18 pages.
Non-Final Office Action, U.S. Appl. No. 16/863,557, dated Aug. 25, 2022, 18 pages.
Non-Final Office Action, U.S. Appl. No. 17/104,537, dated Jul. 20, 2022, 16 pages.
Non-Final Office Action, U.S. Appl. No. 17/326,070, dated Aug. 16, 2022, 20 pages.
Non-Final Office Action, U.S. Appl. No. 14/677,493, dated May 1, 2017, 25 pages.
Non-Final Office Action, U.S. Appl. No. 17/185,612, dated Sep. 16, 2022, 10 pages.
Non-Final Office Action, U.S. Appl. No. 17/513,595, dated Dec. 30, 2022, 15 pages.
Related Publications (1)
Number Date Country
20210258340 A1 Aug 2021 US
Provisional Applications (3)
Number Date Country
62106830 Jan 2015 US
62106837 Jan 2015 US
62087025 Dec 2014 US
Continuations (4)
Number Date Country
Parent 16539918 Aug 2019 US
Child 17306703 US
Parent 16107975 Aug 2018 US
Child 16539918 US
Parent 15699454 Sep 2017 US
Child 16107975 US
Parent 14689973 Apr 2015 US
Child 15699454 US