US 2017/0048266 A1

(19) United States
(12) Patent Application Publication
     Hovor et al.
(10) Pub. No.: US 2017/0048266 A1
(43) Pub. Date: Feb. 16, 2017

(54) COMPUTER ASSET VULNERABILITIES
(71) Applicant: Accenture Global Services Limited, Dublin (IE)
(72) Inventors: Elvis Hovor, Clarksburg, MD (US); Shaan Mulchandani, Arlington, VA (US); Matthew Carver, Washington, DC (US)
(21) Appl. No.: 14/841,007
(22) Filed: Aug. 31, 2015

Related U.S. Application Data
(60) Provisional application No. 62/204,830, filed on Aug. 13, 2015.

Publication Classification
(51) Int. Cl.
     H04L 29/06 (2006.01)
(52) U.S. Cl.
     CPC: H04L 63/1433 (2013.01)

(57) ABSTRACT
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining a network path between computer assets. One of the methods includes receiving an asset topology that includes an identifier for each computer-related asset that may be an entry point for an attack simulation, receiving threat data that identifies vulnerabilities of computer-related assets, determining a first computer-related asset that may be an entry point for an attack simulation, identifying one or more first vulnerabilities of the first computer-related asset, determining a path from the first computer-related asset to a second computer-related asset, determining one or more second vulnerabilities of the second computer-related asset, determining a probability that the second computer-related asset will be compromised by an adversary, and determining a change to the asset topology to reduce the probability that the second computer-related asset will be compromised by an adversary.

[Front-page drawing: flowchart 500]
For at least one computer asset on a path between a first computer asset and a second computer asset:
502: Determine, using an asset topology, all of subsequent computer assets directly connected to the computer asset not including any computer assets used to access the computer asset
504: Determine, for each of the subsequent computer assets, one or more vulnerabilities of the subsequent computer asset
506: Determine, for each of the subsequent computer assets using the vulnerabilities of the subsequent computer asset, a probability that the subsequent computer asset will be compromised by an adversary
508: Select a particular subsequent computer asset with the probability greater than the probabilities of the other subsequent computer assets as the next computer asset in the path between the first computer asset and the second computer asset

WIZ, Inc. EXHIBIT - 1085
WIZ, Inc. v. Orca Security LTD.

Patent Application Publication    Feb. 16, 2017    Sheet 1 of 7    US 2017/0048266 A1

[FIG. 1A: drawing of environment 100 showing an Entity Network and a Non-entity Network. Legible labels: Asset B 106b, Asset C 106c, Asset D, Asset F, Asset G; connections 108a through 108g, 110a and 110b.]

[Sheet 2 of 7, FIG. 1B: drawing of environment 100 showing Entity Network 102 and Non-entity Network 104. Legible labels: Asset B 106b, Asset C, Asset D, Asset E, Asset F, Asset G, Device, Application; connections 108a through 108g, 110a and 110b.]

[Sheet 3 of 7, FIG. 2: Asset Threat Model, drawing 200. Legible labels: Asset Inventory 202; Prioritize and categorize asset types; Asset Categorization; Determine network layout and asset interactions; Asset Topology; Update priorities and categories based on interdependencies; Network architecture and asset interdependencies; Threat Data; Exploits; Incidents 216; TTPs; Exploits Leveraged; Frequency of Exploit Utilization and Success; Likely Paths of Compromise; Prioritization of Attack Paths; Severity of Exploits; Probability of Attack Success; Severity.]

[Sheet 4 of 7, FIG. 3: drawing of environment 300. Legible labels: Cyber-Risk System 302; Asset Topology; Threat Data 214; Topology Generation System; Vulnerability System; Scoring System; Trend Analysis System; Network; Threat Data; Exploits; Incidents; Adversary Tactics, Techniques, and Procedures (TTPs).]

[Sheet 5 of 7, FIG. 4: flowchart 400]
402: Receive an asset topology that identifies one or more first computer assets each of which is directly connected to a network that is not controlled by an entity without intervening hardware and one or more second computer assets each of which is not directly connected to a network that is not controlled by the entity
404: Receive threat data that identifies vulnerabilities of computer assets
406: Determine, using the asset topology, a first computer asset that is one of the first computer assets
408: Identify, using the threat data, one or more vulnerabilities of the first computer asset
410: Determine, using the asset topology and the threat data, a path from the first computer asset to a second computer asset that is one of the second computer assets
412: Determine, using the threat data, one or more vulnerabilities of the second computer asset
414: Determine a probability that the second computer asset will be compromised by an adversary
416: Determine, using the asset topology, a change to the asset topology to reduce the probability that the second computer asset will be compromised by an adversary
418: Provide information about the change to the asset topology for presentation to a user
420: Implement the change to the asset topology
422: Receive new threat data over a predetermined period of time
424: Determine, using the new threat data, paths from the first computer assets to the second computer assets over the predetermined period of time
426: Determine trends in the paths from the first computer assets to the second computer assets over the predetermined period of time

[Sheet 6 of 7, FIG. 5: flowchart 500]
For at least one computer asset on a path between a first computer asset and a second computer asset:
502: Determine, using an asset topology, all of subsequent computer assets directly connected to the computer asset not including any computer assets used to access the computer asset
504: Determine, for each of the subsequent computer assets, one or more vulnerabilities of the subsequent computer asset
506: Determine, for each of the subsequent computer assets using the vulnerabilities of the subsequent computer asset, a probability that the subsequent computer asset will be compromised by an adversary
508: Select a particular subsequent computer asset with the probability greater than the probabilities of the other subsequent computer assets as the next computer asset in the path between the first computer asset and the second computer asset

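The following example is added here and is not code from the application. It walks through the next-asset selection of FIG. 5 (steps 502-508) and the change evaluation of FIG. 4 (step 416), using a software update as the change, as paragraph [0005] describes. The topology, vulnerability labels, probabilities and list of available updates are constructed, and the noisy-OR rule per asset and the product rule per path are assumptions, because the application does not state how the probabilities are computed.

```python
from math import prod

# Constructed sample inputs (illustrative only, not from the application).
# Asset topology: asset -> directly connected assets; "web" is the external facing asset.
TOPOLOGY = {
    "web": ["app", "mail"],
    "mail": ["web", "files"],
    "app": ["web", "db", "files"],
    "files": ["mail", "app", "db"],
    "db": ["app", "files"],
}
# Threat data: asset -> {vulnerability label: assumed probability of exploitation}.
THREAT_DATA = {
    "web": {"W-1": 0.5, "W-2": 0.4},
    "mail": {"M-1": 0.3},
    "app": {"A-1": 0.5, "A-2": 0.2},
    "files": {"F-1": 0.4},
    "db": {"D-1": 0.7},
}
# Software updates assumed to be available, as (asset, vulnerability fixed).
AVAILABLE_UPDATES = [("web", "W-2"), ("app", "A-1"), ("app", "A-2"), ("files", "F-1")]


def asset_probability(asset, threat_data):
    """Step 506. Assumption: noisy-OR over independent vulnerabilities."""
    return 1.0 - prod(1.0 - p for p in threat_data.get(asset, {}).values())


def greedy_path(topology, threat_data, first, second):
    """Steps 502-508 repeated until `second` is reached; None on a dead end."""
    path = [first]
    while path[-1] != second:
        # 502: neighbours of the current asset, minus assets already on the path
        # (this example's reading of "assets used to access the computer asset").
        candidates = sorted(a for a in topology.get(path[-1], ()) if a not in path)
        # 504/506: look up each candidate's vulnerabilities and score it.
        scored = [(asset_probability(a, threat_data), a) for a in candidates]
        # 508: take the most likely candidate; ties go to the first name.
        best_p, best = max(scored, key=lambda s: s[0], default=(0.0, None))
        if best_p == 0.0:  # no remaining neighbour has a known vulnerability
            return None
        path.append(best)
    return path


def path_probability(path, threat_data):
    """Assumption: every asset on the path must fall, independently."""
    if path is None:
        return 0.0
    return prod(asset_probability(a, threat_data) for a in path)


def apply_update(threat_data, asset, vuln):
    """Return a copy of the threat data with one vulnerability fixed."""
    patched = {a: dict(v) for a, v in threat_data.items()}
    patched.get(asset, {}).pop(vuln, None)
    return patched


def best_change(topology, threat_data, first, second, updates):
    """Step 416: re-simulate after each candidate update and keep the one that
    leaves the lowest probability of reaching `second`."""
    results = []
    for asset, vuln in updates:
        patched = apply_update(threat_data, asset, vuln)
        path = greedy_path(topology, patched, first, second)
        results.append((path_probability(path, patched), asset, vuln, path))
    return min(results, key=lambda r: r[0])


if __name__ == "__main__":
    base = greedy_path(TOPOLOGY, THREAT_DATA, "web", "db")
    print("baseline path:", base, round(path_probability(base, THREAT_DATA), 4))
    p, asset, vuln, path = best_change(TOPOLOGY, THREAT_DATA, "web", "db", AVAILABLE_UPDATES)
    print(f"best update: fix {vuln} on {asset}; new path {path}, probability {p:.4f}")
```

Each candidate update is re-simulated rather than rescored on the old path, because fixing A-1 makes the walk reroute through mail and files, which is where most of the drop from 0.294 to 0.0588 comes from.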
[Sheet 7 of 7: drawing not legible in this copy.]

COMPUTER ASSET VULNERABILITIES

BACKGROUND

[0001] Some entities in the security industry face an increasing necessity to understand the impact and priorities of cyber threats against entities, while being constrained by limited resources to respond by adapting controls and validating patches. For instance, some threat actors and vectors have a significantly disproportionate growth and presence compared to that of practical, scalable remediation approaches.

SUMMARY

[0002] In general, one innovative aspect of the subject matter described in this specification can be embodied in methods that include the actions of receiving an asset topology that identifies an entity's computer-related assets, how the computer-related assets are connected together via one or more networks controlled by the entity, and an identifier for each computer-related asset that is an external facing asset, wherein the asset topology identifies one or more first computer-related assets each of which is an external facing asset and one or more second computer-related assets each of which is not an external facing asset, receiving threat data that identifies vulnerabilities of computer-related assets, determining, using the identifiers for the computer-related assets that may be an entry point for an attack simulation, a first computer-related asset that is one of the first computer-related assets, identifying, using the threat data, one or more first vulnerabilities of the first computer-related asset, determining, using the asset topology and the threat data, a path from the first computer-related asset to a second computer-related asset that is one of the second computer-related assets, determining, using the threat data, one or more second vulnerabilities of the second computer-related asset, determining, using the one or more second vulnerabilities of the second computer-related asset, a probability that the second computer-related asset will be compromised by an adversary's device, determining, using the asset topology and the threat data, a change to the asset topology to reduce the probability that the second computer-related asset will be compromised by an adversary's device, and providing information about the change to the asset topology for presentation to a user or implementing the change to the asset topology. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods. A system of one or more computers can be configured to perform particular operations or actions by virtue of having software, firmware, hardware, or a combination of them installed on the system that in operation causes or cause the system to perform the actions. One or more computer programs can be configured to perform particular operations or actions by virtue of including instructions that, when executed by data processing apparatus, cause the apparatus to perform the actions.

[0003] In general, one innovative aspect of the subject matter described in this specification can be embodied in methods that include the actions of receiving an asset topology that identifies an entity's computer-related assets, how the computer-related assets are connected together via one or more networks controlled by the entity, and an identifier for each computer-related asset that may be an entry point for an attack simulation, wherein the asset topology identifies one or more first computer-related assets each of which is a potential entry point for an attack simulation and one or more second computer-related assets each of which is not a potential entry point for an attack simulation, receiving threat data that identifies vulnerabilities of computer-related assets, determining, using the identifiers for the computer-related assets that may be an entry point for an attack simulation, a first computer-related asset that is one of the first computer-related assets, identifying, using the threat data, one or more first vulnerabilities of the first computer-related asset, determining, using the asset topology and the threat data, a path from the first computer-related asset to a second computer-related asset that is one of the second computer-related assets, determining, using the threat data, one or more second vulnerabilities of the second computer-related asset, determining, using the one or more second vulnerabilities of the second computer-related asset, a probability that the second computer-related asset will be compromised by an adversary, determining, using the asset topology and the threat data, a change to the asset topology to reduce the probability that the second computer-related asset will be compromised by an adversary, and providing information about the change to the asset topology for presentation to a user or implementing the change to the asset topology. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods. A system of one or more computers can be configured to perform particular operations or actions by virtue of having software, firmware, hardware, or a combination of them installed on the system that in operation causes or cause the system to perform the actions. One or more computer programs can be configured to perform particular operations or actions by virtue of including instructions that, when executed by data processing apparatus, cause the apparatus to perform the actions.

[0004] The foregoing and other embodiments can each optionally include one or more of the following features, alone or in combination. The method may include determining, for each of the first computer related assets and each of the second computer related assets, a path from the first computer related asset to the second computer related asset. The method may include receiving new threat data over a predetermined period of time, determining, using the new threat data, paths from the first computer related assets to the second computer related assets over the predetermined period of time, and determining trends in the paths from the first computer related assets to the second computer related assets over the predetermined period of time. Determining the trends in the paths from the first computer related assets to the second computer related assets over the predetermined period of time may include determining a recurring path of compromise that has a high probability that one or more assets on the recurring path will be compromised by an adversary's device over at least a threshold value of times during the predetermined period of time.

[0005] In some implementations, the method may include determining, using the trends in the paths from the first computer related assets to the second computer related assets, a probability that a particular second computer related asset will be compromised by an adversary's device over the predetermined period of time that is greater than probabilities that the other second computer related assets will be compromised by an adversary's device over the predetermined period of time, and determining, using the asset topology and the new threat data, a change to the asset topology to reduce the probability that the particular second computer related asset will be compromised by an adversary's device. The method may include providing information about the change to the asset topology for presentation to a user. The method may include implementing the change to the asset topology. Determining, using the asset topology and the new threat data, a change to the asset topology to reduce the probability that the particular second computer related asset will be compromised by an adversary's device may include determining a software update to apply to one of the computer related assets identified by the asset topology. Implementing the change to the asset topology may include applying the software update to the one of the computer related assets identified by the asset topology.

[0006] In some implementations, the method may include determining, for the one or more first vulnerabilities, a first probability that the vulnerability will be compromised by an adversary's device. Determining, using the asset topology and the threat data, the path from the first computer related asset to the second computer related asset may include determining, for each computer related asset on the path between the first computer related asset and the second computer related asset, one or more vulnerabilities for the computer related asset, and determining, for the one or more vulnerabilities of the computer related asset, corresponding probabilities that the computer related asset will be compromised by an adversary's device. The method may include for at least one of the computer related assets on the path between the first computer related asset and the second computer related asset: determining, using the asset topology, all of subsequent computer related assets directly connected to the computer related asset not including any
