US 12,452,257 B2
Automatically generated investigation container
Dennis Clay Griffin, Pebble Beach, CA (US); and Biju Balakrishnan Nair, Bangalore (IN)
Assigned to Sophos Limited, Abingdon (GB)
Filed by Sophos Limited, Abingdon (GB)
Filed on May 26, 2022, as Appl. No. 17/825,135.
Application 17/825,135 is a continuation of application No. PCT/US2022/030859, filed on May 25, 2022.
Claims priority of provisional application 63/254,368, filed on Oct. 11, 2021.
Prior Publication US 2023/0113621 A1, Apr. 13, 2023
Int. Cl. H04L 9/40 (2022.01); G06F 21/53 (2013.01); G06F 21/56 (2013.01)
CPC H04L 63/1408 (2013.01) [G06F 21/53 (2013.01); G06F 21/567 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01); H04L 63/1441 (2013.01); H04L 63/145 (2013.01); H04L 63/20 (2013.01)] 20 Claims
1. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, causes the one or more computing devices to perform the steps of:
receiving, at a threat management facility, a local threat indication from a local security agent executing on a compute instance, the local threat indication identifying a category of malicious activity associated with one or more events detected on the compute instance;
at a threat management facility, augmenting event data associated with the local threat indication with transient contextual threat data related to the local threat indication from a third-party service;
calculating a transient contextual threat score for the compute instance based at least in part on the transient contextual threat data;
at the threat management facility, augmenting the event data with transient cloud resource data from a cloud service that provides access to data and services of an enterprise network to the compute instance, wherein the transient cloud resource data is based on an action taken at the cloud service and associated with the local threat indication;
determining a composite threat score indicative of a threat risk for the compute instance based on at least the local threat indication, the transient contextual threat score based at least in part on the transient contextual threat data, and the transient cloud resource data based on the action taken at the cloud service and associated with the local threat indication;
automatically creating an investigation container for investigating activity associated with the composite threat score in response to the composite threat score meeting a predetermined threshold, the investigation container associated with a user interface displaying one or more threat scores based on the local threat indication, the transient contextual threat data, and the transient cloud resource data, the user interface providing interactive access to supporting data for the one or more threat scores including one or more of the local threat indication, the contextual threat score, and the transient cloud resource data;
initiating remediation of the compute instance by terminating a process executing on the compute instance and associated with the local threat indication; and
transmitting a notification with a link to the user interface associated with the investigation container to a device associated with a security technician.
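The flow recited in claim 1 (local indication, third-party contextual score, cloud-side action data, composite score, threshold, investigation container, remediation, notification) is shown below as an added worked example. It is illustrative code written for this page, not Sophos's implementation, and every weight, threshold, field name, console URL and sample value in it is an assumption chosen for the example.

```python
"""Illustrative model of the claim-1 pipeline (not Sophos's code).

All weights, thresholds, field names and sample inputs are assumptions
for this example; remediation and notification are recorded, not executed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed base score per category reported by the local security agent.
CATEGORY_BASE_SCORE = {"ransomware": 0.9, "credential_theft": 0.7, "pua": 0.3}
# Assumed predetermined threshold for creating an investigation container.
CONTAINER_THRESHOLD = 0.6


@dataclass
class LocalThreatIndication:
    compute_instance: str
    category: str           # category of malicious activity named by the agent
    process_id: int         # process the indication is associated with
    events: list            # constructed sample event records


@dataclass
class ContextualThreatData:
    # Transient data from a third-party service (e.g. reputation of an indicator).
    indicator: str
    reputation: str         # "malicious" | "suspicious" | "unknown" | "benign"
    age_days: int


@dataclass
class CloudResourceData:
    # Transient data keyed on an action taken at the cloud service.
    action: str             # e.g. "mass_download", "share_external", "login"
    resource_count: int


def contextual_score(data: ContextualThreatData) -> float:
    """Transient contextual threat score: reputation, decayed by indicator age."""
    base = {"malicious": 1.0, "suspicious": 0.6, "unknown": 0.3, "benign": 0.0}[data.reputation]
    decay = max(0.5, 1.0 - data.age_days / 60.0)   # fresher indicators weigh more (assumption)
    return round(base * decay, 3)


def cloud_score(data: CloudResourceData) -> float:
    """Score the cloud-side action associated with the local indication."""
    weight = {"mass_download": 0.8, "share_external": 0.6, "login": 0.1}.get(data.action, 0.2)
    volume = 1.0 + min(data.resource_count, 100) / 100.0  # scale by affected resources, capped
    return round(min(1.0, weight * volume), 3)


def composite_score(local: LocalThreatIndication, ctx: ContextualThreatData,
                    cloud: CloudResourceData) -> float:
    """Composite threat score: weighted combination of the three inputs in the claim."""
    local_s = CATEGORY_BASE_SCORE.get(local.category, 0.2)
    return round(0.5 * local_s + 0.3 * contextual_score(ctx) + 0.2 * cloud_score(cloud), 3)


@dataclass
class InvestigationContainer:
    compute_instance: str
    scores: dict            # the per-source and composite scores shown in the UI
    supporting_data: dict   # interactive access to the underlying evidence
    remediation: list = field(default_factory=list)
    link: str = ""


def process_threat_indication(local: LocalThreatIndication, ctx: ContextualThreatData,
                              cloud: CloudResourceData,
                              threshold: float = CONTAINER_THRESHOLD) -> Optional[InvestigationContainer]:
    """Create an investigation container when the composite score meets the threshold."""
    score = composite_score(local, ctx, cloud)
    if score < threshold:
        return None
    container = InvestigationContainer(
        compute_instance=local.compute_instance,
        scores={"local": CATEGORY_BASE_SCORE.get(local.category, 0.2),
                "contextual": contextual_score(ctx),
                "cloud": cloud_score(cloud),
                "composite": score},
        supporting_data={"local_threat_indication": local,
                         "contextual_threat_data": ctx,
                         "cloud_resource_data": cloud},
        # Placeholder console URL; an assumption, not a real endpoint.
        link=f"https://console.example/investigations/{local.compute_instance}",
    )
    # Remediation step from the claim: terminate the associated process (recorded only).
    container.remediation.append(f"terminate pid {local.process_id} on {local.compute_instance}")
    return container


def notification(container: InvestigationContainer) -> dict:
    """Notification to the security technician carrying the link to the container UI."""
    return {"to": "security-technician", "link": container.link,
            "composite": container.scores["composite"]}


if __name__ == "__main__":
    # Constructed sample: a ransomware indication with a fresh malicious indicator
    # and a bulk download at the cloud service.
    local = LocalThreatIndication("host-17", "ransomware", 4242,
                                  [{"event": "file_encrypt", "count": 120}])
    ctx = ContextualThreatData("203.0.113.9", "malicious", 3)
    cloud = CloudResourceData("mass_download", 40)
    c = process_threat_indication(local, ctx, cloud)
    print(c.scores, c.remediation, notification(c))
```

Each of the three scores stays visible in the container alongside the composite so that the technician can see which input drove the decision; a threshold on the composite alone, without the supporting data, would give no way to tell a high local score from a high cloud-side score.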