AUTOMATED USER-ASSISTED WORKFLOWS FOR CLOUD-BASED COMPUTER FORENSIC ANALYSIS

Bibliographic Details
Title: AUTOMATED USER-ASSISTED WORKFLOWS FOR CLOUD-BASED COMPUTER FORENSIC ANALYSIS
Document Number: 20240143752
Publication Date: May 2, 2024
Appl. No: 18/548514
Application Filed: April 07, 2022
Abstract: Disclosed are techniques for analyzing forensic data and remediating security incidents in a multi-tenant environment. The techniques comprise receiving the forensic data from a network by receiving a copy of data from each computing device and containerized system which accesses the network, wherein the network includes a premises network and/or a cloud network. Further, processing the forensic data received from the network by determining if the network has been accessed by an unauthorized computing system by parsing the forensic data, wherein processing is performed by splitting the processing of the forensic data into a number of tasks and processing the number of tasks in overlapping time using a number of working resources, the group of working resources being scaled based on the number of tasks. Finally, processing the number of tasks if it is determined that the unauthorized computing device has accessed the network.
Assignees: Cado Security Ltd (Cheshire, GB)
Claim: 1. A computer security method for analyzing forensic data for remediating security incidents in a multi-tenant environment, the computer security method comprising: receiving the forensic data from a network for a tenant of the multi-tenant environment, wherein: the network includes a premises network and/or a cloud network, the network is connected to a plurality of computing devices and/or containerized systems, receiving the forensic data includes receiving a copy of data from each of the computing devices and the containerized systems which access the network, and the copy of data includes logs of data of the computing devices and the containerized systems; processing the forensic data received from the network, wherein the processing includes determining if the network has been accessed by an unauthorized computing system by parsing the logs of data, wherein the processing of the forensic data is performed by: splitting the processing of the forensic data into a number of tasks, wherein the number of tasks is determined based on processing resources scaled for the forensic data, assigning the number of tasks to a group of working resources, wherein: the group of working resources is scaled based on the number of tasks, the group of working resources comprises computing resources to process the tasks, the group of working resources processes the number of tasks overlapping in time, and the computing resources are released when the number of tasks are completed; processing the number of tasks if it is determined that the unauthorized computing device has accessed the network.
Claim: 2. The method of claim 1, further comprising: identifying a sequence of events employed by an adversary, the sequence of events being associated with the network; detecting a missing event in the sequence of events; and identifying one or more new suggested tasks, wherein each new suggested task of the one or more new suggested tasks is designed to assist a user in searching for one or more attack techniques associated with the missing event.
Claim: 3. The method of claim 1, wherein determining if the network has been accessed by the unauthorized computing system includes the computing system modifying, deleting and/or acquiring data to the network without authorization.
Claim: 4. The method of claim 1, wherein the group of working resources are scaled using machine learning techniques.
Claim: 5. The method of claim 1, wherein, when the forensic data includes credit card information, suggesting a set of tasks to a user, wherein the set of tasks includes a suggested task designed to assist the user in determining whether or not to notify customers of a security incident associated with the network.
Claim: 6. The method of claim 1, further comprising: identifying a suspicious remote login, suggesting a set of tasks to a user based on the suspicious remote login, wherein the set of tasks includes a suggested task designed to assist the user in: determining whether a source connection associated with the suspicious remote login is detected on a system; reviewing account activity associated with the source connection; and performing an analysis of the system.
Claim: 7. The method of claim 1, further comprising suggesting a set of tasks to a user, wherein the set of tasks includes executing a wizard, evaluating an enrichment to one or more log events, or managing a task using an auto-suggest technique.
Claim: 8. A non-transitory computer-readable medium comprising instructions that are executable by a processing device for causing the processing device to perform operations comprising: receiving forensic data from a network for a tenant of a multi-tenant environment, wherein: the network includes a premises network and/or a cloud network, the network is connected to a plurality of computing devices and/or containerized systems, receiving the forensic data includes receiving a copy of data from each of the computing devices and the containerized systems which access the network, and the copy of data includes logs of data of the computing devices and the containerized systems; processing the forensic data received from the network, wherein the processing includes determining if the network has been accessed by an unauthorized computing system by parsing the logs of data, wherein the processing of the forensic data is performed by: splitting the processing of the forensic data into a number of tasks, wherein the number of tasks is determined based on processing resources scaled for the forensic data, assigning the number of tasks to a group of working resources, wherein: the group of working resources is scaled based on the number of tasks, the group of working resources comprises computing resources to process the tasks, the group of working resources processes the number of tasks overlapping in time, and the computing resources are released when the number of tasks are completed; processing the number of tasks if it is determined that the unauthorized computing device has accessed the network.
Claim: 9. The computer-readable medium of claim 8, wherein the operations further comprise: identifying a sequence of events employed by an adversary, the sequence of events being associated with the network; detecting a missing event in the sequence of events; and identifying one or more new suggested tasks, wherein each new suggested task of the one or more new suggested tasks is designed to assist a user in searching for one or more attack techniques associated with the missing event.
Claim: 10. The computer-readable medium of claim 8, wherein determining if the network has been accessed by the unauthorized computing system includes the computing system modifying, deleting and/or acquiring data to the network without authorization.
Claim: 11. The computer-readable medium of claim 8, wherein the group of working resources are scaled using machine learning techniques.
Claim: 12. The computer-readable medium of claim 8, wherein, when the forensic data includes credit card information, suggesting a set of tasks to a user, wherein the set of tasks includes a suggested task designed to assist the user in determining whether or not to notify customers of a security incident associated with the network.
Claim: 13. The computer-readable medium of claim 8, further comprising: identifying a suspicious remote login, suggesting a set of tasks to a user based on the suspicious remote login, wherein the set of tasks includes a suggested task designed to assist the user in: determining whether a source connection associated with the suspicious remote login is detected on a system; reviewing account activity associated with the source connection; and performing an analysis of the system.
Claim: 14. The computer-readable medium of claim 8, further comprising suggesting a set of tasks to a user, wherein the set of tasks includes executing a wizard, evaluating an enrichment to one or more log events, or managing a task using an auto-suggest technique.
Claim: 15. A system for analyzing forensic data for remediating security incidents in a multi-tenant environment, comprising: one or more processors; and a non-transitory computer-readable storage medium containing instructions which, when executed on the one or more processors, cause the one or more processors to perform operations including: receiving the forensic data from a network for a tenant of the multi-tenant environment, wherein: the network includes a premises network and/or a cloud network, the network is connected to a plurality of computing devices and/or containerized systems, receiving the forensic data includes receiving a copy of data from each of the computing devices and the containerized systems which access the network, and the copy of data includes logs of data of the computing devices and the containerized systems; processing the forensic data received from the network, wherein the processing includes determining if the network has been accessed by an unauthorized computing system by parsing the logs of data, wherein the processing of the forensic data is performed by: splitting the processing of the forensic data into a number of tasks, wherein the number of tasks is determined based on processing resources scaled for the forensic data, assigning the number of tasks to a group of working resources, wherein: the group of working resources is scaled based on the number of tasks, the group of working resources comprises computing resources to process the tasks, the group of working resources processes the number of tasks overlapping in time, and the computing resources are released when the number of tasks are completed; processing the number of tasks if it is determined that the unauthorized computing device has accessed the network.
Claim: 16. The system of claim 15, wherein the operations further comprise: identifying a sequence of events employed by an adversary, the sequence of events being associated with the network; detecting a missing event in the sequence of events; and identifying one or more new suggested tasks, wherein each new suggested task of the one or more new suggested tasks is designed to assist a user in searching for one or more attack techniques associated with the missing event.
Claim: 17. The system of claim 15, wherein determining if the network has been accessed by the unauthorized computing system includes the computing system modifying, deleting and/or acquiring data to the network without authorization.
Claim: 18. The system of claim 15, wherein the group of working resources are scaled using machine learning techniques.
Claim: 19. The system of claim 15, wherein, when the forensic data includes credit card information, suggesting a set of tasks to a user, wherein the set of tasks includes a suggested task designed to assist the user in determining whether or not to notify customers of a security incident associated with the network.
Claim: 20. The system of claim 15, further comprising: identifying a suspicious remote login, suggesting a set of tasks to a user based on the suspicious remote login, wherein the set of tasks includes a suggested task designed to assist the user in: determining whether a source connection associated with the suspicious remote login is detected on a system; reviewing account activity associated with the source connection; and performing an analysis of the system.
Current International Class: 06
Accession Number: edspap.20240143752
Database: USPTO Patent Applications