U.S. patent application number 10/882588 was filed with the patent office on July 1, 2004 for multiple-path remediation, and was published as US 20060259779 A2 on November 16, 2006.
This patent application is currently assigned to SecurityProfiling, Inc. Invention is credited to Brett M. Oliphant.
Publication Number: US 20060259779 A2
Application Number: 10/882588
Family ID: 38668695
Filed: July 1, 2004
Published: November 16, 2006
Inventor: Oliphant; Brett M.
MULTIPLE-PATH REMEDIATION
Abstract
A security information management system is described, wherein a database of potential vulnerabilities is maintained, along with data describing remediation techniques (patches, policy settings, and configuration options) available to protect against them. At least one vulnerability is associated in the database with multiple available remediation techniques. In one embodiment, the system presents a user with the list of remediation techniques available to protect against a known vulnerability, accepts the user's selection from the list, and executes the selected technique. In other embodiments, the system uses a predetermined prioritization schedule to automatically select among the available remediation techniques, then automatically executes the selected technique.
Inventors: Oliphant; Brett M. (Lafayette, IN)
Correspondence Address: BINGHAM MCHALE LLP, 2700 MARKET TOWER, 10 WEST MARKET STREET, INDIANAPOLIS, IN 46204-4900, US
Assignee: SecurityProfiling, Inc., P.O. Box 227, Lafayette, IN 47902
Prior Publication: US 20050044389 A1, published February 24, 2005
Family ID: 38668695
Appl. No.: 10/882588
Filed: July 1, 2004
Current U.S. Class: 713/187
Current CPC Class: H04L 63/1441 (2013.01); G06F 21/55 (2013.01); G06F 21/57 (2013.01); H04L 63/1433 (2013.01); H04L 63/20 (2013.01)
Class at Publication: 713/187
International Class: H04L 9/32 (2006.01)
Claims
1. A system, comprising: a database associating a plurality of
device vulnerabilities to which computing devices can be subject,
each vulnerability having a vulnerability identifier, with a
plurality of remediation techniques that collectively remediate the
plurality of device vulnerabilities; such that: each of the device
vulnerabilities is associated with at least one remediation
technique; each remediation technique associated with a particular
device vulnerability remediates that particular vulnerability; each
remediation technique has a remediation type selected from the type
group consisting of patch, policy setting, and configuration
option; and a first one of the device vulnerabilities is associated
with at least two remediation techniques; a query signal comprising
the vulnerability identifier for the first one of the device
vulnerabilities; and a response signal, automatically generated in
response to the query signal, that describes the at least two
remediation techniques.
2. The system of claim 1, further comprising a user interface that:
offers the at least two remediation techniques for selection by a
user; accepts a selection by the user of at least one of the at
least two remediation techniques; and applies the selected at least
one of the at least two remediation techniques.
3. The system of claim 1, further comprising: a processor; and a memory encoded with programming instructions executable by the processor to: receive the response signal; automatically select one of the at least two remediation techniques; and apply the selected remediation technique.
4. The system of claim 3, wherein: each of the at least two
remediation techniques has a remediation type; and the automatic
selecting is based on the remediation type of each of the at least
two remediation techniques.
5. The system of claim 3, wherein the automatic selecting is based
on input from a user that is acquired before the response signal is
received.
6. The system of claim 3, wherein the automatic selecting is based
on input from a user that is acquired after the response signal is
received.
7. A method, comprising: providing a database that associates a
plurality of device vulnerabilities to which computing devices can
be subject with a plurality of remediation techniques that
collectively remediate the plurality of device vulnerabilities,
wherein: each vulnerability has a vulnerability identifier; each
vulnerability is associated with at least one remediation technique
operable to remediate that particular vulnerability; and each
remediation technique has a remediation type selected from the
group consisting of patch, policy setting, and configuration
option; transmitting a query signal comprising the vulnerability
identifier for a first device vulnerability; and transmitting a
response signal, automatically generated in response to the query
signal, that describes at least two remediation techniques
associated with the first device vulnerability.
8. The method of claim 7, further comprising: offering the at least
two remediation techniques for selection by a user via a user
interface; and accepting a selection by the user of at least one of
the at least two remediation techniques via the user interface.
9. The method of claim 7, further comprising providing a computing
device including: a processor; and memory encoded with programming
instructions executable by the processor to: receive the response
signal; automatically select one of the at least two remediation
techniques; and apply the selected remediation technique.
10. The method of claim 9, wherein: each of the at least two
remediation techniques has a remediation type; and the automatic
selecting is based on the remediation types of the at least two
remediation techniques.
11. The method of claim 9, wherein the automatic selecting is based
on input from a user.
12. A method of managing one or more computing devices, comprising:
maintaining a table that: contains a plurality of vulnerabilities
to which the computing devices might be vulnerable; contains a
plurality of remediation techniques, each selected from the group
consisting of patches, configuration settings, and policy settings;
and associates each vulnerability with one or more remediation
techniques that are effective to protect at least one of the
computing devices from the vulnerability, in which a first
vulnerability in the plurality of vulnerabilities is associated
with both a first remediation technique and a second remediation
technique; identifying a computing device that is vulnerable to the
first vulnerability; presenting the first remediation technique and
the second remediation technique to a user as options via a user
interface; accepting user input via the user interface, wherein the
user input selects at least one of the first remediation technique
and the second remediation technique; and automatically
implementing the at least one selected remediation technique.
13. The method of claim 12, wherein the accepting occurs before the
identifying.
14. The method of claim 12, wherein the accepting occurs after the
identifying.
15. A system, including: a processor; and software running on the
processor that: maintains a list of vulnerabilities to which a
computer might be vulnerable; maintains a collection of remediation
techniques that collectively remediate all of the vulnerabilities
on the list; and keeps track of one or more remediation techniques
that remediate each vulnerability on the list, wherein a first
particular vulnerability on the list might be remediated by either
a first remediation technique or a second remediation
technique.
16. The system of claim 15, wherein the software also: receives a
query signal that identifies the first particular vulnerability;
and automatically sends a response signal that is responsive to the
query signal and identifies the first remediation technique and the
second remediation technique.
17. The system of claim 16, further comprising a computer that:
sends the query signal to the processor; receives the response
signal; and implements the first remediation technique.
18. The system of claim 15, wherein the software also: receives a
query signal that identifies the first particular vulnerability;
automatically selects a remediation technique from the first
remediation technique and the second remediation technique; and
automatically sends a response signal that identifies the selected
remediation technique.
19. The system of claim 18, wherein the automatic selection is
based on a predetermined selection rule provided by a user.
20. The system of claim 15, wherein the software also updates the
list and the collection based on information received from an
update server.
21. An apparatus, comprising a device encoded with logic executable
by one or more processors to manage one or more computing devices
by associating a plurality of device vulnerabilities, to which the
computing devices can be subject, with a plurality of remediation
techniques that collectively remediate the plurality of device
vulnerabilities, wherein: each vulnerability has a vulnerability
identifier and is associated with at least one remediation
technique; each remediation technique has a remediation type
selected from the group consisting of patch, policy setting, and
configuration option; a first one of the device vulnerabilities is
associated with at least two remediation techniques; a query signal
is sent to the device, the query signal comprising the
vulnerability identifier for the first one of the device
vulnerabilities; and a response signal is sent from the device, the
response signal being automatically generated in response to the
query signal.
22. The apparatus of claim 21, wherein the response signal
describes the at least two remediation techniques.
23. The apparatus of claim 22, wherein a user interface is operable
to: offer the at least two remediation techniques to a user; and
accept a selection by the user of at least one of the at least two
remediation techniques.
24. The apparatus of claim 23, wherein the logic is further
executable by the one or more processors to apply the selected
remediation technique.
25. The apparatus of claim 22, wherein a first computing device
includes a processor and a memory encoded with programming
instructions executable by the processor to: receive the response
signal; select automatically one of the at least two remediation
techniques; and apply the selected remediation technique.
26. The apparatus of claim 21, wherein: the device automatically
selects one of the at least two remediation techniques; and the
response signal identifies the selected remediation technique.
27. The apparatus of claim 26, wherein the automatic selection is
based on a predetermined selection rule provided by a user.
Description
Detailed Description of the Invention
Cross-Reference to Related Applications
[0001] This application claims the benefit of U.S. Provisional
Application No. 60/484,085. This application is also related to
applications titled REAL-TIME VULNERABILITY MONITORING (Attorney
Docket No. 36029-3), POLICY-PROTECTION PROXY (Attorney Docket No.
36029-5), VULNERABILITY AND REMEDIATION DATABASE (Attorney Docket
No. 36029-6), AUTOMATED STAGED PATCH AND POLICY MANAGEMENT
(Attorney Docket No. 36029-7), and CLIENT CAPTURE OF VULNERABILITY
DATA (Attorney Docket 36029-8), all filed on even date herewith.
All of these applications are hereby incorporated herein by
reference as if fully set forth.
Field of the Invention
[0002] The present invention relates to computer systems, and more
particularly to management of security of computing and network
devices that are connected to other such devices.
Background
[0003] With the growing popularity of the Internet and the
increasing reliance by individuals and businesses on networked
computers, network security management has become a critical
function for many people. Furthermore, with computing systems
themselves becoming more complex, security vulnerabilities in a
product are often discovered long after the product is released
into general distribution. Improved methods are needed, therefore,
for managing updates and patches to software systems, and for
managing configurations of those systems.
[0004] The security management problem is still more complex,
though. Often techniques intended to remediate vulnerabilities
(such as configuration changes, changes to policy settings, or
application of patches) add additional problems. Sometimes patches
to an operating system or application interfere with operation of
other applications, and can inadvertently disable mission-critical
services and applications of an enterprise. At other times,
remediation steps open other vulnerabilities in software. There is,
therefore, a need for improved security management techniques.
Summary
[0005] One form of the present invention is a database of
information about a plurality of devices, updated in real-time and
used by an application to make a security-related decision. The
database stores data indicating the installed operating system(s),
installed software, patches that have been applied, system policies
that are in place, and configuration information for each device.
The database answers queries by one or more devices or applications
attached by a network to facilitate security-related decision
making. In one form of this embodiment, a firewall or router
handles a connection request or maintenance of a connection based
on the configuration information stored in the database that
relates to one or both of the devices involved in the
transmission.
Brief Description of the Drawings
[0006] Fig. 1 is a block diagram of a networked system of computers
in one embodiment of the present invention.
[0007] Fig. 2 is a block diagram showing components of several
computing devices in the system of Fig. 1.
[0008] Figs. 3 and 4 trace signals that travel through the system of Figs. 1 and 2 as the present invention is applied to them.
Description
[0009] For the purpose of promoting an understanding of the
principles of the present invention, reference will now be made to
the embodiment illustrated in the drawings and specific language
will be used to describe the same. It will, nevertheless, be
understood that no limitation of the scope of the invention is
thereby intended; any alterations and further modifications of the
described or illustrated embodiments, and any further applications
of the principles of the invention as illustrated therein are
contemplated as would normally occur to one skilled in the art to
which the invention relates.
[0010] Generally, the present invention in its preferred embodiment
operates in the context of a network as shown in Fig. 1. System 100
includes a vulnerability and remediation database 110 connected by
Internet 120 to subnet 130. In this exemplary embodiment, firewall
131 serves as the gateway between Internet 120 and the rest of
subnet 130. Router 133 directs connections between computers 137 and 139, and between those computers and other devices on Internet 120. Server 135
collects certain information and provides certain data services
that will be discussed in further detail herein.
[0011] In particular, security server 135 includes processor 142,
and memory 144 encoded with programming instructions executable by
processor 142 to perform several important security-related
functions. For example, security server 135 collects data from
devices 131, 133, 137, and 139, including the software installed on
those devices, their configuration and policy settings, and patches
that have been installed. Security server 135 also obtains from
vulnerability and remediation database 110 a regularly updated list
of security vulnerabilities in software for a wide variety of
operating systems, and even in the operating systems themselves.
Security server 135 also downloads a regularly updated list of
remediation techniques that can be applied to protect a device from
damage due to those vulnerabilities. In a preferred embodiment,
each vulnerability in vulnerability and remediation database 110 is identified by a
vulnerability identifier, and the vulnerability identifier can be
used to retrieve remediation information from database 110 (and
from database 146, discussed below in relation to Fig. 2).
[0012] In this preferred embodiment, computers 137 and 139 each
comprise a processor 152, 162, memory 154, 164, and storage 156,
166. Computer 137 executes a client-side program (stored in storage
156, loaded into memory 154, and executed by processor 152) that
maintains an up-to-date collection of information regarding the
operating system, service pack (if applicable), software, and
patches installed on computer 137, and the policies and
configuration data (including configuration files, and elements
that may be contained in files, such as *.ini and *.conf files and
registry information, for example), and communicates that
information on a substantially real-time basis to security server
135. In an alternative embodiment, the collection of information is
not retained on computer 137, but is only communicated once to
security server 135, then is updated in real time as changes to
that collection occur.
[0013] In these exemplary systems, "configuration information" for
each device may take the form of initialization files (often named
*.ini or *.conf), configuration registry (such as the Windows
Registry on Microsoft WINDOWS operating systems), or configuration
data held in volatile or non-volatile memory. Such configuration
information often determines what and how data is accepted from
other devices, sent to other devices, processed, stored, or
otherwise handled, and in many cases determines what routines and
sub-routines are executed in a particular application or operating
system.
[0014] Computer 139 stores, loads, and executes a similar software
program that communicates configuration information pertaining to
computer 139 to security server 135, also substantially in real
time. Changes to the configuration registry in computer 139 are
monitored, and selected changes are communicated to security server
135 so that relevant information is always available. Security
server 135 may connect directly to and request software
installation status and configuration information from firewall 131
and router 133, for embodiments wherein firewall 131 and router 133
do not have a software program executing on them to communicate
this information directly.
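The client-side collector of paragraphs [0012] to [0014], as an added Python example that is not from the patent or from SecurityProfiling's product: it flattens *.ini/*.conf style configuration into section.key records, remembers the last snapshot it reported, and emits only the changes, together with a digest of the full snapshot. The first observation reports the whole configuration (the initial collection), later ones report only deltas, and an unchanged read produces no message. The two sample configurations and the device name are constructed for the example; the message shape and the digest field are assumptions, since the patent does not define a wire format.

```python
import configparser
import hashlib
import json
from typing import Dict, Optional, Tuple

# Constructed sample configuration for the example: before and after an
# administrator rebinds the service. Not taken from any real product.
SAMPLE_V1 = """
[examplesvc]
listen = 0.0.0.0
port = 445
"""

SAMPLE_V2 = """
[examplesvc]
listen = 127.0.0.1
port = 445

[logging]
level = info
"""


def flatten_ini(text: str) -> Dict[str, str]:
    """Parse INI text into 'section.key' -> value (keys are lower-cased by configparser)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    flat: Dict[str, str] = {}
    for section in parser.sections():
        for key, value in parser.items(section):
            flat[f"{section}.{key}"] = value
    return flat


def diff_snapshots(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Only the items that changed: key -> (old value or None, new value or None)."""
    return {
        key: (old.get(key), new.get(key))
        for key in sorted(old.keys() | new.keys())
        if old.get(key) != new.get(key)
    }


class ConfigReporter:
    """Holds one device's last reported configuration and builds update messages."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.last: Dict[str, str] = {}

    def observe(self, ini_text: str) -> Optional[dict]:
        """Compare a fresh read of the configuration with the last report.
        First call: everything is new and is reported in full. Later calls:
        only deltas. No change: no message, nothing is sent."""
        current = flatten_ini(ini_text)
        changes = diff_snapshots(self.last, current)
        self.last = current
        if not changes:
            return None
        # Digest of the whole snapshot so the server can detect a missed delta.
        # This field is an assumption of the example, not part of the patent.
        digest = hashlib.sha256(json.dumps(current, sort_keys=True).encode()).hexdigest()
        return {"device": self.device_id, "changes": changes, "snapshot_sha256": digest}


def run_demo() -> list:
    """Replay the two constructed states: full report, then no-op, then a delta."""
    reporter = ConfigReporter("ws-137")
    return [reporter.observe(SAMPLE_V1), reporter.observe(SAMPLE_V1), reporter.observe(SAMPLE_V2)]
```

The same pattern applies to registry keys or other key-value configuration: any source that can be flattened to stable string keys can be diffed the same way, and the digest gives the server a cheap check that its copy of the device row still matches the device.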
[0015] This collection of information is made available at security
server 135, and combined with the vulnerability and remediation
data from source 110. The advanced functionality of system 100 is
thereby enabled as discussed further herein.
[0016] Turning to Fig. 2, one sees additional details and
components of the devices in subnet 130. Computers 137 and 139 are
traditional client or server machines, each having a processor 152,
162, memory 154, 164, and storage 156, 166. Firewall 131 and router
133 also have processors 172, 182 and storage 174, 184,
respectively, as is known in the art. In this embodiment, devices
137 and 139 each execute a client-side program that continuously
monitors the software installation and configuration status for
that device. Changes to that status are communicated in
substantially real time to security server 135, which continuously
maintains the information in database 146. Security server 135
connects directly to firewall 131 and router 133 to obtain software
installation and configuration status for those devices in the
absence of a client-side program running thereon.
[0017] Processors 142, 152, 162 may each be comprised of one or
more components configured as a single unit. Alternatively, when of
a multi-component form, processor 142, 152, 162 may each have one
or more components located remotely relative to the others. One or
more components of processor 142, 152, 162 may be of the electronic
variety defining digital circuitry, analog circuitry, or both. In
one embodiment, processor 142, 152, 162 are of a conventional,
integrated circuit microprocessor arrangement, such as one or more
PENTIUM 4 or XEON processors from INTEL Corporation of 2200 Mission
College Boulevard, Santa Clara, California, 95052, USA, or ATHLON
XP processors from Advanced Micro Devices, One AMD Place,
Sunnyvale, California, 94088, USA.
[0018] Memories 144, 154, 164 may include one or more types of
solid-state electronic memory, magnetic memory, or optical memory,
just to name a few. By way of non-limiting example, memories 144, 154, 164 may
include solid-state electronic Random Access Memory (RAM),
Sequentially Accessible Memory (SAM) (such as the First-In,
First-Out (FIFO) variety or the Last-In First-Out (LIFO) variety),
Programmable Read Only Memory (PROM), Electrically Programmable
Read Only Memory (EPROM), or Electrically Erasable Programmable
Read Only Memory (EEPROM); an optical disc memory (such as a DVD or
CD ROM); a magnetically encoded hard drive, floppy disk, tape, or
cartridge media; or a combination of any of these memory types.
Also, memories 144, 154, 164 may be volatile, nonvolatile, or a
hybrid combination of volatile and nonvolatile varieties.
[0019] In this exemplary embodiment, storage 146, 156, 166
comprises one or more of the memory types just given for memories
144, 154, 164, preferably selected from the non-volatile types.
[0020] This collection of information is used by system 100 in a
wide variety of ways. With reference to Fig. 3, assume for example
that a connection request 211 arrives at firewall 131 requesting
that data be transferred to computer 137. The payload of request
211 is, in this example, a probe request for a worm that takes
advantage of a particular security vulnerability in a certain
computer operating system. Based on characteristics of the
connection request 211, firewall 131 sends a query 213 to security
server 135. Query 213 includes information that security server 135
uses to determine (1) the intended destination of connection
request 211, and (2) some characterization of the payload of
connection request 211, such as a vulnerability identifier.
Security server 135 uses this information to determine whether
connection request 211 is attempting to take advantage of a
particular known vulnerability of destination machine 137, and uses
information from database 146 (see Fig. 2) to determine whether the
destination computer 137 has the vulnerable software installed, and
whether the vulnerability has been patched on computer 137, or
whether computer 137 has been configured so as to be invulnerable
to a particular attack.
[0021] Security server 135 sends result signal 217 back to firewall
131 with an indication of whether the connection request should be
granted or rejected. If it is to be granted, firewall 131 passes
the request to router 133 as request 219, and router 133 relays the
request as request 221 to computer 137, as is understood in the
art. If, on the other hand, signal 217 indicates that connection request 211 is to be rejected, firewall 131 drops or rejects connection request 211 as is understood in the art.
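The decision logic of paragraphs [0020] and [0021] (and the analogous Fig. 4 case, where the query comes from router 133), written out as an added Python example that is not part of the patent. The device-status table, the vulnerability record and all identifiers (ws-137, srv-139, VULN-1, PATCH-7, examplesvc) are constructed for illustration. The patent states the three checks (vulnerable software installed, patch applied, configured to be invulnerable) but not what to do when the destination has no status row or the payload matches no known vulnerability; the handling of those two cases below is a design choice of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class DeviceStatus:
    """One row of the real-time status table (database 146): what a client reports."""
    software: Dict[str, str]                               # product -> installed version
    patches: Set[str] = field(default_factory=set)         # patch identifiers applied
    config: Dict[str, str] = field(default_factory=dict)   # configuration key -> value


@dataclass
class Vulnerability:
    """One entry of the vulnerability and remediation data (database 110)."""
    product: str
    affected_versions: Set[str]   # versions known to be vulnerable
    fixing_patches: Set[str]      # applying any one of these closes the hole
    safe_config: Dict[str, str]   # key -> value; all must hold for the host to be out of reach


# Constructed device-status table; hostnames and software are invented for the example.
DEVICES = {
    "ws-137": DeviceStatus(software={"examplesvc": "2.0"},
                           config={"examplesvc.listen": "0.0.0.0"}),    # unpatched, exposed
    "srv-139": DeviceStatus(software={"examplesvc": "2.0"}, patches={"PATCH-7"}),
    "ws-140": DeviceStatus(software={"examplesvc": "2.0"},
                           config={"examplesvc.listen": "127.0.0.1"}),  # mitigated by configuration
    "ws-141": DeviceStatus(software={"othersvc": "9.1"}),              # vulnerable product absent
}

# Constructed vulnerability table; VULN-1 and PATCH-7 are invented identifiers.
VULNS = {
    "VULN-1": Vulnerability(product="examplesvc", affected_versions={"1.9", "2.0"},
                            fixing_patches={"PATCH-7"},
                            safe_config={"examplesvc.listen": "127.0.0.1"}),
}


def is_exposed(device: DeviceStatus, vuln: Vulnerability) -> bool:
    """The three checks of paragraph [0020]: vulnerable software installed,
    fix not applied, and not configured so that the attack cannot land."""
    version = device.software.get(vuln.product)
    if version is None or version not in vuln.affected_versions:
        return False
    if device.patches & vuln.fixing_patches:
        return False
    if vuln.safe_config and all(device.config.get(k) == v for k, v in vuln.safe_config.items()):
        return False
    return True


def decide(destination: str, vuln_id: str) -> str:
    """Answer query 213 (or 233): destination plus the vulnerability identifier
    that characterises the payload. Returns the GRANT/REJECT carried by result
    signal 217 (or 235).

    Design choices of this example, not stated in the patent: a payload that
    matches no known vulnerability gives the server nothing to reject on, so
    it is granted; a destination with no status row is refused (fail closed)."""
    vuln = VULNS.get(vuln_id)
    if vuln is None:
        return "GRANT"
    device = DEVICES.get(destination)
    if device is None:
        return "REJECT"
    return "REJECT" if is_exposed(device, vuln) else "GRANT"
```

A query for ws-137 with VULN-1 is rejected, while the same payload bound for the patched srv-139, the re-bound ws-140, or ws-141 (which does not run the product) is passed. The fail-closed choice for an unknown destination is worth deciding explicitly in a real deployment: it blocks traffic to devices that have not yet reported, which is safe but visible to users.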
[0022] Analogous operation can protect computers within subnet 130
from compromised devices within subnet 130 as well. For example,
Fig. 4 illustrates subnet 130 with computer 137 compromised. Under
the control of a virus or worm, for example, computer 137 sends
connection attempt 231 to router 133 in an attempt to probe or take
advantage of a potential vulnerability in computer 139. On
receiving connection request 231, router 133 sends relevant
information about request 231 in a query 233 to security server
135. Similarly to the operation discussed above in relation to Fig.
3, security server 135 determines whether connection request 231
poses any threat, and in particular any threat to software on
computer 139. If so, security server 135 determines whether the
vulnerability has been patched, and if not, it determines whether
computer 139 has been otherwise configured to avoid damage due to
that vulnerability. Security server 135 replies with signal 235 to
query 233 with that answer. Router 133 uses response 235 to
determine whether to allow the connection attempt.
[0023] In some embodiments, upon a determination by security server
135 that a connection attempt or other attack has occurred against
a computer that is vulnerable (based on its current software,
patch, policy, and configuration status), security server 135
selects one or more remediation techniques from database 146 that
remediate the particular vulnerability. Based on a prioritization
previously selected by an administrator or the system designer, the
remediation technique(s) are applied (1) to the machine that was
attacked, (2) to all devices subject to the same vulnerability
(based on their real-time software, patch, policy, and
configuration status), or (3) to all devices to which the selected
remediation can be applied.
[0024] In various embodiments, remediation techniques include the
closing of open ports on the device; installation of a patch that
is known to correct the vulnerability; changing the device's
configuration; stopping, disabling, or removing services; setting
or modifying policies; and the like. Furthermore, in various
embodiments, events and actions are logged (preferably in a
non-volatile medium) for later analysis and review by system
administrators. In these embodiments, the log also stores
information describing whether the target device was vulnerable to
the attack.
[0025] A real-time status database according to the present
invention has many other applications as well. In some embodiments,
the database 146 is made available to an administrative console
running on security server 135 or other administrative terminal.
When a vulnerability is newly discovered in software that exists in
subnet 130, administrators can immediately see whether any devices
in subnet 130 are vulnerable to it, and if so, which ones. If a
means of remediation of the vulnerability is known, the remediation
can be selectively applied to only those devices subject to the
vulnerability.
[0026] In some embodiments, the database 146 is integrated into
another device, such as firewall 131 or router 133, or an
individual device on the network. While some of these embodiments
might avoid some failures due to network instability, they
substantially increase the complexity of the device itself. For
this reason, as well as the complexity of maintaining security
database functions when integrated with other functions, the
network-attached device embodiment described above in relation to
Figs. 1-4 is preferred.
[0027] In a preferred embodiment, a software development kit (SDK)
allows programmers to develop security applications that access the
data collected in database 146. The applications developed with the
SDK access information using a defined application programming
interface (API) to retrieve vulnerability, remediation, and device
status information available to the system. The applications then
make security-related determinations and are enabled to take
certain actions based on the available data.
[0028] In the preferred embodiment, database 146 includes
vulnerability and remediation information such that, for at least
one vulnerability, multiple methods of remediating the
vulnerability are specified. When the system has occasion to
implement or offer remediation of a vulnerability, all known
alternatives are presented that are relevant to the device or
machine's particular configuration or setup. For example, when a
vulnerability of a device is presented to an administrator, the
administrator is given a choice among the plurality of remediation
options to remediate the vulnerability. In some embodiments, the
administrator can select a preferred type of remediation that will
be applied if available and a fallback type. For example, an
administrator may select application of a policy setting over
installation of a software patch, so that the risk of disruption of
critical business systems is minimized.
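The multiple-path remediation table of claims 1 through 6 and paragraphs [0023] and [0028], as an added Python example that is not from the patent or from SecurityProfiling's product. A query returns every technique recorded for a vulnerability (the response signal of claim 1); automatic selection applies an administrator's type-preference schedule with fallback to the next preferred type (claims 3 to 6 and the policy-over-patch preference of [0028]); the result is then scoped to the attacked device, to all devices exposed to the same vulnerability, or to all devices the technique can be applied to (the three options of [0023]). Every identifier, platform name and the inventory below are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# The three remediation types named in claim 1.
PATCH, POLICY, CONFIG = "patch", "policy setting", "configuration option"


@dataclass(frozen=True)
class Remediation:
    rid: str               # remediation identifier (invented)
    rtype: str             # one of PATCH, POLICY, CONFIG
    platforms: frozenset   # platforms the technique can be applied to
    action: str            # what an agent would do; free text in this example


# Constructed remediation table: vulnerability identifier -> techniques, in table order.
# VULN-1 has three paths, one of each type; VULN-2 has a single patch.
REMEDIATIONS = {
    "VULN-1": (
        Remediation("PATCH-7", PATCH, frozenset({"winxp", "win2003"}), "install hotfix PATCH-7"),
        Remediation("POL-3", POLICY, frozenset({"winxp", "win2003"}), "set policy examplesvc.remote_access=deny"),
        Remediation("CFG-2", CONFIG, frozenset({"winxp", "win2003", "linux"}), "bind examplesvc to 127.0.0.1"),
    ),
    "VULN-2": (
        Remediation("PATCH-9", PATCH, frozenset({"linux"}), "install package update PATCH-9"),
    ),
}

# Constructed real-time inventory: host -> (platform, vulnerabilities it is currently exposed to).
INVENTORY = {
    "ws-137": ("winxp", {"VULN-1"}),
    "srv-139": ("win2003", {"VULN-1"}),
    "ws-140": ("winxp", set()),
    "lx-150": ("linux", {"VULN-2"}),
}


def respond(vuln_id: str) -> Tuple[Remediation, ...]:
    """Response signal for a query carrying vuln_id: every known technique for it."""
    return REMEDIATIONS.get(vuln_id, ())


def select(techniques: Iterable[Remediation], platform: str, preference: Tuple[str, ...]) -> Optional[Remediation]:
    """Automatic selection: the technique whose type comes earliest in the
    administrator's preference schedule and that applies to this platform.
    A type missing from the schedule is never chosen, so the caller can tell
    'no acceptable path' apart from 'chosen' and fall back to asking the user."""
    applicable = [t for t in techniques if platform in t.platforms]
    for rtype in preference:
        for t in applicable:
            if t.rtype == rtype:
                return t
    return None


def targets(scope: str, attacked: str, vuln_id: str, chosen: Remediation) -> set:
    """The three application scopes of paragraph [0023]."""
    if scope == "attacked":
        return {attacked} if attacked in INVENTORY else set()
    if scope == "same_vulnerability":
        return {h for h, (_, vulns) in INVENTORY.items() if vuln_id in vulns}
    if scope == "all_applicable":
        return {h for h, (plat, _) in INVENTORY.items() if plat in chosen.platforms}
    raise ValueError(f"unknown scope {scope!r}")


def plan(attacked: str, vuln_id: str, preference: Tuple[str, ...], scope: str) -> dict:
    """Query, automatic selection for the attacked host's platform, then scoping.
    Returns {} when no technique fits the schedule, leaving the user-choice path of claim 2."""
    platform = INVENTORY[attacked][0]
    chosen = select(respond(vuln_id), platform, preference)
    if chosen is None:
        return {}
    return {"technique": chosen.rid, "action": chosen.action,
            "apply_to": sorted(targets(scope, attacked, vuln_id, chosen))}
```

With the schedule (POLICY, CONFIG, PATCH) the attack on ws-137 is answered with POL-3 rather than the hotfix, which is the low-disruption preference [0028] describes; a Linux host, for which no policy technique exists, falls through to CFG-2. Note that the "all_applicable" scope deliberately includes ws-140, which is not exposed: that is what applying a hardening configuration everywhere it fits means, and it is the scope to pick only when the technique is safe on non-vulnerable hosts.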
[0029] In other embodiments, an administrator or other user is presented with a set of user interface elements that identify the vulnerability and multiple options for remediating it. The administrator or user selects the method to be used, and that remediation is applied to the vulnerable device(s).
[0030] All publications, prior applications, and other documents
cited herein are hereby incorporated by reference in their entirety
as if each had been individually incorporated by reference and
fully set forth.
[0031] While the invention has been illustrated and described in
detail in the drawings and foregoing description, the same is to be
considered as illustrative and not restrictive in character, it
being understood that only the preferred embodiments have been
shown and described and that all changes and modifications that
would occur to one skilled in the relevant art are desired to be
protected.
* * * * *