-
Publication number: US20230133892A1
Publication date: 2023-05-04
Application number: US17668639
Filing date: 2022-02-10
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout, Martin Kopp, Kyrylo Shcherbin, Jaroslav Hlavac, Cenek Skarda
IPC: H04L9/40
Abstract: Techniques for combining threat-related events associated with different modalities to provide a complete insight into cyber attack life cycles. The techniques may include receiving telemetry data associated with one or more modalities and detecting, based at least in part on the telemetry data, one or more abnormal events associated with security incidents. The one or more abnormal events may include at least a first abnormal event associated with a first modality and a second abnormal event associated with a second modality. The techniques may also include determining that an entity associated with the abnormal events is a same entity and, based at least in part on the entity comprising the same entity, determining that a correlation between the abnormal events is indicative of a security incident. Based at least in part on the correlation, an indication associated with the security incident may be output.
-
Publication number: US11985154B2
Publication date: 2024-05-14
Application number: US17668639
Filing date: 2022-02-10
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout, Martin Kopp, Kyrylo Shcherbin, Jaroslav Hlavac, Cenek Skarda
IPC: H04L9/40
CPC classification number: H04L63/1425
Abstract: Techniques for combining threat-related events associated with different modalities to provide a complete insight into cyber attack life cycles. The techniques may include receiving telemetry data associated with one or more modalities and detecting, based at least in part on the telemetry data, one or more abnormal events associated with security incidents. The one or more abnormal events may include at least a first abnormal event associated with a first modality and a second abnormal event associated with a second modality. The techniques may also include determining that an entity associated with the abnormal events is a same entity and, based at least in part on the entity comprising the same entity, determining that a correlation between the abnormal events is indicative of a security incident. Based at least in part on the correlation, an indication associated with the security incident may be output.
-
Publication number: US20240356962A1
Publication date: 2024-10-24
Application number: US18368392
Filing date: 2023-09-14
Applicant: Cisco Technology, Inc.
Inventor: Jaroslav Hlavac, Martin Kopp, Michael Adam Polak
IPC: H04L9/40
CPC classification number: H04L63/1441, H04L63/1416
Abstract: Techniques and architecture are described for automated threat response and remediation of incidents generated by single or multiple security products. The techniques and architecture provide a framework for automated threat response and remediation of incidents generated by single or multiple security products, especially for extended detection and response (XDR) systems. In particular, the techniques and architecture provide for an automated threat response that is handled by an auto-analyst engine emulating the steps a security analyst takes during incident response and remediation. The automated threat response automatically confirms or rejects detection verdicts, thereby reducing the false positives that analysts usually have to deal with. If any actions are needed from a security analyst, a concise report of the actions taken, the information gathered and the recommended next steps is provided by the automated threat response, significantly reducing the time and resources needed to resolve an incident.
-
Publication number: US20240356949A1
Publication date: 2024-10-24
Application number: US18454553
Filing date: 2023-08-23
Applicant: Cisco Technology, Inc.
Inventor: Tomas Jirsik, Cenek Skarda, David Sislak, Jaroslav Hlavac
IPC: H04L9/40, H04L43/067
CPC classification number: H04L63/1425, H04L43/067, H04L63/20
Abstract: This disclosure describes techniques for mapping local device identifiers used in monitoring data from different sources to a common global identifier to enable correlation of monitoring events related to the same device. The techniques can be used in the context of an Extended Detection and Response (XDR) system architecture for advanced threat detection and response in a computer system. In some cases, the XDR system ingests security data from various monitoring components like Endpoint Detection and Response (EDR), Intrusion Detection Systems (IDSs), Intrusion Prevention Systems (IPSs), firewall engines, and email security systems.
-
Publication number: US20240356936A1
Publication date: 2024-10-24
Application number: US18368413
Filing date: 2023-09-14
Applicant: Cisco Technology, Inc.
Inventor: Jaroslav Hlavac, Tomas Jirsik, Benjamin Paterek
IPC: H04L9/40
CPC classification number: H04L63/1416, H04L63/1433
Abstract: Techniques and architecture are described for dynamically assigning a final risk score to security alerts from network devices. A first security alert from a first network device and a second security alert from a second network device are received. The first and second security alerts are generated by different security products. The first security alert and the second security alert are evaluated, using, for example, device risk scores and alert risk scores, and based at least in part on the evaluating (i) a first final risk score related to the first security alert and (ii) a second final risk score related to the second security alert are generated. The first and second final risk scores are provided to a prioritized alert queue, wherein the first security alert and the second security alert are prioritized based on values of the first final risk score and the second final risk score.
-
Publication number: US20240259414A1
Publication date: 2024-08-01
Application number: US18632209
Filing date: 2024-04-10
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout, Cenek Skarda, Martin Kopp, Kyrylo Shcherbin, Jaroslav Hlavac
IPC: H04L9/40
CPC classification number: H04L63/1425
Abstract: Techniques for combining threat-related events associated with different modalities to provide a complete insight into cyber attack life cycles. The techniques may include receiving telemetry data associated with one or more modalities and detecting, based at least in part on the telemetry data, one or more abnormal events associated with security incidents. The one or more abnormal events may include at least a first abnormal event associated with a first modality and a second abnormal event associated with a second modality. The techniques may also include determining that an entity associated with the abnormal events is a same entity and, based at least in part on the entity comprising the same entity, determining that a correlation between the abnormal events is indicative of a security incident. Based at least in part on the correlation, an indication associated with the security incident may be output.