Multi-path remediation

US 9,118,708 B2
Filed: 09/28/2014
Issued: 08/25/2015
Est. Priority Date: 07/01/2003
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A computer program product embodied on a non-transitory computer readable medium, comprising:

code for accessing at least one data storage associating a plurality of device vulnerabilities, each device vulnerability having a vulnerability identifier, with a plurality of remediation techniques that collectively remediate the plurality of device vulnerabilities;

such that;

each of the device vulnerabilities is associated with at least one remediation technique;

each remediation technique associated with a device vulnerability remediates that device vulnerability;

each remediation technique has a remediation type including at least one of a patch, a policy setting, and a configuration option; and

a first one of the device vulnerabilities is associated with at least two alternative remediation techniques including a firewall remediation technique for reacting to packets and an intrusion prevention system remediation technique for inspecting packet payloads;

code for causing at least one operation in connection with a plurality of devices, the at least one operation configured for;

identifying at least one aspect associated with at least one of an operating system and an application of the plurality of devices, anddetermining that the plurality of devices is actually vulnerable to the first one of the device vulnerabilities, based on the identified at least one aspect;

code for displaying a result of the at least one operation;

code for storing information associated with the first one of the device vulnerabilities to which the plurality of devices is actually vulnerable for use in connection with selection among the at least two alternative remediation techniques;

code for receiving a first signal in connection with the first one of the device vulnerabilities to which the plurality of devices is actually vulnerable, the first signal capable of being received after displaying the information associated with the first one of the device vulnerabilities to which the plurality of devices is actually vulnerable and the first signal including an identifier for use in connection with a second signal;

code for sending the second signal, automatically generated in response to the first signal, for displaying the at least two alternative remediation techniques associated with the first one of the device vulnerabilities, for selection by a user via a user interface, such that, in order to, at least in part, avoid false positives, only a relevant vulnerability prompts remediation technique user selection among the at least two alternative remediation techniques, which include both the firewall remediation technique and the intrusion prevention system remediation technique for providing diverse remediation technique options in connection with attack mitigation;

code for receiving, prior to detecting an attack associated with the first one of the device vulnerabilities to which the plurality of devices is actually vulnerable, the selection by the user of at least one of the at least two alternative remediation techniques including at least one of the firewall remediation technique for reacting to packets and the intrusion prevention system remediation technique for inspecting packet payloads; and

code for automatically applying, prior to detecting the attack associated with the first one of the device vulnerabilities to which the plurality of devices is actually vulnerable, the selected at least one of the at least two alternative remediation techniques including at least one of the firewall remediation technique for reacting to packets and the intrusion prevention system remediation technique for inspecting packet payloads, to the plurality of devices for the attack mitigation at any of the plurality of devices;

said computer program product further operable such that, in response to another selection by the user of at least one of the at least two alternative remediation techniques after the attack in connection with at least one of the plurality of devices, applying the at least one of the at least two alternative remediation techniques including at least one of the firewall remediation technique and the intrusion prevention system remediation technique to the at least one of the plurality of devices;

said computer program product further operable for automatically applying, after the attack, the at least one of the at least two alternative remediation techniques selected via the another selection by the user.

View all claims

0 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

A system, method, and computer program product are provided for a database associating a plurality of device vulnerabilities to which computing devices can be subject with a plurality of remediation techniques that collectively remediate the plurality of device vulnerabilities. Each of the device vulnerabilities is associated with at least one remediation technique. Each remediation technique associated with a particular device vulnerability remediates that particular vulnerability. Further, each remediation technique has a remediation type are selected from the type group consisting of patch, policy setting, and configuration option. Still yet, a first one of the device vulnerabilities is associated with at least two alternative remediation techniques.

939 Citations

21 Claims

1. A computer program product embodied on a non-transitory computer readable medium, comprising:
- code for accessing at least one data storage associating a plurality of device vulnerabilities, each device vulnerability having a vulnerability identifier, with a plurality of remediation techniques that collectively remediate the plurality of device vulnerabilities;
  
  such that;
  
  each of the device vulnerabilities is associated with at least one remediation technique;
  
  each remediation technique associated with a device vulnerability remediates that device vulnerability;
  
  each remediation technique has a remediation type including at least one of a patch, a policy setting, and a configuration option; and
  
  a first one of the device vulnerabilities is associated with at least two alternative remediation techniques including a firewall remediation technique for reacting to packets and an intrusion prevention system remediation technique for inspecting packet payloads;
  
  code for causing at least one operation in connection with a plurality of devices, the at least one operation configured for;
  
  identifying at least one aspect associated with at least one of an operating system and an application of the plurality of devices, anddetermining that the plurality of devices is actually vulnerable to the first one of the device vulnerabilities, based on the identified at least one aspect;
  
  code for displaying a result of the at least one operation;
  
  code for storing information associated with the first one of the device vulnerabilities to which the plurality of devices is actually vulnerable for use in connection with selection among the at least two alternative remediation techniques;
  
  code for receiving a first signal in connection with the first one of the device vulnerabilities to which the plurality of devices is actually vulnerable, the first signal capable of being received after displaying the information associated with the first one of the device vulnerabilities to which the plurality of devices is actually vulnerable and the first signal including an identifier for use in connection with a second signal;
  
  code for sending the second signal, automatically generated in response to the first signal, for displaying the at least two alternative remediation techniques associated with the first one of the device vulnerabilities, for selection by a user via a user interface, such that, in order to, at least in part, avoid false positives, only a relevant vulnerability prompts remediation technique user selection among the at least two alternative remediation techniques, which include both the firewall remediation technique and the intrusion prevention system remediation technique for providing diverse remediation technique options in connection with attack mitigation;
  
  code for receiving, prior to detecting an attack associated with the first one of the device vulnerabilities to which the plurality of devices is actually vulnerable, the selection by the user of at least one of the at least two alternative remediation techniques including at least one of the firewall remediation technique for reacting to packets and the intrusion prevention system remediation technique for inspecting packet payloads; and
  
  code for automatically applying, prior to detecting the attack associated with the first one of the device vulnerabilities to which the plurality of devices is actually vulnerable, the selected at least one of the at least two alternative remediation techniques including at least one of the firewall remediation technique for reacting to packets and the intrusion prevention system remediation technique for inspecting packet payloads, to the plurality of devices for the attack mitigation at any of the plurality of devices;
  
  said computer program product further operable such that, in response to another selection by the user of at least one of the at least two alternative remediation techniques after the attack in connection with at least one of the plurality of devices, applying the at least one of the at least two alternative remediation techniques including at least one of the firewall remediation technique and the intrusion prevention system remediation technique to the at least one of the plurality of devices;
  
  said computer program product further operable for automatically applying, after the attack, the at least one of the at least two alternative remediation techniques selected via the another selection by the user.
- View Dependent Claims (2, 3)
- - 2. The computer program product of claim 1, wherein the computer program product is operable such at least one of:
    - said remediation type includes the patch;
      
      said remediation type includes the patch, and the patch includes a security update;
      
      said remediation type includes the policy setting;
      
      said remediation type includes the configuration option;
      
      said first signal is sent in connection with an identification of an attack that is capable of exploiting the first one of the device vulnerabilities;
      
      said first signal is sent before the identification of an attack that is capable of exploiting the first one of the device vulnerabilities;
      
      said first signal includes the identifier for use in connection with the second signal, for identifying the first signal so that the second signal is capable of being generated;
      
      said first signal includes a vulnerability identifier;
      
      said at least one data storage is accessed by at least one of;
      
      receiving at least one update therefrom;
      
      pulling at least one update therefrom, communicating therewith, and synchronizing therewith;
      
      at least some of said remediation techniques are configured for mitigating an effect of an attack that takes advantage of the corresponding device vulnerability;
      
      at least some of said remediation techniques are configured for removing the corresponding device vulnerability utilizing an update;
      
      said alternative remediation techniques are of different ones of the types;
      
      both of said at least two alternative remediation techniques are capable of being selected;
      
      only one of said at least two alternative remediation techniques including the firewall remediation technique is capable of being selected;
      
      only one of said at least two alternative remediation techniques including the intrusion prevention system remediation technique is capable of being selected;
      
      said another selection is capable of selecting the same at least one of the at least two alternative remediation techniques, as the selection; and
      
      said computer program product is further operable for use with at least one NOC server, a data warehouse, and an SDK for allowing access to information associated with the device vulnerabilities, and wherein the computer program product is operable for determining which devices have vulnerabilities by directly querying a firmware or operating system of the devices.
  - 3. The system of claim 1, wherein the system is operable such that the firewall remediation technique and the intrusion prevention system remediation technique involve policy options that are capable of being automatically applied to user-selected multiple devices at once, and are further capable of being applied such that only the firewall remediation technique is automatically applied to first user-selected multiple devices, only the intrusion prevention system remediation technique is automatically applied to second user-selected multiple devices, and both the firewall remediation technique and the intrusion prevention system remediation technique are automatically applied to third user-selected multiple devices.

4. A computer program product embodied on a non-transitory computer readable medium, the computer program product comprising:
- code for;
  
  accessing at least one data storage identifying a plurality of mitigation techniques that mitigate effects of attacks that take advantage of vulnerabilities, where;
  
  each mitigation technique is for mitigating an effect of an attack that takes advantage of a corresponding vulnerability,each mitigation technique has a mitigation type including at least one of a patch, a policy setting, and a configuration option, andat least two of the mitigation techniques are for mitigating an effect of an attack that takes advantage of a first one of the vulnerabilities, the at least two mitigation techniques including a firewall option for reacting to packets and an intrusion prevention system option for inspecting packet payloads;
  
  code for causing, in connection with a plurality of devices;
  
  identification of at least one aspect associated with at least one of an operating system and an application of the plurality of devices, anddetermination that the plurality of devices is actually vulnerable to the first one of the vulnerabilities, based on the identified at least one aspect;
  
  code for displaying a result of the determination;
  
  code for storing information associated with the first one of the vulnerabilities to which the plurality of devices is actually vulnerable for use in connection with selection among the at least two mitigation techniques;
  
  code for receiving a first signal prompted by a user via a user interface, the first signal capable of being received after displaying the information associated with the first one of the vulnerabilities to which the plurality of devices is actually vulnerable, the first signal including an identifier for use in connection with a second signal;
  
  code for sending, in response to the first signal, the second signal for causing display of the at least two mitigation techniques for mitigating the effect of the attack that takes advantage of the first one of the vulnerabilities to which the plurality of devices is determined to be actually vulnerable, for selection by the user via the user interface, such that, in order to reduce false positives, a relevant vulnerability prompts mitigation technique user selection among the at least two mitigation techniques, which include both the firewall option and the intrusion prevention system option for providing diverse mitigation options for attack mitigation;
  
  code for receiving, prior to detecting an attack involving the first one of the vulnerabilities to which the plurality of devices is actually vulnerable, the selection by the user of at least one of the at least two mitigation techniques; and
  
  code for applying, prior to detecting the attack involving the first one of the vulnerabilities to which the plurality of devices is actually vulnerable, the selected at least one of the at least two mitigation techniques including at least one of the firewall remediation technique for reacting to packets and the intrusion prevention system remediation technique for inspecting packet payloads, to the plurality of devices for the attack mitigation at any of the plurality of devices;
  
  said computer program product further operable such that, in response to another selection by the user of at least one of a plurality of post-attack mitigation techniques after at least one attack in connection with at least one device, applying the at least one of the post-attack mitigation techniques including at least one of the firewall option, the intrusion prevention system option, and a different mitigation option to the at least one device;
  
  said computer program product further operable for automatically applying, after the attack, the selected at least one of the post-attack mitigation techniques.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 5. The computer program product of claim 4, wherein the computer program product is operable such that the at least two mitigation techniques are caused to be displayed in connection with the first one of the vulnerabilities.
  - 6. The computer program product of claim 5, wherein the computer program product is operable such that different user input is capable of being received for different devices, for allowing different mitigation techniques including a first mitigation technique and a second mitigation technique to be selectively applied by the user to the different devices for different actual vulnerabilities.
  - 7. The computer program product of claim 5, wherein the computer program product is operable such that different user input is capable of being received for different devices, for allowing different mitigation techniques including a first mitigation technique and a second mitigation technique to be selectively applied by the user to the different devices for different actual vulnerabilities, such that the different user input is capable of resulting in:
    - only the first mitigation technique being selectively applied by the user to at least one first device, only the second mitigation technique being selectively applied by the user to at least one second device, and both the first mitigation technique and the second mitigation technique being selectively applied by the user to at least one third device.
  - 8. The computer program product of claim 4, wherein the computer program product is operable such that the at least one device includes at least one of the plurality of devices.
  - 9. The computer program product of claim 4, wherein the computer program product is operable such that, in response to the another selection, the firewall option, the intrusion prevention system option, and the different mitigation option are capable of being applied to the at least one device.
  - 10. The computer program product of claim 4, wherein the computer program product is operable such that, in response to the another selection, the different mitigation option is capable of being applied to the at least one device.
  - 11. The computer program product of claim 4, wherein the computer program product is operable such that the determination that the plurality of devices is actually vulnerable to the first one of the vulnerabilities is caused via an agentless vulnerability scan.
  - 12. The computer program product of claim 4, wherein the computer program product is operable such that the identification is caused by allowing receipt of the identification of the at least one of the operating system and the application after an interaction with the user;
    - and the information is capable of being used in connection with the selection among the at least two mitigation techniques, by;
      
      being displayed prior to the selection, being used to cause display of the at least two mitigation techniques, or being used to identify the relevant vulnerability.
  - 13. The computer program product of claim 4, wherein the computer program product is operable such that the information describes:
    - the plurality of devices determined to be actually vulnerable to the first one of the vulnerabilities, the first one of the vulnerabilities, or at least one of the at least two mitigation techniques.
  - 14. The computer program product of claim 4, wherein the computer program product is operable such that the firewall option and the intrusion prevention system option include policy options that are capable of being automatically applied to user-selected multiple devices at once, and are further capable of being applied such that only the firewall option is automatically applied to first user-selected multiple devices, only the intrusion prevention system option is automatically applied to second user-selected multiple devices, and both the firewall option and the intrusion prevention system option are automatically applied to third user-selected multiple devices.
  - 15. The computer program product of claim 4, wherein the computer program product is operable such that the first signal is prompted by user input received via the user interface, where the first signal is received over a network.
  - 16. The computer program product of claim 4, wherein the computer program product is operable such that the first signal is prompted by user input received via a user interface element that displays a result of the determination.
  - 17. The computer program product of claim 4, wherein the computer program product is operable such at least one of:
    - said mitigation type includes the patch;
      
      said mitigation type includes the patch, and the patch includes a security update;
      
      said mitigation type includes the policy setting;
      
      said mitigation type includes the configuration option;
      
      said first signal is received in connection with an identification of an attack that is capable of exploiting the first one of the vulnerabilities;
      
      said first signal is received before the identification of an attack that is capable of exploiting the first one of the vulnerabilities;
      
      said first signal includes the identifier for use in connection with the second signal, by identifying a purpose of the first signal so as to coordinate a generation of the second signal;
      
      said first signal includes a vulnerability identifier;
      
      said at least one data storage is accessed by at least one of;
      
      receiving at least one update therefrom;
      
      pulling at least one update therefrom, communicating therewith, and synchronizing therewith;
      
      at least some of said mitigation techniques are configured for mitigating an effect of an attack that takes advantage of the corresponding vulnerability;
      
      at least one of said mitigation techniques includes a remediation technique;
      
      at least some of said mitigation techniques are configured for removing the corresponding vulnerability utilizing an update;
      
      said at least one aspect is associated with the operating system of the plurality of devices;
      
      said at least one aspect is associated with the application of the plurality of devices;
      
      both of said at least two mitigation techniques are capable of being selected;
      
      only one of said at least two mitigation techniques including the at least one of the firewall option is capable of being selected;
      
      only one of said at least two mitigation techniques including the intrusion prevention system option is capable of being selected;
      
      both of said at least two mitigation techniques are capable of being applied;
      
      only one of said at least two mitigation techniques including the at least one of the firewall option is capable of being applied;
      
      only one of said at least two mitigation techniques including the intrusion prevention system option is capable of being applied;
      
      said another selection is capable of selecting the same at least one of the at least two mitigation techniques, as the selection; and
      
      said computer program product is operable such that, in response to the user input after the at least one attack in connection with the at least one device, the different mitigation option is capable of being applied to the at least one device; and
      
      wherein the computer program product is further operable for use with at least one NOC server, a data warehouse, and an SDK for allowing access to information associated with the vulnerabilities, and wherein the computer program product is operable for determining which devices have vulnerabilities by directly querying a firmware or operating system of the devices.

18. A system, comprising:
- an intrusion prevention system component of an intrusion prevention system that includes a hardware processor and memory, the intrusion prevention system component for accessing at least one data structure identifying a plurality of mitigation techniques that mitigate effects of attacks that take advantage of vulnerabilities, such that;
  
  each mitigation technique is for mitigating an effect of an attack that takes advantage of a corresponding vulnerability,each mitigation technique has a mitigation type including at least one of a patch, a policy setting, and a configuration option,at least two of the mitigation techniques are for mitigating an effect of an attack that takes advantage of a first one of the vulnerabilities, andsaid at least two mitigation techniques include a first mitigation technique that utilizes a firewall action for at least mitigating the attack that takes advantage of the first one of the vulnerabilities and a second mitigation technique that utilizes a real-time intrusion prevention action for at least mitigating the attack that takes advantage of the first one of the vulnerabilities;
  
  said intrusion prevention system component configured for;
  
  causing, in connection with a plurality of devices;
  
  identification of at least one aspect associated with at least one of an operating system and an application of the plurality of devices, anddetermination that the plurality of devices is actually vulnerable to the first one of the vulnerabilities, based on the identified at least one aspect;
  
  storing information associated with the first one of the vulnerabilities to which the plurality of devices is actually vulnerable for use in connection with selection among the at least two mitigation techniques;
  
  displaying at least a portion of the information;
  
  receiving a first signal relating to the first one of the vulnerabilities, the first signal capable of being received after displaying the information associated with the first one of the vulnerabilities to which the plurality of devices is actually vulnerable, the first signal including an identifier for use in connection with a second signal;
  
  sending the second signal, in response to the first signal, for causing a display of the at least two mitigation techniques for mitigating the effect of the attack that takes advantage of the first one of the vulnerabilities, for selection by a user via at least one user interface, such that, in order to reduce false positives, a relevant vulnerability prompts mitigation technique user selection among the at least two mitigation techniques, which include both the first mitigation technique that utilizes the firewall action for at least mitigating the attack that takes advantage of the first one of the vulnerabilities and the second mitigation technique that utilizes the real-time intrusion prevention action for at least mitigating the attack that takes advantage of the first one of the vulnerabilities;
  
  receiving, prior to detecting an attack involving the first one of the vulnerabilities to which the plurality of devices is actually vulnerable, the selection of at least one of the at least two mitigation techniques including at least one of the first mitigation technique that utilizes the firewall action for at least mitigating the attack that takes advantage of the first one of the vulnerabilities and the second mitigation technique that utilizes the real-time intrusion prevention action for at least mitigating the attack that takes advantage of the first one of the vulnerabilities; and
  
  automatically applying, prior to detecting the attack involving the first one of the vulnerabilities to which the plurality of devices is actually vulnerable, the selected at least one of the at least two mitigation techniques including at least one of the first mitigation technique that utilizes the firewall action for at least mitigating the attack that takes advantage of the first one of the vulnerabilities and the second mitigation technique that utilizes the real-time intrusion prevention action for at least mitigating the attack that takes advantage of the first one of the vulnerabilities, utilizing a communication with client code supporting the intrusion prevention system component;
  
  said system further operable such that, in response to another selection by the user of at least one of a plurality of post-attack mitigation techniques after at least one attack in connection with at least one device, applying the at least one of the post-attack mitigation techniques including at least one of the first mitigation technique, the second mitigation technique, and a third mitigation technique to the at least one device;
  
  said system further operable for automatically applying, after the attack, the selected at least one of the post-attack mitigation techniques.
- View Dependent Claims (19, 20, 21)
- - 19. The system of claim 18, wherein the system is operable such that the first mitigation technique and the second mitigation technique involve policy options that are capable of being automatically applied to user-selected multiple devices at once, and are further capable of being applied such that only the first mitigation technique is automatically applied to first user-selected multiple devices, only the second mitigation technique is automatically applied to second user-selected multiple devices, and both the first mitigation technique and the second mitigation technique are automatically applied to third user-selected multiple devices.
  - 20. The system of claim 18, wherein the system is operable such that different user input is capable of being received for different devices, for allowing different mitigation techniques including the first mitigation technique and the second mitigation technique to be selectively applied by the user to the different devices for different actual vulnerabilities.
  - 21. The system of claim 18, wherein the system is operable such that different user input is capable of being received for different devices, for allowing different mitigation techniques including the first mitigation technique and the second mitigation technique to be selectively applied by the user to the different devices for different actual vulnerabilities, such that the different user input is capable of resulting in:
    - only the first mitigation technique being selectively applied by the user to at least one first device, only the second mitigation technique being selectively applied by the user to at least one second device, and both the first mitigation technique and the second mitigation technique being selectively applied by the user to at least one third device.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
SecurityProfiling, LLC
Original Assignee
SecurityProfiling, LLC
Inventors
Oliphant, Brett M., Blignaut, John P.
Primary Examiner(s)
Patel, Nirav B

Application Number

US14/499,226
Publication Number

US 20150040230A1
Time in Patent Office

331 Days
Field of Search

726 22- 25, 713/188
US Class Current

1/1
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Multi-path remediation

First Claim

0 Assignments

Litigations

0 Petitions

Accused Products

Abstract

939 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-path remediation

First Claim

0 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

939 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links