Systems and methods for orchestrating runtime operational integrity
Abstract
Instrumented networks and platforms having target subjects (devices, transactions, services, users, organizations) are disclosed. A security orchestration service generates runtime operational integrity profiles representing and identifying a level of threat or contextual trustworthiness, at near real time, of subjects and applications on the instrumented target platform. Systems and methods use a graphical user interface (GUI) console to orchestrate operational integrity of a platform. In an embodiment, a method presents a data center-level runtime operational integrity dashboard and remediation controls for infected systems in a display of a platform having a network trust agent, an endpoint trust agent, and a trust orchestrator. The method receives runtime integrity metrics for trust vectors and displays risk indicators based on the confidence level of received integrity metrics in the GUI. The method provides remediation controls for threat containment and risk mitigation and displays remediation status and progress results and malware analytics in the GUI.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method for presenting a data center level runtime operational integrity dashboard for visibility at an application level and controls to remediate infected systems hosting applications engaging in malicious activities in a display of a computing platform having an integrity processor, a runtime event correlation matrix, a trust broker, a system event correlator, a network activity correlator, a trust supervisor, and a remediation controller, the method comprising:
receiving, from a plurality of endpoint assessment services, runtime integrity metrics for a plurality of trust vectors; displaying, in a graphical user interface (GUI) on the display, risk indicators and impact analysis based on the confidence level of received integrity metrics; and providing manual or automated remediation controls for threat containment and risk mitigation by performing one or more of:
taking a snapshot of the infected system,
restoring or reimaging the infected system from a trusted baseline configuration,
quarantining the infected system from a network fabric,
diverting users from the infected system,
diverting transactions from the infected system, and
diverting traffic from the infected system.
2 . The method of claim 1 , further comprising:
displaying, in the GUI, a status and progress of initiated remediation actions; and displaying, in the GUI, details of malware analytics comprising one or more of:
infection summaries,
infection diagnosis,
threat categorization and identification based on a signature-less infection life-cycle model,
an address and geo-location for a source or attacker,
an identification of one or more infected victims,
forensic evidence chain of detected malicious activities and intent, and
compute, memory, storage and network level anomalies detected on the victim machine or infected system.
3 . The method of claim 1 , wherein the risk indicators are color-coded.
4 . The method of claim 1 , wherein the runtime operational integrity comprises execution anomalies and a threat posture.
5 . A method of orchestrating runtime operational integrity of a system executing on a computing platform using a network activity correlator, an integrity processor, a system event correlator, a trust broker, a remediation controller, a trust supervisor and a plurality of network endpoint assessments, the method comprising:
determining, by the network activity correlator, infection profiles based on network event correlation forensic evidence of malicious communications; determining, by the trust broker, system configuration anomalies based on system level normalization and collation of assessments; determining, by the integrity processor, resource utilization anomalies based on rulesets or alert expressions associated with processor, memory, and network resource usage; determining, by the integrity processor, at least one application integrity anomaly based on rulesets or alert expressions associated with static and dynamic image analysis; determining, by the system event correlator, integrity profiles based on temporal and endpoint events associated with the application; and correlating, by the trust supervisor, integrity and infection profiles to characterize behaviors through continuous local and remote monitoring risk analysis and detection of malicious applications.
6 . The method of claim 5 , further comprising:
mitigating, by the remediation controller, an infected system using inputs received from a real time threat visualization dashboard to implement flow level or transaction level remediation controls for the malicious applications.
7 . A system for orchestrating and displaying reputation scoring of a subject, the system comprising:
a display; a reputation broker configured to:
process a query from a service provider for a reputation score of the subject, and
dispatch a request to generate a hierarchical reputation score for the subject;
a display module configured to render a graphical user interface (GUI) for an administration console comprising a plurality of dashboards in the display; a trust orchestrator configured to:
process a received request from the reputation broker for a hierarchical reputation score by:
initiating a plurality of directed queries to information management systems external to an organization to interrogate attributes associated with the subject,
analyzing received query responses,
receiving a generated hierarchical reputation score for the subject based on a calculus of risk; and
sending the received hierarchical reputation score for the subject to the reputation broker;
receive a reputation token from the reputation broker for the subject in response to the dispatched request; and
send the reputation token to the service provider as a response to the query.
8 . The system of claim 7 , wherein the query is received at a reputation broker configured to forward the query to the trust broker, and wherein the query can be created, displayed, edited, and submitted using a dashboard of the administration console.
9 . The system of claim 7 , wherein the response is displayed in a dashboard of the administration console.
10 . The system of claim 7 , wherein the hierarchical reputation is graphically depicted in a dashboard of the administration console.
11 . The system of claim 7 , wherein the plurality of dashboards comprise one or more of:
a global view dashboard; a system configuration dashboard; a resource utilization dashboard; an application integrity dashboard; and a network activity dashboard.
12 . The system of claim 7 , wherein the plurality of dashboards includes a global view dashboard.
13 . The system of claim 7 , wherein the plurality of dashboards includes a system configuration dashboard.
14 . The system of claim 7 , wherein the plurality of dashboards includes a resource utilization dashboard.
15 . The system of claim 7 , wherein the plurality of dashboards includes an application integrity dashboard.
16 . The system of claim 7 , wherein the plurality of dashboards includes a network activity dashboard.Join the waitlist — get patent alerts
Track US2015244735A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.