-
1.
Publication No.: US20210067562A1
Publication date: 2021-03-04
Application No.: US17095376
Filing date: 2020-11-11
Applicant: SECUREWORKS CORP.
Inventor: Ross Rowland Kinder, William Urbanski, Ryan James Leavengood, Timothy Vidas, Jon Ramsey
IPC: H04L29/06
Abstract: Systems and methods for reversibly remediating security risks, which monitor a network or system for security risks and, upon detection of one or more risks, apply a remedial action applicable to at least partially remedy or mitigate the one or more detected risks. The network or system is monitored for a change to the detected risk(s), and upon detection of a change to the detected risk(s), the applied remediation action is automatically reversed.
-
2.
Publication No.: US11044263B2
Publication date: 2021-06-22
Application No.: US17024845
Filing date: 2020-09-18
Applicant: Secureworks Corp.
Inventor: Lewis McLean, Jon Ramsey, Nash Borges
Abstract: The present disclosure provides systems and methods for organizations to use security data to generate risk scores associated with potential compromise based on clustering and/or similarities with other organizations that have or may have been compromised. For example, indicators of compromise can be used to create a similarity score rank over time that may be used as a similarity and risk measurement to generate a continual/dynamic score, which can change and/or be updated as new data is created or arrives, to detect or prevent threats and/or malicious attacks.
-
3.
Publication No.: US20170244750A1
Publication date: 2017-08-24
Application No.: US15436277
Filing date: 2017-02-17
Applicant: SecureWorks Corp.
Inventor: Ross R. Kinder, Aaron Hackworth, Matthew K. Geiger, Kevin R. Moore, Timothy M. Vidas, Oliver J. Palmer, Jon Ramsey, Matt J. McCormack
CPC classification number: H04L63/308, H04L63/0428, H04L63/08, H04L63/1416, H04L63/1425, H04L63/1433, H04L63/1441, H04L63/145, H04L63/1466, H04L63/20
Abstract: A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and to analyze the event data to detect compromises of the remote system. The endpoint agent is configured to acquire event data and communicate the event data to the server.
-
4.
Publication No.: US20210006575A1
Publication date: 2021-01-07
Application No.: US17024845
Filing date: 2020-09-18
Applicant: Secureworks Corp.
Inventor: Lewis McLean, Jon Ramsey, Nash Borges
Abstract: The present disclosure provides systems and methods for organizations to use security data to generate risk scores associated with potential compromise based on clustering and/or similarities with other organizations that have or may have been compromised. For example, indicators of compromise can be used to create a similarity score rank over time that may be used as a similarity and risk measurement to generate a continual/dynamic score, which can change and/or be updated as new data is created or arrives, to detect or prevent threats and/or malicious attacks.
-
5.
Publication No.: US20200351307A1
Publication date: 2020-11-05
Application No.: US16929404
Filing date: 2020-07-15
Applicant: SECUREWORKS CORP.
Inventor: Timothy Vidas, Jon Ramsey, Aaron Hackworth, Robert Danford, William Urbanski
Abstract: Methods and systems for building security applications can be provided. Data policies for accessing security data can be set, and a module pipeline including one or more modules selected from a plurality of modules can be generated. The modules can include at least one module operable to apply a predictive security application or model for detection or identification of security threats. Module execution policies governing execution of the one or more modules in the module pipeline also can be set. Upon receipt of a request to initiate execution of the module pipeline, it can be determined whether the execution thereof would violate the data policies or the module execution policies. If so, execution of the module pipeline can be blocked; otherwise the module pipeline can be executed to process the portion of the security data.
-
6.
Publication No.: US20190379678A1
Publication date: 2019-12-12
Application No.: US16006236
Filing date: 2018-06-12
Applicant: Secureworks Corp.
Inventor: Lewis McLean, Jon Ramsey, Nash Borges
Abstract: The present disclosure provides systems and methods for organizations to use forensic data to generate risk scores associated with potential compromise based on clustering and/or similarities with other organizations that have or may have been compromised. For example, specific attributes or marks, such as low-fidelity indicators of compromise, can be used to create a similarity score rank over time that may be used as a similarity and risk measurement to generate a continual/dynamic score, which can change and/or be updated as new data is created or arrives, to detect or prevent threats and/or malicious attacks.
-
7.
Publication No.: US20190141079A1
Publication date: 2019-05-09
Application No.: US15804109
Filing date: 2017-11-06
Applicant: SECUREWORKS CORP.
Inventor: Timothy Vidas, Jon Ramsey, Aaron Hackworth, Robert Danford, William Urbanski
Abstract: Methods and systems for developing and distributing applications and data for building security applications can be provided. A plurality of data policies can be set for accessing and/or filtering security data based on selected parameters. One or more modules can be generated for processing the security data, with each of the modules governed by one or more module policies. Upon receipt of a request to initiate execution of the one or more modules to access and process a selected portion or filtered set of the security data, it can be determined whether the request violates the data policies and/or the module policies applicable for processing the selected portion or filtered set of the security data; if the data policies and/or the module policies are not violated, the one or more modules can be executed to process the selected portion or filtered set of the security data.
-
8.
Publication No.: US20180152480A1
Publication date: 2018-05-31
Application No.: US15816133
Filing date: 2017-11-17
Applicant: SECUREWORKS CORP.
Inventor: Ross Rowland Kinder, William Urbanski, Ryan James Leavengood, Timothy Vidas, Jon Ramsey
IPC: H04L29/06
CPC classification number: H04L63/20, H04L63/1433
Abstract: Systems and methods for reversibly remediating security risks, which monitor a network or system for security risks and, upon detection of one or more risks, apply a remedial action applicable to at least partially remedy or mitigate the one or more detected risks. The network or system is monitored for a change to the detected risk(s), and upon detection of a change to the detected risk(s), the applied remediation action is automatically reversed.
-
9.
Publication No.: US11632398B2
Publication date: 2023-04-18
Application No.: US16929404
Filing date: 2020-07-15
Applicant: SECUREWORKS CORP.
Inventor: Timothy Vidas, Jon Ramsey, Aaron Hackworth, Robert Danford, William Urbanski
Abstract: Methods and systems for building security applications can be provided. Data policies for accessing security data can be set, and a module pipeline including one or more modules selected from a plurality of modules can be generated. The modules can include at least one module operable to apply a predictive security application or model for detection or identification of security threats. Module execution policies governing execution of the one or more modules in the module pipeline also can be set. Upon receipt of a request to initiate execution of the module pipeline, it can be determined whether the execution thereof would violate the data policies or the module execution policies. If so, execution of the module pipeline can be blocked; otherwise the module pipeline can be executed to process the portion of the security data.
-
10.
Publication No.: US11418524B2
Publication date: 2022-08-16
Application No.: US16405788
Filing date: 2019-05-07
Applicant: Secureworks Corp.
Inventor: William M. Urbanski, Timothy M. Vidas, Kyle Soeder, Jon Ramsey, Robert William Danford, Aaron Hackworth
Abstract: The present disclosure provides systems and methods for detection of one or more security threats or malicious actions. According to the present disclosure, data can be received from one or more data producers and provided to a behavior processor. The behavior processor extracts, identifies, or detects one or more behaviors from the data based on one or more data, features, or characteristics included therein, and provides the one or more identified behaviors to a tactic processor. The tactic processor extracts, identifies, or detects one or more tactics based on the one or more identified behaviors, and submits the one or more identified tactics to a tactic classifier to determine whether the one or more identified tactics are indicative of the one or more security threats or malicious actions. Other aspects are also described.