Tenable, Inc.

Tenable Network Security, Inc.

Renaud Deraison

Vincent Gilcreest

Wei Tai

Ron Gula

Bryan Peter Doyle

Damien McParland

Barry Sheridan

Anthony Bettini

Matthew Ray Everson

Marcus J Ranum

Matthew Todd Hayton

Nicholas Miles

Clint R Merrill

John Walker

Charles Joseph Bacon

Nicolas Pouvesle

Katherine Alice Sexton

Techniques, methods and/or apparatuses are disclosed that enable prediction of cyber risks of assets of networks. Through the disclosed techniques, a cyber risk prediction model, which may be a form of a machine learning model, may be trained to predict cyber risks. The cyber risk model may be provided to a cyber risk predictor two predict cyber risks of an asset, without the need to scan the asset at a very deep scan level.

Predicting cyber risk for assets with limited scan information using machine learning

In an embodiment, a management system obtains a criticality rules table that includes a plurality of rules mapped to corresponding criticality scores indicative of a level of risk in the event that an associated asset of a managed network is compromised by a third party. The one embodiment, the criticality rules table is updated based upon machine learning and/or feedback from an operator of the managed network. In another embodiment, the criticality rules table is used to assign one or more criticality scores to one or more assets based on one or more attributes of one or more assets, and the criticality rules table.

Rule-based assignment of criticality scores to assets and generation of a criticality rules table

In an embodiment, a threat score prediction model is generated for assigning a threat score to a software vulnerability. The threat score prediction model may factor one or more of (i) a degree to which the software vulnerability is described across a set of public media sources, (ii) a degree to which one or more exploits that have already been developed for the software vulnerability are described across one or more public exploit databases, (iii) information from one or more third party threat intelligence sources that characterizes one or more historic threat events associated with the software vulnerability, and/or (iv) information that characterizes at least one behavior of an enterprise network in association with the software vulnerability.

Threat score prediction model

In an embodiment, a security auditing component obtains a solution set that is based upon a security audit of an enterprise network, the solution set characterizing a set of solutions associated with a set of security issues associated with one or more assets of the enterprise network, detects that the solution set can be condensed into a condensed solution set that mitigates the set of security issues to the same degree as the solution set, the detection being based at least in part upon (i) one or more rules applied to one or more solution texts and/or (ii) asset-specific metadata and/or (iii) static metadata, and condenses, based on the detecting, the solution set into the condensed solution set by combining two or more subsets of related solutions and/or filtering the solution set to remove one or more subsets of redundant or superseded solutions.

Managing supersedence of solutions for security issues among assets of an enterprise network

The system and method described herein may leverage passive and active vulnerability discovery to identify network addresses and open ports associated with connections that one or more passive scanners observed in a network and current connections that one or more active scanners enumerated in the network. The observed and enumerated current connections may be used to model trust relationships and identify exploitable weak points in the network, wherein the exploitable weak points may include hosts that have exploitable services, exploitable client software, and/or exploitable trust relationships. Furthermore, an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network may be simulated to enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network.

System and method for identifying exploitable weak points in a network

The disclosure relates to a log correlation engine that may cross-reference or otherwise leverage existing vulnerability data in an extensible manner to support network vulnerability and asset discovery. In particular, the log correlation engine may receive various logs that contain events describing observed network activity and discover a network vulnerability in response to the logs containing at least one event that matches a regular expression in at least one correlation rule that indicates a vulnerability. The log correlation engine may then obtain information about the indicated vulnerability from at least one data source cross-referenced in the correlation rule and generate a report that the indicated vulnerability was discovered in the network, wherein the report may include the information about the indicated vulnerability obtained from the at least one data source cross-referenced in the correlation rule.

System and method for correlating log data to discover network vulnerabilities and assets

The system and method for enabling remote registry service security audits described herein may include scanning a network to construct a model or topology of the network. In particular, the model or topology of the network may include characteristics describing various devices in the network, which may be analyzed to determine whether a remote registry service has been enabled on the devices. For example, the security audits may include performing one or more credentialed policy scans to enable the remote registry service for certain devices that have disabled the remote registry service, auditing the devices in response to enabling the remote registry service, and then disabling the remote registry service on the devices. Thus, the system and method described herein may enable remotely scanning information contained in device registries during a security audit without exposing the device registries to malicious activity.

System and method for enabling remote registry service security audits

The system and method for passively identifying encrypted and interactive network sessions described herein may distribute a passive vulnerability scanner in a network, wherein the passive vulnerability scanner may observe traffic travelling across the network and reconstruct a network session from the observed traffic. The passive vulnerability scanner may then analyze the reconstructed network session to determine whether the session was encrypted or interactive (e.g., based on randomization, packet timing characteristics, or other qualities measured for the session). Thus, the passive vulnerability scanner may monitor the network in real-time to detect any devices in the network that run encrypted or interactive services or otherwise participate in encrypted or interactive sessions, wherein detecting encrypted and interactive sessions in the network may be used to manage changes and potential vulnerabilities in the network.

Growing community of inventors

New York, NY, United States of America

Renaud Deraison