System and method of managing network security risks
Abstract
A security risk management system comprises a vulnerability database, an asset database, a local threat intelligence database and a threat correlation module. The vulnerability database comprises data about security vulnerabilities of assets on a network gathered using active or passive vulnerability assessment techniques. The asset database comprises data concerning attributes of each asset. The threat correlation module receives threat intelligence alerts that identify attributes and vulnerabilities associated with security threats that affect classes of assets. The threat correlation module compares asset attributes and vulnerabilities with threat attributes and vulnerabilities and displays a list of assets that are affected by a particular threat. The list can be sorted according to a calculated risk score, allowing an administrator to prioritize preventive action and respond first to threats that affect higher risk assets. The security risk management system provides tools for performing preventive action and for tracking the success of preventive action.
Claims
exact text as granted — not AI-modified1 .- 20 . (canceled)
21 . A system, comprising:
a processor and a memory; a vulnerability database comprising data indicative of security vulnerabilities possessed by each asset of a plurality of assets connected to a computer network; an asset database comprising data indicative of attributes possessed by each asset of the plurality of assets such that the vulnerability database and the asset database together define for each asset a group of security vulnerabilities and attributes possessed by each asset; and a threat correlation module in communication with the vulnerability database and the asset database and configured to:
receive at least one threat intelligence alert that comprises data identifying at least one security threat that affects a class of assets;
identify a selected threat from the at least one security threat identified by the at least one threat intelligence alert;
identify at least one asset affected by the selected threat; and
communicate with a threat response module configured to access a vulnerability remediation module and to initiate a ticketing and workflow process that at least partially directs remediation of asset vulnerabilities, wherein the ticketing and workflow process assigns at least one user at least one specific remediation task associated with the identified asset, and initiates a check-up vulnerability scan in order to verify that the remediation task has occurred.
22 . The system of claim 21 , wherein the threat intelligence alert defines the affected class of assets with reference to an associated group of attributes and security vulnerabilities possessed by the affected class of assets.
23 . The system of claim 21 , wherein the asset is deemed to be affected by the selected threat if the group of attributes and security vulnerabilities associated with the selected threat matches the group of attributes and security vulnerabilities possessed by the asset.
24 . The system of claim 21 , wherein a user recommendation is provided for responding to the selected threat.
25 . The system of claim 21 , wherein the threat correlation module is further configured to generate a prioritized list of the affected assets based on their respective security risks such that scanning activities are initiated for at least some of the affected assets based on their respective security risks.
26 . The system of claim 21 , wherein the threat correlation module is further configured to display information about each affected asset including a risk score representative of a level of risk to which the asset exposes the network.
27 . The system of claim 26 , wherein the risk score of each asset is based at least on a criticality of the asset, a vulnerability severity ranking for each vulnerability associated with the asset, and a criticality of the threats that affect the asset.
28 . The system of claim 21 , wherein the threat response module is further configured to transmit to the user, in response to receiving a download request, a file that includes information related to the affected assets.
29 . The system of claim 21 , further comprising a compliance tracking module configured to receive user input specifying compliance goals in terms of assets that are not actually affected by a threat but that are potentially affected by the threat, to periodically determine compliance with the goal, and to display a time-based compliance measurement indicative of actual compliance with the goal in relation to the goal.
30 . The system of claim 29 , wherein the compliance goal and the time-based compliance measurement are expressed as a percentage of assets not affected by the threat.
31 . The system of claim 29 , wherein the compliance goal and the time-based compliance measurement are expressed as a raw number of assets not affected by the threat.
32 . The system of claim 21 , wherein the data in the vulnerability database includes at least one of:
an identification of the asset; an identification of the vulnerability; open ports on the asset; an operating system running on the asset; an IP address of the asset; a domain name for the asset; a NetBIOS name; and a Windows Domain/Workgroup name.
33 . The system of claim 21 , wherein the attributes possessed by each asset of the plurality of assets comprise at least one of:
an IP address; open ports on the asset; banners produced by the asset; an operating system run by the asset; a criticality of the asset; services run on the asset; an asset group to which the asset belongs; a human understandable asset label; an asset owner; and a geographical asset location.
34 . The system of claim 21 , wherein a success of the remediation is defined in terms of a percentage.
35 . The system of claim 34 , wherein a remediation goal is defined for use with the percentage in order to determine whether the remediation goal has been met.
36 . The system of claim 21 , wherein the security risk management system is operable such that the at least one threat intelligence alert is initiated immediately from a threat intelligence communication module after an urgent threat has been added to a threat intelligence database.
37 . The system of claim 36 , wherein the at least one threat intelligence alert is received from the threat intelligence communication module by the threat correlation module which stores the at least one threat intelligence alert into a local threat intelligence database.
38 . A method comprising:
identifying a selected conceptual network security threat, wherein the selected conceptual network security threat defines a group of attributes and vulnerabilities that, if possessed by an asset, indicate that the asset possessing the group of attributes and vulnerabilities can be affected by the selected threat if the threat becomes a realized threat; identifying a group of assets for comparison; comparing attributes and vulnerabilities associated with each asset of the group of assets with attributes and vulnerabilities of the selected threat utilizing a threat correlation module; wherein the threat correlation module is in communication with a threat response module configured to access a vulnerability remediation module and initiate an automated ticketing and workflow process that at least partially directs remediation of asset vulnerabilities, the automated ticketing and workflow process automatically assigning at least one user at least one specific remediation task associated with at least one of the group of assets, and determining if the at least one specific remediation task has been completed by the at least one user.
39 . The method of claim 38 , further generating a prioritized list of the affected assets based on their respective security risks such that scanning activities are initiated for at least some of the affected assets based on their respective security risks;
40 . The method of claim 39 , further comprising displaying the list of affected assets comprising each asset whose attributes and vulnerabilities match the attributes and vulnerabilities of the selected threat.
41 . The method of claim 40 , wherein displaying a list of affected assets includes displaying along with each affected asset a risk score representing a level of security risk posed by the affected asset to a computer network and wherein the list is sorted such that assets posing high security risk are presented near the top of the list.
42 . The method of claim 39 , wherein the list of affected assets comprises each asset whose attributes and vulnerabilities partially match the attributes and vulnerabilities of the selected threat.
43 . The method of claim 38 , further comprising commencing a check-up vulnerability scan to verify that the remediation has occurred.
44 . The method of claim 38 , further comprising providing a user recommendation for responding to the selected conceptual network security threat.
45 . The method of claim 38 , wherein identifying a group of assets for comparison includes identifying a group of assets that, based on the vulnerabilities and attributes of the assets and the vulnerabilities and attributes of the selected threat can potentially be affected by the selected threat.Join the waitlist — get patent alerts
Track US2012185945A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.