US 2013/0191919 A1

(19) United States
(12) Patent Application Publication    (10) Pub. No.: US 2013/0191919 A1
Basavapatna et al.                     (43) Pub. Date: Jul. 25, 2013

(54) CALCULATING QUANTITATIVE ASSET RISK

(75) Inventors: Prasanna Ganapathi Basavapatna, Bangalore (IN); Deepakeshwaran Kolingivadi, San Jose, CA (US); Sven Schrecker, San Marcos, CA (US)

(73) Assignee: McAfee, Inc.

(21) Appl. No.: 13/354,181

(22) Filed: Jan. 19, 2012

Publication Classification

(51) Int. Cl. G06F 21/00 (2006.01)

(52) U.S. Cl. USPC 726/25

(57) ABSTRACT

A standardized vulnerability score is identified for a particular vulnerability in a plurality of known vulnerabilities, the standardized vulnerability score indicating a relative level of risk associated with the particular vulnerability relative to other vulnerabilities. A vulnerability detection score is determined that indicates an estimated probability that a particular asset possesses the particular vulnerability, and a vulnerability composite score is determined for the particular asset with respect to the particular vulnerability, the vulnerability composite score derived from the standardized vulnerability score and the vulnerability detection score. A countermeasure component score is identified that indicates an estimated probability that a countermeasure will mitigate risk associated with the particular vulnerability on the particular asset. A risk metric for the particular asset and the particular vulnerability is determined from the vulnerability composite score and the countermeasure component score. In some instances, aggregate risk scores can be calculated from a plurality of calculated risk metrics.

[Representative drawing on the front page: FIG. 2, the block diagram of the network monitor's data sources, reproduced on Sheet 2 of 4.]

WIZ, Inc. EXHIBIT - 1048
WIZ, Inc. v. Orca Security LTD.


Patent Application Publication    Jul. 25, 2013    Sheet 1 of 4    US 2013/0191919 A1

FIG. 1 (simplified schematic): asset system 100 with assets 104a, 104b, 104c, 104d and 104e connected by network 106; host-based sensors 108a, 108b and 108c; network-based sensors 110a and 110b; network monitor 102.

Patent Application Publication    Jul. 25, 2013    Sheet 2 of 4    US 2013/0191919 A1

FIG. 2 (simplified block diagram of the sources of data used by network monitor 102; system 200). Blocks and labels recoverable from the drawing:
- Network monitor 102, containing reconcilers.
- Vulnerability information services supplying vulnerability definition data: vulnerability identifier; countermeasures; protections score; required configuration; applicability; severity score; detection details; other vulnerability details.
- Threat information service supplying threat definition data: threat identifier; threat vector(s); countermeasures; protections score; required configuration; applicability; severity score; detection details; other threat details.
- Countermeasure source(s) (network-based, host-based) supplying countermeasure detection data: countermeasures protecting asset; countermeasures not protecting asset.
- Vulnerability data source(s) (network-based, host-based) supplying vulnerability detection data: asset test outcomes.
- Configuration data source(s) supplying asset configuration data: hardware configuration; software configuration.
(Reference numerals 204, 205, 206, 207, 208, 209, 210, 212, 214 and 216 label these blocks in the drawing.)

Patent Application Publication    Jul. 25, 2013    Sheet 3 of 4    US 2013/0191919 A1

FIG. 3A (process 300, threat-centric risk metric):
  302: Determine a threat factor for an asset and a threat.
  304: Determine an exposure factor for the asset and the threat from the threat factor.
  306: Determine a risk metric for the asset and the threat from the exposure factor and a criticality score for the asset.

FIG. 3B (process 350, vulnerability-centric risk metric):
  352: Identify a standardized vulnerability score for a vulnerability.
  354: Determine a vulnerability detection score for an asset.
  356: Determine a countermeasure score for the asset and the vulnerability.
  358: Determine a risk metric for the asset and the vulnerability from the standardized vulnerability score, vulnerability detection score, and countermeasure score for the vulnerability and the asset.


Patent Application Publication    Jul. 25, 2013    Sheet 4 of 4    US 2013/0191919 A1

FIG. 4 (process 400, per-vulnerability aggregation):
  402: Receive risk metrics for assets for a particular vulnerability.
  404: Calculate an aggregate risk metric for the particular vulnerability from the risk metrics for the assets for the particular vulnerability.

FIG. 5 (process 500, per-asset aggregation):
  502: Receive risk metrics for a particular asset for each of several vulnerabilities.
  504: Calculate an aggregate risk metric for the particular asset from the risk metrics for the asset and each of several vulnerabilities.

FIG. 6 (example user interface 600): TOP TEN MOST-AT-RISK ASSETS ACCORDING TO RISK METRIC

ASSET NAME (602)                RISK METRIC (604)    LAST DATE PATCHED (606)
ASSET 12345 ("mailserver")      58.1                 1/4/2010
ASSET 16549 ("webserverA")      57.9                 2/2/2010
ASSET 16429 ("webserverB")      57.8                 2/2/2009
ASSET 26430 ("webserverC")      56.0                 5/12/2010
ASSET 15350 ("mailserverB")     55.9                 3/28/2010
ASSET 18529 ("mailserverD")     53.0                 6/5/2010
ASSET 25405 ("webserverD")      52.4                 1/5/2009
ASSET 16429 ("usercomputer1")   52.3                 1/6/2009
ASSET 14345 ("usercomputer2")   51.9                 5/9/2010
ASSET 15420 ("usercomputer3")   51.5                 8/10/2010

US 2013/0191919 A1    Jul. 25, 2013    Page 1

CALCULATING QUANTITATIVE ASSET RISK

TECHNICAL FIELD

[0001] This disclosure relates in general to the field of computer security assessment and, more particularly, to calculating risk metrics for assets in a system of computing assets.

BACKGROUND

[0002] An asset is a computer or other electronic device. A system of assets can be connected over one or more networks. For example, a home might have five assets, each of which is networked to the others and connected to the outside world through the Internet. As another example, a business might have three physically separate offices, each of which has many assets. The assets within each office and the assets across the offices can be connected over a network.

[0003] Each asset in a system of assets can be at risk from multiple threats at any given time. Each threat can correspond to a potential attack on the asset by a particular virus, malware, or other unauthorized entity. An attack occurs when the unauthorized entity exploits a known vulnerability of the asset in an attempt to access or control the asset. Some threats and vulnerabilities have known remediations that, if put in place for an asset, eliminate or reduce the risk that the threat will affect the asset. Some threats do not have known remediations. Further, some known vulnerabilities may not be associated with known threats.

BRIEF DESCRIPTION OF THE DRAWINGS

[0004] FIG. 1 is a simplified schematic diagram of an example asset system monitored by a network monitor;
[0005] FIG. 2 is a simplified block diagram of an example of the sources of data used by a network monitor;
[0006] FIG. 3A is a flow diagram of an example process for generating a threat-centric risk metric for an asset and a threat;
[0007] FIG. 3B is a flow diagram of an example process for generating a vulnerability-centric risk metric for an asset and a vulnerability;
[0008] FIG. 4 is a flow diagram of an example process for aggregating risk metrics for assets on a per-threat or per-vulnerability basis; and
[0009] FIG. 5 is a flow diagram of an example process for aggregating risk metrics on a per-asset basis.
[0010] FIG. 6 is an example user interface presenting the top ten most at-risk assets according to the aggregate risk metric for the assets.
[0011] Like reference numbers and designations in the various drawings indicate like elements.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

Overview

[0012] In general, one aspect of the subject matter described in this specification can be embodied in methods that include the actions of identifying a standardized vulnerability score for a particular vulnerability in a plurality of known vulnerabilities, the standardized vulnerability score indicating a relative level of risk associated with the particular vulnerability relative to other vulnerabilities. A vulnerability detection score can be determined that indicates an estimated probability that a particular asset possesses the particular vulnerability, and a vulnerability composite score can be determined for the particular asset with respect to the particular vulnerability, the vulnerability composite score derived from the standardized vulnerability score and the vulnerability detection score. A countermeasure component score can be identified that indicates an estimated probability that a countermeasure will mitigate risk associated with the particular vulnerability on the particular asset. A risk metric for the particular asset and the particular vulnerability can be determined from the vulnerability composite score and the countermeasure component score.

[0013] Further, in another general aspect, a system can be provided including at least one processor device, at least one memory element, and a network monitor. The network monitor, when executed by the processor, can identify a standardized vulnerability score for a particular vulnerability in a plurality of known vulnerabilities, the standardized vulnerability score indicating a relative level of risk associated with the particular vulnerability relative to other vulnerabilities. The network monitor can further determine a vulnerability detection score indicating an estimated probability that a particular asset possesses the particular vulnerability, and determine a vulnerability composite score for the particular asset with respect to the particular vulnerability derived from the standardized vulnerability score and the vulnerability detection score. Further, the network monitor can identify a countermeasure component score indicating an estimated probability that a countermeasure will mitigate risk associated with the particular vulnerability on the particular asset, and determine a risk metric for the particular asset and the particular vulnerability from the vulnerability composite score and the countermeasure component score.

[0014] Further, one aspect of the subject matter described in this specification can be embodied in methods that include the actions of receiving vulnerability definition data including, for each of a plurality of vulnerabilities, an indication of the vulnerability, an identification of one or more countermeasures that reduce a risk associated with possession of the vulnerability by an asset, an indication of a level of protection potentially afforded by each countermeasure for the vulnerability, and applicability information describing one or more configurations of assets to which the vulnerability applies. Vulnerability detection data, countermeasure detection data, and configuration data can also be received for each of one or more assets, where the vulnerability detection data identifies vulnerabilities applicable to the asset, the countermeasure detection data for each asset identifies one or more countermeasures protecting the asset, and the configuration data for each asset describes a configuration of the asset. A respective risk metric can be determined for each of the one or more assets for each of the one or more vulnerabilities. Determining the risk metric can include, for each asset and each vulnerability: identifying a standardized vulnerability score for the vulnerability, the standardized vulnerability score indicating a relative level of risk associated with the vulnerability relative to other vulnerabilities; determining a vulnerability detection score for the asset from the vulnerability detection data for the asset; determining a vulnerability composite score for the particular asset with respect to the particular vulnerability derived from the standardized vulnerability score and the vulnerability detection score; determining a countermeasure component score from the vulnerability definition data and the countermeasure detection data by analyzing the level of protection afforded by each countermeasure identified both in the vulnerability definition data for the vulnerability and in the countermeasure data as protecting the asset; and determining the risk metric for the asset and the vulnerability from the vulnerability composite score and the countermeasure component score.
[0015] These and other embodiments can each optionally include one or more of the following features. The standardized vulnerability score can include a standardized component and an environmental component adjusting the standardized component to features of a particular system including the particular asset. The environmental component can represent criticality of the particular asset within the particular system and can be derived based on criticality information for the particular asset, the criticality information defining an impact of losing the particular asset. Each of the standardized component and environmental component can include data describing a confidentiality impact to assets based on the particular vulnerability, an integrity impact to assets based on the particular vulnerability, and an availability impact to assets based on the particular vulnerability. The standardized component can include a temporal component reflecting changes to risk posed by the particular vulnerability over time. The standardized vulnerability score can be based, at least in part, on the standard score of the Common Vulnerability Scoring System (CVSS). Vulnerability definition data can be received for the particular vulnerability, the vulnerability definition data including an identification of the particular vulnerability, an identification of one or more countermeasures that reduce a risk that the vulnerability will affect an asset, countermeasure protection data indicating a level of protection potentially afforded by each countermeasure for the vulnerability, and applicability data describing one or more configurations of assets to which the vulnerability applies. Vulnerability detection data, countermeasure detection data, and configuration data for the particular asset can also be received; the vulnerability detection data for the particular asset including information suggesting whether the vulnerability is possessed by the particular asset, the countermeasure detection data for the asset identifying one or more countermeasures protecting the particular asset, and the configuration data for the particular asset describing a configuration of the particular asset. The countermeasure component score can be derived from at least the countermeasure protection data and the countermeasure detection data. The countermeasure component score can be further derived from the configuration data for the particular asset. Identifying the countermeasure component score can include calculating the countermeasure component score. The vulnerability detection score can be derived from at least the vulnerability detection data. The vulnerability detection score can be further derived from the configuration data for the particular asset.
[0016] Further, embodiments can each optionally include one or more of the following features. The determined risk metric for the particular asset can be a vulnerability-centric risk metric; a threat-centric risk metric can also be determined for the particular asset. Determining a threat-centric risk metric for the particular asset can include: determining a threat factor for the particular asset and a particular threat derived from a threat severity score estimating a severity of the particular threat and an applicability score estimating the applicability of the particular threat to the particular asset; and determining a threat exposure factor for the particular asset and the particular threat derived from the threat factor, a vulnerability component score, and a threat countermeasure component score, the vulnerability component score indicating whether the particular asset is vulnerable to the particular threat, and the countermeasure component score derived from an estimate of a likelihood that a second countermeasure will mitigate the effect of an attack on the particular asset relating to the particular threat. The threat-centric risk metric for the particular asset and the particular threat can be determined from the threat exposure factor and a criticality score for the particular asset, the criticality score representing an impact of losing the asset. The particular threat can take advantage of the particular vulnerability, the vulnerability component score can be equal to the vulnerability detection score, and the particular countermeasure can be the second countermeasure. Respective calculated values of the determined vulnerability-centric metric and threat-centric metric can be different.
[0017] Further, embodiments can each optionally include one or more of the following features. The standardized vulnerability score can have a value within a predefined range. The standardized countermeasure component score can also have a value within a predefined range. At least some vulnerabilities in the plurality of known vulnerabilities may be associated with at least one of a plurality of known threats, while the particular vulnerability is not associated with any of the known threats. A respective risk metric can be determined for the asset and each of the plurality of vulnerabilities, and an aggregate risk metric can be determined for the asset from the respective risk metrics for the asset and each of the plurality of vulnerabilities. The aggregate risk metric can be one of: a sum of the respective risk metrics, a mean of the respective risk metrics, a maximum of the respective risk metrics, a minimum of the respective risk metrics, or a mode of the respective risk metrics. A group of assets including the particular asset can be selected and an aggregate risk metric can be determined for each asset in the group to then determine an aggregate risk metric for the group of assets from the assets' respective aggregate risk metrics. In other instances, a respective risk metric can be determined for each of a plurality of assets and the vulnerability, and an aggregate risk metric can be determined for the vulnerability from the respective risk metrics for each of the plurality of assets and the vulnerability.
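The vulnerability-centric calculation of [0012] to [0017] and the aggregations of FIGS. 4, 5 and 6, as an added worked example that is not code from the patent or from McAfee. The disclosure says only that each score is "derived from" the others, so the combination rules are assumptions of this example: composite = standardized score * detection probability, independently acting countermeasures combine as 1 - prod(1 - p), and risk = composite * (1 - countermeasure score); the class and function names and the asset and vulnerability records are likewise constructed for illustration.

```python
"""Added worked example: vulnerability-centric risk metric and aggregates.
Not code from the patent or McAfee; combination rules are assumptions."""
from dataclasses import dataclass
from statistics import mean, mode
from typing import Dict, List, Set, Tuple


@dataclass
class VulnDefinition:
    """Vulnerability definition data (FIG. 2): identifier, standardized score
    (e.g. a CVSS base score on 0..10), countermeasures with the protection
    score each affords (0..1), and the configurations the vuln applies to."""
    vuln_id: str
    standardized_score: float
    countermeasures: Dict[str, float]
    applicability: Set[str]


@dataclass
class Asset:
    """Per-asset data: configuration data, vulnerability detection data
    (vuln id -> estimated probability the asset possesses it) and
    countermeasure detection data (countermeasures found protecting it)."""
    name: str
    configuration: Set[str]
    detection: Dict[str, float]
    countermeasures: Set[str]


def vulnerability_detection_score(asset: Asset, vuln: VulnDefinition) -> float:
    """Probability the asset possesses the vulnerability. Assumed rule: the
    definition's applicability data gates the asset test outcome."""
    if vuln.applicability and not (asset.configuration & vuln.applicability):
        return 0.0
    return asset.detection.get(vuln.vuln_id, 0.0)


def countermeasure_component_score(asset: Asset, vuln: VulnDefinition) -> float:
    """Probability that countermeasures listed in the definition AND detected
    on the asset mitigate the vulnerability. Assumed rule: partial
    countermeasures act independently, so protection is 1 - prod(1 - p)."""
    unprotected = 1.0
    for name, protection in vuln.countermeasures.items():
        if name in asset.countermeasures:
            unprotected *= 1.0 - protection
    return 1.0 - unprotected


def risk_metric(asset: Asset, vuln: VulnDefinition) -> float:
    """FIG. 3B: composite = standardized score * detection score, then the
    countermeasure score discounts the composite (assumed rule)."""
    composite = vuln.standardized_score * vulnerability_detection_score(asset, vuln)
    return composite * (1.0 - countermeasure_component_score(asset, vuln))


# The five aggregates listed in [0017].
AGGREGATES = {"sum": sum, "mean": mean, "max": max, "min": min, "mode": mode}


def aggregate_for_asset(asset: Asset, vulns: List[VulnDefinition],
                        how: str = "sum") -> float:
    """FIG. 5: one asset across several vulnerabilities."""
    return float(AGGREGATES[how]([risk_metric(asset, v) for v in vulns]))


def aggregate_for_vulnerability(assets: List[Asset], vuln: VulnDefinition,
                                how: str = "sum") -> float:
    """FIG. 4: one vulnerability across several assets."""
    return float(AGGREGATES[how]([risk_metric(a, vuln) for a in assets]))


def most_at_risk(assets: List[Asset], vulns: List[VulnDefinition],
                 top: int = 10, how: str = "sum") -> List[Tuple[str, float]]:
    """FIG. 6: assets ranked by aggregate risk metric, highest first."""
    scored = [(a.name, aggregate_for_asset(a, vulns, how)) for a in assets]
    return sorted(scored, key=lambda item: item[1], reverse=True)[:top]


# Constructed sample data (hypothetical ids and scores, not from the patent).
VULN_A = VulnDefinition("VULN-A", 9.3, {"hips": 0.8, "firewall": 0.5}, {"linux-httpd"})
VULN_B = VulnDefinition("VULN-B", 5.0, {"patch-x": 1.0}, {"windows"})
VULNS = [VULN_A, VULN_B]

WEBSERVER_A = Asset("webserverA", {"linux-httpd"}, {"VULN-A": 1.0}, {"firewall"})
MAILSERVER = Asset("mailserver", {"linux-httpd"}, {"VULN-A": 0.9}, {"hips", "firewall"})
USERCOMPUTER_1 = Asset("usercomputer1", {"windows"},
                       {"VULN-A": 0.5, "VULN-B": 0.75}, {"hips"})
ASSETS = [WEBSERVER_A, MAILSERVER, USERCOMPUTER_1]

if __name__ == "__main__":
    for vuln in VULNS:
        print(vuln.vuln_id, "aggregate (max):",
              aggregate_for_vulnerability(ASSETS, vuln, "max"))
    for name, score in most_at_risk(ASSETS, VULNS):
        print(f"{name:15s} {score:5.2f}")
```

Note that mailserver, which possesses VULN-A with probability 0.9, ranks below usercomputer1 because its two detected countermeasures discount the composite score by 90%, which is the effect the countermeasure component score is meant to capture.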
[0018] Some or all of the features may be computer-implemented methods or further included in respective systems or other devices for performing this described functionality. The details of these and other features, aspects, and implementations of the present disclosure are set forth in the accompanying drawings and the description below. Other features, objects, and advantages of the disclosure will be apparent from the description and drawings, and from the claims.

Example Embodiments

§1.0 Asset System Overview

[0019] FIG. 1 illustrates an example asset system 100 monitored by a network monitor 102. The assets 104 in the system 100 are connected to each other, and optionally to other systems, by a network 106.

[0020] Each asset 104 can be vulnerable to one or more threats. These threats include, for example, viruses, malware, and other software or agents that cause unauthorized attacks. Each asset can be protected by a variety of countermeasures. These countermeasures include passive countermeasures and active countermeasures.

[0021] Active countermeasures can be countermeasures that eliminate, in whole or in part, the existence of the vulnerability. For example, applying a patch to a vulnerable application or OS component removes the vulnerability. Similarly, reconfiguring may eliminate a vulnerability in the case where a browser setting is too loose, or a password is too short (and a new, stronger password is created). Other active countermeasures include uninstalling vulnerable applications, turning off vulnerable services, and even turning off vulnerable machines or unplugging their network cables.

[0022] Passive countermeasures cover up the existence of the vulnerability to shield it from exploitation (e.g., by a threat). For example, a passive countermeasure can include leveraging a firewall to protect a port that is being listened to by an application that is vulnerable, or activating a host intrusion protection system (HIPS) to detect signatures that attempt to exploit a buffer overflow on a vulnerable piece of code in an application or operating system component. Active and passive countermeasures can be network- or host-based and may be sensor-related (such as antivirus or HIPS), or configured as shields for the host (such as a network or host firewall, proxy server, packet filter, etc.). Passive countermeasures generally protect the host until active countermeasures can be applied to its vulnerabilities, or protect against unknown vulnerabilities.

[0023] Passive countermeasures can be provided by two kinds of sensors: host-based sensors 108 and network-based sensors 110. The host-based sensors 108 and the network-based sensors 110 monitor the assets themselves and/or network traffic to and from the assets. For illustrative purposes, the sensors are described below as both monitoring the assets and protecting the assets by providing one or more countermeasures. However, the monitoring and countermeasure functionalities do not have to be provided by the same sensor. In the description below, "sensor" is used to refer to various types of monitoring and protection systems including, for example, firewalls, host intrusion prevention systems, network intrusion prevention systems, network access control systems, intrusion detection systems, anti-virus software, and spam filters.

[0024] The host-based sensors 108 and the network-based sensors 110 can include one or more passive countermeasures that are part of the sensor. These passive countermeasures are software programs and/or hardware that protect assets from various threats. Each passive countermeasure reduces the risk that a threat will affect an asset. A passive countermeasure protects against a threat by detecting and stopping an attack associated with the threat, by detecting and stopping activities associated with the attack, or by mitigating damage caused by an attack. For example, a passive countermeasure may be configured to detect data having a signature associated with a particular attack, and block data with that signature. As another example, a passive countermeasure may generate back-up copies of particular files targeted by an attack, so that even if the attack damages the files, the files can be restored. Example passive countermeasures include, but are not limited to, hardware firewalls, software firewalls, data loss prevention systems, web proxies, mail filters, host-based intrusion prevention systems, network-based intrusion prevention systems, rate-based intrusion prevention systems, content-based intrusion prevention systems, intrusion detection systems, and virus detection software.

[0025] Passive countermeasures can also be partial countermeasures that do not completely protect from or mitigate the effects of an attack. For example, a partial passive countermeasure might block some, but not all, of the network traffic associated with a particular attack. As another example, if a threat needs either direct physical access or network access to compromise an asset, an example partial passive countermeasure would block network access to the asset, but not physical access.
[0026] The host-based sensors 108 can include agent-based or otherwise software-based sensors that are installed on respective assets 104. For example, host-based sensor 108a is installed on asset 104a, host-based sensor 108b is installed on asset 104c, and host-based sensor 108c is installed on asset 104e. The host-based sensors 108 run various analyses on their respective assets 104, for example, to identify vulnerabilities on the assets 104 or to identify viruses or other malware executing on the assets 104. The host-based sensors may also provide one or more passive countermeasures for threats, as described above. Example host-based sensors can include antivirus and other antimalware software.

[0027] The network-based sensors 110 are hardware devices and/or software in a data communication path between assets 104 protected by the sensor and the network resources that the asset is attempting to access. For example, sensor 110a is connected to assets 104a and 104b, and sensor 110b is connected to assets 104c, 104d, and 104e. While FIG. 1 illustrates a single network-based sensor 110 in a communication path with each asset, other configurations are possible. For example, multiple network-based sensors 110 can be connected to the same asset 104, and some assets 104 may not be connected to any network-based sensors 110.

[0028] When an asset 104 tries to send information through the network 106 or receive information over the network 106 through a network-based sensor 110, the sensor analyzes information about the asset 104 and the information being sent or received and determines whether to allow the communication. An example network-based sensor includes one or more processors, a memory subsystem, and an input/output subsystem. The one or more processors are programmed according to instructions stored in the memory subsystem, and monitor the network traffic passing through the input/output subsystem. The one or more processors are programmed to take one or more protective actions on their own, or to query a sensor control system (not shown) and take further actions as instructed by the sensor control system 102. Example network-based sensors include network access control systems, firewalls, routers, switches, bridges, hubs, web proxies, application proxies, gateways, mail filters, virtual private networks, intrusion prevention systems and intrusion detection systems.

[0029] The assets 104 can also be protected by one or more active countermeasures that are applied to the asset. Active countermeasures make changes to the configuration of assets or the configuration of existing passive countermeasures to actively eliminate a vulnerability. In contrast, passive countermeasures hide the effects of a vulnerability, but do not remove the vulnerability. Each active countermeasure eliminates, or at least reduces, the risk that a threat will affect an asset when the active countermeasure is applied to the asset by eliminating, or at least reducing, a vulnerability. An active countermeasure protects against a threat by modifying the configuration of an asset 104 so that the asset is no longer vulnerable to the threat. For example, an active countermeasure can close a back door that was open on an asset or correct another type of system vulnerability. Example active countermeasures include, but are not limited to, software patches that are applied to assets.

[0030] The assets 104 may be vulnerable to many different
