US-20260127282-A1 - THREAT MITIGATION SYSTEM AND METHOD
Abstract
A computer-implemented method, computer program product and computing system for receiving a plurality of detection events concerning a plurality of security events occurring on a security-relevant subsystem within a computing platform; identifying two or more associated detection events included within the plurality of detection events; and grouping the two or more associated detection events to define a security incident.
Inventors
- Brian P. Murphy
- Joe Partlow
- Colin O'Connor
- Jason Pfeiffer
- Brian Philip Murphy
Assignees
- RELIAQUEST HOLDINGS, LLC
Dates
- Publication Date
- 20260507
- Application Date
- 20241121
Claims (20)
- 1 .- 30 . (canceled)
- 31 . A computer-implemented method, executed on a computing device, comprising: receiving a plurality of detection events concerning a plurality of security events occurring on a security-relevant subsystem within a computing platform; identifying two or more associated detection events included within the plurality of detection events; grouping the two or more associated detection events to define a security incident; receiving one or more additional detection events concerning one or more additional security events occurring on the security-relevant subsystem within the computing platform; and adding the one or more additional detection events to the security incident if the one or more additional detection events are related to the two or more associated detection events.
- 32 . The computer-implemented method of claim 31 wherein the plurality of security events includes one or more of: Denial of Service (DoS) events; Distributed Denial of Service (DDoS) events; Man-in-the-Middle (MitM) events; phishing events; Password Attack events; SQL Injection events; Cross-Site Scripting (XSS) events; Insider Threat events; spamming events; malware events; web attacks; and exploitation events.
- 33 . The computer-implemented method of claim 31 wherein the security-relevant subsystem includes one or more of: CDN (i.e., Content Delivery Network) systems; DAM (i.e., Database Activity Monitoring) systems; UBA (i.e., User Behavior Analytics) systems; MDM (i.e., Mobile Device Management) systems; IAM (i.e., Identity and Access Management) systems; DNS (i.e., Domain Name Server) systems; Antivirus systems; operating systems; data lakes; data logs; security-relevant software applications; security-relevant hardware systems; and resources external to the computing platform.
- 34 . The computer-implemented method of claim 31 wherein one or more artifacts/log entries are associated with each of the plurality of detection events.
- 35 . The computer-implemented method of claim 34 wherein identifying two or more associated detection events included within the plurality of detection events includes: identifying two or more detection events included within the plurality of detection events that have common artifacts/log entries.
- 36 . The computer-implemented method of claim 34 wherein grouping the two or more associated detection events into a security incident includes: grouping the one or more artifacts/log entries associated with each of the two or more associated detection events to form an artifact/log entry set for the security incident.
- 37 . The computer-implemented method of claim 31 further comprising: receiving one or more additional detection events concerning one or more additional security events occurring on the security-relevant subsystem within the computing platform; and adding the one or more additional detection events to the security incident if the one or more additional detection events are related to the two or more associated detection events.
- 38 . The computer-implemented method of claim 31 wherein the plurality of security events are detected on the security-relevant subsystem using one or more detection rules executed on the security-relevant subsystem.
- 39 . The computer-implemented method of claim 31 further comprising: normalizing the plurality of detection events into a common ontology.
- 40 . The computer-implemented method of claim 39 wherein normalizing the plurality of detection events into a common ontology includes: translating a syntax of each of the plurality of detection events into a common syntax.
- 41 . A computer program product residing on a computer readable medium having a plurality of instructions stored thereon which, when executed by a processor, cause the processor to perform operations comprising: receiving a plurality of detection events concerning a plurality of security events occurring on a security-relevant subsystem within a computing platform; identifying two or more associated detection events included within the plurality of detection events; grouping the two or more associated detection events to define a security incident; receiving one or more additional detection events concerning one or more additional security events occurring on the security-relevant subsystem within the computing platform; and adding the one or more additional detection events to the security incident if the one or more additional detection events are related to the two or more associated detection events.
- 42 . The computer program product of claim 41 wherein the plurality of security events includes one or more of: Denial of Service (DoS) events; Distributed Denial of Service (DDoS) events; Man-in-the-Middle (MitM) events; phishing events; Password Attack events; SQL Injection events; Cross-Site Scripting (XSS) events; Insider Threat events; spamming events; malware events; web attacks; and exploitation events.
- 43 . The computer program product of claim 41 wherein the security-relevant subsystem includes one or more of: CDN (i.e., Content Delivery Network) systems; DAM (i.e., Database Activity Monitoring) systems; UBA (i.e., User Behavior Analytics) systems; MDM (i.e., Mobile Device Management) systems; IAM (i.e., Identity and Access Management) systems; DNS (i.e., Domain Name Server) systems; Antivirus systems; operating systems; data lakes; data logs; security-relevant software applications; security-relevant hardware systems; and resources external to the computing platform.
- 44 . The computer program product of claim 41 wherein one or more artifacts/log entries are associated with each of the plurality of detection events.
- 45 . The computer program product of claim 44 wherein identifying two or more associated detection events included within the plurality of detection events includes: identifying two or more detection events included within the plurality of detection events that have common artifacts/log entries.
- 46 . The computer program product of claim 44 wherein grouping the two or more associated detection events into a security incident includes: grouping the one or more artifacts/log entries associated with each of the two or more associated detection events to form an artifact/log entry set for the security incident.
- 47 . The computer program product of claim 41 further comprising: receiving one or more additional detection events concerning one or more additional security events occurring on the security-relevant subsystem within the computing platform; and adding the one or more additional detection events to the security incident if the one or more additional detection events are related to the two or more associated detection events.
- 48 . The computer program product of claim 41 wherein the plurality of security events are detected on the security-relevant subsystem using one or more detection rules executed on the security-relevant subsystem.
- 49 . The computer program product of claim 41 further comprising: normalizing the plurality of detection events into a common ontology.
- 50 . The computer program product of claim 49 wherein normalizing the plurality of detection events into a common ontology includes: translating a syntax of each of the plurality of detection events into a common syntax.
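The grouping that claims 31 through 40 describe (detection events from a security-relevant subsystem are first normalized into a common ontology, events sharing artifacts/log entries are grouped into a security incident, and later events are added to that incident when related), as an added Python example that is not code from the patent or its assignee. The three event syntaxes, the field names, the sample events, the artifact-exclusion list and the merge behaviour are all constructed for the example; the patent specifies none of them.

```python
"""Normalize detection events from several subsystems into one schema, then
group events that share artifacts into incidents, adding later events as
they arrive.  Added example; not the patent's own code.  Event formats,
field names, sample events and the noisy-artifact list are constructed."""
from __future__ import annotations

import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Detection:
    """A detection event in the common ontology (field names chosen here)."""
    source: str
    rule: str
    ts: int
    artifacts: frozenset  # of (artifact_type, value) pairs, e.g. ("host", "ws-42")


def normalize(raw: str) -> Detection:
    """Translate a subsystem's native syntax into the common schema.
    Constructed formats: IAM emits JSON, antivirus emits key=value pairs,
    DNS emits comma-separated source,rule,host,ip,domain,ts."""
    if raw.startswith("{"):
        d = json.loads(raw)
        arts = {("user", d["user"]), ("ip", d["srcIp"])}
        return Detection(d["src"], d["rule"], int(d["ts"]), frozenset(arts))
    if "=" in raw.split(None, 1)[0]:
        d = dict(kv.split("=", 1) for kv in raw.split())
        arts = {("host", d["host"]), ("user", d["user"]), ("hash", d["hash"])}
        return Detection(d["src"], d["rule"], int(d["ts"]), frozenset(arts))
    src, rule, host, ip, domain, ts = raw.split(",")
    return Detection(src, rule, int(ts), frozenset({("host", host), ("ip", ip), ("domain", domain)}))


@dataclass
class Incident:
    id: int
    events: list = field(default_factory=list)
    artifacts: set = field(default_factory=set)  # union of member artifact sets

    def absorb(self, ev: Detection) -> None:
        self.events.append(ev)
        self.artifacts |= ev.artifacts


# Constructed: artifact values so common (shared NAT or resolver address, etc.)
# that matching on them would chain unrelated events into one giant incident.
NOISY_ARTIFACTS = frozenset({("ip", "10.0.0.1")})


class Correlator:
    def __init__(self, noisy=NOISY_ARTIFACTS):
        self.noisy = set(noisy)
        self.incidents: dict = {}  # incident id -> Incident
        self.index: dict = {}      # artifact -> incident id (noisy ones never indexed)
        self._next_id = 1

    def add(self, ev: Detection) -> Incident:
        """Attach ev to the incident(s) sharing a non-noisy artifact; merge
        incidents that ev bridges; otherwise open a new (pending) one."""
        keys = ev.artifacts - self.noisy
        hits = sorted({self.index[a] for a in keys if a in self.index})
        if not hits:
            inc = Incident(self._next_id)
            self._next_id += 1
            self.incidents[inc.id] = inc
        else:
            inc = self.incidents[hits[0]]
            for other_id in hits[1:]:
                for e in self.incidents.pop(other_id).events:
                    inc.absorb(e)
        inc.absorb(ev)
        for a in inc.artifacts - self.noisy:
            self.index[a] = inc.id
        return inc

    def security_incidents(self, min_events: int = 2) -> list:
        """Per claim 31 an incident needs two or more associated events;
        single-event groups are held as pending and not reported."""
        return [i for _, i in sorted(self.incidents.items()) if len(i.events) >= min_events]


# Constructed sample detection events, each in its subsystem's own syntax.
INITIAL_EVENTS = [
    '{"src": "iam", "rule": "brute_force_login", "user": "jdoe", "srcIp": "203.0.113.7", "ts": 100}',
    "src=av rule=malware_detected host=ws-42 user=jdoe hash=ab12 ts=130",
    "dns,suspicious_domain,ws-42,10.0.0.1,evil.example,140",
    '{"src": "iam", "rule": "mfa_disabled", "user": "asmith", "srcIp": "10.0.0.1", "ts": 150}',
]
ADDITIONAL_EVENTS = [  # arrive later; the second one bridges two incidents
    "src=av rule=malware_detected host=ws-77 user=asmith hash=cd34 ts=200",
    "dns,suspicious_domain,ws-77,10.0.0.1,evil.example,210",
]


def build_demo(include_additional: bool = False, noisy=NOISY_ARTIFACTS) -> Correlator:
    c = Correlator(noisy)
    for raw in INITIAL_EVENTS + (ADDITIONAL_EVENTS if include_additional else []):
        c.add(normalize(raw))
    return c


if __name__ == "__main__":
    for inc in build_demo(include_additional=True).security_incidents():
        print(f"incident {inc.id}: {[(e.source, e.rule) for e in inc.events]}")
```

Two points the claims leave open are worth deciding explicitly in practice. First, artifact overlap alone is only as good as the artifact values: a shared NAT address, a corporate resolver IP or a well-known benign hash appears in almost every event, so without an exclusion list (or a frequency cut-off) every incident collapses into one; `build_demo(noisy=set())` shows that collapse on the sample data. Second, a later event that touches two existing incidents forces a choice between merging them (done here) and attaching it to only one; merging is the faithful reading of "adding ... if related", but it also means one noisy artifact can silently fold unrelated investigations together, so log the merge.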
Description
RELATED APPLICATION(S)
This application is a continuation of U.S. patent application Ser. No. 18/130,152 filed on 3 Apr. 2023, which claims the benefit of U.S. Provisional Application No. 63/326,375, filed on 1 Apr. 2022, the entire contents of which are herein incorporated by reference.
TECHNICAL FIELD
This disclosure relates to threat mitigation systems and, more particularly, to threat mitigation systems that utilize a universal query language.
BACKGROUND
In the computer world, there is a constant battle occurring between bad actors that want to attack computing platforms and good actors who try to prevent the same. Unfortunately, the complexity of such computer attacks is constantly increasing, so technology needs to be employed that understands the complexity of these attacks and is capable of addressing them. Threat mitigation systems may utilize and/or communicate with a plurality of security-relevant subsystems, wherein these security-relevant subsystems may gather information concerning such computer attacks. Unfortunately, in order to obtain such gathered information from these security-relevant subsystems, the user of the threat mitigation system would often be required to formulate a unique query for each security-relevant subsystem.
SUMMARY OF DISCLOSURE
Phase 1
In one implementation, a computer-implemented method is executed on a computing device and includes: receiving a plurality of detection events concerning a plurality of security events occurring on a security-relevant subsystem within a computing platform; identifying two or more associated detection events included within the plurality of detection events; and grouping the two or more associated detection events to define a security incident. One or more of the following features may be included.
The plurality of security events may include one or more of: Denial of Service (DoS) events; Distributed Denial of Service (DDoS) events; Man-in-the-Middle (MitM) events; phishing events; Password Attack events; SQL Injection events; Cross-Site Scripting (XSS) events; Insider Threat events; spamming events; malware events; web attacks; and exploitation events. The security-relevant subsystem may include one or more of: CDN (i.e., Content Delivery Network) systems; DAM (i.e., Database Activity Monitoring) systems; UBA (i.e., User Behavior Analytics) systems; MDM (i.e., Mobile Device Management) systems; IAM (i.e., Identity and Access Management) systems; DNS (i.e., Domain Name Server) systems; Antivirus systems; operating systems; data lakes; data logs; security-relevant software applications; security-relevant hardware systems; and resources external to the computing platform. One or more artifacts/log entries may be associated with each of the plurality of detection events. Identifying two or more associated detection events included within the plurality of detection events may include: identifying two or more detection events included within the plurality of detection events that have common artifacts/log entries. Grouping the two or more associated detection events into a security incident may include: grouping the one or more artifacts/log entries associated with each of the two or more associated detection events to form an artifact/log entry set for the security incident. One or more additional detection events may be received concerning one or more additional security events occurring on the security-relevant subsystem within the computing platform. The one or more additional detection events may be added to the security incident if the one or more additional detection events are related to the two or more associated detection events.
The plurality of security events may be detected on the security-relevant subsystem using one or more detection rules executed on the security-relevant subsystem. The plurality of detection events may be normalized into a common ontology. Normalizing the plurality of detection events into a common ontology may include: translating a syntax of each of the plurality of detection events into a common syntax. In another implementation, a computer program product resides on a computer readable medium and has a plurality of instructions stored on it. When executed by a processor, the instructions cause the processor to perform operations including: receiving a plurality of detection events concerning a plurality of security events occurring on a security-relevant subsystem within a computing platform; identifying two or more associated detection events included within the plurality of detection events; and grouping the two or more associated detection events to define a security incident. One or more of the following features may be included. The plurality of security events may include one or more of: Denial of Service (DoS) events; Distributed Denial of Service (DDoS) events; Man-in-the-Middle (MitM) events; phishing events; Password Attack events; SQL Injection events; Cross-Site Scripting (XSS) events; Ins