- Portsmouth NH, US; Peter Geremia - Portsmouth NH, US; Richard Goodwin - York ME, US; Sean Moore - Hollis NH, US; Vincent Mutolo - Portsmouth NH, US; Jess P. Parnell - Grayson GA, US; Jonathan R. Rogers - Hampton Falls NH, US
International Classification:
H04L 9/40
Abstract:
A packet-filtering network appliance such as a threat intelligence gateway (TIG) protects TCP/IP networks from Internet threats by enforcing certain policies on in-transit packets that are crossing network boundaries. The policies are composed of packet filtering rules derived from cyber threat intelligence (CTI). Logs of rule-matching packets and their associated flows are sent to cyberanalysis applications located at security operations centers (SOCs) and operated by cyberanalysts. Some cyber threats/attacks, or incidents, are composed of many different flows occurring at a very high rate, which generates a flood of logs that may overwhelm computer, storage, network, and cyberanalysis resources, thereby compromising cyber defenses. The present disclosure describes incident logging, in which a single incident log efficiently incorporates the logs of the many flows that comprise the incident, thereby potentially reducing resource consumption while improving the informational/cyberanalytical value of the incident log for cyberanalysis when compared to the component flow logs. Incident logging vs. flow logging can be automatically and adaptively switched on or off depending on the combination of resource consumption and informational/cyberanalytical value.
Methods And Systems For Efficient Network Protection
- Portsmouth NH, US; Jess Parnell - Grayson GA, US; Jonathan R. Rogers - Hampton Falls NH, US
International Classification:
H04L 29/06 H04L 12/26
Abstract:
Methods and systems are disclosed for integrating cyber threat intelligence (CTI), threat metadata, and threat intelligence gateways with analysis systems to form an efficient and effective system for active, proactive, and reactive network protection. A network gateway may be composed of multiple stages. A first stage may include a threat intelligence gateway (TIG). A second stage may include one or more cyber analysis systems that ingest TIG-filtered communications and associated threat metadata signals. A third stage may include network protection logic that determines which protective actions. The gateway may be provisioned and configured with rules that specify the network protection policies to be enforced. The gateway may ingest all communications flowing between the protected network and the unprotected network.
- Portsmouth NH, US; Jonathan R. Rogers - Hampton Falls NH, US; Jess Parnell - Grayson GA, US; Zachary Ehnerd - Atlanta GA, US
International Classification:
G06F 21/55 G06N 99/00
Abstract:
A cyber threat intelligence (CTI) gateway device may receive rules for filtering TCP/IP packet communications events that are configured to cause the CTI gateway device to identify communications corresponding to indicators, signatures, and behavioral patterns of network threats. The CTI gateway device may receive packets that compose endpoint-to-endpoint communication events and, for each event, may determine that the event corresponds to criteria specified by a filtering rule. The criteria may correspond to one or more of the network threat indicators, signatures, and behavioral patterns. The CTI gateway may create a log of the threat event and forward the threat event log to a task queue managed by a cyberanalysis workflow application. Human cyberanalysts use the cyberanalysis workflow application to service the task queue by removing the task at the front of the queue, investigating the threat event, and deciding whether the event is a reportable finding that should be reported to the proper authorities. In order to improve the efficiency of the workflow process, tasks in the queue are ordered by the likelihood, or probability, that cyberanalysts will determine the associated threat events to be reportable findings; thus, high-likelihood events are investigated first. Likelihoods are computed using human-designed algorithms and machine-learned algorithms that are applied to characteristics of the events. Low-likelihood events may be dropped from the work queue to further improve efficiency.
Engility Corporation - Greater Atlanta Area since Jul 2010
Development Team Lead
Titan Technologies, Corp. since May 1999
President
Education:
Dowling College 1999 - 2003
Bachelor of Business, Finance
Skills:
Security, Information Security, Network Security, CISSP, Computer Security, Networking, Virtualization, Disaster Recovery, Leadership, Routers, Systems Engineering, Management, Information Assurance, Security Clearance, Microsoft SQL Server, Network Administration, Information Security Management, Windows Server, VMware, DoD, Microsoft Certified Professional, System Administration, Government Contracting, CCNA
Interests:
Digital Investigations, Counter Cyberespionage, Intelligence and Counter Intelligence, Network Security, Cyber Warfare, Incident Response
Certifications:
TS/SCI - Top Secret Sensitive Compartmented Information (Active); C|EH - Certified Ethical Hacker; GCIA - GIAC Certified Intrusion Analyst; CISSP - Certified Information Systems Security Professional; L|PT - Licensed Penetration Tester; MCSE+S - Microsoft Certified Systems Engineer Plus Security; CNDA - Certified Network Defense Architect; CCNA - Cisco Certified Network Administrator; ECSA - Certified Security Analyst; ACSP - Apple Certified Support Professional; GCFA - Certification Forensic Analyst (class taken, studying for test); EC-Council; GIAC; (ISC)²; Microsoft; Cisco; Apple; CEH - Certified Ethical Hacker; GCFA - GIAC Certified Forensic Analyst; Certified Ethical Hacker (CEH); GIAC Certified Forensic Analyst (GCFA); Certified Information Systems Security Professional (CISSP); Licensed Penetration Tester (LPT); Microsoft Certified Systems Engineer Plus Security (MCSE+S); Cisco Certified Network Administrator (CCNA); GIAC Certified Intrusion Analyst (GCIA); Certified Network Defense Architect (CNDA); EC-Council Certified Security Analyst (ECSA); Apple Certified Support Professional (ACSP)