WO2020049595A1 - Method and system for managing incident response in an organization - Google Patents


Info

Publication number: WO2020049595A1
Authority: WO (WIPO, PCT)
Prior art keywords: incident, responses, management system, organization, visibility
Application number: PCT/IN2019/050644
Other languages: French (fr)
Inventor: Sriram Govindan
Original Assignee: Sriram Govindan

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • The present subject matter is, in general, related to incident ticket management and more particularly, but not exclusively, to a method and system for managing incident responses in an organization.
  • Incident response is an organized approach used by organizations to handle incidents such as a data breach or cyberattack, including an attempt to manage the consequences of the incidents.
  • The goal of incident response is to manage the incidents effectively, so that the damage caused by the incidents is limited.
  • Incident response also helps in minimizing recovery time, recovery costs, and collateral damage caused by the incidents.
  • CIRT: Computer Incident Response Team
  • IT: Information Technology
  • The incident management process includes analyzing threat landscapes and mapping them with available resource landscapes to design effective incident management workflows.
  • Existing incident management processes do not provide the CIRTs with a focused view of the threat landscape visibility and the incident responders' resource landscape visibility.
  • The CIRTs therefore consume more time analyzing and effectively managing the incidents.
  • The present disclosure relates to a method of managing incident responses in an organization.
  • The method comprises generating, by an incident management system, hash values corresponding to each of one or more incident responses, corresponding to one or more incident tickets, received from one or more sources. Thereafter, the method comprises assigning a label to each of the one or more incident responses based on a domain of each of the one or more incident responses. Subsequent to assigning the labels, the method comprises analyzing each of the one or more incident responses using a plurality of pre-trained learning models. A corresponding pre-trained learning model of the plurality of pre-trained learning models analyzes each of the one or more incident responses based on the hash values and the label of each of the one or more incident responses.
  • The method comprises classifying each of the one or more incident responses as one of one or more qualitative responses or one or more quantitative responses based on the analysis.
  • The method comprises generating a dynamic dashboard analytics based on the one or more qualitative responses, for managing each of the one or more incident responses.
  • The dynamic dashboard analytics provides an incident ticket landscape visibility and a resource landscape visibility.
  • The present disclosure relates to an incident management system for managing incident responses in an organization.
  • The incident management system comprises a processor and a memory.
  • The memory is communicatively coupled to the processor and stores processor-executable instructions, which on execution cause the processor to generate hash values corresponding to each of one or more incident responses, corresponding to one or more incident tickets, received from one or more sources.
  • The instructions cause the processor to assign a label to each of the one or more incident responses based on a domain of each of the one or more incident responses. Thereafter, the instructions cause the processor to analyze each of the one or more incident responses using a plurality of pre-trained learning models.
  • A corresponding pre-trained learning model of the plurality of pre-trained learning models analyzes each of the one or more incident responses based on the hash values and the label of each of the one or more incident responses. Further, the instructions cause the processor to classify each of the one or more incident responses as one of one or more qualitative responses or one or more quantitative responses based on the analysis. Finally, the instructions cause the processor to generate a dynamic dashboard analytics based on the one or more qualitative responses, for managing each of the one or more incident responses.
  • The dynamic dashboard analytics provides an incident ticket landscape visibility and a resource landscape visibility.
  • FIG. 1 illustrates an exemplary environment for managing incident responses in an organization in accordance with some embodiments of the present disclosure.
  • FIG. 2 shows a detailed block diagram illustrating an incident management system in accordance with some embodiments of the present disclosure.
  • FIG. 3 shows a flowchart illustrating a method of managing incident responses in an organization in accordance with some embodiments of the present disclosure.
  • FIGS. 4A - 4E show exemplary analytical results provided on a dynamic dashboard analytics in accordance with some embodiments of the present disclosure.
  • FIG. 5 illustrates a block diagram of an exemplary computer system for implementing embodiments consistent with the present disclosure. It should be appreciated by those skilled in the art that any block diagrams herein represent conceptual views of illustrative systems embodying the principles of the present subject matter. Similarly, it will be appreciated that any flow charts, flow diagrams, state transition diagrams, pseudo code, and the like represent various processes which may be substantially represented in a computer readable medium and executed by a computer or processor, whether or not such computer or processor is explicitly shown.
  • The present disclosure is related to a method and an incident management system for managing incident responses in an organization.
  • The method comprises receiving one or more incident responses from one or more sources associated with the organization and then generating hash values corresponding to each of the one or more incident responses.
  • A label is assigned to each of the one or more incident responses based on the domain to which each of the one or more incident responses belongs.
  • Each of the one or more incident responses is analyzed using a plurality of pre-trained learning models for classifying each of the one or more incident responses as one of one or more qualitative responses or one or more quantitative responses.
  • A dynamic dashboard analytics is generated based on the one or more qualitative responses, such that the dynamic dashboard provides an incident ticket landscape visibility and a resource landscape visibility, which may be used for managing each of the one or more incident responses.
  • The method and incident management system of the present disclosure may be used to address issues related to the incident management processes of the organization by providing a focused view of threat landscape visibility and incident responders' resource landscape visibility to a Computer Incident Response Team (CIRT) of the organization. That is, the present disclosure uses convenient dashboard analytics to showcase both the resource landscape analytics and the threat landscape analytics to the CIRTs for effectively managing the incident responses. Further, the present disclosure may be used for automating tasks of the incident management process to reduce the complexity and time taken for the incident management process. More importantly, the present disclosure may be used for calculating the first response of any CIRT while performing incident response, thereby improving the quality of the CIRT.
  • FIG. 1 illustrates an exemplary environment for managing incident responses 105 in an organization in accordance with some embodiments of the present disclosure.
  • The environment 100 may include, without limitation, an incident management system 101, one or more sources 103 and a plurality of pre-trained learning models 107 associated with the incident management system 101.
  • The incident management system 101 may be any computing system such as a desktop, a laptop, a Personal Digital Assistant (PDA), a server and the like, which may be configured for managing the incident responses 105 in an organization.
  • The incident management system 101 may be configured and operated within the organization in which the incident management has to be performed.
  • Alternatively, the incident management system 101 may be configured outside the organization, as an external and/or remote computing system.
  • The organization may be a service company, a business institution and the like.
  • The one or more sources 103 may be the sources of one or more incident responses 105 corresponding to one or more incident tickets generated in the organization.
  • The one or more sources 103 may include, without limitation, an incident response repository, an online incident repository, databases storing historical incident responses 105 of the organization and the like.
  • The one or more incident tickets may include, without limitation, reports and/or queries raised by users of a service and/or product of the organization upon experiencing service interruptions or issues while using the service/product of the organization.
  • The one or more incident responses 105 corresponding to the one or more incident tickets may include the responses, solutions and/or approaches required and/or used for resolving and/or handling each of the one or more incident tickets.
  • The incident management system 101 may receive the one or more incident responses 105, corresponding to the one or more incident tickets, from the one or more sources 103 for handling and managing the incident responses 105.
  • The incident management system 101 may generate hash values corresponding to each of the one or more incident responses 105.
  • The hash values may be generated using an existing hashing algorithm and/or hash function.
  • The incident management system 101 may convert/map each of the one or more incident responses 105, which may be of different lengths, to data of a predetermined fixed length. As an example, after hashing the one or more incident responses 105, each of the one or more incident responses 105 may be converted into fixed-size data of 32-bit length.
  • The incident management system 101 may also assign a label to each of the one or more incident responses 105 based on a domain of each of the one or more incident responses 105.
  • The domain of an incident response may indicate the category of incident tickets to which that incident response belongs.
  • The domain of the incident response may include, without limitation, malwares, failures, suspicious activities, interruptions, client risks and the like.
  • An incident response that belongs to the domain ‘malwares’ may be assigned the label ‘malware 01’ to uniquely identify and/or classify the incident response as belonging to the ‘malwares’ domain.
  • Assigning labels to each of the one or more incident responses 105 helps in classifying each of the one or more responses into their respective domains/categories.
  • The domain of each of the one or more incident responses 105 may be determined by analysing each of the one or more responses using a Natural Language Processing (NLP) technique.
  • NLP: Natural Language Processing
  • The incident management system 101 may analyse each of the one or more incident responses 105 using a plurality of pre-trained learning models 107.
  • A corresponding pre-trained learning model of the plurality of pre-trained learning models 107 may be selected for analysing a corresponding one of the one or more incident responses 105 based on the hash values and the label of the one or more incident responses 105. Analysing each of the one or more incident responses 105 using the plurality of pre-trained learning models 107 helps in classifying each of the one or more incident responses 105 as either a qualitative response or a quantitative response.
  • Each of the one or more incident responses 105 classified as a ‘qualitative response’ may be considered a response of good quality and/or a response appropriate for handling the corresponding incident ticket.
  • Each of the one or more incident responses 105 classified as a ‘quantitative response’ may be considered an incomplete and/or inappropriate response.
  • The incident management system 101 may generate a dynamic dashboard analytics 109 based on the one or more qualitative responses. That is, subsequent to classification of the incident responses 105, the incident management system 101 may use only the incident responses 105 classified as qualitative responses to dynamically generate the dashboard analytics.
  • The dynamic dashboard analytics 109 may provide an incident ticket landscape visibility and a resource landscape visibility to the users of the incident management system 101.
  • The incident ticket landscape visibility may indicate information and analysis related to each of the one or more incident tickets generated in the organization.
  • The resource landscape visibility may indicate information related to one or more resources of the organization which are involved in handling the one or more incidents.
  • The dynamic dashboard analytics 109 helps the users to effectively analyse and manage each of the one or more incident responses 105 occurring in the organization.
  • FIG. 2 shows a detailed block diagram illustrating an incident management system 101 in accordance with some embodiments of the present disclosure.
  • The incident management system 101 may include an I/O interface 201, a processor 203, and a memory 205.
  • The I/O interface 201 may be configured to receive one or more incident responses 105 from one or more sources 103 associated with the organization.
  • The memory 205 may be communicatively coupled to the processor 203 and may store data 207 and one or more modules 209.
  • The processor 203 may be configured to perform one or more functions of the incident management system 101 for managing the incident responses 105 in the organization, using the data 207 and the one or more modules 209.
  • The data 207 may include, without limitation, hash values 211 corresponding to the incident responses 105, incident ticket landscape visibility 213, resource landscape visibility 215 and other data 217.
  • The data 207 may be stored within the memory 205 in the form of various data structures. Additionally, the data 207 may be organized using data models, such as relational or hierarchical data models.
  • The other data 217 may store various temporary data and files generated by the one or more modules 209 while performing various functions of the incident management system 101.
  • The other data 217 may include, without limitation, a plurality of pre-trained learning models 107, training neural networks, incident responses 105 and the like.
  • The hash values 211 corresponding to each of the one or more incident responses 105 may be arbitrary fixed-size values assigned to each of the one or more incident responses 105.
  • The hash values 211 corresponding to each of the one or more incident responses 105 may be generated by feeding each of the one or more incident responses 105 into a hash function, specifying the length of the fixed-size data required.
  • Hash values 211 assigned to each of the one or more incident responses 105 may be unique and help in transmitting and/or processing each of the one or more incident responses 105 in an efficient and secure manner and in maintaining data integrity.
  • Hashing may be performed using an existing technique such as, without limitation, Message Digest (MD, MD2 etc.) or Secure Hash Function (SHA-0, SHA-1 etc.).
  • MD: Message Digest
  • SHA-0: Secure Hash Function
  • As an example, the hash value assigned to the simplest incident response, ‘this shall be taken care’, limited to 32 bits, may be ‘bb90c8b4e70a6f15a3b047c162e2dc27’.
  • The incident ticket landscape visibility 213 may include information related to the one or more incident tickets generated in the organization.
  • The incident ticket landscape visibility 213 provides a collective overview of each of the one or more incident tickets.
  • The incident ticket landscape visibility 213 may include, without limitation, at least one of: information related to the one or more incident tickets, the frequency of occurrence and trends in the occurrence of the one or more incident tickets, and the mean turnaround time taken for generating the one or more incident responses 105 to each of the one or more incident tickets.
  • The resource landscape visibility 215 may indicate information related to the availability and effective usage of the one or more resources in the organisation.
  • The one or more resources may be human resources, computing resources or any other resources relating to the incident management process.
  • The resource landscape visibility 215 may include, without limitation, at least one of: information related to the one or more resources available in the organization, and the time taken by the one or more resources for generating the one or more incident responses 105 to each of the one or more incident tickets.
  • The incident ticket landscape visibility 213 may be useful for determining a pattern in the occurrence of the incident tickets and thereby devising an effective approach for handling the one or more incident tickets.
  • The resource landscape visibility 215 helps in making strategies for better utilization of the resources in the organization.
  • The data 207 may be processed by the one or more modules 209.
  • The one or more modules 209 may be communicatively coupled to the processor 203 for performing one or more functions of the incident management system 101.
  • The one or more modules 209 may include, without limitation, a hash value generation module 221, a label assignor module 223, a response analysis module 225, a classification module 227, a dashboard creation module 229 and other modules 231.
  • The term ‘module’ refers to an Application Specific Integrated Circuit (ASIC), an electronic circuit, a processor (shared, dedicated, or group) and memory that execute one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that provide the described functionality.
  • ASIC: Application Specific Integrated Circuit
  • The other modules 231 may be used to perform various miscellaneous functionalities of the incident management system 101. It will be appreciated that such one or more modules 209 may be represented as a single hardware component or a combination of different components in a single hardware unit.
  • The hash value generation module 221 may be configured for generating the hash values 211 for each of the one or more incident responses 105 using an existing hashing algorithm. In an embodiment, before generating the hash values 211, the hash value generation module 221 may perform one or more pre-processing operations on each of the one or more incident responses 105 to convert each of the one or more incident responses 105 into a standard format and thereby increase the effectiveness of hashing.
  • The one or more pre-processing operations may include, without limitation, casing of texts, removal of special characters from the incident responses 105, tokenization of the responses, correction of errors, lemmatization and removal of stop words from each of the one or more incident responses 105.
  • The label assignor module 223 may be configured for assigning a label to each of the one or more incident responses 105.
  • The label assignor module 223 may analyze each of the one or more incident responses 105 using an existing Natural Language Processing (NLP) technique to identify the domain to which each of the one or more incident responses 105 belongs.
  • The domain of an incident response may be identified based on one or more technical keywords present in the incident response.
  • As an example, an incident response that includes information on how to prevent malware attacks may be identified as belonging to the domain ‘malwares’. Accordingly, the incident response may be assigned a label corresponding to the domain ‘malwares’.
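The hash value generation and label assignor steps described above, as an added illustration that is not code from the patent: responses are normalised with the named pre-processing operations (casing, special-character removal, tokenization, stop-word removal, lemmatization), hashed with an existing algorithm, and labelled from technical-keyword hits. The stop-word list, keyword table and toy lemmatizer are constructed assumptions; the patent names the domains but not their keywords.

```python
import hashlib
import re

# Constructed stop-word list; a real deployment would take one from an NLP library.
STOP_WORDS = {"this", "shall", "be", "the", "a", "an", "is", "are", "of",
              "to", "and", "on", "it", "was", "by", "in", "for", "with"}

# Constructed keyword table for the domains the patent names (assumption).
DOMAIN_KEYWORDS = {
    "malwares": {"malware", "trojan", "ransomware", "virus", "payload"},
    "failures": {"failure", "crash", "outage", "down", "fault"},
    "suspicious activities": {"suspicious", "anomalous", "unusual", "login"},
    "interruptions": {"interruption", "timeout", "latency", "degraded"},
    "client risks": {"client", "customer", "exposure", "risk"},
}


def lemmatize(token):
    """Toy suffix-stripping lemmatizer standing in for a real one."""
    for suffix in ("ing", "ed", "es", "s"):
        if token.endswith(suffix) and len(token) - len(suffix) >= 3:
            return token[: -len(suffix)]
    return token


# Keywords are lemmatized once so they compare equal to lemmatized tokens.
_LEMMA_KEYWORDS = {d: {lemmatize(k) for k in ks} for d, ks in DOMAIN_KEYWORDS.items()}


def preprocess(text):
    """Pre-processing in the order the patent lists it: casing, special-character
    removal, tokenization, stop-word removal, lemmatization. Error correction is
    left out because it needs a dictionary."""
    text = text.lower()
    text = re.sub(r"[^a-z0-9\s]", " ", text)
    tokens = [t for t in text.split() if t not in STOP_WORDS]
    return [lemmatize(t) for t in tokens]


def hash_response(tokens, algorithm="md5"):
    """Hash the canonical token string. MD5 gives a 128-bit digest rendered as
    32 hex characters, the shape of the patent's example value."""
    canonical = " ".join(tokens).encode("utf-8")
    return hashlib.new(algorithm, canonical).hexdigest()


def assign_label(tokens):
    """Domain label from technical-keyword hits; ties go to the first domain in
    DOMAIN_KEYWORDS and no hit yields 'unclassified'."""
    best_domain, best_hits = "unclassified", 0
    for domain, keywords in _LEMMA_KEYWORDS.items():
        hits = sum(1 for t in tokens if t in keywords)
        if hits > best_hits:
            best_domain, best_hits = domain, hits
    return best_domain


def process_response(text, algorithm="md5"):
    """Hash value generation module and label assignor module, combined."""
    tokens = preprocess(text)
    return {"tokens": tokens,
            "hash": hash_response(tokens, algorithm),
            "label": assign_label(tokens)}


def verify_integrity(record, text, algorithm="md5"):
    """Re-derive the hash from the stored text; a mismatch means the response
    text changed after the hash was recorded."""
    return hash_response(preprocess(text), algorithm) == record["hash"]


def find_duplicates(texts):
    """Group responses whose normalised content hashes identically, so a
    response re-entered with different casing or punctuation counts once."""
    groups = {}
    for text in texts:
        groups.setdefault(process_response(text)["hash"], []).append(text)
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    for sample in ("Isolated the host; Malware removed.",
                   "Customer reported unusual login from new country",
                   "Acknowledged."):
        print(process_response(sample))
```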
  • The response analysis module 225 may be configured for analyzing each of the one or more incident responses 105 based on the hash value and the label assigned to each of the one or more incident responses 105.
  • The response analysis module 225 may be configured with a plurality of pre-trained learning models 107 that are specifically trained for analyzing the incident responses 105.
  • Each one of the plurality of pre-trained learning models 107 may be trained to analyze the one or more incident responses 105 belonging to a specific domain of the incident responses 105.
  • Each of the plurality of pre-trained learning models 107 may be a multilayer stacked model including at least one of an embedding layer, at least one LSTM layer and a dense layer with a sigmoid activation function. Further, each of the plurality of learning models may be generated and trained using a sequential model, in which every layer is stacked upon the previous layer.
  • The embedding layer provides embeddings for the text inputs in the one or more incident responses 105.
  • Dropout and recurrent_dropout values may be specified for regularization of the model. Additionally, an activation function may be added to introduce non-linearity into the model.
  • More than one LSTM layer may be added depending upon the performance of the model.
  • The dense layer may connect all the inputs to all the outputs.
  • An activation function may be used in the final layer: if there are two classes, a sigmoid may be used; if there are more than two classes, a softmax function may be used.
  • Each of the plurality of pre-trained learning models 107 may be compiled with an appropriate optimizer and loss metric.
  • The classification module 227 may be configured for classifying each of the one or more incident responses 105 as at least one of a ‘qualitative response’ and a ‘quantitative response’, based on the analysis and outcome of the plurality of pre-trained learning models 107.
  • The dashboard creation module 229 may be configured for dynamically generating the dynamic dashboard analytics 109 based on the one or more qualitative responses.
  • The dynamic dashboard analytics 109 may provide the incident ticket landscape visibility 213 and the resource landscape visibility 215.
  • The dynamic dashboard analytics 109 may be provided to the users by displaying it on a display interface. Subsequently, the users may analyse the dynamic dashboard analytics 109 and derive the insights required for managing each of the one or more incident responses 105.
  • FIG. 3 shows a flowchart illustrating a method of managing incident responses 105 in an organization in accordance with some embodiments of the present disclosure.
  • The method 300 may include one or more blocks illustrating a method of managing incident responses 105 in an organization using the incident management system 101 shown in FIG. 1.
  • The method 300 may be described in the general context of computer executable instructions.
  • Computer executable instructions can include routines, programs, objects, components, data structures, procedures, modules, and functions, which perform specific functions or implement specific abstract data types.
  • The method 300 includes generating, by the incident management system 101, hash values 211 corresponding to each of one or more incident responses 105, corresponding to one or more incident tickets, received from one or more sources 103.
  • One or more pre-processing operations may be performed on each of the one or more incident responses 105 before generating the hash values 211.
  • The one or more pre-processing operations may include, without limitation, casing of texts, removal of special characters, tokenization, correction of errors, lemmatization and removal of stop words from each of the one or more incident responses 105.
  • The method 300 includes assigning, by the incident management system 101, a label to each of the one or more incident responses 105 based on a domain of each of the one or more incident responses 105.
  • The domain of each of the one or more incident responses 105 may be determined using Natural Language Processing (NLP) techniques.
  • the method 300 includes analyzing, by the incident management system 101, each of the one or more incident responses 105 using a plurality of pre-trained learning model.
  • a corresponding pre-trained learning model of the plurality of pre-trained learning models 107 may be used for analysing each of the one or more incident responses 105 based on the hash values 211 and the label of each of the one or more incident responses 105.
  • the method 300 includes classifying, by the incident management system 101, each of the one or more incident responses 105 as one of one or more qualitative responses or one or more quantitative responses based on the analysis. That is, the pre-trained learning models 107, when used for analysing the incident responses 105, indicate whether a given incident response is a qualitative response or a quantitative response.
  • the method 300 includes generating, by the incident management system 101, a dynamic dashboard analytics 109 based on the one or more qualitative responses for managing each of the one or more incident responses 105.
  • the dynamic dashboard analytics 109 may provide an incident ticket landscape visibility 213 and a resource landscape visibility 215 to one or more users responsible for managing the one or more incident tickets in the organization.
  • the incident ticket landscape visibility 213 may include at least one of - information related to the one or more incident tickets, frequency of occurrence and trends in the occurrence of the one or more incident tickets and mean turnaround time taken for generating the one or more incident responses 105 to each of the one or more incident tickets.
  • the resource landscape visibility 215 may indicate information related to at least one of - one or more resources available in the organization and time taken by the one or more resources for generating the one or more incident responses 105 to each of the one or more incident tickets.
  • comments or incident response logged by a security analyst, during the incident management process may be classified into one of a qualitative category or a quantitative category.
  • a comment or incident response involves an approach used to tackle the incident, then such a comment may be classified under‘qualitative category’ .
  • the comment may be classified under‘quantitative category’.
  • the method of present disclosure may provide a‘playbook’ structure to the users, which may be used to automate any task while creating the incident, or when the incident management process reaches a particular stage.
  • the present disclosure discloses use of a dedicated, IR dashboard to measure the incident ticket landscape and the resource landscape during the incident management.
  • the present disclosure may provide a dedicated visibility to the threat landscape dashboard, thereby allowing the users and/or CIRTs to see what is trending in the organization.
  • the present disclosure may facilitate system analysts to create private cases with automating Non-Disclosure Agreements (NDAs), where sensitive cases are involved.
  • NDAs Non-Disclosure Agreements
  • the present disclosure provides flexibility for the users, CIRTs and other system analysts to customize any Security Operations Centre (SOC) or a CIRT environment. Also, the present disclosure helps in creating threat/incident reports, which help a stakeholder to receive and see the reports designed exclusively for their requirements.
  • SOC Security Operations Centre
  • CDE Cloud Detection Engine
  • the present disclosure discloses use of a CDE for automation of gathering threat intel lookups about the Indicators of Compromise (IOCs) extracted from initial work notes related to the incident responses 105. Further, the CDE may also be used for performing email analysis, where an email workflow is available.
  • IOCs Indicators of Compromise
  • FIGS. 4A - 4E show exemplary analytical results provided on a dynamic dashboard analytics 109 in accordance with some embodiments of the present disclosure.
  • FIG. 4A and FIG. 4B indicate exemplary views of the incident ticket landscape visibility 213.
  • the graph on FIG. 4A shows an average of the dwell time spent on individual incident tickets that belong to various domains such as malware, exploits, recon, suspicious email and the like (shown on the bottom of FIG. 4A).
  • the FIG. 4A showcases the average time that a group experts spends on the cases collectively before either escalating to another group of experts or closing the cases. This may be seen at a micro level on a per-case basis on the incident ticket landscape visibility 213.
  • the organization may decide, for example, on which of the groups need more training or additional resources for effectively handling the incident tickets in each domain.
  • FIG. 4B provides a chart that indicates trends in occurrence of the incident tickets at different times of a day.
  • the graph of FIG. 4B indicates which category of the incident tickets occur most frequently and/or are trending during various times of the day and night.
  • a security analyst/an expert may strategize a suitable approach or incident response for effectively handling the incident tickets occurring at different times of the day.
  • FIGS. 4C - 4E show exemplary views from the resource landscape visibility 215 of the organization.
  • FIG. 4C indicates an average time taken by each individual analyst for the first response.
  • the organization may identify which of the analysts are overloaded and/or which of the analysts have a poor first response time, for an optimal utilization of each resource (i.e. analysts).
  • FIG. 4D indicates an assessment of the quality of first response provided by each individual analyst in the organization. That is, the graph on FIG. 4D indicates what portion of the total first responses of an analyst are qualitative responses and quantitative responses, respectively. Thus, the indications in FIG. 4D help the organization in readily determining the quality of first response provided by each analyst.
  • FIG. 4E indicates the status of each case handled by each analyst in the organization. Particularly, FIG. 4E indicates how many of the total cases handled by each analyst are open, stalled, in progress, waiting or closed. Thus, FIG. 4E helps in understanding the status of the cases handled by each analyst at any given point in time.
  • the incident ticket landscape visibility 213 and the resource landscape visibility 215, which are dynamically generated as per needs of the organization, may be used for drawing various technical insights related to the incident tickets and the resources allocated for handling the incident tickets.
  • the dynamic dashboard analytics 109 is highly customizable, such that the organization may choose and/or customize the nature and type of analytics to be performed on the incident tickets or resources of the organization.
  • the methods and embodiments of the present disclosure may not be limited only to incident ticket management. Instead, the method of the present disclosure may be applied across various organizations for use cases such as monitoring resources of the organization, work allocation among the available resources, monitoring inflow of work, projects or cases in domain of the organization, budget management and the like.
  • FIG. 5 illustrates a block diagram of an exemplary computer system 500 for implementing embodiments consistent with the present disclosure.
  • the computer system 500 may be the incident management system 101 illustrated in FIG. 1, which may be used for managing incident responses 105 in an organization.
  • the computer system 500 may include a central processing unit ("CPU" or "processor") 502.
  • the processor 502 may comprise at least one data processor for executing program components for executing user- or system-generated business processes.
  • a user may include a person, a security analyst, or any system/sub-system being operated parallelly to the computer system 500.
  • the processor 502 may include specialized processing units such as integrated system (bus) controllers, memory management control units, floating point units, graphics processing units, digital signal processing units, etc.
  • the processor 502 may be disposed in communication with one or more input/output (I/O) devices (511 and 512) via I/O interface 501.
  • the I/O interface 501 may employ communication protocols/methods such as, without limitation, audio, analog, digital, stereo, IEEE-1394, serial bus, Universal Serial Bus (USB), infrared, PS/2, BNC, coaxial, component, composite, Digital Visual Interface (DVI), high-definition multimedia interface (HDMI), Radio Frequency (RF) antennas, S-Video, Video Graphics Array (VGA), IEEE 802.
  • the computer system 500 may communicate with one or more I/O devices 511 and 512.
  • cellular e.g., Code-Division Multiple Access (CDMA), High-Speed Packet Access (HSPA+), Global System For Mobile Communications (GSM), Long-Term Evolution (LTE) or the like
  • the processor 502 may be disposed in communication with a communication network 509 via a network interface 503.
  • the network interface 503 may communicate with the communication network 509.
  • the network interface 503 may employ connection protocols including, without limitation, direct connect, Ethernet (e.g., twisted pair 10/100/1000 Base T), Transmission Control Protocol/Internet Protocol (TCP/IP), token ring, IEEE 802.11a/b/g/n/x, etc.
  • the computer system 500 may connect to one or more sources 103 of the one or more incident responses 105.
  • the communication network 509 may be implemented as one of the several types of networks, such as intranet or Local Area Network (LAN) and such within the organization.
  • the communication network 509 may either be a dedicated network or a shared network, which represents an association of several types of networks that use a variety of protocols, for example, Hypertext Transfer Protocol (HTTP), Transmission Control Protocol/Internet Protocol (TCP/IP), Wireless Application Protocol (WAP), etc., to communicate with each other.
  • the communication network 509 may include a variety of network devices, including routers, bridges, servers, computing devices, storage devices, etc.
  • the processor 502 may be disposed in communication with a memory 505 (e.g., RAM 513, ROM 514, etc. as shown in FIG. 5) via a storage interface 504.
  • the storage interface 504 may connect to memory 505 including, without limitation, memory drives, removable disc drives, etc., employing connection protocols such as Serial Advanced Technology Attachment (SATA), Integrated Drive Electronics (IDE), IEEE-1394, Universal Serial Bus (USB), fiber channel, Small Computer Systems Interface (SCSI), etc.
  • the memory drives may further include a drum, magnetic disc drive, magneto-optical drive, optical drive, Redundant Array of Independent Discs (RAID), solid-state memory devices, solid-state drives, etc.
  • the memory 505 may store a collection of program or database components, including, without limitation, user/application interface 506, an operating system 507, a web browser 508, and the like.
  • computer system 500 may store user/application data 506, such as the data, variables, records, etc. as described in this invention.
  • Such databases may be implemented as fault-tolerant, relational, scalable, secure databases such as Oracle ® or Sybase ® .
  • the operating system 507 may facilitate resource management and operation of the computer system 500.
  • Examples of operating systems include, without limitation, APPLE® MACINTOSH® OS X®, UNIX®, UNIX-like system distributions (e.g., BERKELEY SOFTWARE DISTRIBUTION® (BSD), FREEBSD®, NETBSD®, OPENBSD, etc.), LINUX® DISTRIBUTIONS (e.g., RED HAT®, UBUNTU®, KUBUNTU®, etc.), IBM® OS/2®, MICROSOFT® WINDOWS® (XP®, VISTA®/7/8, 10 etc.), APPLE® IOS®, GOOGLE™ ANDROID™, BLACKBERRY® OS, or the like.
  • the user interface 506 may facilitate display, execution, interaction, manipulation, or operation of program components through textual or graphical facilities.
  • the user interface 506 may provide computer interaction interface elements on a display system operatively connected to the computer system 500, such as cursors, icons, check boxes, menus, scrollers, windows, widgets, and the like.
  • GUIs may be employed, including, without limitation, APPLE ® MACINTOSH ® operating systems’ Aqua ® , IBM ® OS/2 ® , MICROSOFT ® WINDOWS ® (e.g., Aero, Metro, etc.), web interface libraries (e.g., ActiveX ® , JAVA ® , JAVASCRIPT ® , AJAX, HTML, ADOBE ® FLASH ® , etc.), or the like.
  • the web browser 508 may be a hypertext viewing application. Secure web browsing may be provided using Secure Hypertext Transport Protocol (HTTPS), Secure Sockets Layer (SSL), Transport Layer Security (TLS), and the like.
  • the web browsers 508 may utilize facilities such as AJAX, DHTML, ADOBE ® FLASH ® , JAVASCRIPT ® , JAVA ® , Application Programming Interfaces (APIs), and the like.
  • the computer system 500 may implement a mail server stored program component.
  • the mail server may utilize facilities such as ASP, ACTIVEX®, ANSI® C++/C#, MICROSOFT® .NET, CGI SCRIPTS, JAVA®, JAVASCRIPT®, PERL®, PHP, PYTHON®, WEBOBJECTS®, etc.
  • the mail server may utilize communication protocols such as Internet Message Access Protocol (IMAP), Messaging Application Programming Interface (MAPI), MICROSOFT ® exchange, Post Office Protocol (POP), Simple Mail Transfer Protocol (SMTP), or the like.
  • the computer system 500 may implement a mail client stored program component.
  • the mail client may be a mail viewing application, such as APPLE ® MAIL, MICROSOFT ® ENTOURAGE ® , MICROSOFT ® OUTLOOK ® , MOZILLA ® THUNDERBIRD ® , and the like.
  • a computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored.
  • a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processor(s) to perform steps or stages consistent with the embodiments described herein.
  • the term“computer-readable medium” should be understood to include tangible items and exclude carrier waves and transient signals, i.e., non-transitory. Examples include Random Access Memory (RAM), Read-Only Memory (ROM), volatile memory, nonvolatile memory, hard drives, Compact Disc (CD) ROMs, Digital Video Disc (DVDs), flash drives, disks, and any other known physical storage media.
  • the method of present disclosure may be used for dynamically managing the incident tickets being generated in an organization.
  • the method of present disclosure provides a dynamic dashboard analytics including a ticket landscape visibility and a resource landscape visibility of the organization, thereby assisting a Computer Incident Response Team (CIRT) in effectively managing the incident in the organization. Additionally, the present disclosure helps, for example, a Chief Information Security Officer (CISO) of the organization in distributing budgets, tools, resources, knowledge and the like for effective incident response management process.
  • the method of present disclosure also helps CIRT or a system analyst to automate regular tasks of the incident response management process. Additionally, the present disclosure helps in reducing time and cost involved in the incident response management process by automatically collecting threat intel gathered and Indicators of Compromise (IOCs) from work notes.
  • an embodiment means “one or more (but not all) embodiments of the invention(s)" unless expressly specified otherwise.

Abstract

Disclosed herein is a method and an incident management system for managing incident responses in an organization. In some embodiments, hash values corresponding to incident responses received from sources associated with the organization are generated. Thereafter, a label is assigned to each of the incident responses based on the domain of the incident responses. Subsequently, each of the incident responses is analyzed using a plurality of pre-trained learning models for classifying the incident responses as either qualitative responses or quantitative responses. Further, a dynamic dashboard analytics, which provides an incident ticket landscape visibility and a resource landscape visibility, is generated based on the qualitative responses. The dynamic dashboard analytics helps in effectively managing each of the incident responses occurring in the organization.

Description

METHOD AND SYSTEM FOR MANAGING INCIDENT RESPONSE IN AN ORGANIZATION
TECHNICAL FIELD
The present subject matter is, in general, related to incident ticket management and more particularly, but not exclusively, to a method and system for managing incident responses in an organization.
BACKGROUND
Incident response is an organized approach used by organizations to handle incidents such as data breach or cyberattack, including an attempt to manage consequences of the incidents. Ultimately, the goal of incident response is to effectively manage the incidents, so that damage caused by the incidents is limited. Incident response also helps in minimizing recovery time, recovery costs, as well as collateral damages caused by the incidents.
Typically, incident response is conducted by the organization’s Computer Incident Response Team (CIRT), also known as a Cyber Incident Response Team. Generally, each CIRT would comprise security personnel, system analysts and general Information Technology (IT) staff, along with members of legal practice, human resources, and public relations departments. The CIRT is responsible for responding to security breaches, viruses, and other potentially catastrophic incidents occurring in the organization.
However, as the organization grows, the number of incidents increases, and the complexity of the incident response increases too. Therefore, CIRTs must implement incident management processes to minimize the impact of the increasing incidents. The incident management process includes analyzing threat landscapes and mapping them with available resource landscapes to design effective incident management workflows. However, existing incident management processes do not provide a focused view of the threat landscape visibility and incident responders' resource landscape visibility to the CIRTs. As a result, presently, the CIRTs consume more time analyzing and effectively managing the incidents.
The information disclosed in this background of the disclosure section is only for enhancement of understanding of the general background of the invention and should not be taken as an acknowledgement or any form of suggestion that this information forms the prior art already known to a person skilled in the art.
SUMMARY
The present disclosure relates to a method of managing incident responses in an organization. The method comprises generating, by an incident management system, hash values corresponding to each of one or more incident responses, corresponding to one or more incident tickets, received from one or more sources. Thereafter, the method comprises assigning a label for each of the one or more incident responses based on a domain of each of the one or more incident responses. Subsequent to assigning the labels, the method comprises analyzing each of the one or more incident responses using a plurality of pre-trained learning models. A corresponding pre-trained learning model of the plurality of pre-trained learning models analyzes each of the one or more incident responses based on the hash values and the label of each of the one or more incident responses. Further, the method comprises classifying each of the one or more incident responses as one of one or more qualitative responses or one or more quantitative responses based on the analysis. Finally, the method comprises generating a dynamic dashboard analytics based on the one or more qualitative responses, for managing each of the one or more incident responses. The dynamic dashboard analytics provides an incident ticket landscape visibility and a resource landscape visibility.
Further, the present disclosure relates to an incident management system for managing incident responses in an organization. The incident management system comprises a processor and a memory. The memory is communicatively coupled to the processor and stores processor-executable instructions, which on execution, cause the processor to generate hash values corresponding to each of one or more incident responses, corresponding to one or more incident tickets, received from one or more sources. Further, the instructions cause the processor to assign a label for each of the one or more incident responses based on a domain of each of the one or more incident responses. Thereafter, the instructions cause the processor to analyze each of the one or more incident responses using a plurality of pre-trained learning models. A corresponding pre-trained learning model of the plurality of pre-trained learning models analyzes each of the one or more incident responses based on the hash values and the label of each of the one or more incident responses. Further, the instructions cause the processor to classify each of the one or more incident responses as one of one or more qualitative responses or one or more quantitative responses based on the analysis. Finally, the instructions cause the processor to generate a dynamic dashboard analytics based on the one or more qualitative responses, for managing each of the one or more incident responses. The dynamic dashboard analytics provides an incident ticket landscape visibility and a resource landscape visibility. The foregoing summary is illustrative only and is not intended to be in any way limiting. In addition to the illustrative aspects, embodiments, and features described above, further aspects, embodiments, and features will become apparent by reference to the drawings and the following detailed description.
BRIEF DESCRIPTION OF THE ACCOMPANYING DRAWINGS
The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate exemplary embodiments and, together with the description, explain the disclosed principles. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The same numbers are used throughout the figures to reference like features and components. Some embodiments of system and/or methods in accordance with embodiments of the present subject matter are now described, by way of example only, and regarding the accompanying figures, in which:
FIG. 1 illustrates an exemplary environment for managing incident responses in an organization in accordance with some embodiments of the present disclosure;
FIG. 2 shows a detailed block diagram illustrating an incident management system in accordance with some embodiments of the present disclosure;
FIG. 3 shows a flowchart illustrating a method of managing incident responses in an organization in accordance with some embodiments of the present disclosure;
FIGS. 4A - 4E show exemplary analytical results provided on a dynamic dashboard analytics in accordance with some embodiments of the present disclosure; and
FIG. 5 illustrates a block diagram of an exemplary computer system for implementing embodiments consistent with the present disclosure. It should be appreciated by those skilled in the art that any block diagrams herein represent conceptual views of illustrative systems embodying the principles of the present subject matter. Similarly, it will be appreciated that any flow charts, flow diagrams, state transition diagrams, pseudo code, and the like represent various processes which may be substantially represented in computer readable medium and executed by a computer or processor, whether such computer or processor is explicitly shown.
DETAILED DESCRIPTION
In the present document, the word "exemplary" is used herein to mean "serving as an example, instance, or illustration." Any embodiment or implementation of the present subject matter described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
While the disclosure is susceptible to various modifications and alternative forms, specific embodiment thereof has been shown by way of example in the drawings and will be described in detail below. It should be understood, however that it is not intended to limit the disclosure to the specific forms disclosed, but on the contrary, the disclosure is to cover all modifications, equivalents, and alternative falling within the spirit and the scope of the disclosure.
The terms "comprises", "comprising", "includes", or any other variations thereof, are intended to cover a non-exclusive inclusion, such that a setup, device, or method that comprises a list of components or steps does not include only those components or steps but may include other components or steps not expressly listed or inherent to such setup or device or method. In other words, one or more elements in a system or apparatus preceded by "comprises... a" does not, without more constraints, preclude the existence of other elements or additional elements in the system or method.
The present disclosure is related to a method and an incident management system for managing incident responses in an organization. In some embodiments, the method comprises receiving one or more incident responses from one or more sources associated with the organization and then generating hash values corresponding to each of the one or more incident responses. Thereafter, a label is assigned to each of the one or more incident responses based on a domain to which each of the one or more incident responses belong. Subsequent to assigning the labels, each of the one or more incident responses are analyzed using a plurality of pre-trained learning models for classifying each of the one or more incident responses as one of one or more qualitative responses or one or more quantitative responses. Thereafter, a dynamic dashboard analytics is generated based on the one or more qualitative responses, such that the dynamic dashboard provides an incident ticket landscape visibility and a resource landscape visibility, which may be used for managing each of the one or more incident responses.
In some embodiments, the method and incident management system of the present disclosure may be used to address issues related to incident management processes of the organization by providing a focused view of the threat landscape visibility and the incident responders' resource landscape visibility to a Computer Incident Response Team (CIRT) of the organization. That is, the present disclosure uses convenient dashboard analytics to showcase both the resource landscape analytics and the threat landscape analytics to the CIRTs for effectively managing the incident responses. Further, the present disclosure may be used for automating tasks of the incident management process to reduce the complexity and time taken for the incident management process. More importantly, the present disclosure may be used for calculating the first response of any CIRT while performing incident response, thereby improving the quality of the CIRT.
In the following detailed description of the embodiments of the disclosure, reference is made to the accompanying drawings that form a part hereof, and in which are shown by way of illustration specific embodiments in which the disclosure may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the disclosure, and it is to be understood that other embodiments may be utilized and that changes may be made without departing from the scope of the present disclosure. The following description is, therefore, not to be taken in a limiting sense.
FIG. 1 illustrates an exemplary environment for managing incident responses 105 in an organization in accordance with some embodiments of the present disclosure.
In an embodiment, the environment 100 may include, without limiting to, an incident management system 101, one or more sources 103 and a plurality of pre-trained learning models 107 associated with the incident management system 101. In an embodiment, the incident management system 101 may be any computing system such as a desktop, a laptop, a Personal Digital Assistant (PDA) a server and the like, which may be configured for managing the incident responses 105 in an organization. In an embodiment, the incident management system 101 may be configured and operated within the organization in which the incident management has to be performed. Alternatively, the incident management system 101 may be configured outside the organization, as an external and/or remote computing system. As an example, the organization may be a service company, a business institution and the like.
In an embodiment, the one or more sources 103 may be the sources of one or more incident responses 105 corresponding to one or more incident tickets being generated in the organization. As an example, the one or more sources 103 may include, without limiting to, an incident response repository, an online incident repository, databases storing historical incident responses 105 of the organization and the like. Further, the one or more incident tickets may include, without limiting to, reports and/or queries raised by users of a service and/or product of the organization, upon experiencing service interruptions or issues while using the service/product of the organization. Similarly, the one or more incident responses 105 corresponding to the one or more incident tickets may include responses, solutions and/or approaches required and/or used for resolving and/or handling each of the one or more incident tickets.
In an embodiment, the incident management system 101 may receive the one or more incident responses 105, corresponding to the one or more incident tickets, from the one or more sources 103 for handling and managing the incident responses 105. In an embodiment, upon receiving the one or more incident responses 105, the incident management system 101 may generate hash values corresponding to each of the one or more incident responses 105. The hash values may be generated using an existing hashing algorithm and/or hash function. In an embodiment, by hashing each of the one or more incident responses, the incident management system 101 may convert/map each of the one or more incident responses 105, which may be of different lengths, to data of a predetermined fixed length. As an example, after hashing the one or more incident responses 105, each of the one or more incident responses 105 may be converted into fixed-size data of 32-bit length.
In an embodiment, along with generating the hash values for each of the one or more incident responses 105, the incident management system 101 may also assign a label for each of the one or more incident responses 105 based on a domain of each of the one or more incident responses 105. In an embodiment, the domain of the incident response may indicate a category of the incident tickets to which a particular incident response may belong. As an example, the domain of the incident response may include, without limiting to, malwares, failures, suspicious activities, interruptions, client risks and the like. Further, as an example, an incident response that belongs to the domain 'malwares' may be assigned the label 'malware 01' to uniquely identify and/or classify the incident response as belonging to the 'malwares' domain. Thus, assigning labels to each of the one or more incident responses 105 helps in classifying each of the one or more responses into respective domains/categories. In an embodiment, the domain of each of the one or more incident responses 105 may be determined by analysing each of the one or more responses using a Natural Language Processing (NLP) technique.
In an embodiment, upon generating the hash values and assigning the label for each of the one or more incident responses 105, the incident management system 101 may analyse each of the one or more incident responses 105 using a plurality of pre-trained learning models 107. In an embodiment, a corresponding pre-trained learning model of the plurality of pre-trained learning models 107 may be selected for analysing a corresponding one of the one or more incident responses 105 based on the hash values and the label of the one or more incident responses 105. Analysing each of the one or more incident responses 105 using the plurality of pre-trained learning models 107 helps in classifying each of the one or more incident responses 105 as either a qualitative response or a quantitative response. As an example, when an incident response is sufficient to solve and/or close the corresponding incident ticket, such an incident response may be classified as a qualitative response. On the other hand, when an incident response is not sufficient and/or is not appropriate for the incident ticket, such an incident response may be classified as a quantitative response. Thus, each of the one or more incident responses 105 classified as 'qualitative responses' may be considered to be responses of good quality and/or responses which are appropriate for handling the corresponding incident tickets. Similarly, each of the one or more incident responses 105 classified as 'quantitative responses' may be considered incomplete and/or inappropriate responses.
In an embodiment, upon classifying each of the one or more incident responses 105, the incident management system 101 may generate a dynamic dashboard analytics 109 based on the one or more qualitative responses. That is, subsequent to classification of the incident responses 105, the incident management system 101 may use only the incident responses 105 classified as qualitative responses to dynamically generate a dashboard analytics. The dynamic dashboard analytics 109 may provide an incident ticket landscape visibility and a resource landscape visibility for the users of the incident management system 101. As an example, the incident ticket landscape visibility may indicate information and analysis related to each of the one or more incident tickets generated in the organization. Further, the resource landscape visibility may indicate information related to one or more resources of the organization, which are involved in handling the one or more incidents. In an embodiment, the dynamic dashboard analytics 109 helps the users to effectively analyse and manage each of the one or more incident responses 105 occurring in the organization.
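The pipeline described above (hash, label, classify, then build the landscape views of FIGS. 4A-4E from the qualitative responses), as an added example that is not the patent's own code. The keyword table standing in for the NLP domain detection, the heuristic standing in for the pre-trained learning models, the analyst names, ticket ids and work notes are all constructed assumptions.

```python
"""Added example (not from the patent): a minimal model of the incident
response pipeline and of the FIG. 4A-4E dashboard views, on constructed data."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Constructed stand-in for the NLP step that determines a response's domain.
DOMAIN_KEYWORDS = {
    "malware": ("malware", "trojan", "ransomware", "virus"),
    "exploit": ("exploit", "payload"),
    "recon": ("port scan", "enumeration", "nmap"),
    "suspicious email": ("phish", "email", "attachment"),
}
# Constructed stand-in for the pre-trained model: a note of at least eight
# words that records a concrete action is "qualitative"; anything vaguer is
# "quantitative" (the patent's term for an incomplete/inappropriate response).
ACTION_VERBS = ("isolated", "removed", "blocked", "reset", "patched",
                "restored", "quarantined", "revoked", "traced", "closed")


@dataclass(frozen=True)
class IncidentResponse:
    ticket_id: str
    analyst: str
    text: str                # the response / work note
    first_response_min: int  # minutes from ticket creation to first response
    dwell_min: int           # minutes the analyst held the case
    status: str              # open, stalled, in progress, waiting or closed
    hour: int                # hour of day (0-23) the ticket was raised


def hash_response(text: str) -> str:
    """Map a response of any length to a fixed-size digest (32 hex chars)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def assign_label(text: str, counters: dict) -> str:
    """Return '<domain> NN', numbering responses within each domain."""
    low = text.lower()
    for domain, words in DOMAIN_KEYWORDS.items():
        if any(w in low for w in words):
            counters[domain] += 1
            return f"{domain} {counters[domain]:02d}"
    counters["other"] += 1
    return f"other {counters['other']:02d}"


def classify(text: str) -> str:
    low = text.lower()
    if len(low.split()) >= 8 and any(v in low for v in ACTION_VERBS):
        return "qualitative"
    return "quantitative"


def dashboard(responses):
    """Build the landscape views. Only qualitative responses feed the ticket
    landscape metrics (4A, 4B); the per-analyst quality view (4D) counts both."""
    counters = defaultdict(int)
    labels, digests = {}, {}
    dwell = defaultdict(list)                              # FIG. 4A
    trend = defaultdict(lambda: defaultdict(int))          # FIG. 4B, 6-hour slots
    first = defaultdict(list)                              # FIG. 4C
    quality = defaultdict(lambda: {"qualitative": 0, "quantitative": 0})  # 4D
    status = defaultdict(lambda: defaultdict(int))         # FIG. 4E
    for r in responses:
        digests[r.ticket_id] = hash_response(r.text)
        labels[r.ticket_id] = assign_label(r.text, counters)
        domain = labels[r.ticket_id].rsplit(" ", 1)[0]
        kind = classify(r.text)
        quality[r.analyst][kind] += 1
        first[r.analyst].append(r.first_response_min)
        status[r.analyst][r.status] += 1
        if kind == "qualitative":
            dwell[domain].append(r.dwell_min)
            trend[r.hour // 6][domain] += 1
    return {
        "hash_values": digests,
        "labels": labels,
        "avg_dwell_by_domain": {d: mean(v) for d, v in dwell.items()},
        "trend_by_time_slot": {s: dict(c) for s, c in trend.items()},
        "avg_first_response_by_analyst": {a: mean(v) for a, v in first.items()},
        "first_response_quality": {a: dict(q) for a, q in quality.items()},
        "case_status_by_analyst": {a: dict(s) for a, s in status.items()},
    }


# Constructed sample work notes; analysts and ticket ids are placeholders.
SAMPLE = [
    IncidentResponse("T-1001", "asha", "Isolated host WS-17 and removed trojan "
                     "dropper; hash added to blocklist.", 12, 95, "closed", 2),
    IncidentResponse("T-1002", "asha", "Looking into it.", 45, 30, "stalled", 3),
    IncidentResponse("T-1003", "ben", "Blocked sender domain after phish campaign; "
                     "reset credentials for three users who clicked attachment.",
                     8, 60, "closed", 9),
    IncidentResponse("T-1004", "ben", "Port scan from internal subnet traced to "
                     "authorised vulnerability scanner; closed as benign.",
                     15, 20, "closed", 14),
    IncidentResponse("T-1005", "cho", "Exploit attempt against the unpatched web "
                     "tier; patched and restored from snapshot.", 30, 180,
                     "in progress", 23),
    IncidentResponse("T-1006", "cho", "Pending.", 90, 5, "waiting", 22),
]

if __name__ == "__main__":
    for view, rows in dashboard(SAMPLE).items():
        print(view, rows)
```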
FIG. 2 shows a detailed block diagram illustrating an incident management system 101 in accordance with some embodiments of the present disclosure.
In some implementations, the incident management system 101 may include an I/O interface 201, a processor 203, and a memory 205. The I/O interface 201 may be configured to receive one or more incident responses 105 from one or more sources 103 associated with the organization. In some implementations, the memory 205 may be communicatively coupled to the processor 203 and may store data 207 and one or more modules 209. The processor 203 may be configured to perform one or more functions of the incident management system 101 for managing the incident responses 105 in the organization, using the data 207 and the one or more modules 209.
In some embodiments, the data 207 may include, without limitation, hash values 211 corresponding to the incident responses 105, incident ticket landscape visibility 213, resource landscape visibility 215 and other data 217. In some implementations, the data 207 may be stored within the memory 205 in the form of various data structures. Additionally, the data 207 may be organized using data models, such as relational or hierarchical data models. The other data 217 may store various temporary data and files generated by the one or more modules 209 while performing various functions of the incident management system 101. As an example, the other data 217 may include, without limiting to, a plurality of pre-trained learning models 107, training neural networks, incident responses 105 and the like.
In an embodiment, the hash values 211 corresponding to each of the one or more incident responses 105 may be arbitrary fixed-size values assigned to each of the one or more incident responses 105. The hash values 211 corresponding to each of the one or more incident responses 105 may be generated by feeding each of the one or more incident responses 105 into a hash function, specifying the length of the fixed-size data required. Hash values 211 assigned to each of the one or more incident responses 105 may be unique and help in transmitting and/or processing each of the one or more incident responses 105 in an efficient and secure manner and in maintaining data integrity. In an embodiment, hashing may be performed using an existing technique such as, without limiting to, Message Digest (MD, MD2 etc.) or Secure Hash Function (SHA-0, SHA-1 etc.). Further, as an example, the hash value assigned to a simple incident response, 'this shall be taken care', limited to 32-bit, may be 'bb90c8b4e70a6f15a3b047c162e2dc27'.
In an embodiment, the incident ticket landscape visibility 213 may include information related to the one or more incident tickets generated in the organization. The incident ticket landscape visibility 213 provides a collective overview of each of the one or more incident tickets. As an example, the incident ticket landscape visibility 213 may include, without limiting to, at least one of information related to the one or more incident tickets, frequency of occurrence and trends in the occurrence of the one or more incident tickets and a mean turnaround time taken for generating the one or more incident responses 105 to each of the one or more incident tickets.
In an embodiment, the resource landscape visibility 215 may indicate information related to the availability and effective usage of the one or more resources in the organization. Here, the one or more resources may be human resources, computing resources or any other resources relating to the incident management process. As an example, the resource landscape visibility 215 may include, without limiting to, at least one of information related to one or more resources available in the organization and the time taken by the one or more resources for generating the one or more incident responses 105 to each of the one or more incident tickets.
In an embodiment, the incident ticket landscape visibility 213 may be useful for determining a pattern in the occurrence of the incident tickets and thereby devising an effective approach for handling the one or more incident tickets. Similarly, the resource landscape visibility 215 helps in making strategies for better utilization of the resources in the organization.
In some embodiments, the data 207 may be processed by the one or more modules 209. In some implementations, the one or more modules 209 may be communicatively coupled to the processor 203 for performing one or more functions of the incident management system 101. In an implementation, the one or more modules 209 may include, without limiting to, a hash value generation module 221, a label assignor module 223, a response analysis module 225, a classification module 227, a dashboard creation module 229 and other modules 231.
As used herein, the term module refers to an Application Specific Integrated Circuit (ASIC), an electronic circuit, a processor (shared, dedicated, or group) and memory that execute one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that provide the described functionality. In an embodiment, the other modules 231 may be used to perform various miscellaneous functionalities of the incident management system 101. It will be appreciated that such one or more modules 209 may be represented as a single hardware component or a combination of different components in a single hardware unit.
In an embodiment, the hash value generation module 221 may be configured for generating the hash values 211 for each of the one or more incident responses 105 using an existing hashing algorithm. In an embodiment, before generating the hash values 211, the hash value generation module 221 may perform one or more pre-processing operations on each of the one or more incident responses 105 to convert each of the one or more incident responses 105 into a standard format, so that responses that differ only in formatting or wording hash to the same value. As an example, the one or more pre-processing operations may include, without limiting to, case folding, removal of special characters from the incident responses 105, tokenization of the responses, correction of errors, lemmatization and removal of stop words from each of the one or more incident responses 105. Note that a hash computed over the normalized text identifies the content of a response rather than its exact wording; where the hash is also meant as evidence that a stored response has not been altered, a second hash over the raw, unmodified text should be kept.
In an embodiment, the label assignor module 223 may be configured for assigning a label to each of the one or more incident responses 105. In an embodiment, the label assignor module 223 may analyze each of the one or more incident responses 105 using an existing Natural Language Processing (NLP) technique to identify the domain to which each of the one or more incident responses 105 belongs. As an example, the domain of the incident response may be identified based on one or more technical keywords present in the incident response. For example, an incident response that includes information on how to prevent malware attacks may be identified as belonging to the domain ‘malware’. Accordingly, the incident response may be assigned a label corresponding to the domain ‘malware’.
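The hash value generation module 221 and the label assignor module 223 described above, put together as an added Python example; this is not the inventor's code or any component of the disclosure. It assumes SHA-256 in place of the MD/SHA-1 family, a constructed stop-word list and a crude suffix stripper standing in for lemmatization, and a constructed keyword-to-domain table; the responses it runs on are constructed as well. Going one step beyond the text, it uses the hash of the normalized text to flag duplicate responses across tickets, and keeps a second hash over the raw text for integrity purposes, since the normalized hash by design no longer covers the original wording.

```python
"""Normalize, hash and label free-text incident responses (added example)."""
from __future__ import annotations

import hashlib
import re

# Constructed stop-word list: a stand-in for the stop-word removal the page
# mentions (assumption, not the page's own pipeline).
STOP_WORDS = {"a", "an", "the", "this", "that", "is", "are", "be", "shall",
              "will", "to", "of", "and", "or", "on", "in", "for", "it", "by"}

# Constructed keyword stems for the label assignor (assumption). Stems are
# matched as prefixes so that "exploited" and "exploits" both hit "exploit".
DOMAIN_KEYWORDS = {
    "malware": ("malware", "ransomware", "trojan", "virus", "payload"),
    "phishing": ("phish", "email", "attachment", "credential", "spoof"),
    "exploit": ("exploit", "cve", "vulnerab", "patch", "rce"),
    "recon": ("scan", "nmap", "enumerat", "recon", "probe"),
}


def _stem(token: str) -> str:
    """Crude suffix stripping used in place of real lemmatization (assumption)."""
    for suffix in ("ing", "ed", "s"):
        if token.endswith(suffix) and len(token) - len(suffix) >= 3:
            if suffix == "s" and token.endswith(("ss", "us")):
                return token  # "class", "virus" are not plurals
            return token[: -len(suffix)]
    return token


def preprocess(text: str) -> list[str]:
    """Case-fold, drop special characters, tokenize, stem, remove stop words."""
    text = re.sub(r"[^a-z0-9\s]", " ", text.lower())
    return [_stem(tok) for tok in text.split() if tok not in STOP_WORDS]


def response_hash(text: str, normalized: bool = True) -> str:
    """SHA-256 hex digest of a response.

    normalized=True hashes the canonical token sequence, so reworded or
    re-punctuated duplicates collide on purpose and can be detected.
    normalized=False hashes the raw text and is the value to keep when the
    digest is meant as evidence that a stored response was not altered.
    SHA-256 is used instead of MD5/SHA-1, which have practical collision attacks.
    """
    canonical = " ".join(preprocess(text)) if normalized else text
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def assign_label(text: str) -> str:
    """Pick the domain whose keyword stems occur most often; 'unclassified' if none."""
    tokens = preprocess(text)
    hits = {domain: sum(tok.startswith(stem) for tok in tokens for stem in stems)
            for domain, stems in DOMAIN_KEYWORDS.items()}
    best = max(hits, key=hits.get)
    return best if hits[best] else "unclassified"


def ingest(responses: list[tuple[str, str]]) -> list[dict]:
    """Hash and label each (id, text) pair; flag responses whose normalized hash repeats."""
    first_seen: dict[str, str] = {}
    records = []
    for rid, text in responses:
        digest = response_hash(text)
        records.append({
            "id": rid,
            "hash": digest,
            "raw_hash": response_hash(text, normalized=False),
            "label": assign_label(text),
            "duplicate_of": first_seen.get(digest),
        })
        first_seen.setdefault(digest, rid)
    return records


# Constructed sample responses; R2 is R1 with different casing and punctuation.
SAMPLE_RESPONSES = [
    ("R1", "Blocked the malware payload hash on the EDR and isolated the host."),
    ("R2", "Blocked the Malware payload-hash on the EDR, and isolated the host!"),
    ("R3", "this shall be taken care"),
    ("R4", "Reset credentials for users who clicked the phishing email attachment."),
]

if __name__ == "__main__":
    for rec in ingest(SAMPLE_RESPONSES):
        print(rec["id"], rec["label"], rec["hash"][:12], rec["duplicate_of"])
```

R2 collides with R1 on the normalized hash and is reported as a duplicate of it, while the two raw hashes differ; R3 carries no domain keyword and stays unclassified, which is the case a dashboard should surface rather than silently assign to the first domain in the table.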
In an embodiment, the response analysis module 225 may be configured for analyzing each of the one or more incident responses 105 based on the hash value and the label assigned for each of the one or more incident responses 105. In an embodiment, the response analysis module 225 may be configured with a plurality of pre-trained learning models 107 that are specifically trained for analyzing the incident responses 105. As an example, each one of the plurality of pre-trained learning models 107 may be trained to analyze the one or more incident responses 105 belonging to a specific domain of the incident responses 105.
In an implementation, each of the plurality of pre-trained learning models 107 may be a multilayer stacked model including at least one of an embedding layer, at least one LSTM layer and a dense layer with a sigmoid activation function. Further, each of the plurality of learning models may be generated and trained using a sequential model, in which every layer is stacked upon the previous layer. In an embodiment, the embedding layer provides embeddings for the text inputs in the one or more incident responses 105. In the LSTM layer, dropout and recurrent_dropout values may be specified for regularization of the model. Additionally, an activation function may be added to introduce non-linearity in the model. In an embodiment, more than one LSTM layer may be added depending upon the performance of the model; every LSTM layer except the last must then return its full output sequence so that the following LSTM layer can consume it. In an embodiment, the dense layer connects all the inputs to all the outputs. The activation function of the final layer depends upon the number of classes: if there are two classes, a single sigmoid unit may be used, trained with a binary cross-entropy loss; if there are more than two classes, one softmax unit per class may be used, trained with a categorical cross-entropy loss. Finally, each of the plurality of pre-trained learning models 107 may be compiled with a suitable optimizer and loss function, together with the metrics to be tracked.
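The stacked model described above, written against the Keras Sequential API as an added example; it is not the inventor's code. It assumes TensorFlow 2.x is installed when the builder is called, and the vocabulary size, embedding width, LSTM units and dropout rate are illustrative parameters. The page's qualitative/quantitative split is a two-class problem, so the head is a single sigmoid unit with binary cross-entropy; the softmax branch covers the multi-class case the page also mentions.

```python
"""Embedding -> LSTM -> Dense classifier for incident responses (added example)."""
from typing import NamedTuple


class HeadSpec(NamedTuple):
    """Output layer width, activation and loss derived from the class count."""
    units: int
    activation: str
    loss: str


def head_spec(num_classes: int) -> HeadSpec:
    """Two classes (qualitative vs quantitative): one sigmoid unit trained with
    binary cross-entropy. More than two: one softmax unit per class trained
    with categorical cross-entropy."""
    if num_classes < 2:
        raise ValueError("a classifier needs at least two classes")
    if num_classes == 2:
        return HeadSpec(1, "sigmoid", "binary_crossentropy")
    return HeadSpec(num_classes, "softmax", "categorical_crossentropy")


def build_response_model(vocab_size: int, num_classes: int = 2, embed_dim: int = 64,
                         lstm_units: int = 64, lstm_layers: int = 1,
                         dropout: float = 0.2):
    """Sequential model as described on the page: Embedding, one or more LSTM
    layers with dropout and recurrent_dropout, then the Dense head.

    Keras is imported inside the function so that head_spec() stays usable in
    environments without TensorFlow (assumption: TensorFlow 2.x when called).
    """
    from tensorflow import keras
    from tensorflow.keras import layers

    spec = head_spec(num_classes)
    model = keras.Sequential(name=f"response_classifier_{num_classes}cls")
    # Variable-length sequences of token ids; the embedding maps each id to a vector.
    model.add(keras.Input(shape=(None,), dtype="int32"))
    model.add(layers.Embedding(input_dim=vocab_size, output_dim=embed_dim))
    for i in range(lstm_layers):
        # All but the last LSTM return full sequences so the next LSTM can consume them.
        # recurrent_dropout > 0 disables the cuDNN kernel, so training is slower on GPU.
        model.add(layers.LSTM(lstm_units, dropout=dropout, recurrent_dropout=dropout,
                              return_sequences=i < lstm_layers - 1))
    model.add(layers.Dense(spec.units, activation=spec.activation))
    model.compile(optimizer="adam", loss=spec.loss, metrics=["accuracy"])
    return model


if __name__ == "__main__":
    model = build_response_model(vocab_size=20_000, num_classes=2, lstm_layers=2)
    model.summary()
```

Token ids are expected to come from the same tokenizer used at training time; feeding a model ids from a different vocabulary silently degrades the classification rather than raising an error, so the tokenizer should be versioned and stored with the model weights.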
In an embodiment, the classification module 227 may be configured for classifying each of the one or more incident responses 105 into at least one of a ‘qualitative response’ and a ‘quantitative response’, based on the analysis and outcome of the plurality of pre-trained learning models 107.
In an embodiment, the dashboard creation module 229 may be configured for dynamically generating the dynamic dashboard analytics 109 based on the one or more qualitative responses. In an embodiment, the dynamic dashboard analytics 109 may provide the incident ticket landscape visibility 213 and the resource landscape visibility 215. In some implementations, the dynamic dashboard analytics 109 may be provided to the users by displaying the dynamic dashboard analytics 109 on a display interface. Subsequently, the users may analyse the dynamic dashboard analytics 109 and derive the insights required for managing each of the one or more incident responses 105.
FIG. 3 shows a flowchart illustrating a method of managing incident responses 105 in an organization in accordance with some embodiments of the present disclosure. As illustrated in FIG. 3, the method 300 may include one or more blocks illustrating a method of managing incident responses 105 in an organization using the incident management system 101 shown in FIG. 1. The method 300 may be described in the general context of computer executable instructions. Generally, computer executable instructions can include routines, programs, objects, components, data structures, procedures, modules, and functions, which perform specific functions or implement specific abstract data types.
The order in which the method 300 is described is not intended to be construed as a limitation, and any number of the described method blocks can be combined in any order to implement the method. Additionally, individual blocks may be deleted from the methods without departing from the spirit and scope of the subject matter described herein. Furthermore, the method can be implemented in any suitable hardware, software, firmware, or combination thereof.
At block 301, the method 300 includes generating, by the incident management system 101, hash values 211 corresponding to each of one or more incident responses 105, corresponding to one or more incident tickets, received from one or more sources 103. In an embodiment, one or more pre-processing operations may be performed on each of the one or more incident responses 105 before generating the hash values 211. As an example, the one or more pre-processing operations may include, without limiting to, case folding, removal of special characters, tokenization, correction of errors, lemmatization and removal of stop words from each of the one or more incident responses 105.
At block 303, the method 300 includes assigning, by the incident management system 101, a label for each of the one or more incident responses 105 based on a domain of each of the one or more incident responses 105. In an embodiment, the domain of each of the one or more incident responses 105 may be determined using Natural Language Processing (NLP) techniques.
At block 305, the method 300 includes analyzing, by the incident management system 101, each of the one or more incident responses 105 using a plurality of pre-trained learning models. In an embodiment, a corresponding pre-trained learning model of the plurality of pre-trained learning models 107 may be used for analysing each of the one or more incident responses 105 based on the hash values 211 and the label of each of the one or more incident responses 105. At block 307, the method 300 includes classifying, by the incident management system 101, each of the one or more incident responses 105 as one of one or more qualitative responses or one or more quantitative responses based on the analysis. That is, the pre-trained learning models 107, when used for analysing the incident responses 105, indicate whether a given incident response is a qualitative response or a quantitative response.
At block 309, the method 300 includes generating, by the incident management system 101, a dynamic dashboard analytics 109 based on the one or more qualitative responses for managing each of the one or more incident responses 105. Here, the dynamic dashboard analytics 109 may provide an incident ticket landscape visibility 213 and a resource landscape visibility 215 to one or more users responsible for managing the one or more incident tickets in the organization. In an embodiment, the incident ticket landscape visibility 213 may include at least one of - information related to the one or more incident tickets, frequency of occurrence and trends in the occurrence of the one or more incident tickets and mean turnaround time taken for generating the one or more incident responses 105 to each of the one or more incident tickets. On the other hand, the resource landscape visibility 215 may indicate information related to at least one of - one or more resources available in the organization and time taken by the one or more resources for generating the one or more incident responses 105 to each of the one or more incident tickets.
For better understanding of the methods and aspects of the present disclosure, the features of the present disclosure may be summarized into following categories:
Classification of comments/responses:
In an embodiment, comments or incident responses logged by a security analyst during the incident management process may be classified into one of a qualitative category or a quantitative category. As an example, if a comment or incident response describes an approach used to tackle the incident, then such a comment may be classified under the ‘qualitative category’. On the other hand, if the comment does not suggest anything required for tackling the incident, then the comment may be classified under the ‘quantitative category’.
Orchestration: In an embodiment, the method of present disclosure may provide a‘playbook’ structure to the users, which may be used to automate any task while creating the incident, or when the incident management process reaches a particular stage.
Incident Responder’s (IR) Dashboard:
In an embodiment, the present disclosure discloses use of a dedicated, IR dashboard to measure the incident ticket landscape and the resource landscape during the incident management.
Threat Dashboard:
In an embodiment, the present disclosure may provide a dedicated threat landscape dashboard, thereby allowing the users and/or CIRTs to see what is trending in the organization.
Private Cases:
In an embodiment, the present disclosure may allow system analysts to create private cases, with the associated Non-Disclosure Agreements (NDAs) handled automatically, where sensitive cases are involved.
Customizations and Reporting:
In an embodiment, the present disclosure provides flexibility for the users, CIRTs and other system analysts to customize any Security Operations Centre (SOC) or a CIRT environment. Also, the present disclosure helps in creating threat/incident reports, which help a stakeholder to receive and see the reports designed exclusively for their requirements.
Cloud Detection Engine (CDE):
In an embodiment, the present disclosure discloses use of a CDE for automating threat intelligence lookups on the Indicators of Compromise (IOCs) extracted from the initial work notes related to the incident responses 105. Further, the CDE may also be used for performing email analysis, where an email workflow is available.
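The IOC extraction and lookup step the CDE is said to automate, as an added Python example rather than the disclosure's own engine. It assumes work notes written with the usual defanging (‘hxxp’, ‘[.]’), a constructed local intelligence table in place of an external feed, and constructed work notes. It also handles two points the paragraph does not mention but a practitioner would insist on: internal addresses (RFC 1918, loopback, link-local) are never sent out for lookup, and URLs are removed before the domain pass so that file names in URL paths are not reported as domains.

```python
"""Extract IOCs from analyst work notes and look them up locally (added example)."""
from __future__ import annotations

import ipaddress
import re

# Addresses in the organization's own space must not be sent to external
# intelligence feeds; RFC 1918, loopback and link-local ranges are filtered.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

PATTERNS = {
    "url": re.compile(r"https?://[^\s'\"<>]+"),
    "email": re.compile(r"\b[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Longest alternative first; \b keeps a 64-hex digest from also matching as 32.
    "hash": re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b"),
}


def refang(text: str) -> str:
    """Undo the defanging conventions analysts use so the patterns can match."""
    text = text.lower()
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    return text.replace("hxxps://", "https://").replace("hxxp://", "http://")


def extract_iocs(notes: str) -> dict[str, list[str]]:
    """Return ordered, de-duplicated IOCs by type, with internal IPs dropped."""
    text = refang(notes)
    found: dict[str, list[str]] = {"url": [], "email": [], "domain": [], "ipv4": [], "hash": []}
    found["url"] = [u.rstrip(".,;)") for u in PATTERNS["url"].findall(text)]
    text = PATTERNS["url"].sub(" ", text)  # keep URL paths out of the domain pass
    found["email"] = PATTERNS["email"].findall(text)
    found["domain"] = PATTERNS["domain"].findall(text)
    for ip_str in PATTERNS["ipv4"].findall(text):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:  # the regex also accepts octets such as 999
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            found["ipv4"].append(ip_str)
    found["hash"] = PATTERNS["hash"].findall(text)
    return {kind: list(dict.fromkeys(values)) for kind, values in found.items()}


def enrich(iocs: dict[str, list[str]], intel: dict[str, dict]) -> list[dict]:
    """Attach a verdict to every IOC; IOCs absent from the feed stay 'unknown'."""
    rows = []
    for kind, values in iocs.items():
        for value in values:
            hit = intel.get(value, {"verdict": "unknown", "source": None})
            rows.append({"type": kind, "ioc": value, **hit})
    return rows


# Constructed work notes with the defanging an analyst would typically apply.
SAMPLE_WORK_NOTES = """
User reported a phishing mail from billing@invoice-portal[.]example with link
hxxp://invoice-portal[.]example/login.php. Host 10.20.30.40 beaconed to
203.0.113.57 on 443. Dropped file sha256
0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0, md5
0123456789abcdef0123456789abcdef. Escalated to CIRT.
"""

# Constructed local intel table standing in for external feed lookups
# (assumption; a real CDE would query its configured providers).
LOCAL_INTEL = {
    "203.0.113.57": {"verdict": "malicious", "source": "constructed-feed-a"},
    "invoice-portal.example": {"verdict": "suspicious", "source": "constructed-feed-b"},
}

if __name__ == "__main__":
    for row in enrich(extract_iocs(SAMPLE_WORK_NOTES), LOCAL_INTEL):
        print(f'{row["type"]:7} {row["verdict"]:10} {row["ioc"]}')
```

Unknown verdicts are kept in the output on purpose: an IOC that no feed recognizes is still worth showing to the analyst, and dropping it would hide exactly the novel infrastructure an early-stage incident tends to involve.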
FIGS. 4A - 4E show exemplary analytical results provided on a dynamic dashboard analytics 109 in accordance with some embodiments of the present disclosure.
FIG. 4A and FIG. 4B indicate exemplary views of the incident ticket landscape visibility 213. For example, the graph in FIG. 4A shows the average dwell time spent on individual incident tickets that belong to various domains such as malware, exploits, recon, suspicious email and the like (shown at the bottom of FIG. 4A). Further, FIG. 4A showcases the average time that a group of experts spends on the cases collectively before either escalating to another group of experts or closing the cases. This may be seen at a micro level on a per-case basis in the incident ticket landscape visibility 213. Thus, based on the indications provided in FIG. 4A, the organization may decide, for example, which of the groups need more training or additional resources for effectively handling the incident tickets in each domain.
Similarly, FIG. 4B provides a chart that indicates trends in occurrence of the incident tickets at different times of a day. For example, the graph of FIG. 4B indicates which category of the incident tickets occur most frequently and/or are trending during various times of the day and night. Thus, by looking at the plot in FIG. 4B, a security analyst/an expert may strategize a suitable approach or incident response for effectively handling the incident tickets occurring at different times of the day.
FIGS. 4C - 4E show exemplary views from the resource landscape visibility 215 of the organization. For example, FIG. 4C indicates the average time taken by each individual analyst for the first response. Using these indications, the organization may identify which of the analysts are overloaded and/or which of the analysts have a poor first response time, for an optimal utilization of each resource (i.e. each analyst).
FIG. 4D indicates an assessment of the quality of first response provided by each individual analyst in the organization. That is, the graph on FIG. 4D indicates what portion of the total first responses of an analyst are qualitative responses and quantitative responses, respectively. Thus, the indications in FIG. 4D help the organization in readily determining the quality of first response provided by each analyst.
Similarly, FIG. 4E indicates the status of each case handled by each analyst in the organization. Particularly, FIG. 4E indicates how many of the total cases handled by each analyst are open, stalled, in progress, waiting or closed. Thus, FIG. 4E helps in understanding the status of the cases handled by each analyst at any given point of time.
Thus, as illustrated in FIGS. 4A - 4E, the incident ticket landscape visibility 213 and the resource landscape visibility 215, which are dynamically generated as per needs of the organization, may be used for drawing various technical insights related to the incident tickets and the resources allocated for handling the incident tickets. Also, the dynamic dashboard analytics 109 is highly customizable, such that the organization may choose and/or customize the nature and type of analytics to be performed on the incident tickets or resources of the organization.
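The five views of FIGS. 4A - 4E computed from a constructed set of ticket records, as an added Python example; it is not the disclosure's dashboard code. It assumes each ticket carries an open time, a first-response time, a close time, an analyst, a status and the qualitative/quantitative class of its first response. Tickets that are still open, or that have no first response yet, are excluded from the corresponding averages rather than counted with a time of zero, which is the error that makes a naive dashboard flatter the busiest analyst.

```python
"""Dashboard metrics over incident tickets, as in FIGS. 4A-4E (added example)."""
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean

T0 = datetime(2024, 3, 4, 8, 0)  # constructed reference time, 08:00


def _at(hours: float) -> datetime:
    return T0 + timedelta(hours=hours)


# Constructed ticket records (assumption: one first response per ticket and a
# qualitative/quantitative class already assigned to it by the classifier).
TICKETS = [
    {"id": "T1", "domain": "malware", "analyst": "ana", "status": "closed",
     "opened": _at(0), "first_response": _at(0.5), "closed": _at(6), "first_kind": "qualitative"},
    {"id": "T2", "domain": "malware", "analyst": "bob", "status": "closed",
     "opened": _at(1), "first_response": _at(3), "closed": _at(11), "first_kind": "quantitative"},
    {"id": "T3", "domain": "phishing", "analyst": "ana", "status": "in progress",
     "opened": _at(2), "first_response": _at(2.25), "closed": None, "first_kind": "qualitative"},
    {"id": "T4", "domain": "recon", "analyst": "bob", "status": "closed",
     "opened": _at(14), "first_response": _at(15), "closed": _at(16), "first_kind": "qualitative"},
    {"id": "T5", "domain": "phishing", "analyst": "ana", "status": "open",
     "opened": _at(26), "first_response": None, "closed": None, "first_kind": None},
    {"id": "T6", "domain": "malware", "analyst": "bob", "status": "stalled",
     "opened": _at(27), "first_response": _at(29), "closed": None, "first_kind": "quantitative"},
]


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def mean_dwell_by_domain(tickets: list[dict]) -> dict[str, float]:
    """FIG. 4A: mean hours from open to close per domain (closed tickets only)."""
    buckets: dict[str, list[float]] = defaultdict(list)
    for t in tickets:
        if t["closed"] is not None:
            buckets[t["domain"]].append(_hours(t["opened"], t["closed"]))
    return {domain: mean(v) for domain, v in buckets.items()}


def tickets_by_hour(tickets: list[dict]) -> Counter:
    """FIG. 4B: number of tickets opened per (hour of day, domain)."""
    return Counter((t["opened"].hour, t["domain"]) for t in tickets)


def mean_first_response_by_analyst(tickets: list[dict]) -> dict[str, float]:
    """FIG. 4C: mean hours to first response per analyst; tickets without a
    first response are left out rather than counted as zero."""
    buckets: dict[str, list[float]] = defaultdict(list)
    for t in tickets:
        if t["first_response"] is not None:
            buckets[t["analyst"]].append(_hours(t["opened"], t["first_response"]))
    return {analyst: mean(v) for analyst, v in buckets.items()}


def qualitative_share_by_analyst(tickets: list[dict]) -> dict[str, float]:
    """FIG. 4D: fraction of each analyst's first responses classified qualitative."""
    kinds: dict[str, Counter] = defaultdict(Counter)
    for t in tickets:
        if t["first_kind"] is not None:
            kinds[t["analyst"]][t["first_kind"]] += 1
    return {a: c["qualitative"] / sum(c.values()) for a, c in kinds.items()}


def status_by_analyst(tickets: list[dict]) -> dict[str, dict[str, int]]:
    """FIG. 4E: open / stalled / in progress / waiting / closed counts per analyst."""
    out: dict[str, Counter] = defaultdict(Counter)
    for t in tickets:
        out[t["analyst"]][t["status"]] += 1
    return {a: dict(c) for a, c in out.items()}


def dashboard(tickets: list[dict]) -> dict:
    """All five views in one structure, ready to hand to a renderer."""
    return {
        "dwell_by_domain": mean_dwell_by_domain(tickets),
        "tickets_by_hour": tickets_by_hour(tickets),
        "first_response_by_analyst": mean_first_response_by_analyst(tickets),
        "qualitative_share_by_analyst": qualitative_share_by_analyst(tickets),
        "status_by_analyst": status_by_analyst(tickets),
    }


if __name__ == "__main__":
    for name, view in dashboard(TICKETS).items():
        print(name, dict(view))
```

The per-analyst views are performance data about named individuals; in a deployment they belong behind the same access control as the case data itself, visible to the CIRT lead and not to every dashboard viewer.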
In an embodiment, the methods and embodiments of the present disclosure may not be limited only to incident ticket management. Instead, the method of the present disclosure may be applied across various organizations for use cases such as monitoring resources of the organization, work allocation among the available resources, monitoring inflow of work, projects or cases in domain of the organization, budget management and the like.
Computer System
FIG. 5 illustrates a block diagram of an exemplary computer system 500 for implementing embodiments consistent with the present disclosure. In an embodiment, the computer system 500 may be the incident management system 101 illustrated in FIG. 1, which may be used for managing incident responses 105 in an organization. The computer system 500 may include a central processing unit (“CPU” or “processor”) 502. The processor 502 may comprise at least one data processor for executing program components for executing user- or system-generated business processes. A user may include a person, a security analyst, or any system/sub-system being operated in parallel with the computer system 500. The processor 502 may include specialized processing units such as integrated system (bus) controllers, memory management control units, floating point units, graphics processing units, digital signal processing units, etc.
The processor 502 may be disposed in communication with one or more input/output (I/O) devices (511 and 512) via I/O interface 501. The I/O interface 501 may employ communication protocols/methods such as, without limitation, audio, analog, digital, stereo, IEEE® 1394, serial bus, Universal Serial Bus (USB), infrared, PS/2, BNC, coaxial, component, composite, Digital Visual Interface (DVI), high-definition multimedia interface (HDMI), Radio Frequency (RF) antennas, S-Video, Video Graphics Array (VGA), IEEE® 802.11a/b/g/n/x, Bluetooth, cellular (e.g., Code-Division Multiple Access (CDMA), High-Speed Packet Access (HSPA+), Global System For Mobile Communications (GSM), Long-Term Evolution (LTE) or the like), etc. Using the I/O interface 501, the computer system 500 may communicate with one or more I/O devices 511 and 512.
In some embodiments, the processor 502 may be disposed in communication with a communication network 509 via a network interface 503. The network interface 503 may communicate with the communication network 509. The network interface 503 may employ connection protocols including, without limitation, direct connect, Ethernet (e.g., twisted pair 10/100/1000 Base T), Transmission Control Protocol/Internet Protocol (TCP/IP), token ring, IEEE® 802.11a/b/g/n/x, etc. Using the network interface 503 and the communication network 509, the computer system 500 may connect to one or more sources 103 of the one or more incident responses 105.
In an implementation, the communication network 509 may be implemented as one of the several types of networks, such as intranet or Local Area Network (LAN) and such within the organization. The communication network 509 may either be a dedicated network or a shared network, which represents an association of several types of networks that use a variety of protocols, for example, Hypertext Transfer Protocol (HTTP), Transmission Control Protocol/Internet Protocol (TCP/IP), Wireless Application Protocol (WAP), etc., to communicate with each other. Further, the communication network 509 may include a variety of network devices, including routers, bridges, servers, computing devices, storage devices, etc.
In some embodiments, the processor 502 may be disposed in communication with a memory 505 (e.g., RAM 513, ROM 514, etc. as shown in FIG. 5) via a storage interface 504. The storage interface 504 may connect to memory 505 including, without limitation, memory drives, removable disc drives, etc., employing connection protocols such as Serial Advanced Technology Attachment (SATA), Integrated Drive Electronics (IDE), IEEE-1394, Universal Serial Bus (USB), fiber channel, Small Computer Systems Interface (SCSI), etc. The memory drives may further include a drum, magnetic disc drive, magneto-optical drive, optical drive, Redundant Array of Independent Discs (RAID), solid-state memory devices, solid-state drives, etc.
The memory 505 may store a collection of program or database components, including, without limitation, user/application interface 506, an operating system 507, a web browser 508, and the like. In some embodiments, computer system 500 may store user/application data 506, such as the data, variables, records, etc. as described in this invention. Such databases may be implemented as fault-tolerant, relational, scalable, secure databases such as Oracle® or Sybase®. The operating system 507 may facilitate resource management and operation of the computer system 500. Examples of operating systems include, without limitation, APPLE® MACINTOSH® OS X®, UNIX®, UNIX-like system distributions (E.G., BERKELEY SOFTWARE DISTRIBUTION® (BSD), FREEBSD®, NETBSD®, OPENBSD, etc.), LINUX® DISTRIBUTIONS (E.G., RED HAT®, UBUNTU®, KUBUNTU®, etc.), IBM® OS/2®, MICROSOFT® WINDOWS® (XP®, VISTA®/7/8, 10 etc.), APPLE® IOS®, GOOGLE™ ANDROID™, BLACKBERRY® OS , or the like.
The user interface 506 may facilitate display, execution, interaction, manipulation, or operation of program components through textual or graphical facilities. For example, the user interface 506 may provide computer interaction interface elements on a display system operatively connected to the computer system 500, such as cursors, icons, check boxes, menus, scrollers, windows, widgets, and the like. Further, Graphical User Interfaces (GUIs) may be employed, including, without limitation, APPLE® MACINTOSH® operating systems’ Aqua®, IBM® OS/2®, MICROSOFT® WINDOWS® (e.g., Aero, Metro, etc.), web interface libraries (e.g., ActiveX®, JAVA®, JAVASCRIPT®, AJAX, HTML, ADOBE® FLASH®, etc.), or the like.
The web browser 508 may be a hypertext viewing application. Secure web browsing may be provided using HTTPS, that is, HTTP carried over Transport Layer Security (TLS); the older Secure Sockets Layer (SSL) protocol versions are deprecated and should be disabled. The web browsers 508 may utilize facilities such as AJAX, DHTML, ADOBE® FLASH®, JAVASCRIPT®, JAVA®, Application Programming Interfaces (APIs), and the like. Further, the computer system 500 may implement a mail server stored program component. The mail server may utilize facilities such as ASP, ACTIVEX®, ANSI® C++/C#, MICROSOFT® .NET, CGI SCRIPTS, JAVA®, JAVASCRIPT®, PERL®, PHP, PYTHON®, WEBOBJECTS®, etc. The mail server may utilize communication protocols such as Internet Message Access Protocol (IMAP), Messaging Application Programming Interface (MAPI), MICROSOFT® exchange, Post Office Protocol (POP), Simple Mail Transfer Protocol (SMTP), or the like. In some embodiments, the computer system 500 may implement a mail client stored program component. The mail client may be a mail viewing application, such as APPLE® MAIL, MICROSOFT® ENTOURAGE®, MICROSOFT® OUTLOOK®, MOZILLA® THUNDERBIRD®, and the like.
Furthermore, one or more computer-readable storage media may be utilized in implementing embodiments consistent with the present invention. A computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored. Thus, a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processor(s) to perform steps or stages consistent with the embodiments described herein. The term“computer-readable medium” should be understood to include tangible items and exclude carrier waves and transient signals, i.e., non-transitory. Examples include Random Access Memory (RAM), Read-Only Memory (ROM), volatile memory, nonvolatile memory, hard drives, Compact Disc (CD) ROMs, Digital Video Disc (DVDs), flash drives, disks, and any other known physical storage media.
Advantages of the embodiments of the disclosure are illustrated herein.
In an embodiment, the method of present disclosure may be used for dynamically managing the incident tickets being generated in an organization.
In an embodiment, the method of present disclosure provides a dynamic dashboard analytics including a ticket landscape visibility and a resource landscape visibility of the organization, thereby assisting a Computer Incident Response Team (CIRT) in effectively managing the incident in the organization. Additionally, the present disclosure helps, for example, a Chief Information Security Officer (CISO) of the organization in distributing budgets, tools, resources, knowledge and the like for effective incident response management process.
In an embodiment, the method of the present disclosure also helps a CIRT or a system analyst to automate regular tasks of the incident response management process. Additionally, the present disclosure helps in reducing the time and cost involved in the incident response management process by automatically extracting Indicators of Compromise (IOCs) from work notes and gathering threat intelligence on them.
The terms "an embodiment", "embodiment", "embodiments", "the embodiment", "the embodiments", "one or more embodiments", "some embodiments", and "one embodiment" mean "one or more (but not all) embodiments of the invention(s)" unless expressly specified otherwise.
The terms "including", "comprising",“having” and variations thereof mean "including but not limited to", unless expressly specified otherwise. The enumerated listing of items does not imply that any or all the items are mutually exclusive, unless expressly specified otherwise. The terms "a", "an" and "the" mean "one or more", unless expressly specified otherwise.
A description of an embodiment with several components in communication with each other does not imply that all such components are required. On the contrary, a variety of optional components are described to illustrate the wide variety of possible embodiments of the invention.
When a single device or article is described herein, it will be clear that more than one device/article (whether they cooperate) may be used in place of a single device/article. Similarly, where more than one device or article is described herein (whether they cooperate), it will be clear that a single device/article may be used in place of the more than one device or article or a different number of devices/articles may be used instead of the shown number of devices or programs. The functionality and/or the features of a device may be alternatively embodied by one or more other devices which are not explicitly described as having such functionality /features. Thus, other embodiments of the invention need not include the device itself.
Finally, the language used in the specification has been principally selected for readability and instructional purposes, and it may not have been selected to delineate or circumscribe the inventive subject matter. It is therefore intended that the scope of the invention be limited not by this detailed description, but rather by any claims that issue on an application based here on. Accordingly, the embodiments of the present invention are intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the following claims.
Referral Numerals: [table of reference numerals not reproduced in this text]

Claims
1. A method of managing incident responses in an organization, the method comprising:
generating, by an incident management system, hash values corresponding to each of one or more incident responses, corresponding to one or more incident tickets, received from one or more sources;
assigning, by the incident management system, a label for each of the one or more incident responses based on a domain of each of the one or more incident responses; analysing, by the incident management system, each of the one or more incident responses using a plurality of pre-trained learning models, wherein a corresponding pre-trained learning model of the plurality of pre-trained learning models analyses each of the one or more incident responses based on the hash values and the label of each of the one or more incident responses;
classifying, by the incident management system, each of the one or more incident responses as one of one or more qualitative responses or one or more quantitative responses based on the analysis; and
generating, by the incident management system, a dynamic dashboard analytics based on the one or more qualitative responses, for managing each of the one or more incident responses, wherein the dynamic dashboard analytics provides an incident ticket landscape visibility and a resource landscape visibility.
2. The method as claimed in claim 1, wherein one or more pre-processing operations are performed on each of the one or more incident responses prior to generating the hash values.
3. The method as claimed in claim 2, wherein the one or more pre-processing operations comprises at least one of casing of texts, removal of special characters, tokenization, correction of errors, lemmatization and removal of stop words from each of the one or more incident responses.
4. The method as claimed in claim 1, wherein the domain of each of the one or more incident responses is determined using Natural Language Processing (NLP) techniques.
5. The method as claimed in claim 1, wherein each of the plurality of pre-trained learning models comprises a multilayer stacked model including at least one of an embedding layer, at least one Long Short-Term Memory (LSTM) layer and a dense layer with a sigmoid activation function.
6. The method as claimed in claim 1, wherein the incident ticket landscape visibility comprises at least one of information related to the one or more incident tickets, frequency of occurrence and trends in the occurrence of the one or more incident tickets and mean turnaround time taken for generating the one or more incident responses to each of the one or more incident tickets.
7. The method as claimed in claim 1, wherein the resource landscape visibility comprises at least one of information related to one or more resources available in the organization and time taken by the one or more resources for generating the one or more incident responses to each of the one or more incident tickets.
8. An incident management system for managing incident responses in an organization, the incident management system comprising:
a processor; and
a memory, communicatively coupled to the processor, wherein the memory stores processor-executable instructions, which on execution, cause the processor to:
generate hash values corresponding to each of one or more incident responses, corresponding to one or more incident tickets, received from one or more sources;
assign a label for each of the one or more incident responses based on a domain of each of the one or more incident responses;
analyse each of the one or more incident responses using a plurality of pre-trained learning models, wherein a corresponding pre-trained learning model of the plurality of pre-trained learning models analyses each of the one or more incident responses based on the hash values and the label of each of the one or more incident responses;
classify each of the one or more incident responses as one of one or more qualitative responses or one or more quantitative responses based on the analysis; and
generate dynamic dashboard analytics based on the one or more qualitative responses, for managing each of the one or more incident responses, wherein the dynamic dashboard analytics provide an incident ticket landscape visibility and a resource landscape visibility.
9. The incident management system as claimed in claim 8, wherein the processor performs one or more pre-processing operations on each of the one or more incident responses prior to generating the hash values.
10. The incident management system as claimed in claim 9, wherein the one or more pre-processing operations comprise at least one of casing of texts, removal of special characters, tokenization, correction of errors, lemmatization and removal of stop words from each of the one or more incident responses.
11. The incident management system as claimed in claim 8, wherein the domain of each of the one or more incident responses is determined using Natural Language Processing (NLP) techniques.
12. The incident management system as claimed in claim 8, wherein each of the plurality of pre-trained learning models comprises a multilayer stacked model including at least one of an embedding layer, at least one Long Short-Term Memory (LSTM) layer and a dense layer with a sigmoid activation function.
13. The incident management system as claimed in claim 8, wherein the incident ticket landscape visibility comprises at least one of information related to the one or more incident tickets, frequency of occurrence and trends in the occurrence of the one or more incident tickets and mean turnaround time taken for generating the one or more incident responses to each of the one or more incident tickets.
14. The incident management system as claimed in claim 8, wherein the resource landscape visibility comprises at least one of information related to one or more resources available in the organization and time taken by the one or more resources for generating the one or more incident responses to each of the one or more incident tickets.
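The claims above describe a pipeline (pre-process each response, hash it, label its domain, run a per-domain classifier, then compute ticket and resource landscape metrics) without giving any concrete implementation. The following is an added worked example, written for this page and not code from the patent or its inventor, that carries the pipeline through on constructed sample tickets using only the Python standard library. The domain vocabularies, the suffix-stripping "lemmatizer", the numeric-ratio classifier that stands in for the claimed pre-trained LSTM, and the ticket records are all assumptions made for illustration. The security-relevant caveat it demonstrates: hashing the normalised text is a similarity key (casing and punctuation variants of one response collide on purpose, which is what makes duplicate-response detection work), not an integrity check over what an analyst actually wrote; keep a separate hash of the raw response if the record has evidentiary value.

```python
"""Added worked example (not from the patent): the claimed pipeline in stdlib Python.

Pre-process each incident response (claim 3), hash the normalised text (claim 1),
label its domain (claim 4), classify it as qualitative or quantitative (claim 8),
and build the ticket/resource landscape metrics (claims 6 and 7). The domain
vocabularies, the suffix-stripping lemmatizer and the numeric-ratio classifier are
illustrative stand-ins for the NLP and LSTM components the claims leave unspecified;
the tickets in SAMPLE are constructed data.
"""
import hashlib
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Minimal stop-word list (assumed); "s" catches the possessive left behind once apostrophes go.
STOP_WORDS = {"the", "a", "an", "is", "was", "to", "of", "and", "on", "in", "we", "it", "by", "s"}


def lemmatize(token):
    """Crude suffix stripping: a stand-in for a real lemmatizer, not the patent's method."""
    for suffix in ("ing", "ed", "es", "s"):
        if len(token) > len(suffix) + 2 and token.endswith(suffix):
            return token[: -len(suffix)]
    return token


def preprocess(text):
    """Claim 3 operations: casing, special-character removal, tokenization, lemmatization, stop words."""
    text = re.sub(r"[^a-z0-9\s]", " ", text.lower())
    return [t for t in (lemmatize(tok) for tok in text.split()) if t not in STOP_WORDS]


def response_hash(text):
    """SHA-256 over the normalised tokens, so textual variants of one response collide by design.
    This is a similarity key, not evidence integrity (hash the raw response separately for that),
    and Python's per-process-salted hash() must never be used as a persisted identifier."""
    return hashlib.sha256(" ".join(preprocess(text)).encode("utf-8")).hexdigest()


# Illustrative domain vocabularies (assumed), normalised with the same lemmatizer as the responses.
DOMAIN_KEYWORDS = {
    "network": {"firewall", "dns", "port", "vpn", "packet"},
    "identity": {"password", "mfa", "account", "login", "credential"},
    "endpoint": {"malware", "host", "laptop", "edr", "process"},
}
DOMAIN_KEYWORDS = {d: {lemmatize(w) for w in ws} for d, ws in DOMAIN_KEYWORDS.items()}


def label_domain(tokens):
    """Claim 4: assign a domain label; here by keyword overlap instead of a trained NLP model."""
    scores = {d: len(kw & set(tokens)) for d, kw in DOMAIN_KEYWORDS.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else "unclassified"


def classify(tokens):
    """Stand-in for the per-domain pre-trained LSTM: a response whose tokens are at least one
    quarter numbers is treated as quantitative, anything else as qualitative."""
    if not tokens:
        return "qualitative"
    numeric = sum(t.isdigit() for t in tokens)
    return "quantitative" if numeric / len(tokens) >= 0.25 else "qualitative"


def enrich(rec):
    """Attach hash, domain label, classification and turnaround hours to one ticket record."""
    tokens = preprocess(rec["response"])
    opened = datetime.fromisoformat(rec["opened"])
    closed = datetime.fromisoformat(rec["closed"])
    return dict(rec, hash=response_hash(rec["response"]), domain=label_domain(tokens),
                kind=classify(tokens), hours=(closed - opened).total_seconds() / 3600)


def dashboard(records):
    """Ticket landscape (counts, daily trend, mean turnaround) and resource landscape (per-resource
    turnaround), computed over the qualitative responses as claim 8 specifies. Responses sharing a
    hash are reported as duplicates: templated or copy-pasted responses deserve a second look."""
    qual = [r for r in map(enrich, records) if r["kind"] == "qualitative"]
    per_resource = defaultdict(list)
    for r in qual:
        per_resource[r["resource"]].append(r["hours"])
    hashes = Counter(r["hash"] for r in qual)
    hours = [r["hours"] for r in qual]
    return {
        "tickets": len(qual),
        "by_domain": dict(Counter(r["domain"] for r in qual)),
        "trend_per_day": dict(Counter(r["opened"][:10] for r in qual)),
        "mean_turnaround_hours": statistics.mean(hours) if hours else 0.0,
        "distinct_responses": len(hashes),
        "duplicate_responses": sum(n - 1 for n in hashes.values()),
        "resource_mean_hours": {res: statistics.mean(h) for res, h in per_resource.items()},
    }


# Constructed sample tickets; INC-3 is a casing/punctuation variant of INC-1's response.
SAMPLE = [
    {"ticket": "INC-1", "resource": "alice", "opened": "2019-09-06T08:00", "closed": "2019-09-06T10:00",
     "response": "Blocked the attacker's IP on the firewall and closed unused ports."},
    {"ticket": "INC-2", "resource": "bob", "opened": "2019-09-06T09:00", "closed": "2019-09-06T13:00",
     "response": "Reset the user's passwords and enforced MFA on the account."},
    {"ticket": "INC-3", "resource": "alice", "opened": "2019-09-07T08:00", "closed": "2019-09-07T09:00",
     "response": "blocked the attackers ip on the firewall & closed unused ports!"},
    {"ticket": "INC-4", "resource": "carol", "opened": "2019-09-07T12:00", "closed": "2019-09-07T12:30",
     "response": "Isolated the laptop; EDR flagged malware in a suspicious process."},
    {"ticket": "INC-5", "resource": "bob", "opened": "2019-09-08T08:00", "closed": "2019-09-08T09:00",
     "response": "Metrics: 3 hosts, 42 alerts, 7 blocked, 0 escalations."},
]

if __name__ == "__main__":
    import json
    print(json.dumps(dashboard(SAMPLE), indent=2))
```

Running the module prints the landscape metrics for the five sample tickets: INC-5 is filtered out as quantitative, INC-1 and INC-3 share one hash and are reported as a duplicate pair, and turnaround is broken down per domain and per resource. The embedding, LSTM and sigmoid-dense stack named in claims 5 and 12 is not reproduced here; where it is used, the hash and the domain label would be fed to the model selected for that label, and `classify` would return its thresholded sigmoid output instead of the numeric-ratio rule.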
Applications Claiming Priority

Application Number | Priority Date | Filing Date | Title
IN201841029352 | 2018-09-06 | |

Publications (1)

Publication Number | Publication Date
WO2020049595A1 (en) | 2020-03-12

Family

ID=69723013

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/IN2019/050644 | Method and system for managing incident response in an organization, WO2020049595A1 (en) | 2018-09-06 | 2019-09-06

Country Status (1)

Country | Link
WO (1) | WO2020049595A1 (en)

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
WO2013059520A1 (en) * | 2011-10-18 | 2013-04-25 | McAfee, Inc. | Integrating security policy and event management


Legal Events

Code | Title | Description
121 | Ep: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 19857376; Country of ref document: EP; Kind code of ref document: A1
NENP | Non-entry into the national phase | Ref country code: DE
122 | Ep: PCT application non-entry in European phase | Ref document number: 19857376; Country of ref document: EP; Kind code of ref document: A1