US-12627705-B2 - Methods and systems for asset risk determination and utilization for threat mitigation
Abstract
Disclosed are methods and systems for assessing system risks associated with one or more assets coupled to a network and mitigating against said system risks. According to one implementation, a method for assessing a system risk comprises receiving network data associated with a first asset communicatively coupled to a network, quantifying the network data, and generating a risk parameter using the quantified network data and vulnerability data associated with the network. The method further comprises determining, based on the risk parameter that a security risk of a first asset of the network is higher than the security risk of a second asset of the network. Upon this determining, the method initiates remediation operations that first secure the first asset on the network against a security breach to the network.
Inventors
- Mehul Krishnanand Revankar
- Sumedh S. Thakar
- Anand Paturi
Assignees
- QUALYS, INC.
Dates
- Publication Date
- 20260512
- Application Date
- 20240906
Claims (20)
- 1 . A method comprising: receiving, using one or more computing device processors, network data associated with a first asset communicatively coupled to a network, wherein the network data comprises: first data associated with criticality information associated with the first asset, second data associated with configuration information associated with the first asset, third data associated with malware information associated with the first asset, fourth data associated with software information associated with the first asset, and fifth data associated with location information associated with the first asset; determining, using the one or more computing device processors, based on at least one of the first data, the second data, the third data, the fourth data, or the fifth data, a first vulnerability parameter associated with the first asset; quantifying, using the one or more computing device processors, the second data, the third data, the fourth data, and the fifth data, thereby resulting in quantified second data, quantified third data, quantified fourth data, and quantified fifth data; generating, using the one or more computing device processors, and based on the quantified second data, the quantified third data, the quantified fourth data, the quantified fifth data, and the first vulnerability parameter, a first risk parameter associated with the first asset, wherein the first risk parameter indicates a first exploitability assessment associated with the first asset communicatively coupled to the network relative to a second exploitability assessment associated with a second asset communicatively coupled to the network, within a first time window; determining, using the one or more computing device processors, and based on the first risk parameter, that the first asset is at a higher risk from a security event relative to the second asset communicatively coupled to the network; and initiating, using the one or more computing device processors, based on the first risk parameter, generation of one or more security operations that mitigate against the security event, the one or more security operations comprising a sequence of operations that at least partially secure the first asset against the security event.
- 2 . The method of claim 1 , wherein the first data is based on at least one of: an asset type associated with the first asset communicatively coupled to the network, first usage data associated with the first asset communicatively coupled to the network, or second usage data associated with the first asset communicatively coupled to the network relative to third usage data associated with the second asset communicatively coupled to the network.
- 3 . The method of claim 2 , wherein the asset type is based on or comprises at least one of: a production system communicatively coupled to the network, a first system hosting the production system communicatively coupled to the network, a second system hosting a production database communicatively coupled to the network, a third system that is not visible to entities outside the network, or a fourth system associated with testing and developing computing operations on the network.
- 4 . The method of claim 1 , wherein the first data is based on one or more of: parameterized criticality data associated with at least one of the first asset communicatively coupled to the network, the second asset communicatively coupled to the network, or a third asset communicatively coupled to the network, synchronized system data derived from at least one security log associated with the at least one of the first asset communicatively coupled to the network, the second asset communicatively coupled to the network, or the third asset communicatively coupled to the network, software data associated with a first analysis of one or more software being executed using the at least one of the first asset communicatively coupled to the network, the second asset communicatively coupled to the network, or the third asset communicatively coupled to the network, or hardware data associated with a second analysis of one or more hardware used to implement the at least one of the first asset communicatively coupled to the network, the second asset communicatively coupled to the network, or the third asset communicatively coupled to the network.
- 5 . The method of claim 4 , wherein the first risk parameter comprises or is based on an aggregate of quantified risks associated with the at least one of the first asset communicatively coupled to the network, the second asset communicatively coupled to the network, or the third asset communicatively coupled to the network.
- 6 . The method of claim 1 , wherein at least one of: the first vulnerability parameter is correlated with vulnerability data associated with one or more assets communicatively coupled to the network, the first risk parameter is generated based on the first vulnerability parameter, the software information comprises software cycle information, or the security event comprises a security breach.
- 7 . The method of claim 1 , wherein the configuration information comprises or is based on one or more of: first security configuration data associated with one or more software associated with at least one of the first asset communicatively coupled to the network or the second asset communicatively coupled to the network, and second security configuration data associated with one or more hardware associated with the at least one of the first asset communicatively coupled to the network or the second asset communicatively coupled to the network.
- 8 . The method of claim 1 , wherein at least one of: the malware information comprises malware data captured within the network or outside the network, or the software information indicates whether one or more software associated with the first asset or associated with the second asset has a software update available.
- 9 . The method of claim 1 , wherein the security event comprises or is based on one or more attack execution operations associated with the first asset communicatively coupled to the network or the second asset communicatively coupled to the network.
- 10 . The method of claim 1 , wherein the location information comprises data based on at least one of: whether the first asset communicatively coupled to the network or the second asset communicatively coupled to the network are located in approximately the same location or are located in disparate locations, whether the network is isolated from an external network, whether the first asset is communicatively coupled to the network using a first virtual private network (VPN), or whether the second asset is communicatively coupled to the network using a second VPN.
- 11 . The method of claim 1 , wherein the first asset comprises a computing device or a computing network.
- 12 . The method of claim 1 , further comprising parametrizing the first vulnerability parameter associated with the first asset based on the first data.
- 13 . The method of claim 1 , further comprising parametrizing the first vulnerability parameter based on at least one of the first data, the second data, the third data, the fourth data, or the fifth data.
- 14 . The method of claim 1 , wherein the one or more computing device processors are comprised in one or more computing systems, wherein the one or more computing systems are located in one or more locations.
- 15 . A system comprising: one or more computing system processors; and memory storing instructions, such that, when executed by the one or more computing system processors, causes the system to: receive network data associated with a first asset communicatively coupled to a network, wherein the network data comprises: first data associated with criticality information associated with the first asset, second data associated with configuration information associated with the first asset, third data associated with malware information associated with the first asset, fourth data associated with software information associated with the first asset, and fifth data associated with location information associated with the first asset; determine based on at least one of the first data, the second data, the third data, the fourth data, or the fifth data, a first vulnerability parameter associated with the first asset; quantify the second data, the third data, the fourth data, and the fifth data, thereby resulting in quantified second data, quantified third data, quantified fourth data, and quantified fifth data; generate, based on the quantified second data, the quantified third data, the quantified fourth data, the quantified fifth data, and the first vulnerability parameter, a first risk parameter associated with the first asset, wherein the first risk parameter indicates a first exploitability assessment associated with the first asset communicatively coupled to the network relative to a second exploitability assessment associated with a second asset communicatively coupled to the network within a first time window; determine, based on the first risk parameter, that the first asset is at a higher risk from a security event relative to the second asset communicatively coupled to the network; and initiate, based on the first risk parameter, generation of one or more security operations that mitigate against the security event, the one or more security operations comprising a sequence of operations that at least partially secure the first asset against the security event.
- 16 . The system of claim 15 , wherein the first data is based on at least one of: an asset type associated with the first asset communicatively coupled to the network, first usage data associated with the first asset communicatively coupled to the network, or second usage data associated with the first asset communicatively coupled to the network relative to third usage data associated with the second asset communicatively coupled to the network.
- 17 . The system of claim 16 , wherein the asset type is based on or comprises at least one of: a production system communicatively coupled to the network, a first system hosting the production system communicatively coupled to the network, a second system hosting a production database communicatively coupled to the network, a third system that is not visible to entities outside the network, or a fourth system associated with testing and developing computing operations on the network.
- 18 . The system of claim 15 , wherein the first data is based on one or more of: parameterized criticality data associated with at least one of the first asset communicatively coupled to the network, the second asset communicatively coupled to the network, or a third asset communicatively coupled to the network, synchronized system data derived from at least one security log associated with the at least one of the first asset communicatively coupled to the network, the second asset communicatively coupled to the network, or the third asset communicatively coupled to the network, software data associated with a first analysis of one or more software being executed using the at least one of the first asset communicatively coupled to the network, the second asset communicatively coupled to the network, or the third asset communicatively coupled to the network, or hardware data associated with a second analysis of one or more hardware used to implement the at least one of the first asset communicatively coupled to the network, the second asset communicatively coupled to the network, or the third asset communicatively coupled to the network.
- 19 . The system of claim 18 , wherein the first risk parameter comprises or is based on an aggregate of quantified risks associated with the at least one of the first asset communicatively coupled to the network, the second asset communicatively coupled to the network, or the third asset communicatively coupled to the network.
- 20 . The system of claim 15 , wherein at least one of: the first vulnerability parameter is correlated with vulnerability data associated with one or more assets communicatively coupled to the network, the first risk parameter is generated based on the first vulnerability parameter, the software information comprises software cycle information, or the security event comprises a security breach.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
This U.S. application claims priority to, and is a continuation of, U.S. patent application Ser. No. 17/844,566, filed on Jun. 20, 2022, the disclosure of which is incorporated by reference herein in its entirety for all purposes.
TECHNICAL FIELD
Disclosed embodiments herein relate generally to computer security, and more particularly to systems and methods for locally or remotely determining asset/system risk and vulnerabilities and mitigating against said asset/system risk and vulnerabilities in a computing network.
BACKGROUND
Computer networks offer users ease and efficiency in exchanging information. Computer networks are typically comprised of systems/devices (e.g., integrated servers, routers, terminals and other components) that interoperate and share information. Such networks manage a growing list of needs including transportation, agriculture, energy management, communications, and defense applications. Unfortunately, the very interoperability and sophisticated integration of technology that make computer networks such valuable assets also make them vulnerable to security attacks or security breaches, and make dependence on networks a potential liability. Numerous examples of planned network attacks, such as viruses, worms, and spyware, have shown how interconnectivity can be used to spread harmful program code. In addition, public or open network architectures, such as the Internet, permit hackers to have access to information on many different computers. These malicious attackers attempt to gain unauthorized access to messages generated by a user's computer and to resources of the user's computer, and use knowledge of the protocol stack and operating systems of users' computers in an effort to gain access to those computers without authorization. Such illicit activity presents a significant security risk to any computer communicatively coupled to the network.
Furthermore, organized groups have performed malicious and coordinated attacks against various large online targets having multiple different network configurations. Moreover, security and IT teams that manage computer networks are often overwhelmed by the sheer number of vulnerabilities to which assets or systems coupled to such networks are exposed on a daily basis. In some cases, about 40% of the reported vulnerabilities associated with most computer networks are rated either high or critical in severity. Because security and IT teams usually have limited resources to patch such vulnerabilities, the patches needed to resolve them are often not deployed at all, or are deployed only after a long delay, leaving organizations exposed to unnecessary risk in the meantime. Thus, it is important that security and IT teams identify the right set of vulnerabilities, that is, the most critical ones, and resolve the security issues associated with them before proceeding to less prioritized vulnerabilities, in order to mitigate the most significant security risks to which the computer network is exposed. Assessing the risk posed by a given vulnerability or misconfiguration of a given computer network is easier said than done. For example, while network administrators or computer security experts may today prioritize vulnerabilities based on the Common Vulnerability Scoring System (CVSS), which represents the technical severity of a vulnerability, this approach does not account for the risk that the vulnerabilities identified by a vulnerability assessment pose to the computer network or to the organization within which the computer network is implemented.
Moreover, the CVSS method of quantifying risk provides an inefficient model because network administrators or computer security experts may end up patching vulnerabilities with high CVSS scores that do not reduce significant risks to the computer network. As an example, some network administrators may use the CVSS rating of CVE-2020-13112 (the Common Vulnerabilities and Exposures (CVE) entry for Amazon Linux Security Advisory for libexif: AL2012-2020-320), which yields a score of 9.1. However, CVE-2020-13112 has no known exploits available, yet it is considered a critical vulnerability based on severity alone. On the other hand, CVE-2021-36942 (Windows LSA Spoofing Vulnerability) is rated at 5.3 by the National Vulnerability Database (NVD) but is actively exploited by malware groups and threat actors. Its exploit code maturity may be weaponized, making it easy for attackers to exploit the vulnerability associated with CVE-2021-36942 and compromise and infect systems communicatively coupled to the network. Thus, while CVE-2020-13112 may have a higher CVSS rating than CVE-2021-36942, from a risk perspective, computer networks are at a higher risk from CVE-2021-36942 than CVE-2020-1
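Claim 1 describes quantifying per-asset criticality, configuration, malware, software and location data and combining them with a vulnerability parameter into a risk parameter that ranks assets for remediation, and the Background argues that a raw CVSS score misorders assets when it ignores exploit maturity. The block below is an added worked example, not the patent's own method and not Qualys code: it implements one plausible scoring of that shape and runs it over a constructed inventory. Only the two CVE identifiers and their CVSS scores (9.1 and 5.3) come from the page; every weight, scale, cap, host name, misconfiguration count, patch count and exposure class is an assumption chosen for illustration, as is the choice to floor the vulnerability parameter when in-the-wild exploitation is confirmed.

```python
"""Added example (not from the patent or any Qualys product): a minimal
risk-based asset ranking in the shape of claim 1, applied to the
Background's CVSS-versus-exploitability comparison.
All weights, scales, caps and sample assets are constructed assumptions."""
from dataclasses import dataclass, field

# Exploit code maturity, the dimension a CVSS base score alone ignores.
# Assumed weights.
EXPLOIT_MATURITY = {"none": 0.2, "proof_of_concept": 0.5,
                    "functional": 0.8, "weaponized": 1.0}
# Assumed ordinal scale for asset criticality (claim 3 lists these asset types).
CRITICALITY = {"dev_test": 1, "internal_only": 2,
               "production": 3, "production_db": 4}
# Assumed exposure scale for the location data (claim 10: isolation, VPN, etc.).
EXPOSURE = {"isolated": 0.3, "vpn_only": 0.6, "internet_facing": 1.0}


@dataclass
class Vulnerability:
    cve: str
    cvss: float               # NVD base score, 0-10 (technical severity)
    exploit_maturity: str     # key of EXPLOIT_MATURITY
    actively_exploited: bool  # in-the-wild use observed


@dataclass
class Asset:
    name: str
    asset_type: str           # first data: key of CRITICALITY
    misconfigurations: int    # second data: failed hardening checks
    malware_detected: bool    # third data
    patches_pending: int      # fourth data: updates available, not applied
    exposure: str             # fifth data: key of EXPOSURE
    vulns: list = field(default_factory=list)


def vulnerability_parameter(v: Vulnerability) -> float:
    """Exploitability in [0, 1]: severity scaled by exploit maturity.
    Confirmed in-the-wild exploitation sets a floor of 0.9 regardless of CVSS."""
    score = (v.cvss / 10.0) * EXPLOIT_MATURITY[v.exploit_maturity]
    if v.actively_exploited:
        score = max(score, 0.9)
    return score


def asset_risk(a: Asset) -> float:
    """Risk parameter for one asset: its worst vulnerability parameter,
    multiplied by criticality and by a context factor built from the
    quantified configuration, malware, software and location data."""
    if not a.vulns:
        return 0.0
    worst = max(vulnerability_parameter(v) for v in a.vulns)
    config = min(a.misconfigurations, 10) / 10.0   # assumed cap of 10 findings
    malware = 1.0 if a.malware_detected else 0.0
    software = min(a.patches_pending, 20) / 20.0   # assumed cap of 20 updates
    location = EXPOSURE[a.exposure]
    context = 1.0 + 0.25 * config + 0.5 * malware + 0.25 * software + 0.5 * location
    return worst * CRITICALITY[a.asset_type] * context


def remediation_order(assets):
    """Asset names in the order they should be secured, highest risk first."""
    return [a.name for a in sorted(assets, key=asset_risk, reverse=True)]


def cvss_only_order(assets):
    """The baseline the Background criticises: rank by highest CVSS alone."""
    def worst_cvss(a):
        return max((v.cvss for v in a.vulns), default=0.0)
    return [a.name for a in sorted(assets, key=worst_cvss, reverse=True)]


def sample_assets():
    """Constructed inventory. The two CVEs and their CVSS scores are the ones
    quoted in the Background; host names, counts and exposures are invented."""
    libexif = Vulnerability("CVE-2020-13112", 9.1, "none", False)
    lsa_spoof = Vulnerability("CVE-2021-36942", 5.3, "weaponized", True)
    return [
        Asset("web01", "production", 2, False, 4, "internet_facing", [libexif]),
        Asset("build-runner", "dev_test", 0, True, 12, "isolated", [libexif]),
        Asset("dc01", "production", 5, False, 1, "vpn_only", [lsa_spoof]),
    ]


if __name__ == "__main__":
    inventory = sample_assets()
    for asset in inventory:
        print(f"{asset.name:13s} risk={asset_risk(asset):.3f}")
    print("CVSS-only order :", cvss_only_order(inventory))
    print("risk-based order:", remediation_order(inventory))
```

Run stand-alone, the script prints both orderings. Ranking by CVSS alone puts the two hosts carrying CVE-2020-13112 first and the domain controller last; the risk parameter puts dc01 first, because confirmed exploitation floors its vulnerability parameter at 0.9 and production criticality and VPN reachability amplify it, while the 9.1-rated finding with no exploit scores 0.182 before context is applied. The numeric weights are the part a practitioner would tune against their own environment; the structural point is that exploit maturity and asset context enter the score multiplicatively instead of being read off one severity number.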