CA2386109A1 - Information technology incident response and investigation system and method - Google Patents


Info

Publication number
CA2386109A1
Authority
CA
Canada
Prior art keywords
investigation
incident
file
electronic
security alert
Prior art date
Legal status
Abandoned
Application number
CA002386109A
Other languages
French (fr)
Inventor
Michael H. Daugstrup
Current Assignee
SECURITY AUTOMATION Inc
Original Assignee
Individual
Priority date
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Abstract

A method of responding to an information technology related incident. The method having the steps of receiving a security alert (54), the security alert being displayed on an incident response and investigation system (58) for analysis by an administrator; documenting the incident (56) based on information contained in the security alert; opening an investigation file (64) to administrate an investigation of the incident; collecting items of electronic evidence and maintaining the evidence in an electronic evidence database associated with the investigation file (66). An incident response and investigation system is also disclosed. The system having an incoming security alert administration function for receiving and analyzing security alerts, each security alert containing information related to an event (106), the event being related to an information technology policy of an organization; an incident administration function for creating an incident file to document the event; and an investigation administration function for administering an investigation of the event documented in the incident file (158).

Description

INFORMATION TECHNOLOGY INCIDENT RESPONSE AND INVESTIGATION SYSTEM AND METHOD
This application claims priority from copending U.S. provisional application serial number 60/156,912, filed October 1, 1999, entitled "SCORPIAN (Secure Corporate Investigations Automation)", incorporated herein by reference in its entirety.
TECHNICAL FIELD
The present invention generally relates to information technology and, more particularly, to a system and method for tracking, responding to and investigating incidents involving information technology policy.
BACKGROUND ART
There is an ever present demand for information technology security tools and techniques for protecting against, detecting and responding to incidents involving potentially criminal and other types of culpable behavior. Information technology, as used herein, relates to the collection, organization, handling, storage and communication of information, such as data, computer files, algorithms, executable code and instructions, data packets, documents, electronic mail ("e-mail") and the like (collectively referred to below as electronic information or electronic documents). Information technology generally refers to electronic media used in connection with a computer or computer network, but is not limited thereto.
Most organizations, firms, companies, government agencies and institutions have policies, standards, procedures, rules and regulations concerning the behavior of their employees, staff members, volunteers, service providers and third parties.
These policies may relate to matters including information technology security policies, standards and procedures, corporate espionage, sexual harassment, discrimination, fraud, embezzlement and the like. These entities are also concerned with civil or criminal actions that may be brought against the entity for causes of action ranging from insider trading to wrongful termination.
In addition, local, state and federal laws and government agency regulations may govern people's conduct.

Presently, computers are used by persons who may violate an organization's policies, a criminal law or regulatory rule, or may be used to engage in wrongful conduct presenting the organization with a civil remedy. The use of a computer during the commission of these activities may leave evidence in the form of computer logs, files, e-mail and the like.
Alternatively, computers may be used in such a way to leave evidence useful in the defense of a criminal or civil action brought against the organization.
To date, information security tools have focused on protection against and the detection of computer related threats. Common protection schemes include establishing information technology protocols, isolation techniques (e.g., the establishment of firewalls), access limitations (e.g., password control and parental Internet control) and the use of encryption. Detection schemes include hacking detection algorithms, e-mail parsing and content filtering, security sweeps and human reporting (e.g., "whistle-blowing").
However, very little attention has been given to automating the response to and the investigation of an incident which potentially violates one or more of the foregoing regulations and/or requires the analysis of electronic documents. Therefore, there exists a need in the art for an information technology incident response and investigation tool.
SUMMARY OF THE INVENTION
According to one aspect of the invention, the invention is a method of responding to an information technology related incident. The method having the steps of receiving a security alert, the security alert being displayed on an incident response and investigation system for analysis by an administrator; documenting the incident based on information contained in the security alert; opening an investigation file to administrate an investigation of the incident; and collecting items of electronic evidence and maintaining the evidence in an electronic evidence database associated with the investigation file.
According to another aspect of the invention, the invention is an incident response and investigation system. The system having an incoming security alert administration function for receiving and analyzing security alerts, each security alert containing information related to an event, the event being related to an information technology policy of an organization; an incident administration function for creating an incident file to document the event; and an investigation administration function for administering an investigation of the event documented in the incident file.
BRIEF DESCRIPTION OF DRAWINGS
These and further features of the present invention will be apparent with reference to the following description and drawings, wherein:
FIG. 1 is a block diagram of an incident response and investigation system;
FIG. 2 is a flow chart of the general operation of the incident response and investigation system;
FIG. 3 is a flow chart of an incoming security alert administration function of the incident response and investigation system;
FIG. 4 is a graphical illustration of an interactive display for the incoming security alert administration function;
FIG. 5 is a flow chart of an incident administration function of the incident response and investigation system;
FIG. 6 is a graphical illustration of an interactive display for the incident administration function;
FIG. 7 is a flow chart of an investigation administration function of the incident response and investigation system;
FIG. 8 is a graphical illustration of an interactive display for the investigation administration function;
FIG. 9 is a flow chart of a digital notary function of the incident response and investigation system; and
FIG. 10 is a graphical illustration of an interactive display for an information technology policy administration function of the incident response and investigation system.
DISCLOSURE OF THE INVENTION
In the detailed description which follows, identical components have been given the same reference numerals, regardless of whether they are shown in different embodiments of the present invention. To illustrate the present invention in a clear and concise manner, the drawings may not necessarily be to scale and certain features may be shown in somewhat schematic form.
Referring to FIG. 1, a block diagram of an incident response and investigation system 10, or simply the system 10, is illustrated. As used herein, the term incident is intended to include, but is not limited to, any activity relating to the potential breach of one of the policies, procedures, rules, laws or regulations mentioned in the background section above.
Briefly, the system 10 is a computer tool having a graphical user interface to assist an information technology security administrator to securely create and maintain databases for security alerts, incidents, investigations, electronic evidence, reports, and information technology policies.
The system 10 includes a computer system 12. The computer system 12 has a processor 14 for executing instructions, usually in the form of computer code, to carry out a specified logic routine and a memory 16 for storing data, software, logic routine instructions, computer programs, files, operating system instructions, and the like. The memory 16 can comprise several devices and includes, for example, volatile and nonvolatile memory components. Volatile components typically do not retain data values upon a loss of power.
Nonvolatile components retain data upon a loss of power. Thus, the memory 16 can be, for example, random access memory (RAM), read-only memory (ROM), hard disks, floppy disks, compact disks (including, but not limited to, CD-ROM, DVD-ROM and CD-RW), tapes, and/or other memory components, including drives and players for these memory types.
The processor 14 and the memory 16 are coupled to a local interface 18. The local interface 18 can be, for example, a data bus with an accompanying control bus, or a network between a processor and/or processors and a memory or memories. The computer system 12 also has a video interface 20, a number of input interfaces 22, a modem 24, a number of output interfaces 26, each being coupled to the local interface 18.
The system 10 also has a display 28 coupled to the local interface 18 via the video interface 20. Although shown as a cathode ray tube (CRT), the display device may alternatively be, for example, a liquid crystal display (LCD), a plasma display, an electro-luminescent display, indicator lights, or light emitting diodes. In addition, the system 10 has several input devices, including, but not limited to, a keyboard 30, a mouse 32, a microphone 34, and a scanner 36, each being coupled to the local interface 18 via the input interfaces 22.
The modem 24 is coupled to an external network 38 enabling the computer system 12 to send and receive data signals, voice signals, video signals and the like via the external network 38 as is well known in the art. The external network 38 may be, for example, the Internet, a wide area network (WAN), a local area network (LAN), direct data link or other similar network. It is noted that the system 10 can be accessed and used by a remote user via the external network 38 and modem 24. The system 10 can also include output devices coupled to the local interface 18 via the output interfaces 26, such as audio speakers 40, a printer 42, and the like.
The computer system 12 is programmed to display and execute an automated incident response and investigation software tool in graphical user interface (GUI) format.
Alternatively, the computer system has logic stored in the memory 16 capable of being executed to display and function as the automated incident response and investigation software tool.
With additional reference to FIG. 2, a general operational logic 50 of the system 10 and associated software tool is illustrated. Upon the detection of an incident in step 52, an alerting source (not illustrated) will generate a security alert and relay the security alert to the computer system 12 for processing. It is noted that the alerting source can be an individual, an individual using a device or an automated device. If the alerting source is an automated device, the alerting source will generally be separate from the system 10.
Persons, such as employees, human resource professionals, legal counselors, law enforcement officials, and members of another organization or company, may notice or become aware of an incident. The person may elect to send a security alert directly to the system 10. Alternatively, the person may elect to notify a superior or a system 10 administrator who sends the security alert to the system 10. Security alerts can be presented to the system 10 in a number of ways, including direct entry using the input devices of the system 10, e-mail, entering information in a web page (using, for example, hypertext transfer protocol, or HTTP), pressing an alarm button, and the like. It is noted that e-mails can be addressed to the system 10 using an anonymous e-mail tool, and Internet or intranet alerts can also be sent to the computer system 10 via anonymous electronic transmission.
Should the author of the e-mail specify that the e-mail containing the security alert is to be sent anonymously, an e-mail logic routine will strip or modify any headers identifying the source of the e-mail before delivery to the system 10.
Security alerts can also be presented to the system 10 by an automated or semi-automated detection device configured to detect a potential incident in real time. Example detection devices include software tools and firewalls programmed to detect certain activities, such as the downloading of pornography, suspicious financial transfers, and the hacking of a computer system. Upon the detection of an incident, the detection device will configure a data packet and send the data packet to the system 10 to alert the system 10 of the incident.
The data packet can be in a variety of formats including an e-mail or codes to be interpreted by the system 10.
In step 54, the system 10 receives the security alert from either an external source as described above via the modem or by direct entry using the input devices, such as the keyboard 30, mouse 32 and/or microphone 34. Speech received via the microphone 34 can be converted into text using a voice recognition application.
In an alternative configuration, the security alerts are initially sent to an alert processing system that is separate from the system 10. The alert processing system can conduct some preliminary analysis of the security alerts, consolidate alerts relating to the same incident, eliminate duplicate alerts, filter the alerts, prioritize the alerts, temporarily store alerts and/or attend to the security alert in the manner of the system 10, especially when the system 10 is unattended. The alert processing system can be staffed by a person at all times and can be configured to receive alerts for multiple entities having the system 10, thereby alleviating full-time staffing of the system 10. Once security alerts are processed by the alert processing system, the alert processing system 10 sends a secure security alert or alerts to the system 10 for further attention by the system 10 administrator as described herein.
Security alerts received by the system 10 are documented and subsequently managed using an incoming security alert administration function as will be described in more detail below with respect to FIGS. 3 and 4.
Using an incident administration function, a system 10 administrator documents incidents related to incoming security alerts in step 56. The user can configure an incident file for each incoming security alert or can group security alerts as being related to one incident and configure an associated incident file. The documentation and subsequent management of incident files will be discussed in more detail below with respect to FIGS. 5 and 6.
Each incident file is reviewed, either through programming of the system 10 or by human analysis, to determine if an investigation should be opened to examine the incident in greater detail (step 58). Although each incident file may not be investigated, the incident files will remain as historical documentation of the incident. A set of criteria can be established to determine whether the incident should be investigated. For example, certain alerts generated by a firewall may not require further attention, but an e-mail containing certain accusations may be automatically flagged as warranting investigation. If an investigation is not warranted, the incident file will become dormant and the system will await new security alerts. The identity of the person(s) tasked with deciding whether an investigation is warranted may be restricted to selected individuals and validated with the use of a password protection scheme or a digital signature scheme.
If an investigation is warranted based on the nature of the associated incident in step 58, the system 10 can be configured to not proceed unless approval to open the investigation is granted by at least one person in a position of proper authority (step 60).
The system 10 can be configured to require approval for all potential investigations or just certain types of investigations. If approval is not required or if approval is required and granted (step 62), the system 10 will open, or document, an investigation file using an investigation administration function in step 64. If approval is required and not granted in step 62, the associated incident file will become dormant and the system will await new security alerts. As a safeguard, the system 10 can be configured to require more than one person's approval to open an investigation based on an incident file. In addition, the identity of the person(s) tasked with granting investigation approval may be validated with the use of a password protection scheme or a digital signature scheme.
The documentation and subsequent management of investigation files using an investigation administration function of the system 10 will be discussed in more detail below with respect to FIGS. 7 and 8. It is noted that investigations may also be opened for events which do not spawn a security alert or an incident file. For example, if a lawsuit is brought against a corporation using the system 10, the corporation may be interested in analyzing information technology matters potentially related to the lawsuit. In this instance, the features of the investigation administration function may be useful to the corporation and an investigation file may be opened by bypassing steps 52 to 56.
The administration of an investigation file includes various tasks which can be automated, at least in part, using the investigation administration function of the system 10 (step 66). For example, the administration of an investigation file can include alerting individuals and/or organizations that make up a response team tasked with reacting to the incident and conducting the investigation.
The investigation administration function is also capable of opening an evidence database for each investigation file. It is noted that the evidence database for each investigation file is logically or physically separated from every other investigation's evidence database to assist in preserving the integrity of the evidence databases. The evidence database for each investigation file may contain a catalog of physical evidence items. The evidence database is also a repository for electronic copies of electronic files that have been copied or confiscated during the investigation. The electronic files can be any type of file in computer readable format, including but not limited to e-mail files, firewall logs, word processing or spreadsheet documents, logs from computer forensic tools, and specific computer program application logs. Part of the evidence collected will usually include the original security alert(s) received in step 54.
The administration of an investigation file can also include digitally notarizing selected pieces of electronic evidence. Digital notarization techniques are known in the art and include the digital authentication system described in U.S. Patent No. 5,781,629, incorporated herein by reference in its entirety. As will be discussed in more detail with respect to FIG. 9, digital notarization of electronic files provides a reasonably secure means of subsequently verifying the contents of a particular electronic file at the time of notarization. This record may be desirable to help validate the electronic evidence at a later date. For example, the digital notarization may assist a witness in authenticating a particular electronic file to enhance the admissibility of the electronic file into evidence during a legal proceeding.
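The per-investigation evidence database and the digital notarization of evidence items described above, as an added illustration that is not code from the patent. Each investigation gets its own isolated database; each item is hashed on intake and a notary record (hash plus timestamp) is signed so the content can be re-verified later. In place of the third-party timestamping service the patent cites, the signature here is an HMAC under a constructed key; all names and the sample alert are hypothetical.

```python
"""Per-investigation evidence database with digital notarization (added example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample key; a real notary would hold this outside the system.
NOTARY_KEY = b"constructed-notary-key-not-for-production"


def file_digest(content: bytes) -> str:
    """SHA-256 of the evidence item exactly as stored."""
    return hashlib.sha256(content).hexdigest()


@dataclass(frozen=True)
class NotaryRecord:
    investigation_id: str
    item_id: str
    digest: str
    notarized_at: str   # ISO-8601 UTC timestamp of notarization
    signature: str      # HMAC over the four fields above


def _message(investigation_id: str, item_id: str, digest: str, notarized_at: str) -> bytes:
    # Canonical encoding so the signed bytes are unambiguous.
    return json.dumps([investigation_id, item_id, digest, notarized_at]).encode()


def notarize(investigation_id: str, item_id: str, content: bytes) -> NotaryRecord:
    """Bind the item's hash to the time of notarization under the notary key."""
    ts = datetime.now(timezone.utc).isoformat()
    digest = file_digest(content)
    msg = _message(investigation_id, item_id, digest, ts)
    sig = hmac.new(NOTARY_KEY, msg, hashlib.sha256).hexdigest()
    return NotaryRecord(investigation_id, item_id, digest, ts, sig)


def verify(record: NotaryRecord, content: bytes) -> bool:
    """True only if the record is unaltered and the content still matches it."""
    msg = _message(record.investigation_id, record.item_id, record.digest, record.notarized_at)
    expected = hmac.new(NOTARY_KEY, msg, hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, record.signature)
            and hmac.compare_digest(record.digest, file_digest(content)))


class EvidenceDatabase:
    """Evidence for one investigation: catalog entries plus electronic copies."""

    def __init__(self, investigation_id: str):
        self.investigation_id = investigation_id
        self._items = {}  # item_id -> (description, content, NotaryRecord or None)

    def add_item(self, item_id: str, description: str, content: bytes, notarize_now: bool = True):
        if item_id in self._items:
            raise ValueError(f"duplicate evidence item {item_id}")
        record = notarize(self.investigation_id, item_id, content) if notarize_now else None
        self._items[item_id] = (description, bytes(content), record)
        return record

    def verify_item(self, item_id: str, content: bytes) -> bool:
        """Re-check a copy of an item against its notary record."""
        _, _, record = self._items[item_id]
        return record is not None and verify(record, content)

    def catalog(self) -> dict:
        return {item_id: desc for item_id, (desc, _, _) in self._items.items()}


class EvidenceStore:
    """One logically separated EvidenceDatabase per investigation file."""

    def __init__(self):
        self._databases = {}

    def open_investigation(self, investigation_id: str) -> EvidenceDatabase:
        if investigation_id in self._databases:
            raise ValueError(f"investigation {investigation_id} already has a database")
        db = EvidenceDatabase(investigation_id)
        self._databases[investigation_id] = db
        return db

    def database(self, investigation_id: str) -> EvidenceDatabase:
        # Unknown investigations raise KeyError; no cross-investigation lookup exists.
        return self._databases[investigation_id]
```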
It is noted that the system 10 can be used to create a database separate from any investigation. Separate databases can be used to maintain a library of electronic documents related to a certain project, corporate department and the like. The electronic documents contained in the database can also be notarized using the digital notary function.
In addition to the incoming security alert administration function, the incident administration function and the investigation administration function, the system 10 is provided with an information technology policy administration function. At any point during the use of the system 10, the system 10 administrator can use and consult the information technology policy administration function. The information technology policy administration function will be discussed in more detail below with respect to Fig. 10.
Briefly, the information technology policy administration function is a repository of form templates, security policies for the organization, and guidelines and checklists to be followed during an investigation or before an investigation is opened. The information technology policy administration function also has administration functions related to the foregoing repositories of files.
The foregoing aspects of the system 10 will be discussed in more detail below.
As will be apparent to one skilled in the art, the system 10 is a tool for an organization to automate incident response and investigation activities and provides a secure platform for investigators to share information and conduct analysis of accumulated data for current and past incidents and investigations.
Since the system 10 has a variety of database and documentation features, it is desirable that the incident response and investigation software tool of the system 10 be built on a database and document management platform to provide the user with additional features and functions inherent to the underlying platform. An example of such a platform is LOTUS NOTES available from Lotus Development Corp., 55 Cambridge Parkway, Cambridge, MA 02142.
In addition, the incident response and investigation software tool preferably provides a graphical user interface to the system 10 administrator for carrying out the functions of the general operational logic 50 as illustrated in FIG. 2 and the additional functions and features discussed below. As is known in the art, the GUI includes a menu bar disposed across the top of the display 28 having a series of pull down menus from which the system 10 administrator can choose various features of the database and document management platform and/or the incident response and investigation software tool. As is appropriate, the GUI will also have pop-up menus to illustrate selection choices when a certain feature is selected, scroll bars allowing the user to navigate through a displayed window, drop-down menus which drop down from the menu bar or other selected area, and content sensitive menus for highlighting options available or unavailable to the user depending upon the context of the selected content sensitive menu.
Referring to Fig. 3, an incoming security alert administration function logic 100 is illustrated. The logic 100 starts in step 102 by receiving a security alert.
As discussed above, the alert can be an incoming electronic mail message or a data message sent by a computer or software tool over the external network 38 and into the computer system 12 via the modem 24. Alternatively, the security alert can be received by direct entry into the computer system 12 via the keyboard 30, the mouse 32, the microphone 34, or other input device.
With additional reference to Fig. 4, when a security alert is received, the system 10 will send an incoming alert indication to an incoming alert administrator in step 106. The incoming alert indication can be in the form of one or more of an audible sound, flashing light or display 28 screen icon, an alphanumeric page sent to a personal pager, an electronic mail, facsimile or the like. The incoming alert indication is intended to provide an indication to the administrator that a security alert has been received and is awaiting attention. The incoming alert indication can be sent to one or more persons. The incoming alert indicator can be sent to a selected individual, or individuals, based on the type of security alert, the source of the alert, or the individual's expertise or responsibilities.
Also in step 106, the incoming security alert is displayed on an incoming security alert display screen 104. The alerts are displayed as line items 108 on the display screen 104.
Each line item contains an indication of the status and/or source of the security alert, the date and time the alert was received by the computer system 12 or, alternatively, the date and time of the incident to which the security alert relates, and the subject matter of the alert. Each alert displayed as a line item 108 can be opened into a viewing window (not shown) to display more information related to the security alert or the content of a message contained within the security alert. The alert can be opened, for example, by directing a mouse pointer 109 displayed on the display 28 with the mouse 32 to the desired line item 108 and clicking a mouse 32 button to select the security alert associated with the line item 108. This action can directly open the security alert into the viewing window or specify which of the line items 108 the system 10 is to open following the selection of an action button, such as a review document button 110 used to open the security alert into the viewing window.
Once a security alert is opened in the viewing window, the system 10 administrator can analyze the security alert to determine the nature of the incident reported by the security alert (step 106). In step 112, the system 10 administrator will then decide whether to take action on the security alert. As a safeguard, more than one person may be required to determine whether to take action based on the security alert. Alternatively, the decision making process can be automated and based on information contained in the security alert or the source of the security alert. If a decision is made not to take action in step 112, the alert will be stored in the memory 16 in a no action taken log (step 114). If, however, action is to be taken in step 112, the system 10 administrator will proceed as desired, preferably following established information technology security procedures (step 116).
Example actions in step 116 include opening an incident file using the incident administration function. The incident administration function will be discussed in more detail below. An incident file may be created by selecting an open new incident file button 118 appearing on the incoming security alert display screen 104. Selection of the open new incident file button 118 will link the user to a display screen specified by the system 10, such as the incident administration function or an incident file viewing/editing window.
Other action in step 116 can include associating the alert with an existing investigation file or incident file, should the alert contain information related to an existing incident file or investigation file. A security alert can be associated with an incident file or an investigation file by selecting an associate alert button 120 appearing on the incoming security alert display screen 104 and specifying the target incident file or investigation file.
Once action has been taken on a security alert, the security alert and the action taken are stored in the memory 16 in an action taken database (step 122).
With continued reference to Fig. 4, the user can select among view buttons 124 displayed on the incoming security alert display screen 104 to select among new security alerts (i.e., received but unprocessed security alerts), security alerts saved in the action taken database and security alerts saved in the no action taken database. The incoming security alert display screen 104 is also provided with link buttons 126 so that the user can select among the various administration functions of the incident response and investigation software tool, including the incoming security alert administration function, the incident administration function, the investigation administration function, and the information technology policy administration function. Although not illustrated, the link buttons 126 can have graphical icons to represent the destination of the link.
Referring now to Fig. 5, an incident administration function logic 150 is illustrated, and, with additional reference to Fig. 6, an incident administration display screen 154 is illustrated. If a new incident file is to be opened (step 152), the system 10 administrator can select an open new incident file button 156 to access an incident file viewing window (not shown). It is noted that the create incident file button 118 on the incoming security alert display screen 104 (FIG. 4) invokes similar operation to the button 156. The following incident file creation and documentation procedure is conducted in step 158 of the incident administration function logic 150.
The incident file viewing window will contain information relating to the incident at hand and/or fields to be populated with information relating to the incident.
This information can include an incident identification number which is either selected by the system 10 administrator or automatically determined by the system 10. The information also includes an incident name, such as website hacked, falsified expense account, or harassing e-mails.
The incident file will also identify employees involved or suspected to be involved in the incident, the information source of the security alerts, and which personnel has responsibility to act upon the incident. The information also includes an incident status, including new incident, incident awaiting approval, investigation approved, investigation denied, under investigation, and incident resolved. If the incident has been approved for investigation, denied for investigation, or resolved, an associated approval date, denial date or resolution date may also be placed in the incident file. The incident may also be assigned a priority such as an emergency, high priority, normal priority, or low priority. The incident may also be categorized such as computer intrusion, employee conduct or the like.
Subcategories may also be specified, such as internal threat, external threat, potential criminal conduct, violation of company regulations and the like. The incident file may also contain an incident description containing text entered by the system 10 administrator with any information related to the incident. The incident file may also contain a list of incident events and any additional comments, notes or conclusions.
The incident file can be read and write access controlled using password or digital signature schemes. Accordingly, the incident file will contain information related to those with read access and those with write access (those with the ability to edit the incident file).
The incident file will also contain data on when the incident file was created and by whom, and will contain information on when the incident file was modified and by whom.
Once an incident file has been opened, the decision to open an investigation is conducted in step 160. Step 160 relates to steps 58 through 62 illustrated in Fig. 2 and discussed in more detail above. Therefore, the decision process of whether to open an investigation will not be discussed in detail at this point. However, the system 10 administrator can access an investigation approval routing form by selecting an approval button 165 displayed on the incident administration display screen 154. The investigation approval routing form can be transmitted to those in charge of deciding whether to open an investigation. The form can be signed with pen and ink, approved using a password or digital signature, or denied using the same methods. If an investigation is not opened, either because an investigation is not warranted or an investigation has been denied, the incident file will be stored in an incident file database in step 162 for review at a later date, if desired. If an investigation is to be opened, the system 10 administrator can select an open investigation button 164 displayed on the incident administration display screen 154. The open investigation button 164 will serve as a link to the incident administration function as will be described in more detail below. The system 10 will lock the system 10 administrator's ability to open an investigation if approval has not been granted.
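The status progression and approval lock described above, as an added example that is not code from the patent: an incident file moves only along the transitions listed, and an investigation cannot be opened unless the status is "investigation approved". Class and function names are assumptions.

```python
"""Incident file status workflow with the approval lock (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Incident statuses as named in the description.
NEW = "new incident"
AWAITING = "incident awaiting approval"
APPROVED = "investigation approved"
DENIED = "investigation denied"
UNDER_INVESTIGATION = "under investigation"
RESOLVED = "incident resolved"

# Permitted transitions. The only path into "under investigation" runs through
# "investigation approved"; that is the lock on opening an investigation.
TRANSITIONS = {
    NEW: {AWAITING, RESOLVED},
    AWAITING: {APPROVED, DENIED},
    APPROVED: {UNDER_INVESTIGATION, RESOLVED},
    DENIED: {AWAITING, RESOLVED},
    UNDER_INVESTIGATION: {RESOLVED},
    RESOLVED: set(),
}


class WorkflowError(Exception):
    """Raised when a transition is not permitted."""


@dataclass
class IncidentFile:
    incident_id: str
    name: str
    status: str = NEW
    approval_date: Optional[datetime] = None
    denial_date: Optional[datetime] = None
    resolution_date: Optional[datetime] = None
    # Audit trail of (timestamp, actor, old status, new status), i.e. who
    # modified the file and when.
    history: list = field(default_factory=list)

    def _move(self, actor: str, new_status: str) -> None:
        if new_status not in TRANSITIONS[self.status]:
            raise WorkflowError(
                f"{self.incident_id}: cannot go from '{self.status}' to '{new_status}'")
        now = datetime.now(timezone.utc)
        self.history.append((now, actor, self.status, new_status))
        self.status = new_status
        # Record the dated decisions the incident file carries.
        if new_status == APPROVED:
            self.approval_date = now
        elif new_status == DENIED:
            self.denial_date = now
        elif new_status == RESOLVED:
            self.resolution_date = now

    def route_for_approval(self, actor: str) -> None:
        """Approval routing form sent to the deciding individuals."""
        self._move(actor, AWAITING)

    def record_decision(self, approver: str, approved: bool) -> None:
        """Decision returned by signature, password or digital signature."""
        self._move(approver, APPROVED if approved else DENIED)

    def open_investigation(self, actor: str) -> str:
        """Open an investigation; refused unless approval has been granted."""
        if self.status != APPROVED:
            raise WorkflowError(
                f"{self.incident_id}: investigation locked, status is '{self.status}'")
        self._move(actor, UNDER_INVESTIGATION)
        return f"INV-{self.incident_id}"  # hypothetical investigation id format

    def resolve(self, actor: str) -> None:
        self._move(actor, RESOLVED)


def can_open_investigation(incident: IncidentFile) -> bool:
    """True only when the approval lock has been released."""
    return incident.status == APPROVED


if __name__ == "__main__":
    inc = IncidentFile("0001", "website hacked")
    try:
        inc.open_investigation("admin")
    except WorkflowError as err:
        print("locked as expected:", err)
    inc.route_for_approval("admin")
    inc.record_decision("steering committee", approved=True)
    print(inc.open_investigation("admin"), inc.status)
```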
The content of a selected incident file may be updated in step 166, such as changing the incident file priority, incident file status, adding description details, and so forth. The incident file can be accessed for revision by selecting an edit button 168 displayed on the incident administration display screen 154. If the incident file is password protected under the write access control, the user will be prompted to enter a valid password or digital signature after selecting the edit button 168. The incident administration function will also allow a person with read access privileges to review an incident file by selecting a review button 170.
Searches of the incident file database for a particular incident or incidents having a particular item in common can be searched for using a search tool accessed by pressing the search button 172. To assist in searching, the incident administration function logic 150 can also be provided with an indexing tool so that the system 10 administrator can associate incident files with selected search terms.
The incident administration function also allows for the generation of reports (step 173). For example, a report can be generated providing details of a particular incident file by selecting a create incident report button 174. An incident report content selection window is then displayed for the system 10 administrator to select which items of information contained in the incident file are to printed or displayed. Alternatively, the reports may be generated based on more than one incident, for example, statistical reports highlighting the number of incidents in a particular incident category or assigned to a certain status, and reports highlighting trends or other correlated data. This type of report can be generated by selecting a create executive report button 176 displayed on the incident administration display screen 154.
The incident administration display screen 154 displays selected incident files as line items 178. Each line item 178 can be displayed under a heading 179 relating to the status or priority of the associated incident file. Each line item 178 can contain items of information, such as an incident name, incident identification number, date created and by whom, and so forth. Each heading 179 can also contain information, such as the number of incident files under the heading 179 and the percentage of incident files under the heading as a function of all the incidents.
The incident administration display screen 154 is provided with view buttons 180 to select different views, such as all of the incident files categorized under status headings, priority headings, or category headings, new incidents, all incidents waiting to be approved, all approved incidents, all denied incidents, all incidents under investigation, and all resolved incidents. If the incident files are displayed under a heading 179, the heading 179 may be provided with an expand or contract button 184, as is well known in the art, to select between displaying the incidents under the heading 179 or not displaying the incidents under the heading 179. Link buttons 126 (described above) may also be provided as part of the incident administration display screen 154.
Each time an incident file is opened or modified, the incident administration function logic 150 will store or update the incident file in step 186.
Referring now to Fig. 7, an investigation administration function logic 200 is illustrated for the incident response and investigation system 10 and, with additional reference to Fig. 8, an investigation administration display screen 206 is illustrated. Upon the opening of an investigation file in step 202, an investigation documentation window is displayed to the operator (not shown) for providing information to document the investigation file in step 204. The investigation documentation window can be accessed by selecting an open investigation file button 208 or open investigation file button 164 (FIG. 6). It is noted that an existing investigation file can be reviewed by selecting a review investigation file button 210 or edited by selecting an edit investigation file button 212. The buttons 208, 210 and 212 can be provided with the security lock-out and read/write access features discussed above (i.e., approval requirements, password requirements, etc.).
Each investigation file contains information such as an investigation identification number, an investigation name, employees or other persons who are the subject of the investigation, and the source or sources of information relevant to the investigation, including persons to be interviewed and equipment to be analyzed. The investigation also contains information related to the investigator or investigators and any sub-teams or specialists to be involved with the investigation. The investigation file also contains information regarding the investigation status, such as open or closed. The priority of the investigation is also contained in the investigation file, such as emergency, high, normal or low priority. The investigation file may be assigned an activity state such as active, idle, on hold or closed.
Investigations may also be categorized, such as computer intrusion, employee conduct, and the like. Investigations may also be sub-categorized. Example sub-categories for a computer intrusion category would include internal threat, external threat, and so forth.
The investigation file includes an investigation description containing general information pertaining to the investigation. In addition, the investigation file contains a section for significant investigation events which will be completed as the investigation progresses. A section for comments, notes and conclusions is also provided. A section for investigation characteristics and classifications can be provided to provide for additional elaboration on non-technical characteristics of the investigation, such as remarks related to insider assistance of an external computer intrusion threat.
The investigation file provides for a number of technical classifications such as technology type, including various items of software and/or hardware.
Technical classifications also include technological function such as an electronic mail gateway or firewall. Technical classifications also include any computer environments affected, the vendors of software and hardware which may be affected, the operating systems that may be affected, computer programs, applications and application servers potentially involved in the incident generating the investigation, and middle-ware or other software related to the investigation.
The investigation file also includes read and write access controls similar to those described above for incident files. Finally, the investigation file includes documentation of who opened the investigation file and when, and who has modified the investigation file and when those modifications were made.
Once an investigation file has been opened, it may be desirable to inform certain individuals, or groups of individuals, that an incident has occurred and an investigation is currently pending to study the incident. The system 10 administrator may send an alert in step 214 (Fig. 7) by selecting an alert button 216 (Fig. 8). Upon selecting the alert button 216, the system 10 will display an alert window (not shown) on the display 28.
The alert window will allow the user to select the recipients of the alert by either specifying the recipients or selecting among groups of pre-defined recipients. The pre-defined groups include a steering committee consisting of a group of persons internal to the organization and typically including high-level managers or decision makers. The groups also include a response team which is usually an internal group of persons related to the organization and includes people with technical skill to coordinate and carry out a response to the incident and conduct the investigation. The groups also include an emergency response team made up of either internal or external persons having a very high skill level to address the incident at hand and/or resources to respond very rapidly to the incident. The groups also include authority personnel, such as a human resources department, internal security and/or external law enforcement. External law enforcement includes local police departments and the Federal Bureau of Investigations (FBI) who can be notified if the situation may require the assistance of these authorities or if their knowledge of the incident is desired.
The alert window can be used to select all or some of the individuals previously defined as being part of the selected group. The investigation identification number is also associated with the alert and any other additional instructions or comments to be sent to the alertees. The system 10 administrator can also select how the alertees are to be informed of the incident and pending investigation. Alert methods include sending an alpha-numeric page, sending an e-mail, telephoning the alertee, personally visiting the alertee, and the like.
In an alternative arrangement, an alert can be generated upon the identification of an incident without waiting for an investigation file to be opened. This is useful in situations where time may be of the essence.
With continued reference to Figs. 7 and 8, an electronic evidence database can be created for the investigation (step 218). The evidence database is a repository for any electronic documents related to the investigation including, but not limited to, e-mails, e-mail server logs, firewall logs, documents, contents of hard drives, application files such as word processing documents and spreadsheets, and any other information saved on computer-readable media. The electronic documents can also include paper documents which have been scanned by the scanner 36 and stored on the memory 16.

The evidence database can be created by selecting a create evidence database button 220 on the evidence administration display screen 206. Upon selecting the create evidence database button, an evidence window (not shown) will be displayed on the display 28. The evidence entered into the database can be categorized and displayed by status such as analysis pending, notarization, notarized and awaiting analysis, analyzed and not notarized. More specifically, each item of evidence is listed in line items under a status heading. The evidence may also be displayed by category or type of evidence, by author, or a listing of all documents. For convenience, the evidence items may be indexed and searchable.
The evidence database can also store and display comments related to selected items of evidence.
The evidence display window can include buttons which link the user to evidence administration tools (step 219), such as a comment on evidence button and respond to comment button for respectively documenting comments on a certain piece of evidence and entering a response to those comments. A new evidence button may also be provided to enter a new piece of evidence into the evidence database and key in related information, such as the date the evidence was seized, a title for the evidence, the person seizing the evidence, and the person, device or software thought to have created the evidence.
A digital notary button is also provided so that, once an evidence item is entered into the evidence database, the item can optionally be digitally notarized to create a record of the contents of the evidence item at the time of notarization (step 220). Digital notarization techniques are known in the art and include the digital document authentication system described in U.S. Patent No. 5,781,629, incorporated herein by reference in its entirety.
Referring to FIG. 9, an example flow chart for a digital notary function logic 222 is illustrated. Briefly, the digital notarization function includes creating a fingerprint of the electronic document (step 224). The fingerprint is usually created by sampling selected portions of the document and storing those sections in a separate file. Next, the fingerprint is transmitted to a notary function (step 226). The notary function is resident either in the computer system 12 or on a separate computer system connected to the computer system 12 via the external network 38. The fingerprint is time-stamped by the notary function (step 228). The time-stamped fingerprint is appended with hash codes which typically are derived from the fingerprint, time-stamp and/or other unpredictable data values (step 228). The fingerprint, time-stamp and hash values are assembled into a notary record which is logically associated with the original electronic document (step 230) and stored in the memory 16 (step 232).
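The notarization flow of Fig. 9 carried through in code, as an added example that is not the patent's own implementation: a fingerprint is taken, the notary time-stamps it and appends a hash derived from fingerprint, time-stamp and a random value, and the record is stored beside the evidence item so later tampering is detectable. Assumptions: a full SHA-256 digest stands in for the sampled-portions fingerprint, a keyed HMAC held by the notary stands in for the hash codes, and all names are constructed.

```python
"""Digital notarization of evidence items (constructed example)."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


def fingerprint(document: bytes) -> str:
    """Step 224: fingerprint the document. A full SHA-256 digest is used here
    instead of sampled portions so that any change anywhere is detected."""
    return hashlib.sha256(document).hexdigest()


class NotaryService:
    """Steps 226 to 230: time-stamp the fingerprint, append a hash, build the record.
    The key belongs to the notary only; in the separate-system arrangement it
    never leaves the notary host."""

    def __init__(self, notary_key: bytes):
        self._key = notary_key

    def _mac(self, fp: str, ts: str, nonce: str) -> str:
        # Hash code derived from fingerprint, time-stamp and an unpredictable value.
        return hmac.new(self._key, f"{fp}|{ts}|{nonce}".encode(), hashlib.sha256).hexdigest()

    def notarize(self, fp: str, when: datetime = None) -> dict:
        ts = (when or datetime.now(timezone.utc)).isoformat()
        nonce = secrets.token_hex(16)
        return {"fingerprint": fp, "timestamp": ts, "nonce": nonce,
                "hash": self._mac(fp, ts, nonce)}

    def verify(self, document: bytes, record: dict) -> bool:
        """Re-derive fingerprint and hash; both must match the stored record."""
        if fingerprint(document) != record["fingerprint"]:
            return False
        expected = self._mac(record["fingerprint"], record["timestamp"], record["nonce"])
        return hmac.compare_digest(expected, record["hash"])


class EvidenceDatabase:
    """Step 232: evidence items with their logically associated notary records."""

    def __init__(self):
        self.items = {}  # evidence_id -> {"document", "notary", "status"}

    def add(self, evidence_id: str, document: bytes) -> None:
        self.items[evidence_id] = {"document": document, "notary": None,
                                   "status": "analysis pending"}

    def notarize(self, evidence_id: str, notary: NotaryService) -> dict:
        item = self.items[evidence_id]
        item["notary"] = notary.notarize(fingerprint(item["document"]))
        item["status"] = "notarized and awaiting analysis"
        return item["notary"]

    def check_integrity(self, evidence_id: str, notary: NotaryService) -> bool:
        """False if the item was never notarized or no longer matches its record."""
        item = self.items[evidence_id]
        return item["notary"] is not None and notary.verify(item["document"], item["notary"])


if __name__ == "__main__":
    notary = NotaryService(secrets.token_bytes(32))
    db = EvidenceDatabase()
    db.add("E-0001", b"constructed firewall log line: DENY 10.0.0.5 -> 10.0.0.9")
    record = db.notarize("E-0001", notary)
    print(record["timestamp"], db.check_integrity("E-0001", notary))
```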
Referring back to FIGS. 7 and 8, the evidence administration functions of the system 10 include an electronic mail analysis function (step 238). The electronic mail analysis allows the system 10 administrator to specify a list of keywords by entering the words or making menu selections. Once the keywords are entered and/or selected, the system 10 administrator can identify a group of electronic mail documents. Then, system 10 will search the group of electronic mail documents for any appearance of the keywords in the electronic mail documents. Once the system 10 has identified any target e-mails containing any of the specified keywords, the system 10 will transfer the target e-mails, or a copy of the target e-mails, to an appropriate electronic evidence database.
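The keyword search over a group of e-mail documents described above, as an added example that is not the patent's code: each message is parsed, its subject and every text/plain part are searched for whole-word, case-insensitive keyword matches, and matching messages are copied into an evidence store together with a digest of the copy. The three messages are constructed and all names are assumptions.

```python
"""Keyword search over e-mail documents with transfer to an evidence store
(constructed example)."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Constructed sample mailbox: one plain message, one with a target keyword in
# the body, and one multipart/alternative message with the keyword in the text part.
CONSTRUCTED_MAILBOX = [
"""From: alice@example.invalid
To: bob@example.invalid
Subject: Lunch
Message-ID: <1@example.invalid>

See you at noon.
""",
"""From: mallory@example.invalid
To: bob@example.invalid
Subject: Expense report
Message-ID: <2@example.invalid>
Content-Type: text/plain

Please approve the falsified receipts before the audit.
""",
"""From: carol@example.invalid
To: bob@example.invalid
Subject: Re: server
Message-ID: <3@example.invalid>
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

The FIREWALL logs were deleted last night.
--b1
Content-Type: text/html

<p>The FIREWALL logs were deleted last night.</p>
--b1--
""",
]


def searchable_text(msg: EmailMessage) -> str:
    """Subject plus every text/plain body part, so multipart mail is searched too."""
    parts = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append(part.get_content())
    return "\n".join(parts)


def matched_keywords(msg: EmailMessage, keywords) -> list:
    """Keywords that occur as whole words, ignoring case."""
    text = searchable_text(msg)
    return [k for k in keywords
            if re.search(r"\b" + re.escape(k) + r"\b", text, re.IGNORECASE)]


def collect_evidence(raw_messages, keywords, evidence_db: list) -> list:
    """Search the group of messages; append a copy of each target e-mail to
    evidence_db with a SHA-256 of the raw bytes so the copy can be checked later.
    Returns the Message-IDs of the target e-mails."""
    hits = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        found = matched_keywords(msg, keywords)
        if not found:
            continue
        raw_bytes = raw.encode()
        message_id = str(msg["Message-ID"])
        evidence_db.append({
            "message_id": message_id,
            "keywords": found,
            "sha256": hashlib.sha256(raw_bytes).hexdigest(),
            "copy": raw_bytes,
        })
        hits.append(message_id)
    return hits


if __name__ == "__main__":
    store = []
    print(collect_evidence(CONSTRUCTED_MAILBOX, ["falsified", "firewall"], store))
    for item in store:
        print(item["message_id"], item["keywords"], item["sha256"][:16])
```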
The investigation administration function logic 200 is programmed to include various investigation administration functions in step 238. The investigation administration functions include creating activity documents by selecting a create activity document button 240 in the investigation administration display screen 206. Activity documents include tasks for the investigators to perform, calendars, a collection of investigation target dates, time-lines of suspected activity related to the incident, outstanding and/or completed investigation tasks and reports of activities yet to be completed.
In addition, documentation related to an investigation may be generated, displayed and printed. The investigation administration function step 238 also provides for the generation of investigation reports, including high-level executive reports to chart trends and correlate various data. For complicated investigations, the investigation may be broken down into more manageable sub-investigations. Each sub-investigation can be managed using the same tools and functions as described herein for investigation files.
By selecting a team setup button 242, the system 10 administrator can set up teams and sub-teams of investigators and/or define the members of the alert groups discussed above.
In addition, each investigation may be associated with various indexed terms using an indexing tool accessed with an index button 244 to create a searchable database using a search tool accessed with a search button 246.

Each investigation can be displayed on the investigation administration display screen 206 as a line item 248 under headings 249. The line items 248 can be arranged under various categories such as the priority of the investigation, the activity state of the investigation, the investigator, or by investigation category by selecting one of various investigation view buttons 250. Each line item can contain an investigation name, an investigation identification number, icons (not shown) to symbolize various aspects of an investigation, and any other relevant information, such as dates and/or times. The investigation administration display screen 206 can also display statistical information for each category heading 249 such as the number of open investigations under the heading 249 and the number of closed investigations under that heading 249. The investigation administration display screen 206 can also be used to display investigation activities by selecting activity view buttons 252.
Example display views include activities by calendar, activities by investigation, activities by investigator, activities by activity type and activities by investigation team. Links 126 as described more fully above are also provided to navigate between the various display screens described herein.
The investigation administration function logic 200 will store all information related to each investigation file each time the investigation database is modified or a new investigation file is opened (step 256).
Referring now to Fig. 10, an information technology policy administration screen 300 is illustrated. The information technology policy administration screen 300 allows the user to carry out matters related to the information technology policy administration function briefly mentioned above. The screen 300 allows the user to select among and display one or more databases of information using view buttons 302. For example, the system 10 administrator can select to view investigation support material containing checklists and procedures to be followed upon the receipt of a security alert, when administering incidents and when administering investigations. The information technology policy administration function can also be used to store information security policies, standards and procedures relating to all aspects of an organization's body of information technology. These policies can be individually entered into the database or loaded as entire files supplied by a vendor.

A document stored by the information technology policy administration function can be reviewed in detail by selecting the document displayed as a line item 304 and then selecting a review document button 306 to open a document view window (not illustrated) containing the text and/or illustrations of the document. Alternatively, the user can double click directly on the line item 304. The documents of the information technology policy administration function can be indexed based on key words using an indexing tool accessible by selecting an index button 308. The index can be subsequently searched using a search tool accessible by selecting a search button 310.
A new policy can be introduced or an existing policy can be changed using a change policy/new policy button 312. Selecting this button will open a policy administration window (not shown) allowing the system 10 administrator to enter the new policy or edit an existing policy and then route the new or changed policy for approval by a policy review team. The policies can be routed using e-mail, fax, electronic document transfer or other similar method. Approval or denial can be made based on written signature, entering a password or providing a digital signature. Members of the policy review team may also provide commentary on the new policies to spawn further discussions and/or changes of the policies, if desired. The information technology policy administration function can be programmed to send automatic reminders to the members of the policy review team if approval, denial or comments have not been received within a specified period of time. The system 10 administrator can display policies waiting for approval by selecting a policy awaiting approval button 314. The system 10 administrator can display commentary on the pending policies by policy category, status or author using the discussion buttons 317.
Once a new policy has been approved or the changes to an existing policy have been approved, the system 10 administrator can send a newsletter to all persons to be informed of the new or changed policy. To accomplish this, the system 10 administrator can select a newsletter button 316 which will provide the system 10 administrator with menus to select the recipient(s) of the newsletter, including predefined groups, such as all employees, all managers, all staff, and the like, and menus to specify the policy or policies to be presented in the newsletter. The newsletter can also be used to send existing policies to selected members of the organization, such as to a new employee or to all employees on a periodic basis.

The information technology policy administration screen 300 is also provided with an approval profiles button 318 for displaying an approval group window (not illustrated). The approval group window will provide the system 10 administrator with menus to select and/or enter the members of various approval teams mentioned herein, such as the persons to approve the opening of an investigation or the persons to approve a new information technology policy, standard or procedure. The system 10 administrator can display and/or edit request templates, forms (i.e., investigation or new policy approval forms) used to carry out the administration functions of the system 10 described herein. The forms and templates can be displayed by type or by the approving party by selecting among request buttons 319.
The foregoing discussion states that various features and functions of the system 10 can be accessed and carried out by a person with the title of system 10 administrator. It should be understood that accessing each of these features and functions can be limited by access control techniques, such as passwords and/or digital signatures. One skilled in the art will also recognize that the same features and functions are not limited for use by a person given the title of system 10 administrator, but can be accessed by any person using the system 10, either locally or remotely, who has been granted access under the access control techniques.
Preferably, the system 10 is provided with multiple levels of access security.
More specifically, access is controlled on various system 10 levels, such as a database level, a view (i.e., display, screen or window) level, a form level, a document level, a document portion or section level and a field level. Once logged into the system 10, a user will be able to display and work with all material to which he or she has been granted access. Material to which the user has not been granted access will be blocked from being displayed, altered, viewed, printed and otherwise worked with. In addition, the system 10 is capable of selectively encrypting database contents at various levels, such as all information stored by the database, all information associated with one of the administration functions, a view level, a form level, a document level, a document section level and a field level.
Although the logic routines 50, 100, 150, 200 and 222 (FIGS. 2, 3, 5, 7 and 9) of the present invention are embodied in software as discussed above, this logic may alternatively be embodied in hardware or a combination of software and hardware. If embodied in hardware, the foregoing logic can be implemented as a circuit or state machine that employs any one of or a combination of a number of technologies. These technologies may include, but are not limited to, discrete logic circuits having logic gates for implementing various logic functions upon an application of one or more data signals, application specific integrated circuits having appropriate logic gates, programmable gate arrays (PGA), field programmable gate arrays (FPGA), or other components, etc. Such technologies are generally well known by those skilled in the art and, consequently, are not described in detail herein.
The diagrams described herein show the architecture, functionality, and operation of an implementation of the foregoing logic. If embodied in software, each block may represent a module, segment, or portion of code that contains one or more executable instructions to implement the specified logical function(s). If embodied in hardware, each block may represent a circuit or a number of interconnected circuits to implement the specified logical function(s). Although the block diagrams and flow charts show a specific order of execution, it is understood that the order of execution may differ from that which is depicted. For example, the order of execution of two or more blocks may be altered relative to the order shown. Also, two or more blocks shown in succession may be executed concurrently or with partial concurrence. In addition, various blocks may be omitted. It is understood that all such variations are within the scope of the present invention.
Also, the logic can be embodied in any computer-readable medium for use by or in connection with an instruction execution system such as a computer/processor based system or other system that can fetch or obtain the logic from the computer-readable medium and execute the instructions contained therein. In the context of this document, a "computer-readable medium" can be any medium that can contain, store, or maintain logic and/or data for use by or in connection with the instruction execution system.
The computer readable medium can be any one of many physical media such as, for example, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor media. More specific examples of a suitable computer-readable medium would include, but are not limited to, a portable magnetic computer diskette such as floppy disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory, or a compact disc.

Although particular embodiments of the invention have been described in detail, it is understood that the invention is not limited correspondingly in scope, but includes all changes, modifications and equivalents coming within the spirit and terms of the claims appended hereto.

Claims (18)

What is claimed is:
1. A method of responding to an information technology related incident, comprising the steps of:
receiving a computer generated security alert indicative of prohibited activity transpiring between a first and a second networked computing device;
displaying the security alert on an incident response and investigation system for analysis by an administrator;
creating an electronic documentation of a potential computer network misconduct incident based on information contained in the security alert;
opening an electronic investigation file to facilitate administration of an investigation of the potential computer network misconduct incident;
collecting items of electronic evidence relating to the investigation of the potential computer network misconduct incident; and maintaining the electronic evidence in an electronic evidence database associated with the electronic investigation file.
2. The method according to claim 1, further comprising the step of routing an investigation approval form to at least one selected individual for the at least one individual to authorize or deny the investigation of the incident.
3. The method according to any of claims 1 to 2, wherein the security alert is generated in response to an action of an author, the author being anonymous.
4. The method according to any of claims 1 to 3, further comprising the steps of establishing a set of criteria for security alert handling and acting upon the security alert based on the set of criteria.
5. The method according to claim 4, wherein the step of acting upon the security alert is carried out by a computer system.
6. The method according to any of claims 1 to 5, further comprising the step of digitally notarizing at least one item of electronic evidence contained in the electronic evidence database.
7. The method according to any of claims 1 to 6, further comprising the steps of searching a selected electronic mail file for at least one specified word and storing the electronic mail file in the electronic evidence database if the at least one specified word is present in the electronic mail file.
8. The method according to any of claims 1 to 7, further comprising the step of alerting at least one person that an investigation file has been opened.
9. The method according to any of claims 1 to 8, further comprising the steps of storing a collection of security policies and support guidelines in a database and referring to the policies and guidelines when documenting the incident and administering to the investigation of the incident.
10. An information technology incident response and investigation system comprising:
an incoming security alert administration means for receiving a computer generated security alert indicative of prohibited activity transpiring between a first and a second networked computing device;
a display for displaying the security alert for analysis by an administrator;
an incident administration means for creating an electronic incident file to document a potential computer network misconduct incident based on information contained in the security alert; and an investigation administration means for opening an electronic investigation file to facilitate administration of an investigation of the potential computer network misconduct incident documented in the incident file.
11. The system according to claim 10, wherein the security alert is generated in response to an action of an author, the author being anonymous.
12. The system according to any of claims 10 to 11, wherein the security alert is generated by an information technology security device or software tool.
13. The system according to any of claims 10 to 12, further comprising an information technology policy administration means for storing a collection of security policies and support guidelines in a database, the policies and guidelines accessible from the incident administration means and the investigation administration means.
14. The system according to any of claims 10 to 13, wherein the investigation administration means includes an electronic authorization means to approve an opening of an investigation file.
15. The system according to any of claims 10 to 14, wherein the investigation administration means includes an electronic evidence database means associated with the electronic investigation file for maintaining items of electronic evidence relating to the investigation of the potential computer network misconduct incident.
16. The system according to claim 15, wherein the electronic evidence database means has a digital notarization function for digitally notarizing at least one item of electronic evidence contained in the electronic evidence database.
17. The system according to any of claims 10 to 16, wherein the investigation administration means includes an electronic mail search tool for searching a selected electronic mail file for at least one specified word and storing the electronic mail file in an electronic evidence database if the at least one specified word is present in the electronic mail file.
18. The system according to any of claims 10 to 17, further comprising an investigation alerting tool for alerting at least one person that an investigation file has been opened.
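The claims above leave the "digital notarization" of evidence items (claims 6 and 16) and the e-mail search tool (claims 7 and 17) unspecified. The following is an added example, not code from the patent or from any product of the applicant, showing one way a defender might implement both: each stored item gets a SHA-256 digest and a timestamp, and an HMAC over that metadata stands in for the notarization so that later alteration of either content or metadata is detectable. The notary key, investigation id and mail message are constructed for the example.

```python
"""Added example: notarized evidence store plus keyword search over a mail file.
Not the patent's own code; the notarization scheme (HMAC over digest and
timestamp) is an assumption chosen to illustrate the claims."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from email import message_from_string

# Constructed notary key for the example. A real deployment would keep this in
# an HSM or a separate notary service so investigators cannot re-sign records.
NOTARY_KEY = b"example-notary-key-do-not-use-in-production"


class EvidenceDatabase:
    """In-memory evidence database attached to one investigation file."""

    def __init__(self, investigation_id):
        self.investigation_id = investigation_id
        self.items = []  # notarized evidence records, in insertion order

    def add_item(self, name, content, when=None):
        """Store an item and notarize it: hash the content, stamp the time,
        and MAC (digest, time, id, name) so tampering is detectable later."""
        when = when or datetime.now(timezone.utc).isoformat()
        record = {
            "investigation": self.investigation_id,
            "item_id": len(self.items) + 1,
            "name": name,
            "sha256": hashlib.sha256(content).hexdigest(),
            "notarized_at": when,
        }
        record["notary_mac"] = self._mac(record)
        record["content"] = content
        self.items.append(record)
        return record

    def verify_item(self, record):
        """True only if the content still matches its digest and the notary
        MAC over the metadata is intact; False on any tampering."""
        expected = hashlib.sha256(record["content"]).hexdigest()
        if not hmac.compare_digest(expected, record["sha256"]):
            return False
        meta = {k: v for k, v in record.items() if k not in ("content", "notary_mac")}
        return hmac.compare_digest(self._mac(meta), record["notary_mac"])

    @staticmethod
    def _mac(meta):
        # Canonical JSON so the MAC is reproducible regardless of key order.
        canonical = json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(NOTARY_KEY, canonical, hashlib.sha256).hexdigest()


def search_mail_and_file(raw_message, words, db):
    """Search the subject and text/plain body of one RFC 822 message for the
    specified words (case-insensitive). If any word is present, store the
    whole message in the evidence database. Returns the list of words found."""
    msg = message_from_string(raw_message)
    parts = [msg.get("Subject", "")]
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    else:
        parts.append(msg.get_payload(decode=True).decode("utf-8", "replace"))
    text = "\n".join(parts).lower()
    hits = [w for w in words if w.lower() in text]
    if hits:
        db.add_item("mail:" + msg.get("Message-ID", "unknown"), raw_message.encode())
    return hits


# Constructed sample message for the example (not real correspondence).
SAMPLE_MAIL = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: quarterly numbers
Message-ID: <constructed-001@example.invalid>

Bob, the draft merger memo is attached. Please keep it confidential.
"""


def demo():
    """Run the search, then show that verification catches content edits."""
    db = EvidenceDatabase("INV-0001")  # constructed investigation file id
    hits = search_mail_and_file(SAMPLE_MAIL, ["confidential", "payroll"], db)
    record = db.items[0]
    intact = db.verify_item(record)
    tampered = dict(record, content=record["content"] + b"edited")
    return hits, intact, db.verify_item(tampered)


if __name__ == "__main__":
    print(demo())  # (['confidential'], True, False)
```

Verification recomputes the MAC over the stored metadata, so changing the timestamp or item name after the fact is caught just as an edit to the content is; what the scheme cannot prove is who held the key, which is why a production notary would sit outside the investigators' control.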
CA002386109A 1999-10-01 2000-05-31 Information technology incident response and investigation system and method Abandoned CA2386109A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US15691299P 1999-10-01 1999-10-01
US60/156,912 1999-10-01
PCT/US2000/014992 WO2001025935A1 (en) 1999-10-01 2000-05-31 Information technology incident response and investigation system and method

Publications (1)

Publication Number Publication Date
CA2386109A1 true CA2386109A1 (en) 2001-04-12

Family

ID=22561637

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002386109A Abandoned CA2386109A1 (en) 1999-10-01 2000-05-31 Information technology incident response and investigation system and method

Country Status (3)

Country Link
AU (1) AU5591300A (en)
CA (1) CA2386109A1 (en)
WO (1) WO2001025935A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8621278B2 (en) 2011-06-28 2013-12-31 Kaspersky Lab, Zao System and method for automated solution of functionality problems in computer systems
US8776241B2 (en) 2011-08-29 2014-07-08 Kaspersky Lab Zao Automatic analysis of security related incidents in computer networks
US20150149225A1 (en) * 2013-11-26 2015-05-28 International Business Machines Corporation Automatically Determining Targeted Investigations on Service Delivery Incidents
US10412117B2 (en) 2014-08-05 2019-09-10 Dflabs S.P.A. Method and system for automated cybersecurity incident and artifact visualization and correlation for security operation centers and computer emergency response teams
US9729569B2 (en) 2015-04-21 2017-08-08 International Business Machines Corporation Solution-centric reporting of security warnings
US10552615B2 (en) 2016-02-18 2020-02-04 Swimlane Llc Threat response systems and methods
CN108460574B (en) * 2018-02-01 2022-04-15 海能达通信股份有限公司 Electronic evidence management system, method and server

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5696486A (en) * 1995-03-29 1997-12-09 Cabletron Systems, Inc. Method and apparatus for policy-based alarm notification in a distributed network management environment
US5596632A (en) * 1995-08-16 1997-01-21 Mci Communications Corporation Message-based interface for phone fraud system
US5872921A (en) * 1996-07-24 1999-02-16 Datalink Systems Corp. System and method for a real time data stream analyzer and alert system

Also Published As

Publication number Publication date
AU5591300A (en) 2001-05-10
WO2001025935A1 (en) 2001-04-12

Similar Documents

Publication Publication Date Title
KR100732789B1 (en) Method and apparatus for monitoring a database system
US9235629B1 (en) Method and apparatus for automatically correlating related incidents of policy violations
US6289460B1 (en) Document management system
Swanson et al. Generally accepted principles and practices for securing information technology systems
US20070294258A1 (en) System and method for incident reporting
US20090271238A1 (en) System and method of managing a workflow within and between a criminal case management side and a criminal intelligence management side in the justice and public safety domain
JP2008522282A (en) Application implementation and monitoring
EP1579290A2 (en) Enhanced system, method and medium for certifying and accrediting requirements compliance utilizing continuous risk assessment
WO2004051408A2 (en) Enhanced system, method and medium for certifying and accrediting requirements compliance utilizing threat vulnerability feed
CA2571425A1 (en) Systems and methods for managing litigation and other matters
JP2006511855A (en) Content management system
Holbrook et al. Site security handbook
Seyyar et al. Privacy impact assessment in large-scale digital forensic investigations
Saraiva et al. CyberSoc Framework a Systematic Review of the State-of-Art
CA2386109A1 (en) Information technology incident response and investigation system and method
Allinson Information systems audit trails in legal proceedings as evidence
Ang A Case Study for Cyber Incident Report in Industrial Control Systems
Ati Big Data Security and Privacy Implementation: The way Ahead
Dacey Federal Information System Controls Audit Manual (FISCAM)
Fayzullajon et al. Handling Information Security Events and Incidents
Kabanov et al. A Systematic Study of the Control Failures in the Equifax Cybersecurity Incident
Searson et al. Incident Handling
US20060179030A1 (en) Method and system for processing information in monitoring system used in ethics, risk and/or value management and corresponding computer program product and corresponding storage medium
Lee A Study on Introducing Cyber Security Incident Reporting Regulations for Nuclear Facilities
Wilding et al. Using Digital Forensics

Legal Events

Date Code Title Description
FZDE Discontinued