US 12,284,192 B2
Real-time application state monitoring, white list profile instantiation, behavioral detection and automatic cyber attack defense (bushido)
Sameer Malhotra, Short Hills, NJ (US); and Nazario Parsacala, Piscataway, NJ (US)
Assigned to TRUEFORT, INC., Weehawken, NJ (US)
Filed by Sameer Malhotra, Short Hills, NJ (US); and Nazario Parsacala, Piscataway, NJ (US)
Filed on Dec. 23, 2016, as Appl. No. 15/389,725.
Prior Publication US 2018/0183818 A1, Jun. 28, 2018
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1416 (2013.01) [H04L 63/1425 (2013.01)] 4 Claims
1. A system for a complete application monitoring and cyber defense system based upon advanced application level segmentation, real-time behavior analytics, automatic application protection and full workflow orchestration for all enterprise technology to remediate immediate and residual threats, the system comprising
a plurality of technology entities comprising information technology and data processing assets in an enterprise, said assets comprising one or more servers, desktops, network switches, routers, databases, mobile devices, and storage devices;
a software agent comprising computer programming instructions executable on a processor and configured to run on the technology entities, to collect data, and to transmit the data via an encrypted channel to a Communications Bus, the collection and transmission frequency being independently programmable to change the sampling frequency and to optimize network traffic bandwidth, the software agent data comprising all available system telemetries comprising CPU, memory, disk usage, network traffic and connections, system and user processes, and network tables, based on the operating system of each of the technology entities, including Linux, Windows, Solaris, AIX, and OSX;
the software agent controlled via API (Application Programming Interface) to modify a collection method, a frequency, and a scope of data being collected,
the software agent programmed to accept 3rd party plugins relating to an additional data collection method, said plugins comprising database platform plugins and appliance plugins,
the software agent programmed with a self-healing and auto restart module to run if the software agent is terminated, said self-healing and auto restart module having a coupled watcher+agent configuration component,
the software agent programmed with a task module to perform tasks on each operating system and application running on the technology entities based upon task instructions sent to it, said task instructions being sent securely with validation from an Orchestration Engine,
the software agent programmed with an on-demand module to run ad-hoc, on-demand queries to interrogate the real-time present state of a technology entity, said queries comprising analysis and threat detection, the on-demand queries initiated centrally via a Command & Control Console, said queries executed in a parallelized manner so that requested data is transmitted and available within the same timeframe regardless of the number of entities or the size of the system;
a flexible API (Application Programming Interface) programmed to provide data collection, said API compatible with a plurality of 3rd party log sources and network devices for rapid integration of new sources of data without delay;
a Message Backbone comprising a communications channel that is horizontally scalable, globally replicable, and having no single points of failure, said communications channel programmed to employ a ‘publish and subscribe’ messaging model for message transmission, said communications channel programmed to run on readily available commodity hardware;
a Profiling Engine programmed to perform a series of operations in real-time on the collected data to automatically create a virtual application segmentation profile or white list application profile by first normalizing timestamps on all incoming data to the UTC standard to ensure the temporal synchronization that is critical to the analysis and correlation of events, then grouping the data by minute, hourly, daily, weekly, monthly, and quarterly buckets by default, and then applying standard statistical sampling techniques to the data to record basic statistics such as min, max, mean, mode, average, and standard deviation;
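As an added example (not code from the patent or from TrueFort), the Python below carries out the Profiling Engine's three steps on constructed agent samples: it normalizes offset-bearing timestamps to UTC, floors them into minute, hourly or daily buckets, and records min, max, mean, mode and standard deviation per application and bucket. The application id `app-payments` and the CPU readings are constructed, and the bucket table generalizes the claim's default widths to any width listed in `BUCKET_SECONDS`.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, mode, pstdev

# Constructed sample telemetry: (agent-local timestamp with offset, application id, CPU %).
# Agents in different time zones report the same application; UTC normalization lines them up.
SAMPLES = [
    ("2016-12-23T09:05:00-05:00", "app-payments", 12.0),  # 14:05 UTC
    ("2016-12-23T14:20:00+00:00", "app-payments", 15.0),  # 14:20 UTC
    ("2016-12-23T09:40:00-05:00", "app-payments", 12.0),  # 14:40 UTC
    ("2016-12-23T16:10:00+01:00", "app-payments", 35.0),  # 15:10 UTC
    ("2016-12-23T10:30:00-05:00", "app-payments", 30.0),  # 15:30 UTC
    ("2016-12-23T15:50:00+00:00", "app-payments", 35.0),  # 15:50 UTC
    ("2016-12-23T10:55:00-05:00", "app-payments", 35.0),  # 15:55 UTC
]

# Bucket widths in seconds; buckets are aligned to the Unix epoch, i.e. to midnight UTC.
BUCKET_SECONDS = {"minute": 60, "hour": 3600, "day": 86400}

def to_utc(ts: str) -> datetime:
    """Step 1: parse an ISO-8601 timestamp carrying an offset and normalize it to UTC."""
    return datetime.fromisoformat(ts).astimezone(timezone.utc)

def bucket_start(dt: datetime, bucket: str) -> str:
    """Step 2: floor a UTC datetime to the start of its bucket; the ISO string is the group key."""
    width = BUCKET_SECONDS[bucket]
    epoch = int(dt.timestamp())
    return datetime.fromtimestamp(epoch - epoch % width, tz=timezone.utc).isoformat()

def profile(samples, bucket: str = "hour") -> dict:
    """Step 3: basic statistics per (application, bucket) over the collected values."""
    groups = defaultdict(list)
    for ts, app_id, value in samples:
        groups[(app_id, bucket_start(to_utc(ts), bucket))].append(value)
    return {
        key: {
            "n": len(vals),
            "min": min(vals),
            "max": max(vals),
            "mean": mean(vals),
            "mode": mode(vals),
            "stdev": pstdev(vals),  # population stdev: the bucket holds the whole sample
        }
        for key, vals in groups.items()
    }
```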
a Behavior Profile Engine programmed to generate a plurality of Application profiles comprising an application definition and a summary of observed information within a specific time period;
said Behavior Analytics Engine programmed to combine Application Profiles, Policies and Metadata to detect anomalies which are manifested as an Alert;
a Command and Control Interface programmed to fine-tune said Application Profiles in two ways: (1) an administrator/user modifies/adds/removes entries in the application profile to further reflect the real-world picture and (2) the Behavior Analytics Engine refers back to the events/metrics that caused an alert and refines the policy to minimize false positives;
a Data Ambassador component programmed to manage the reference data from a technology asset management system and a configuration management system, wherein correlation techniques are applied to the collected metrics in conjunction with the reference data to add context and improve analysis efficiency and detection capabilities for a multitude of scenarios;
wherein, after a default sampling period, which varies with the intended timeframe buckets selected from the group consisting of hours, days, weeks, and months, unique application patterns and behavioral profiles are identified based on these contextualized data and stored as application compartment profiles;
wherein the application compartment profiles serve as a unique baseline profile for each of the applications upon which anomaly detection is referenced, said unique baseline profile labelled as an application white listed profile;
wherein the Behavior Profiling Engine is programmed to automatically generate a plurality of Unique Application profiles, assign an Application ID, and store the Unique Application profiles in the system, wherein the Unique Application profiles are generated based upon a sophisticated multi-variable time-series model, which includes application process consumption of system resources, open network ports, traffic characteristics, geographic topology, vector of system access, duration of access, and interrelationship of various entities;
wherein the Behavior Profiling Engine is programmed to generate a software code binary integrity profile on critical application code and system binaries using checksum methods such as MD5 to enable tamper detection, wherein the Behavior Profiling Engine is programmed to optimize for Java-based programs via a checksum at the JAR collection level, wherein the Behavior Profiling Engine is programmed to utilize a streamlining technique to checksum only running applications to reduce the tamper detection scope, as only tampered running software is capable of further threats to the environment;
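An added example, not the patent's or TrueFort's code, of the binary integrity profile described above: it checksums only the binaries of running applications, rolls a Java application's JARs into a single collection-level digest, and diffs a later profile against the baseline. The `(app_id, path)` input shape and the fake binaries in `demo()` are constructed; the default algorithm is MD5 as the claim names it, with `sha256` accepted as a drop-in since MD5 is no longer collision-resistant.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path: Path, algo: str = "md5") -> str:
    """Chunked checksum of one binary; the claim names MD5, 'sha256' is a drop-in."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def jar_collection_digest(lib_dir: Path, algo: str = "md5") -> str:
    """One digest over the sorted (name, digest) pairs of a Java app's JAR set."""
    h = hashlib.new(algo)
    for jar in sorted(lib_dir.glob("*.jar")):
        h.update(jar.name.encode())
        h.update(file_digest(jar, algo).encode())
    return h.hexdigest()

def integrity_profile(running, algo: str = "md5") -> dict:
    """Profile only *running* apps (the claim's streamlining).
    `running`: (app_id, path) pairs, path = executable or Java lib dir (assumed shape)."""
    profile = {}
    for app_id, path in running:
        path = Path(path)
        is_java = path.is_dir()
        profile[(app_id, str(path))] = (jar_collection_digest if is_java else file_digest)(path, algo)
    return profile

def detect_tampering(baseline: dict, current: dict) -> list:
    """Keys whose digest differs from the baseline (or were never baselined)."""
    return sorted(k for k, d in current.items() if baseline.get(k) != d)

def demo() -> list:
    """Constructed scenario: baseline two fake binaries and a JAR set, then tamper with two."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payd").write_bytes(b"\x7fELF payments daemon v1")
        (root / "webd").write_bytes(b"\x7fELF web frontend v1")
        lib = root / "lib"
        lib.mkdir()
        (lib / "core.jar").write_bytes(b"PK core")
        (lib / "util.jar").write_bytes(b"PK util")
        running = [("app-payments", root / "payd"), ("app-web", root / "webd"), ("app-java", lib)]
        baseline = integrity_profile(running)
        (root / "payd").write_bytes(b"\x7fELF payments daemon v1 with a patched function")
        (lib / "util.jar").write_bytes(b"PK util replaced")
        return [app_id for app_id, _ in detect_tampering(baseline, integrity_profile(running))]
```

`detect_tampering` also flags a running binary that has no baseline entry, so a process started from a never-profiled path surfaces alongside modified ones.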
wherein the Behavior Profiling Engine is programmed to generate a Feed-based application profile by accepting feed data from sources such as systems of records or CMDB;
wherein the Behavior Profiling Engine is programmed to accept a manually created application profile, based on known entities and their relationships to preset existing entities, into an application profile, and to allow the Behavior Profiling Engine to augment it with behavioral baselines from the collected data;
a Policy Engine programmed to provide default policies that govern the normalcy of an application profile and specify security parameters to adhere to, wherein the Default policies comprise control parameters for time-of-day, geographic location, resource consumption pattern, and network access pattern that denote normal behavior, wherein the Security policies comprise control parameters for avoidance rules, zero-day threats, and bad IP addresses, wherein the Default policies and Security policies are fed into a Behavioral Analytics Engine to detect anomalies, said policy defaults being provided for each class of application type and fully customizable for each application profile;
the Behavioral Analytics Engine programmed to provide a complex event processing system that continuously monitors high-speed data streams from the Communications Channel and makes observations, wherein the Behavioral Analytics Engine, in conjunction with the Application Profiles and Policies, detects in real-time data that indicates a behavior anomaly from the profile, wherein once an anomaly is detected, three (3) primary actions are programmed to handle the behavior anomaly;
said Behavioral Analytics Engine programmed with detection logic to detect behavioral anomalies using computational checksums to detect tampering of application code and/or binaries on the operating system, to analyse user and administrator access patterns against the access control databases and application profile to detect out-of-range behaviors, and to perform context-based analyses on network port access patterns for each application process, time-of-day, and duration of activities, to determine behavior deviations;
wherein the three primary actions comprise:
Action 1: Produce an alert and route it to an Alert Management System and to an Event Management System that performs a remedial action lifecycle comprising incident logging, action step formulation, governance approvals, and execution of remedial steps;
Action 2: Inform an Orchestration Engine programmed to provide automatic lock-down or remediation of the environment and application, wherein the automatic lock-down prevents further infiltration and ensures the applications behave within the compartments or white list as described by their profiles;
Action 3: Update the application profile with this new behavior to customize the profile to include the behavior as part of the normal operating profile of the application;
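As an added example (not the patent's or TrueFort's code) of how the Default and Security policies combine with an Application Profile to yield findings and choose among the three actions above: the profile, policy and event values are constructed, and the rule that a security-policy hit triggers lock-down while default-policy deviations alone are offered as a profile update is this illustration's own assumption, since the claim does not state which finding selects which action.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class AppProfile:                # white-listed baseline for one application
    app_id: str
    hours_utc: range             # observed time-of-day window
    regions: set                 # observed geographic locations
    cpu_mean: float              # resource consumption baseline
    cpu_stdev: float
    ports: set                   # observed network ports
    peers: set                   # observed destination addresses
@dataclass
class SecurityPolicy:            # avoidance rules and known-bad addresses
    blocked_ports: set
    bad_ips: set

# Constructed baseline, policy and one out-of-profile event for a payments service.
PROFILE = AppProfile("app-payments", range(6, 22), {"us-east"}, 20.0, 4.0, {443, 5432}, {"10.1.2.3"})
POLICY = SecurityPolicy(blocked_ports={23, 4444}, bad_ips={"203.0.113.9"})
EVENT = {"ts": "2016-12-23T22:30:00-05:00", "region": "us-east", "cpu": 48.0,
         "ports": [443, 4444], "peers": ["10.1.2.3"]}

def evaluate(event: dict, profile: AppProfile, policy: SecurityPolicy, sigma: float = 3.0) -> list:
    """Return (kind, detail) findings: 'default' = profile deviation, 'security' = policy hit."""
    findings = []
    hour = datetime.fromisoformat(event["ts"]).astimezone(timezone.utc).hour
    if hour not in profile.hours_utc:
        findings.append(("default", f"time-of-day {hour:02d}h UTC"))
    if event["region"] not in profile.regions:
        findings.append(("default", f"region {event['region']}"))
    if abs(event["cpu"] - profile.cpu_mean) > sigma * profile.cpu_stdev:
        findings.append(("default", f"cpu {event['cpu']}"))
    for port in event["ports"]:
        if port in policy.blocked_ports:
            findings.append(("security", f"blocked port {port}"))
        elif port not in profile.ports:
            findings.append(("default", f"new port {port}"))
    for ip in event["peers"]:
        if ip in policy.bad_ips:
            findings.append(("security", f"bad ip {ip}"))
        elif ip not in profile.peers:
            findings.append(("default", f"new peer {ip}"))
    return findings

def dispatch(findings: list) -> list:
    """The claim's three actions; which ones fire is this example's assumption: any finding ->
    Action 1 alert; a security hit -> Action 2 lock-down; otherwise Action 3 profile update."""
    security = any(kind == "security" for kind, _ in findings)
    return ["alert", "lockdown" if security else "offer-profile-update"] if findings else []
```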
wherein the automatic lock-down feature utilizes OS kernel firewalling techniques that provide granular access controls at the application process level, wherein the lock-down is executed by the software agent and provides the capabilities to restrict an application or the entire operating system from communicating to specific target systems, specific network ports, and/or specific other applications;
wherein the Orchestration Engine communicates with the software agent to effect the automatic lock-down during a detected event, wherein the Orchestration Engine has a flexible workflow module that provides open architecture plug-in capabilities, wherein the plug-in capability allows it to interface with existing IT management software and systems to orchestrate actions across a heterogeneous environment to comprehensively patch, reconfigure and address vulnerabilities in the system;
an Event Management Engine programmed to manage the complete lifecycle of an incident and event to ensure comprehensive remediation of the underlying vulnerabilities, and to integrate patch rollout and process-oriented IT functions for approvals and controls, wherein the Event Management Engine is fully compliant with the ITIL framework, wherein the Event Management Engine provides patching and remediation actions via the Orchestration Engine;
a Command & Control Console programmed to provide a single comprehensive view of the state of all applications and systems in an enterprise, and to function as a single point of control to manage environment configuration and vulnerability remediation to provide a coordinated approach, wherein the Command & Control Console comprises an Entitlement framework programmed for fine-grained management of application and asset visibility wherein Technology Entities and applications are grouped based on locations, types, and activities, the Entitlement framework programmed with custom filters for grouping lines of business, critical applications, and PII data segregation;
a Node module programmed to manage a cluster consisting of 1 to N identical nodes, wherein each node is a server executing all the components of the architecture, wherein adding more nodes into a cluster increases processing and data storage capacity, wherein all nodes are identical, wherein the Node module supports dynamic scaling for removing or adding nodes to the cluster, to remove or add storage and computing resources;
a Message Broker component within each node programmed to form a Messaging Backbone programmed to provide a means of system communications, wherein a cluster of message brokers is programmed to communicate with each other to understand states and to load-balance the messages being processed, wherein the Message Backbone is responsible for transmitting and receiving all communication messages among many of the system's components and between agents and feeds, and transmits commands to reconfigure agents or to lock down and remediate compromised applications;
a Scale-out Data-store component within each node programmed to form a Data Backbone, wherein the Data Backbone stores persistent data, application profile data and monitoring policies, wherein the Data Backbone provides storage for event and incident management, wherein data-driven automation and orchestration are able to use this backbone to perform required tasks, wherein the system automatically detects modification of the nodes and dynamically balances the load;
wherein each node in the system runs a complete set of independent components that make up the entire system/application ecosystem, wherein each component within the node communicates with its peers across all other nodes within the cluster, wherein the communication protocol is programmed to guarantee resiliency of the system down to the last component running in the cluster;
a Regional Cluster that locally processes all metrics, events, and actions, said Regional Cluster programmed to service a geographic locale where devices are within tolerable network latency to ensure efficient data transmission and to optimize detection, wherein Regional Clusters communicate with each other via a scale-out Gateway, wherein the Gateway server is programmed to send messages to the Gateway server of another Regional Cluster, wherein the Gateway servers are programmed to subscribe to specific events and messages for forwarding to other regions, wherein once the metrics, events, and profiles are processed within the Regional Cluster, the results are sent back to the original Cluster, wherein the Gateways are programmed to periodically synchronize data globally, so that with this configuration one can connect to any region and yet have global visibility of the entire environment, wherein events from the agents within the cluster are processed locally within the cluster, wherein the gateway processes are programmed to send messages to each of the regional clusters, wherein the gateway processes are programmed to subscribe to specific events/messages for forwarding to other regions, and wherein the gateway processes are programmed to scale horizontally.