Symantec Corporation

Splunk Inc.

Phantom Cyber Corporation

Symantec Operating Corporation

Splunkinc.

Cisco Technology, Inc.

Veritas Technologies LLC

Sourabh Satish

Govind Salinas

Brian Hernacki

Atif Mahadik

Oliver Friedrichs

William E Sobel

Zulfikar Ramzan

Bruce McCorkendale

Shane Pereira

Matthew Conover

Glenn Gallien

Robert John Truesdell

Carey S Nachenberg

Timothy Gorden Brown

Trenton John Beals

Abubakar A Wawda

Marios Iliofotou

Amarendra Pendala

David Wayman

Ryan Russell

Nishant Doshi

Ryan Connor Means

Vadan Thimmegowda

Harlan Seymour

Timur Catakli

Shaun P Cooley

Keith Newstadt

Mark Kevin Kennedy

Randall Richards Cook

Michael Spertus

Allison Lindsey Drake

Lucas Keith Murphey

Kent E Griffin

Paul Agbabian

Shreyans Mehta

Patrick Gardner

Kavita Varadarajan

Vijay Anand Seshadri

Sumit Singh Bagga

Francis E Gerard

Robin Jinyang Hu

Gerry Egan

James Irwin Ebeling

Tejas Wanjari

Akshay Dongaonkar

Krishna Prasanna Sankaran

Mihir Randhir Parikh

J Evan Jordan

Kevin Alejandro Roundy

Yang Li

Michael Andrew Hart

Adam Glick

Anurag Singla

Jeffrey Wilhelm

Petrus Johannes Viljoen

Jun Mao

Yan Li

Acar Tamersoy

Nicholas Graf

Tzi-cker Chiueh

Christopher J Peterson

Xiaole Zhu

Himanshu Dubey

Sheng Gong

Uri Mann

Alexander Danileiko

Basil S Gabriel

Chandrasekhar Kalle

Adam Wright

Vipul Sawant

Wilson Meng

Jingnan Si

John Bonamico

Scott D Sullivan

Anne Yeh

Greg Vogel

Candid Wüest

Govinda S Salinas

Min Xu

Gerry A Egan

Xuefeng Tian

Ian M Barile

Philip Lao

Laura Garcia-Manrique

Vijay Seshardi

Benjamin Yeung

Andrea Del Miglio

Lachlan Orr

Ming-Jen Wang

Jing Zhou

Yoshihiro Yasuda

Brian Robert Earle

Jingjing Ren

Vincent Cheong

Timothy G Brown

Techniques are described for an IT and security operations application to automatically generate aggregate (or 'bulk,' “group,” or “composite”) notable events by identifying notable events sharing common characteristics and aggregating the related notable events into a single aggregate notable event entity that can be displayed and operated upon. The IT and security operations application identifies related notable events based on notable events generated by a common correlation search, notable events having common event attributes, based on user-specified relatedness criteria, or other such criteria. Once identified, in some embodiments, the IT and security operations application displays, in notable event lists and other interfaces, a singular aggregate notable event to users representing each of the identified related notable events.

Executing playbooks against aggregate notable events in an information technology and security operations application

Aspects described herein provide security actions based on a current state of a security threat. In one example, a computer-implemented method includes identifying a security threat within a computing environment comprising a plurality of computing assets. The method further includes obtaining state information for the security threat within the computing environment from computing assets of the plurality of computing assets in the computing environment. The method further includes determining a current state for the security threat within the computing environment based on the state information. The method further includes obtaining enrichment information for the security threat that relates kill-state information to an identity of the security threat. The method further includes determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.

Managing security actions in a computing environment using enrichment information

Described herein are systems and methods for enhancing an interface for an information technology (IT) environment. In one implementation, an incident service causes display of a first version of a course of action and obtains input indicative of a request for a new action in the course of action. The incident service further determines suggested actions based at least one the input and causes display of the suggested actions. Once displayed, the incident service obtains input indicative of a selection of at least one action from the suggested actions, and causes display input indicative of a selection of at least one action from the suggested actions.

Generating action recommendations based on attributes associated with incidents used for incident response

Techniques are described that enable an IT and security operations application to prioritize the processing of selected events for a defined period of time. Data is obtained reflecting activity within an IT environment, wherein the data includes a plurality of events each representing an occurrence of activity within the IT environment. A severity level is assigned to each event of the plurality of events, where the events are processed by the IT and security operations application in an order that is based at least in part on the severity level assigned to each event. Input is received identifying at least one event of the plurality of events for expedited processing to obtain a set of expedited events, and the identified events are processed by the IT and security operations application before processing events that are not in the set of expedited events.

Expediting processing of events based on a specified duration

Systems, methods, and software described herein provide for validating security actions before they are implemented in a computing network. In one example, a computing network may include a plurality of computing assets that provide a variety of different operations. During the operations of the network, administration systems may generate and provide security actions to prevent or mitigate the effect of a security threat on the network. However, prior to implementing the security actions within the network, computing assets may exchange security parameters with the administration systems to verify that the security actions are authentic.

Security action verification in a computing network

Techniques are described for automatically identifying and configuring IT and security application connectors relevant to users' IT environment by obtaining and analyzing data reflecting activity within an IT environment. The identification of types of assets within an IT environment may be based on analyzing a 'source type' field included in events associated with the IT environment, where the source type field included in each event provides an indication of a type of device or service to which the event relates. The values stored in the source type field of events associated with a user's IT environment might indicate, for example, the presence of various types of computing devices, software applications, network devices, and so forth. Based on the identification of types of assets present in an IT environment, an IT and security operations application automatically configures corresponding connectors for those types of assets.

Automatically configuring connectors of an information technology and security operations application

Systems, methods, and software described herein provide security actions based on the current state of a security threat. In one example, a method of operating an advisement system in a computing environment with a plurality of computing assets includes identifying a security threat within the computing environment. The method further includes, in response to identifying the security threat, obtaining state information for the security threat within the computing environment, and determining a current state for the security threat within the computing environment. The method also provides obtaining enrichment information for the security threat and determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.

Managing security actions in a computing environment based on movement of a security threat

The technology presented herein improves incident handling in an IT environment. In a particular example, a method provides identifying a first incident in the IT environment. From incident handling information that indicates how a plurality of previous incidents were handled by one or more users, the method provides identifying first information of the incident handling information corresponding to one or more first previous incidents of the plurality of previous incidents that are similar to the first incident. The method further provides determining a suggested course of action from the first information and presenting the suggested course of action to a user of the information technology environment.

Generating suggested courses of actions for incidents based on previous incident handling

Described herein are improvements for generating courses of action for an information technology (IT) environment. In one example, a method includes identifying a first course of action for responding to an incident type in an information technology environment and generating a simulated incident associated with the incident type. The method further includes initiating performance of the first course of action based on the generation of the simulated incident. The method also includes, upon reaching a particular step of the first course of action that prevents the performance of the first course of action from proceeding, providing a first simulated result that allows the performance of the first course of action to proceed.

Obtaining simulated results for a course of action executed in an information technology environment

Described herein are improvements for generating courses of action for an information technology (IT) environment. In one example, a method includes determining that a decision step occurs between a one step and two or more other steps of a first course of action associated with an incident type in the information technology environment. The method further includes determining possible outputs of the one step that, when used as input to the decision step, cause the first course of action to proceed from the decision step to respective steps of the two or more other steps. The method also includes incorporating logic into the decision step to direct the course of action to respective steps of the two or more other steps based on one or more of the possible outputs.

Determination of decision step logic for incident response in an information technology environment

A method comprises acquiring anomaly data including a plurality of anomalies detected from streaming data, wherein each of the anomalies relates to an entity on or associated with a computer network. The method determines a risk score of each of the anomalies, and adjusts the risk score of an anomaly according to a set of factors. The method further determines, for each of a plurality of sliding time windows of different lengths, an entity score of the entity in relation to the sliding time window, based on an aggregation of risk scores of all anomalies related to the entity that were detected within the sliding time window, where the entity score corresponds to a risk level associated with the entity. An action to prevent the entity from performing an operation can be determined and caused to occur based on the entity score.

Analysis and mitigation of network security risks

An information technology (IT) and security operations application enables the automatic assignment of incident events to analysts based on a variety of characteristics of the incident events to be assigned, the analysts and analyst teams, and other considerations. An IT and security operations application can perform the automatic assignment of incident events based at least in part on data indicating each analyst's knowledge of certain types of incidents, data indicating each analyst's efficiency at responding to certain types of incidents, and the like, where such data is automatically created and maintained by the application. In this manner, incident events can be efficiently assigned to analysts upon their receipt by the system without the need for a security team to constantly perform a cumbersome incident event assignment process based on a limited set of data, thereby improving analyst teams' ability to efficiently ensure the operation and security of IT environments for which the teams are responsible.

Automatic assignment of incidents in an information technology (IT) and security operations application

Techniques are described for enabling an IT and security operations application to detect and remediate advanced persistent threats (APTs). The detection of APTs involves the execution of search queries to search event data that initially was associated with lower-severity activity or that otherwise did not initially rise to the level of actionable event data in the application. The execution of such search queries may thus generally be configured to search non-real-time event data, e.g., event data that outside of a current window of days or a week and instead searches and aggregates event data spanning time periods of many weeks, months, or years. Due the nature of APTs, analyses of historical event data spanning such relatively long periods of time may in the aggregate uncover the types of persistent activity associated with APTs that would otherwise go undetected based only on searches of more current, real-time event data.

Advanced persistent threat detection by an information technology and security operations application

An information technology (IT) and security operations application is described that enables cross-tenant analyses of data to derive insights that can be used to provide actionable information across the application including, for example, action recommendations, threat confidence scores, and other incident data enrichments. The generation and presentation of such information to users of an IT and security operations application can enable analyst teams to more efficiently and accurately respond to various types of incidents in IT environments, thereby improving the overall operation and security of the IT environments. Furthermore, because of the shared use of an IT and security operations application concurrently by any number of separate tenants, such cross-tenant analyses can be performed in near real-time and on an ongoing basis to deliver relevant insights.

Analyzing data across tenants of an information technology (IT) and security operations application

Systems, methods, and software described herein provide action recommendations to administrators of a computing environment based on effectiveness of previously implemented actions. In one example, an advisement system identifies a security incident for an asset in the computing environment, and obtains enrichment information for the incident. Based on the enrichment information a rule set and associated recommended security actions are identified for the incident. Once the recommended security actions are identified, a subset of the action recommendations are organized based on previous action implementations in the computing environment, and the subset is provided to an administrator for selection.

Providing action recommendations based on action effectiveness across information technology environments

Growing community of inventors

Fremont, CA, United States of America

Sourabh Satish