(12) Patent Application Publication
(10) Pub. No.: US 2013/0191919 A1
Basavapatna et al.
(43) Pub. Date: Jul. 25, 2013

(54) CALCULATING QUANTITATIVE ASSET RISK

(75) Inventors: Prasanna Ganapathi Basavapatna, Bangalore (IN); Deepakeshwaran Kolingivadi, San Jose, CA (US); Sven Schrecker, San Marcos, CA (US)

(73) Assignee: McAfee, Inc.

(21) Appl. No.: 13/354,181

(22) Filed: Jan. 19, 2012

Publication Classification

(51) Int. Cl.
G06F 21/00 (2006.01)

(52) U.S. Cl.
USPC 726/25

(57) ABSTRACT

A standardized vulnerability score is identified for a particular vulnerability in a plurality of known vulnerabilities, the standardized vulnerability score indicating a relative level of risk associated with the particular vulnerability relative other vulnerabilities. A vulnerability detection score is determined that indicates an estimated probability that a particular asset possess the particular vulnerability and a vulnerability composite score is determined for the particular asset to the particular vulnerability, the vulnerability composite score derived from the standardized vulnerability score and the vulnerability detection score. A countermeasure component score is identified that indicates an estimated probability that a countermeasure will mitigate risk associated with the particular vulnerability on the particular asset. A risk metric for the particular asset and the particular vulnerability is determined from the vulnerability composite score and the countermeasure component score. In some instances, aggregate risk scores can be calculated from a plurality of calculated risk metrics.

[Front-page drawing: block diagram of the sources of data used by the network monitor. Recoverable block labels: threat information service; threat definition data; vulnerability information services; vulnerability definition data; countermeasure source(s) (network-based, host-based); countermeasure detection data; countermeasures protecting asset; countermeasures not protecting asset; vulnerability data source(s) (network-based, host-based); vulnerability detection data; asset test outcomes; configuration data source(s) (host-based); asset configuration data; hardware configuration; software configuration; reconcilers; network monitor.
Fields listed under threat definition data: threat identifier, threat vector(s), countermeasures, protections score, required configuration, applicability, severity score, detection details, other threat details.
Fields listed under vulnerability definition data: vulnerability identifier, countermeasures, protections score, required configuration, applicability, severity score, detection details, other vulnerability details.]

WIZ, Inc. EXHIBIT - 1025
WIZ, Inc. v. Orca Security LTD.

[Sheet 1 of 4: FIG. 1. Recoverable labels: SENSOR, SENSOR, NETWORK MONITOR; reference numerals 102 and 106.]

[Sheet 2 of 4: FIG. 2, printed rotated. The scan text is not recoverable; the legible fragments carry the same block labels as the front-page drawing.]

[Sheet 3 of 4]

FIG. 3A (process 300; boxes 302, 304, 306)
DETERMINE A THREAT FACTOR FOR AN ASSET AND A THREAT
DETERMINE AN EXPOSURE FACTOR FOR THE ASSET AND THE THREAT FROM THE THREAT FACTOR
DETERMINE A RISK METRIC FOR THE ASSET AND THE THREAT FROM THE EXPOSURE FACTOR AND A CRITICALITY SCORE FOR THE ASSET

FIG. 3B (process 350; boxes 352, 354, 356, 358)
IDENTIFY A STANDARDIZED VULNERABILITY SCORE FOR A VULNERABILITY
DETERMINE A VULNERABILITY DETECTION SCORE FOR AN ASSET
DETERMINE A COUNTERMEASURE SCORE FOR THE ASSET AND THE VULNERABILITY
DETERMINE A RISK METRIC FOR THE ASSET AND THE VULNERABILITY FROM THE STANDARDIZED VULNERABILITY SCORE, VULNERABILITY DETECTION SCORE, AND COUNTERMEASURE SCORE FOR THE VULNERABILITY AND THE ASSET

[Sheet 4 of 4]

FIG. 4 (process 400; boxes 402, 404)
RECEIVE RISK METRICS FOR ASSETS FOR A PARTICULAR VULNERABILITY
CALCULATE AN AGGREGATE RISK METRIC FOR THE PARTICULAR VULNERABILITY FROM THE RISK METRICS FOR THE ASSETS FOR THE PARTICULAR VULNERABILITY

FIG. 5 (process 500; boxes 502, 504)
RECEIVE RISK METRICS FOR A PARTICULAR ASSET FOR EACH OF SEVERAL VULNERABILITIES
CALCULATE AN AGGREGATE RISK METRIC FOR THE PARTICULAR ASSET FROM THE RISK METRICS FOR THE ASSET AND EACH OF SEVERAL VULNERABILITIES

FIG. 6 (user interface 600)
TOP TEN MOST-AT-RISK ASSETS ACCORDING TO RISK METRIC

ASSET NAME (602)                  RISK METRIC (604)   LAST DATE PATCHED (606)
ASSET 12345 ("mailserver")        58.1                1/4/2010
ASSET 16549 ("webserverA")        57.9                2/2/2010
ASSET 16429 ("webserverB")        57.8                2/2/2009
ASSET 26430 ("webserverC")        56.0                5/12/2010
ASSET 15350 ("mailserverB")       55.9                3/28/2010
ASSET 18529 ("mailserverD")       53.0                6/5/2010
ASSET 25405 ("webserverD")        52.4                1/5/2009
ASSET 16429 ("usercomputer1")     52.3                1/6/2009
ASSET 14345 ("usercomputer2")     51.9                5/9/2010
ASSET 15420 ("usercomputer3")     51.5                8/10/2010

CALCULATING QUANTITATIVE ASSET RISK

TECHNICAL FIELD

[0001] This disclosure relates in general to the field of computer security assessment and, more particularly, to calculating risk metrics for assets in a system of computing assets.

BACKGROUND

[0002] An asset is a computer or other electronic device. A system of assets can be connected over one or more networks. For example, a home might have five assets, each of which are networked to each other and connected to the outside world through the Internet. As another example, a business might have three physically separate offices, each of which has many assets. The assets within each office and the assets across the offices can be connected over a network.

[0003] Each asset in a system of assets can be at risk from multiple threats at any given time. Each threat can correspond to a potential attack on the asset by a particular virus, malware, or other unauthorized entity. An attack occurs when the unauthorized entity exploits a known vulnerability of the asset in an attempt to access or control the asset. Some threats and vulnerabilities have known remediations that, if put in place for an asset, eliminate or reduce the risk that the threat will affect the asset. Some threats do not have known remediations. Further, some known vulnerabilities may not be associated with known threats.

BRIEF DESCRIPTION OF THE DRAWINGS

[0004] FIG. 1 is a simplified schematic diagram of an example asset system monitored by a network monitor;

[0005] FIG. 2 is a simplified block diagram of an example of the sources of data used by a network monitor;

[0006] FIG. 3A is a flow diagram of an example process for generating a threat-centric risk metric for an asset and a threat;

[0007] FIG. 3B is a flow diagram of an example process for generating a vulnerability-centric risk metric for an asset and a vulnerability;

[0008] FIG. 4 is a flow diagram of an example process for aggregating risk metrics for assets on a per-threat or per-vulnerability basis; and

[0009] FIG. 5 is a flow diagram of an example process for aggregating risk metrics on a per asset basis.

[0010] FIG. 6 is an example user interface presenting the top ten most at-risk assets according to the aggregate risk metric for the assets.

[0011] Like reference numbers and designations in the various drawings indicate like elements.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

Overview

[0012] In general, one aspect of the subject matter described in this specification can be embodied in methods that include the actions of identifying a standardized vulnerability score for a particular vulnerability in a plurality of known vulnerabilities, the standardized vulnerability score indicating a relative level of risk associated with the particular vulnerability relative other vulnerabilities. A vulnerability detection score can be determined that indicates an estimated probability that a particular asset possess the particular vulnerability and a vulnerability composite score can be determined for the particular asset to the particular vulnerability, the vulnerability composite score derived from the standardized vulnerability score and the vulnerability detection score. A countermeasure component score can be identified that indicates an estimated probability that a countermeasure will mitigate risk associated with the particular vulnerability on the particular asset. A risk metric for the particular asset and the particular vulnerability can be determined from the vulnerability composite score and the countermeasure component score.

[0013] Further, in another general aspect, a system can be provided including at least one processor device, at least one memory element, and a network monitor. The network monitor, when executed by the processor, can identify a standardized vulnerability score for a particular vulnerability in a plurality of known vulnerabilities, the standardized vulnerability score indicating a relative level of risk associated with the particular vulnerability relative other vulnerabilities. The network monitor can further determine a vulnerability detection score indicating an estimated probability that a particular asset possess the particular vulnerability, determine a vulnerability composite score for the particular asset to the particular vulnerability derived from the standardized vulnerability score and the vulnerability detection score. Further, the network monitor can identify a countermeasure component score indicating an estimated probability that a countermeasure will mitigate risk associated with the particular vulnerability on the particular asset and determine a risk metric for the particular asset and the particular vulnerability from the vulnerability composite score and the countermeasure component score.

[0014] Further, one aspect of the subject matter described in this specification can be embodied in methods that include the actions of receiving vulnerability definition data including, for each of a plurality of vulnerabilities, an indication of the vulnerability, an identification of one or more countermeasures that reduce a risk associated with possession of the vulnerability by an asset, an indication of a level of protection potentially afforded by each countermeasure for the vulnerability, and applicability information describing one or more configurations of assets to which the vulnerability applies. Vulnerability detection data, countermeasure detection data, and configuration data can also be received for each of one or more assets, the vulnerability detection data identifies vulnerabilities applicable to the asset, the countermeasure detection data for each asset identifying one or more countermeasures protecting the asset, and the configuration data for each asset describes a configuration of the asset. A respective risk metric can be determined for each of the one or more assets for each of the one or more vulnerabilities. Determining the risk metric can include, for each asset and each vulnerability: identifying a standardized vulnerability score for the vulnerability, the standardized vulnerability score indicating a relative level of risk associated with the vulnerability relative other vulnerabilities; determining a vulnerability detection score for the asset from the vulnerability detection data for the asset; determining a vulnerability composite score for the particular asset to the particular vulnerability derived from the standardized vulnerability score and the vulnerability detection score; determining a countermeasure component score from the vulnerability definition data and the countermeasure detection data by analyzing the level of protection afforded by each countermeasure identified in both the vulnerability definition data for the vulnerability and in the countermeasure data as protecting the asset; and determining the risk metric for the asset and the vulnerability from the vulnerability composite score and the countermeasure component score.

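
The per-asset, per-vulnerability procedure of paragraph [0014], worked through as an added Python example; it is not code from the application, which names the inputs and outputs but gives no formulas on this page. Assumed here: a 0-10 standardized score, probabilities in 0..1, a 0.5 detection score for an untested but applicable configuration, credit for only the strongest matching countermeasure, multiplication as the combining step and summation as the aggregate; vulnerability identifiers, software names and all values are constructed.

```python
from dataclasses import dataclass, field

# Assumed for this example: scores on a 0-10 scale, probabilities in 0..1,
# and every combining formula below. The page names inputs and outputs only.
UNTESTED_BUT_APPLICABLE = 0.5  # assumed probability when no test outcome exists


@dataclass
class VulnDefinition:
    vuln_id: str               # constructed identifier
    standardized_score: float  # CVSS-style standardized vulnerability score
    protections: dict          # countermeasure name -> level of protection (0..1)
    applies_to: set            # configurations the vulnerability applies to


@dataclass
class Asset:
    name: str
    software: set                                      # configuration data
    test_outcomes: dict = field(default_factory=dict)  # vuln_id -> True/False
    countermeasures: set = field(default_factory=set)  # detected on the asset


def detection_score(asset, vuln):
    """Estimated probability that the asset possesses the vulnerability."""
    outcome = asset.test_outcomes.get(vuln.vuln_id)
    if outcome is not None:
        return 1.0 if outcome else 0.0
    # No test ran: fall back on whether the configuration is applicable.
    return UNTESTED_BUT_APPLICABLE if asset.software & vuln.applies_to else 0.0


def countermeasure_score(asset, vuln):
    """Credit only countermeasures listed for this vulnerability AND detected
    on this asset; take the strongest one (assumed, avoids double counting)."""
    both = asset.countermeasures.intersection(vuln.protections)
    return max((vuln.protections[name] for name in both), default=0.0)


def risk_metric(asset, vuln):
    """Composite score (standardized x detection) reduced by the countermeasure score."""
    composite = vuln.standardized_score * detection_score(asset, vuln)
    return composite * (1.0 - countermeasure_score(asset, vuln))


def aggregate_by_asset(assets, vulns):
    """Per-asset aggregate (FIG. 5); summation is an assumed aggregate."""
    return {a.name: round(sum(risk_metric(a, v) for v in vulns), 2) for a in assets}


def aggregate_by_vulnerability(assets, vulns):
    """Per-vulnerability aggregate (FIG. 4), again by summation."""
    return {v.vuln_id: round(sum(risk_metric(a, v) for a in assets), 2) for v in vulns}


def most_at_risk(assets, vulns, top=10):
    """Ranking in the style of the FIG. 6 report."""
    totals = aggregate_by_asset(assets, vulns)
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)[:top]


# Constructed sample data; asset names borrowed from FIG. 6, values invented.
VULNS = [
    VulnDefinition("VULN-A", 10.0, {"host_ips": 0.8, "patch": 1.0}, {"httpd"}),
    VulnDefinition("VULN-B", 7.5, {"mail_filter": 0.6}, {"smtpd"}),
    VulnDefinition("VULN-C", 5.0, {}, {"httpd", "smtpd"}),
]
ASSETS = [
    # host_ips is installed but is not listed for VULN-B, so it earns no credit.
    Asset("mailserver", {"smtpd"}, {"VULN-B": True}, {"host_ips"}),
    Asset("webserverA", {"httpd"}, {"VULN-A": True}, {"host_ips"}),
    Asset("webserverB", {"httpd"}, {"VULN-A": False, "VULN-C": True}, set()),
]

if __name__ == "__main__":
    for name, score in most_at_risk(ASSETS, VULNS):
        print(f"{name:12} {score:5.1f}")
```

The mailserver row shows why the intersection matters: a countermeasure that is present on the asset but not named in the definition data for that vulnerability leaves the risk metric unreduced.
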
[0015] These and other embodiments can each optionally include one or more of the following features. The standardized vulnerability score can include a standardized component and an environmental component adjusting the standardized component to features of a particular system including the particular asset. The environmental component can represent criticality of the particular asset within the particular system and can be derived based on criticality data information for the particular asset, the criticality information defining an impact of losing the particular asset. Each of the standardized component and environmental component can include data describing a confidentiality impact to assets based on the particular vulnerability, an integrity impact to assets based on the particular vulnerability, and an availability impact to assets based on the particular vulnerability. The standardized component can include a temporal component reflecting changes to risk posed by the particular vulnerability over time. The standardized vulnerability score can be based, at least in part, on the standard score of the Common Vulnerability Scoring System (CVSS). Vulnerability definition data can be received for the particular vulnerability, the vulnerability definition data including an identification of the particular vulnerability, an identification of one or more countermeasures that reduce a risk that the vulnerability will affect an asset, countermeasure protection data indicating a level of protection potentially afforded by each countermeasure for the vulnerability, and applicability data describing one or more configurations of assets to which the vulnerability applies. Vulnerability detection data, countermeasure detection data, and configuration data for the particular asset can also be received; the vulnerability detection data for the particular asset including information suggesting whether the vulnerability is possessed by the particular asset, the countermeasure detection data for the asset identifying one or more countermeasures protecting the particular asset, and the configuration data for the particular asset describing a configuration of the particular asset. The countermeasure component score can be derived from at least the countermeasure protection data and the countermeasure detection data. The countermeasure component score can be further derived from the configuration data for the particular asset. Identifying the countermeasure component score can include calculating the countermeasure component score. The vulnerability detection score can be derived from at least the vulnerability detection data. The vulnerability detection score can be further derived from the configuration data for the particular asset.

[0016] Further, embodiments can each optionally include one or more of the following features. The determined risk metric for the particular asset can be a vulnerability-centric risk metric, a threat-centric risk metric can also be determined for the particular asset. Determining a threat-centric risk metric for the particular asset can include: determining a threat factor for the particular asset and particular threat derived from a threat severity score estimating a severity of the particular threat and an applicability score estimating the applicability of the particular threat to the particular asset; determining a threat exposure factor for the particular asset and the particular threat derived from the threat factor, a vulnerability component score, and a threat countermeasure component score, the vulnerability component score indicating whether the particular asset is vulnerable to the particular threat, and the countermeasure component score derived from an estimate of a likelihood that a second countermeasure will mitigate the effect of an attack on the particular asset relating to the particular threat. The threat-centric risk metric for the particular asset and the particular threat can be determined from the threat exposure factor and a criticality score for the particular asset, the criticality score representing an impact of losing the asset. The particular threat can take advantage of the particular vulnerability, the vulnerability component score can be equal to the vulnerability detection score, and the particular countermeasure can be the second countermeasure. Respective calculated values of the determined vulnerability-centric metric and threat-centric metric can be different.

[0017] Further, embodiments can each optionally include one or more of the following features. The standardized vulnerability score can have a value within a predefined range. The standardized countermeasure component score can also have a value within a predefined range. At least some vulnerabilities in the plurality of known vulnerabilities may be associated with at least one in a plurality of known threats, while the particular vulnerability is not associated with any of the known threats. A respective risk metric can be determined for the asset and each of the plurality of vulnerabilities and an
