CPC G06F 21/554 (2013.01) [G06F 3/04842 (2013.01); G06N 7/01 (2023.01); G06N 20/00 (2019.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01); H04L 63/1441 (2013.01); G06F 2221/034 (2013.01); G06F 2221/2115 (2013.01); H04L 2463/102 (2013.01)]. 27 Claims.
1. A computer-implemented method, executed on a computing device, comprising: monitoring and logging, by a plurality of security-relevant subsystems, respective activity of the plurality of security-relevant subsystems with respect to a computing platform, wherein the plurality of security-relevant subsystems include one or more of CDN (Content Delivery Network) systems; DAM (Database Activity Monitoring) systems; UBA (User Behavior Analytics) systems; MDM (Mobile Device Management) systems; IAM (Identity and Access Management) systems; DNS (Domain Name Server) systems, antivirus systems, operating systems, data lakes; data logs; security-relevant software applications; security-relevant hardware systems;
monitoring a plurality of sources to identify suspect activity within the computing platform, the plurality of sources including log files maintained by one or more of the plurality of security-relevant subsystems, wherein a probabilistic process contains a probabilistic model and a trained neural network, constructs a decision tree, and provides branch weights and probabilities;
detecting a security event within the computing platform based upon the identified suspect activity, wherein threat mitigation process compares current security-relevant capabilities of computing platform to the comparative platform information determined for the comparative platform to identify a threat context indicator for computing platform, wherein comparison information includes graphical comparison information which includes a client threat context score, a maximum possible client threat context score, a vendor threat context score, and an industrial threat context score forming an aggregated security relevant information set;
rendering a threat mitigation user interface that identifies objects within the computing platform in response to the security event;
enabling a third-party to select an object within the threat mitigation user interface, thus defining a selected object; and rendering an inspection window that defines object information concerning the selected object;
enabling the third-party to gather artifacts concerning an object within the threat mitigation user interface; providing suggestions concerning additional artifacts to be gathered; and
assigning a threat level to the security event based upon, at least in part, the gathered artifacts;
detecting the security event within the computing platform based upon the aggregated security relevant information set and identified suspect activity, wherein detecting the security event within the computing platform based upon identified suspect activity includes: monitoring a plurality of sources to identify suspect activity within the computing platform and effectuate a threat mitigation for the identified suspect activity.