US-20260129067-A1 - TECHNIQUES FOR RISK MANAGEMENT BASED ON SOFTWARE BILL OF MATERIALS
Abstract
Techniques are described herein for determining and mitigating a risk to an organization associated with a security threat. In embodiments, such techniques may be performed by an access control device and may comprise receiving information about a security threat, identifying one or more components susceptible to the security threat, determining a number of software applications associated with the one or more components, and determining, based on usage metrics stored in relation to the number of software applications, a severity associated with each of the number of software applications. The techniques may further comprise determining at least one mitigation technique associated with a software application having the highest severity in relation to the security threat and causing the at least one mitigation technique to be implemented.
Inventors
- Nancy Patricia Cam-Winget
- Robert Edgar Barton
- Edward Albert Warnicke
- Flemming S. Andreasen
Assignees
- CISCO TECHNOLOGY, INC.
Dates
- Publication Date
- 20260507
- Application Date
- 20260105
Claims (20)
- 1 . A method comprising: receiving, at an access control device, information about a security threat; identifying, by the access control device, one or more components susceptible to the security threat; determining, by the access control device, a number of software applications associated with the one or more components; determining, by the access control device based on usage metrics stored in relation to the number of software applications, a severity associated with each of the number of software applications; determining, by the access control device, at least one mitigation technique associated with a software application having the highest severity in relation to the security threat; and causing, by the access control device, the at least one mitigation technique to be implemented.
- 2 . The method of claim 1 , wherein the at least one mitigation technique comprises patching the software application having the highest severity prior to patching other software applications of the number of software applications.
- 3 . The method of claim 1 , wherein determining the severity associated with each of the number of software applications comprises calculating a risk score based on a degree of susceptibility of the one or more components to the security threat.
- 4 . The method of claim 1 , further comprising: comparing the severity associated with each of the number of software applications against a threshold severity value; and identifying, based on the comparing, a set of software applications for which the severity exceeds the threshold severity value.
- 5 . The method of claim 1 , wherein the usage metrics comprise information about a frequency of access of each of the number of software applications by computing devices associated with an organization.
- 6 . The method of claim 1 , wherein determining the number of software applications associated with the one or more components comprises querying a software bill of materials to identify software applications that include references to the one or more components.
- 7 . The method of claim 1 , further comprising providing, to a user device, an indication of the severity associated with each of the number of software applications.
- 8 . The method of claim 1 , wherein the security threat comprises at least one of a software virus or a software exploit.
- 9 . A system comprising: one or more processors; and a memory storing instructions that, when executed by the one or more processors, cause the system to: receive information about a security threat; identify one or more components susceptible to the security threat; determine a number of software applications associated with the one or more components; calculate a severity value for each of the number of software applications based on usage metrics and a degree of susceptibility of the one or more components to the security threat; rank the number of software applications based on the severity value calculated for each of the number of software applications; and generate a patching order for the number of software applications based on the ranking.
- 10 . The system of claim 9 , wherein the instructions further cause the system to initiate patching of a first software application having a highest severity value prior to initiating patching of a second software application having a lower severity value.
- 11 . The system of claim 9 , wherein the usage metrics comprise information about a number of computing devices that have accessed each of the number of software applications within a predetermined time period.
- 12 . The system of claim 9 , wherein the usage metrics comprise information about what software applications have been accessed by each of a number of computing devices associated with an organization.
- 13 . The system of claim 12 , wherein the immutable record comprises a blockchain ledger.
- 14 . The system of claim 9 , wherein the instructions further cause the system to: determine, for each of the number of software applications, a version associated with the software application; and calculate the severity value based on the version.
- 15 . The system of claim 9 , wherein the instructions further cause the system to transmit the patching order to one or more computing devices associated with an organization.
- 16 . A non-transitory computer-readable medium storing instructions that, when executed by one or more processors, cause the one or more processors to: receive information about a security threat from a vulnerability management service; identify one or more software components that are susceptible to the security threat; determine a plurality of software applications that are associated with the one or more software components; retrieve usage metrics indicating an extent to which each of the plurality of software applications is accessed by computing devices of an organization; calculate a severity score for each of the plurality of software applications based on the usage metrics and a vulnerability of the one or more software components to the security threat; generate a prioritized list of the plurality of software applications based on the severity score calculated for each of the plurality of software applications; and cause patching of the plurality of software applications to be performed according to the prioritized list.
- 17 . The non-transitory computer-readable medium of claim 16 , wherein the instructions further cause the one or more processors to: identify, for a software application having a highest severity score, at least one mitigation technique; and implement the at least one mitigation technique prior to patching the software application.
- 18 . The non-transitory computer-readable medium of claim 16 , wherein the severity score is further calculated based on a type of the security threat.
- 19 . The non-transitory computer-readable medium of claim 16 , wherein the instructions further cause the one or more processors to update the prioritized list upon receiving information about a second security threat.
- 20 . The non-transitory computer-readable medium of claim 16 , wherein the usage metrics comprise information about a relationship between each of the plurality of software applications and the one or more software components.
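As an added illustration of the procedure in claims 9 and 16 (example code, not the patent's own implementation), the following Python script queries a constructed SBOM for applications that bundle a component named in a threat record, scores each application by its usage share scaled by the component's degree of susceptibility, and emits a patching order; the SBOM layout, usage counts, threat records and scoring formula are all assumptions made for the example.

```python
import json

# Constructed SBOM (simplified CycloneDX-like shape): components bundled by each application.
SBOM_JSON = json.dumps({
    "applications": [
        {"name": "billing-portal", "components": [
            {"name": "libxml-parser", "version": "2.9.1"}, {"name": "authlib", "version": "4.0"}]},
        {"name": "hr-intranet", "components": [
            {"name": "libxml-parser", "version": "2.10.3"}, {"name": "authlib", "version": "4.0"}]},
        {"name": "dev-sandbox", "components": [
            {"name": "libxml-parser", "version": "2.9.1"}]},
    ]
})

# Constructed usage metrics: distinct devices that accessed each application in the period (claim 11).
USAGE = {"billing-portal": 850, "hr-intranet": 120, "dev-sandbox": 4}
TOTAL_DEVICES = 1000

# Constructed threat records: susceptible component, affected versions, degree of susceptibility in [0, 1].
THREATS = [
    {"component": "libxml-parser", "affected_versions": {"2.9.1"}, "susceptibility": 0.9},
    {"component": "authlib", "affected_versions": {"4.0"}, "susceptibility": 0.3},
]


def susceptibility_by_app(sbom_json, threats):
    """Claim 6 step: map each application to the highest susceptibility among its affected components."""
    result = {}
    for app in json.loads(sbom_json)["applications"]:
        for comp in app["components"]:
            for t in threats:
                if comp["name"] == t["component"] and comp["version"] in t["affected_versions"]:
                    result[app["name"]] = max(result.get(app["name"], 0.0), t["susceptibility"])
    return result


def severity(usage_count, total_devices, susceptibility):
    """Assumed scoring: share of the fleet using the application, scaled by component susceptibility."""
    return round(usage_count / total_devices * susceptibility, 3)


def patching_order(sbom_json, usage, threats, total_devices, threshold=0.0):
    """Rank affected applications by severity, highest first, dropping those at or below the threshold."""
    scores = {app: severity(usage.get(app, 0), total_devices, s)
              for app, s in susceptibility_by_app(sbom_json, threats).items()}
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(app, s) for app, s in ranked if s > threshold]


if __name__ == "__main__":
    for app, score in patching_order(SBOM_JSON, USAGE, THREATS, TOTAL_DEVICES, threshold=0.01):
        print(f"{app:15s} severity={score}")
```

With the threshold set, the rarely used sandbox drops out of the order even though it bundles the most susceptible component, which is the usage-weighted prioritisation the claims describe.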
Description
CROSS REFERENCE TO RELATED APPLICATION
This U.S. patent application is a continuation of and claims priority to co-pending and commonly associated U.S. patent application Ser. No. 18/318,198, filed on May 16, 2023, the entirety of which is incorporated herein by reference.
TECHNICAL FIELD
The present disclosure relates generally to risk detection and management surrounding threats and vulnerabilities detected in relation to software applications.
BACKGROUND
Modern software applications are built using a collection of pre-existing libraries, open-source code, and other reusable components, along with custom software code. However, these reusable components, which are often easily accessible by the public, can become susceptible to security threats. For example, malicious actors may review the code for the publicly available components and identify weaknesses of those components that can be exploited in malicious code.
With the emergence of technologies such as Infrastructure as a Service (IaaS) and Software as a Service (SaaS), the resulting virtualization of services has led to a dramatic shift in how and what applications are made available to an organization. This increased availability of software applications has resulted in a corresponding increase in the difficulty of assessing risks to an organization resulting from the use of those software applications. For example, when a threat or vulnerability is detected in relation to a particular piece of code, it may be difficult for an organization to determine how the organization is impacted by that threat.
BRIEF DESCRIPTION OF THE DRAWINGS
The detailed description is set forth below with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items. The systems depicted in the accompanying figures are not to scale and components within the figures may be depicted not to scale with each other.
- FIG. 1 depicts an example environment in which risks may be assessed in relation to detected vulnerabilities in accordance with at least some embodiments.
- FIG. 2 depicts an example of a risk management engine that may be implemented to determine a level of risk associated with a detected software vulnerability in accordance with at least some embodiments.
- FIG. 3 depicts a block diagram illustrating an example of a process for generating and mitigating risk for an organization upon detecting a threat in accordance with at least some embodiments.
- FIG. 4 depicts an example of an access control device that may be used to control access to applications hosted on an application provider in accordance with at least some embodiments.
- FIG. 5 depicts a block diagram illustrating an example of a process for allowing or denying network traffic based on a determined risk in accordance with at least some embodiments.
- FIG. 6 depicts a flow diagram illustrating an exemplary process for detecting and mitigating a threat in accordance with at least some embodiments.
- FIG. 7 depicts a flow diagram illustrating an exemplary process for managing network traffic based on detected threats in accordance with at least some embodiments.
- FIG. 8 is a schematic block diagram of an example computer network illustratively comprising nodes/devices, such as a plurality of routers/devices interconnected by links or networks, as shown.
- FIG. 9 illustrates an example network in greater detail, according to various embodiments.
- FIG. 10 is a computing system diagram illustrating a configuration for a data center that can be utilized to implement aspects of the technologies disclosed herein.
- FIG. 11 shows an example computer architecture for a server computer capable of executing program components for implementing the functionality described above.
DESCRIPTION OF EXAMPLE EMBODIMENTS
Overview
A first method according to the techniques described herein may first include receiving information about a security threat and identifying one or more components susceptible to the security threat. The method may further include determining, based on a software bill of materials (SBOM), a number of software applications associated with the one or more components, and determining, based on usage metrics stored in relation to the number of software applications in relation to an organization, a risk value associated with the organization. Once such a risk value has been determined, the method may further include providing the risk value to at least one second electronic device.
A second method according to the techniques described herein may first include receiving network traffic originating from a computing device associated with an organization. The method then includes determining a target software application associated with the network traffic, determining, based on a software bill of materials, a number of components