-
Publication number: US20190297118A1
Publication date: 2019-09-26
Application number: US16270819
Application date: 2019-02-08
Applicant: ServiceNow, Inc.
Inventor: Andreas Seip Haugsnes
IPC: H04L29/06 , G06F16/951 , H04W12/12 , G06F16/23 , G06F16/245 , H04L29/08 , G06F9/455 , G06F21/55
Abstract: This disclosure provides a network security architecture that permits installation of different software security products as virtual machines (VMs). By relying on a common data format and standardized communication structure (e.g., using pre-established, cross-platform messaging), a general architecture can be created and used to dynamically build and reconfigure interaction between both similar and dissimilar security products. Examples are provided where an intrusion monitoring system (IMS) can be used to detect network threats based on distributed threat analytics, passing detected threats to other security products (e.g., products with different capabilities from different vendors) to trigger automatic, dynamically configured communication and reaction. A network security provider using this infrastructure can provide hosted or managed boundary security to a diverse set of clients, each on a customized basis.
-
Publication number: US09680846B2
Publication date: 2017-06-13
Application number: US14819443
Application date: 2015-08-06
Applicant: ServiceNow, Inc.
Inventor: Andreas Seip Haugsnes
CPC classification number: H04L63/1416 , G06F17/30386 , G06F17/30528 , G06F17/30864 , G06F21/552 , H04L63/104 , H04L63/1441 , H04L63/145 , H04L67/10
Abstract: This disclosure provides an architecture for sharing information between network security administrators. Events converted to a normalized data format (CCF) are stored in a manner that can be queried by a third party (e.g., an administrator of another, trusted network). Optionally made available as a service, stored event records can be sanitized for third party queries (e.g., by clients of a service maintaining such a repository). In one embodiment, each contributing network encrypts or signs its (sanitized) records using a symmetric key architecture, the key being unique to the contributing network. This key is used (e.g., by the repository) to index a set of permissions or conditions of the contributing network in servicing any query, e.g., by matching a stored hash of the event record or by decrypting the record. The information sharing service can optionally be provided by a hosted information security service or on a peer-to-peer basis.
-
Publication number: US11704405B2
Publication date: 2023-07-18
Application number: US17457152
Application date: 2021-12-01
Applicant: ServiceNow, Inc.
Inventor: Richard Reybok , Andreas Seip Haugsnes , Kurt Joseph Zettel, II , Jeffrey Rhines , Henry Geddes , Volodymyr Osypov , Scott Lewis , Sean Brady , Mark Manning
CPC classification number: G06F21/552 , H04L63/145
Abstract: This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or correlated results can be filtered and/or routed according at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.
-
Publication number: US20220083653A1
Publication date: 2022-03-17
Application number: US17457152
Application date: 2021-12-01
Applicant: ServiceNow, Inc.
Inventor: Richard Reybok , Andreas Seip Haugsnes , Kurt Joseph Zettel, III , Jeffrey Rhines , Henry Geddes , Volodymyr Osypov , Scott Lewis , Sean Brady , Mark Manning
Abstract: This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or correlated results can be filtered and/or routed according at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.
-
Publication number: US10225288B2
Publication date: 2019-03-05
Application number: US15002655
Application date: 2016-01-21
Applicant: ServiceNow, Inc.
Inventor: Andreas Seip Haugsnes
Abstract: This disclosure provides a network security architecture that permits installation of different software security products as virtual machines (VMs). By relying on a common data format and standardized communication structure (e.g., using pre-established, cross-platform messaging), a general architecture can be created and used to dynamically build and reconfigure interaction between both similar and dissimilar security products. Examples are provided where an intrusion monitoring system (IMS) can be used to detect network threats based on distributed threat analytics, passing detected threats to other security products (e.g., products with different capabilities from different vendors) to trigger automatic, dynamically configured communication and reaction. A network security provider using this infrastructure can provide hosted or managed boundary security to a diverse set of clients, each on a customized basis.
-
Publication number: US11388200B2
Publication date: 2022-07-12
Application number: US16270819
Application date: 2019-02-08
Applicant: ServiceNow, Inc.
Inventor: Andreas Seip Haugsnes
IPC: H04L9/40 , G06F16/23 , G06F16/245 , G06F16/951 , G06F21/55 , G06F9/455 , H04L67/1097 , H04W12/12
Abstract: This disclosure provides a network security architecture that permits installation of different software security products as virtual machines (VMs). By relying on a common data format and standardized communication structure (e.g., using pre-established, cross-platform messaging), a general architecture can be created and used to dynamically build and reconfigure interaction between both similar and dissimilar security products. Examples are provided where an intrusion monitoring system (IMS) can be used to detect network threats based on distributed threat analytics, passing detected threats to other security products (e.g., products with different capabilities from different vendors) to trigger automatic, dynamically configured communication and reaction. A network security provider using this infrastructure can provide hosted or managed boundary security to a diverse set of clients, each on a customized basis.
-
Publication number: US09710644B2
Publication date: 2017-07-18
Application number: US14615202
Application date: 2015-02-05
Applicant: ServiceNow, Inc.
Inventor: Richard Reybok , Andreas Seip Haugsnes , Kurt Joseph Zettel, II , Jeffrey Rhines , Henry Geddes , Volodymyr Osypov , Scott Lewis , Sean Brady , Mark Manning
CPC classification number: G06F21/552 , H04L63/145
Abstract: This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or correlated results can be filtered and/or routed according at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.
-
Publication number: US10412103B2
Publication date: 2019-09-10
Application number: US15620596
Application date: 2017-06-12
Applicant: ServiceNow, Inc.
Inventor: Andreas Seip Haugsnes
IPC: H04L29/06 , G06F16/24 , G06F16/951 , G06F16/2457 , G06F21/55 , H04L29/08
Abstract: This disclosure provides an architecture for sharing information between network security administrators. Events converted to a normalized data format (CCF) are stored in a manner that can be queried by a third party (e.g., an administrator of another, trusted network). Optionally made available as a service, stored event records can be sanitized for third party queries (e.g., by clients of a service maintaining such a repository). In one embodiment, each contributing network encrypts or signs its (sanitized) records using a symmetric key architecture, the key being unique to the contributing network. This key is used (e.g., by the repository) to index a set of permissions or conditions of the contributing network in servicing any query, e.g., by matching a stored hash of the event record or by decrypting the record. The information sharing service can optionally be provided by a hosted information security service or on a peer-to-peer basis.
-
Publication number: US11222111B2
Publication date: 2022-01-11
Application number: US16827127
Application date: 2020-03-23
Applicant: ServiceNow, Inc.
Inventor: Richard Reybok , Andreas Seip Haugsnes , Kurt Joseph Zettel, II , Jeffrey Rhines , Henry Geddes , Volodymyr Osypov , Scott Lewis , Sean Brady , Mark Manning
Abstract: This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or correlated results can be filtered and/or routed according at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.
-
Publication number: US10432674B1
Publication date: 2019-10-01
Application number: US15694166
Application date: 2017-09-01
Applicant: ServiceNow, Inc.
Inventor: Andreas Seip Haugsnes , Markus Hahn
IPC: H04L29/06 , G06F16/23 , G06F16/245
Abstract: This disclosure provides a network security architecture that permits installation of different software security products as virtual machines (VMs). By relying on a standardized data format and communication structure, a general architecture can be created and used to dynamically build and reconfigure interaction between both similar and dissimilar security products. Use of an integration scheme having defined message types and specified query response framework provides for real-time response and easy adaptation for cross-vendor communication. Examples are provided where an intrusion detection system (IDS) can be used to detect network threats based on distributed threat analytics, passing detected threats to other security products (e.g., products with different capabilities from different vendors) to trigger automatic, dynamically configured communication and reaction. A network security provider using this infrastructure can provide hosted or managed boundary security to a diverse set of clients, each on a customized basis.