Title:
METHOD AND SYSTEM FOR PRIORITIZING INFORMATION TECHNOLOGY FINDINGS FOR REMEDIATING INFORMATION TECHNOLOGY ASSETS
Document Type and Number:
WIPO Patent Application WO/2019/112575
Kind Code:
A1
Abstract:
A method for prioritizing information technology security findings for remediating information technology assets includes: determining a plurality of information technology security findings affecting at least one information technology asset based on at least one information technology security rule; determining at least one finding score; determining at least one information technology asset score; prioritizing remediation of the at least one information technology asset; and based on the prioritization, remediating the at least one information technology asset. A system for prioritizing information technology security findings for remediating information technology assets is also disclosed.

Inventors:
BRAMMER RAYMOND (US)
PUNDIR HEENA (US)
Application Number:
PCT/US2017/064829
Publication Date:
June 13, 2019
Filing Date:
December 06, 2017
Assignee:
VISA INT SERVICE ASS (US)
International Classes:
G06F12/14; G06F12/16; G06F21/10; G06F21/50
Foreign References:
US9456004B2, 2016-09-27
US20160162141A1, 2016-06-09
US7278163B2, 2007-10-02
US20160323295A1, 2016-11-03
US9411965B2, 2016-08-09
Attorney, Agent or Firm:
EHRET, Christian, D. et al. (US)
Claims:
THE INVENTION CLAIMED IS

1. A method for prioritizing information technology security findings for remediating information technology assets, comprising:

determining, with at least one processor, a plurality of information technology security findings affecting at least one information technology asset based on at least one information technology security rule;

for each information technology security finding, determining, with at least one processor, at least one finding score based at least partially on an information technology risk or severity associated with the information technology security finding;

automatically determining, with at least one processor, at least one information technology asset score for each information technology asset of the at least one information technology asset based at least partially on the at least one finding score associated with at least one information technology security finding affecting the information technology asset;

based on the at least one information technology asset score, prioritizing, with at least one processor, remediation of the at least one information technology asset; and

based on the prioritization, remediating, with at least one processor, the at least one information technology asset.

2. The method of claim 1, wherein the at least one information technology asset score is based at least partially on at least one information technology security exception score of at least one information technology security exception to the at least one information technology security rule.

3. The method of claim 1, wherein the at least one information technology asset comprises a plurality of information technology assets, and wherein the prioritizing comprises prioritizing a first information technology asset of the plurality of information technology assets over a second information technology asset of the plurality of information technology assets.

4. The method of claim 1, wherein the at least one information technology asset score is determined based at least partially on aggregate risk and/or aggregate severity scores for each of the associated at least one information technology security findings and/or each information technology security exception associated with the at least one information technology asset.

5. The method of claim 1, wherein the remediating comprises communicating a security fix to the at least one information technology asset.

6. The method of claim 1, wherein the remediating comprises quarantining the at least one information technology asset.

7. The method of claim 1, wherein the remediating comprises directing or controlling remediation of the at least one information technology asset.

8. A system for prioritizing information technology security findings for remediating information technology assets, comprising at least one server computer including at least one processor, the at least one server computer programmed and/or configured to:

determine a plurality of information technology security findings affecting at least one information technology asset based on at least one information technology security rule;

for each information technology security finding, determine at least one finding score based at least partially on information technology risk or severity associated with the information technology security finding;

automatically determine at least one information technology asset score for each information technology asset of the at least one information technology asset based at least partially on the at least one finding score associated with at least one information technology security finding affecting the information technology asset;

based on the at least one information technology asset score, prioritize remediation of the at least one information technology asset; and

based on the prioritization, remediate the at least one information technology asset.

9. The system of claim 8, wherein the at least one information technology asset score is based at least partially on at least one information technology security exception score of at least one information technology security exception to the at least one information technology security rule.

10. The system of claim 8, wherein the at least one information technology asset comprises a plurality of information technology assets, and wherein the at least one server computer prioritizes the plurality of information technology assets by prioritizing a first information technology asset of the plurality of information technology assets over a second information technology asset of the plurality of information technology assets.

11. The system of claim 8, wherein the at least one information technology asset score is determined based at least partially on aggregate risk and/or aggregate severity scores for each of the associated at least one information technology security findings and/or each information technology security exception associated with the at least one information technology asset.

12. The system of claim 8, wherein the remediating comprises communicating a security fix to the at least one information technology asset.

13. The system of claim 8, wherein the remediating comprises quarantining the at least one information technology asset.

14. The system of claim 8, wherein the remediating comprises directing or controlling remediation of the at least one information technology asset.

15. A method for prioritizing information technology security findings for remediating information technology assets comprising:

determining, with at least one processor, a plurality of historical information technology security findings affecting at least one information technology asset based on at least one information technology security rule;

for each historical information technology security finding, determining, with at least one processor, at least one finding score based at least partially on information technology risk or severity associated with the historical information technology security finding;

for each of the at least one information technology asset, determining, with at least one processor, a predictive security score based at least partially on at least one finding score associated with the information technology asset;

determining, with at least one processor, a rule-based remediation protocol based at least partially on the predictive security score of each of the at least one information technology asset; and

based on the rule-based remediation protocol, remediating, with at least one processor, the at least one information technology asset.

16. The method of claim 15, wherein the remediating comprises communicating a security fix to the at least one information technology asset.

17. The method of claim 15, wherein the remediating comprises quarantining the at least one information technology asset.

18. The method of claim 15, wherein the remediating comprises delaying remediation of the at least one information technology asset for a time period.

19. The method of claim 15, wherein the remediating comprises directing or controlling remediation of the at least one information technology asset.

20. A system for prioritizing information technology security findings for remediating information technology assets, comprising at least one server computer including at least one processor, the at least one server computer programmed and/or configured to:

determine a plurality of historical information technology security findings affecting at least one information technology asset based on at least one information technology security rule;

for each historical information technology security finding, determine at least one finding score based at least partially on information technology risk or severity associated with the historical information technology security finding;

for each of the at least one information technology asset, determine a predictive security score based at least partially on at least one finding score associated with the information technology asset;

determine a rule-based remediation protocol based at least partially on the predictive security score of each of the at least one information technology asset; and

based on the rule-based remediation protocol, remediate the at least one information technology asset.

21. The system of claim 20, wherein the remediating comprises communicating a security fix to the at least one information technology asset.

22. The system of claim 20, wherein the remediating comprises quarantining the at least one information technology asset.

23. The system of claim 20, wherein the remediating comprises delaying remediation of the at least one information technology asset for a time period.

24. The system of claim 20, wherein the remediating comprises directing or controlling remediation of the at least one information technology asset.

Description:
METHOD AND SYSTEM FOR PRIORITIZING INFORMATION TECHNOLOGY FINDINGS FOR REMEDIATING INFORMATION TECHNOLOGY ASSETS

BACKGROUND OF THE INVENTION

Field of the Invention

[0001] The invention relates to computer security, and, in non-limiting embodiments or aspects, a method and system for prioritizing information technology findings for remediating information technology assets to enhance computer security, network security, and/or computer system and network performance.

Description of Related Art

[0002] Information technology (IT) systems include a plurality of IT assets that interact (e.g., communicate) in a network to facilitate information processing. An IT system operates most effectively and most securely when IT assets are functioning properly and correctly interacting with one another according to IT security rules.

[0003] However, an IT asset of the IT system may not be in compliance with an IT security rule (be non-compliant, such as malfunctioning or having an IT security finding associated therewith), requiring remediation to be restored to its compliant state (e.g., secure state). Further, it is often the case that multiple assets are non-compliant simultaneously or during a short time period, making it difficult or impossible to remediate all of the non-compliant IT assets simultaneously. Thus, certain non-compliant IT assets may be remediated before other simultaneously non-compliant IT assets can be addressed.

[0004] Not all IT asset non-compliance has the same risk and/or severity associated with it. For example, a first IT asset non-compliance may pose only a moderate risk to the IT system, while a second, simultaneous IT asset non-compliance may pose a high risk to the IT system that, if not immediately remediated, could lead to catastrophic damage to the IT system. Existing methods and systems for prioritizing information security findings for remediating IT assets fail to account for the relative aggregate risk and/or severity of all outstanding IT asset non-compliance.

SUMMARY OF THE INVENTION

[0005] Accordingly, provided is an improved method and system for prioritizing information technology findings for remediating information technology assets to enhance computer and/or network security.

[0006] According to a non-limiting embodiment or aspect, provided is a method for prioritizing information technology security findings for remediating information technology assets, including: determining, with at least one processor, a plurality of information technology security findings affecting at least one information technology asset based on at least one information technology security rule; for each information technology security finding, determining, with at least one processor, at least one finding score based at least partially on information technology risk or severity associated with the information technology security finding; automatically determining, with at least one processor, at least one information technology asset score for each information technology asset of the at least one information technology asset based at least partially on the at least one finding score associated with at least one information technology security finding affecting the information technology asset; based on the at least one information technology asset score, prioritizing, with at least one processor, remediation of the at least one information technology asset; and based on the prioritization, remediating, with at least one processor, the at least one information technology asset.

[0007] In one non-limiting embodiment or aspect, the at least one information technology asset score may be based at least partially on at least one information technology security exception score of at least one information technology security exception to the at least one information technology security rule. The at least one information technology asset may include a plurality of information technology assets, and the prioritizing may include prioritizing a first information technology asset of the plurality of information technology assets over a second information technology asset of the plurality of information technology assets. The at least one information technology asset score may be determined based at least partially on aggregate risk and/or aggregate severity scores for each of the associated at least one information technology security findings and/or each information technology security exception associated with the at least one information technology asset. The remediating may include communicating a security fix to the at least one information technology asset. The remediating may include quarantining the at least one information technology asset. The remediating may include directing or controlling remediation of the at least one information technology asset.
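
The steps of paragraphs [0006] and [0007] (finding scores, exception scores, an aggregate asset score, prioritization, and a choice of remediation) can be followed in the added Python example below, which is not code from the patent or its assignee. The severity weights, summation as the aggregate, the quarantine threshold, the action names, and the choice to count a finding covered by an exception only through its exception score are all assumptions, and the asset and rule names are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed severity-to-score weights; the patent text gives no numeric values.
SEVERITY_SCORE = {"low": 1, "medium": 4, "high": 7, "critical": 10}
# Assumed cut-off: at or above this asset score the asset is quarantined
# rather than sent a fix.
QUARANTINE_THRESHOLD = 15


@dataclass(frozen=True)
class Finding:
    asset: str
    rule: str
    severity: str


@dataclass(frozen=True)
class RuleException:
    asset: str
    rule: str
    score: int  # residual risk recorded when the exception was granted


def finding_score(finding):
    """Score one finding from its severity; unknown severities are rejected."""
    try:
        return SEVERITY_SCORE[finding.severity]
    except KeyError:
        raise ValueError(f"unknown severity: {finding.severity!r}") from None


def asset_scores(findings, exceptions):
    """Aggregate finding scores and exception scores per asset.

    Assumption: a finding on a rule that has an exception for the same asset
    is not scored as a finding; the exception score stands in for it, so the
    waived rule is not counted twice.
    """
    waived = {(e.asset, e.rule) for e in exceptions}
    totals = defaultdict(int)
    for f in findings:
        if (f.asset, f.rule) not in waived:
            totals[f.asset] += finding_score(f)
    for e in exceptions:
        totals[e.asset] += e.score
    return dict(totals)


def prioritize(findings, exceptions):
    """Return (asset, score, action) tuples, highest asset score first."""
    ranked = sorted(asset_scores(findings, exceptions).items(),
                    key=lambda item: (-item[1], item[0]))
    return [
        (asset, score,
         "quarantine" if score >= QUARANTINE_THRESHOLD else "push_fix")
        for asset, score in ranked
    ]


def worst_finding_order(findings):
    """Baseline for comparison: rank assets by their single worst finding."""
    worst = defaultdict(int)
    for f in findings:
        worst[f.asset] = max(worst[f.asset], finding_score(f))
    return [a for a, _ in sorted(worst.items(), key=lambda i: (-i[1], i[0]))]


# Constructed sample data (not from the patent).
FINDINGS = [
    Finding("db-01", "os-patch-level", "critical"),
    Finding("web-02", "os-patch-level", "medium"),
    Finding("web-02", "ssh-root-login", "medium"),
    Finding("web-02", "audit-logging", "medium"),
    Finding("web-02", "tls-min-version", "high"),   # covered by an exception
    Finding("hr-laptop-17", "disk-encryption", "medium"),
    Finding("hr-laptop-17", "screen-lock", "low"),
]
EXCEPTIONS = [RuleException("web-02", "tls-min-version", 4)]

if __name__ == "__main__":
    for asset, score, action in prioritize(FINDINGS, EXCEPTIONS):
        print(f"{asset:14} score={score:3} action={action}")
    print("worst-finding order:", worst_finding_order(FINDINGS))
```

With this sample data the aggregate ranking puts web-02 ahead of db-01 even though db-01 holds the only critical finding, which is the difference from single-finding ranking that paragraph [0004] points to.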

[0008] According to a non-limiting embodiment or aspect, provided is a system for prioritizing information technology security findings for remediating information technology assets, including at least one server computer including at least one processor, the at least one server computer programmed and/or configured to: determine a plurality of information technology security findings affecting at least one information technology asset based on at least one information technology security rule; for each information technology security finding, determine at least one finding score based at least partially on information technology risk or severity associated with the information technology security finding; automatically determine at least one information technology asset score for each information technology asset of the at least one information technology asset based at least partially on the at least one finding score associated with at least one information technology security finding affecting the information technology asset; based on the at least one information technology asset score, prioritize remediation of the at least one information technology asset; and based on the prioritization, remediate the at least one information technology asset.

[0009] In one non-limiting embodiment or aspect, the at least one information technology asset score may be based at least partially on at least one information technology security exception score of at least one information technology security exception to the at least one information technology security rule. The at least one information technology asset may include a plurality of information technology assets, and the at least one server computer may prioritize the plurality of information technology assets by prioritizing a first information technology asset of the plurality of information technology assets over a second information technology asset of the plurality of information technology assets. The at least one information technology asset score may be determined based at least partially on aggregate risk and/or aggregate severity scores for each of the associated at least one information technology security findings and/or each information technology security exception associated with the at least one information technology asset. The remediating may include communicating a security fix to the at least one information technology asset. The remediating may include quarantining the at least one information technology asset. The remediating may include directing or controlling remediation of the at least one information technology asset.

[0010] According to a non-limiting embodiment or aspect, provided is a method for prioritizing information technology security findings for remediating information technology assets including: determining, with at least one processor, a plurality of historical information technology security findings affecting at least one information technology asset based on at least one information technology security rule; for each historical information technology security finding, determining, with at least one processor, at least one finding score based at least partially on information technology risk or severity associated with the historical information technology security finding; for each of the at least one information technology asset, determining, with at least one processor, a predictive security score based at least partially on at least one finding score associated with the information technology asset; determining, with at least one processor, a rule-based remediation protocol based at least partially on the predictive security score of each of the at least one information technology asset; and based on the rule-based remediation protocol, remediating, with at least one processor, the at least one information technology asset.

[0011] In one non-limiting embodiment or aspect, the remediating may include communicating a security fix to the at least one information technology asset. The remediating may include quarantining the at least one information technology asset. The remediating may include delaying remediation of the at least one information technology asset for a time period. The remediating may include directing or controlling remediation of the at least one information technology asset.

[0012] According to a non-limiting embodiment or aspect, provided is a system for prioritizing information technology security findings for remediating information technology assets, including at least one server computer including at least one processor, the at least one server computer programmed and/or configured to: determine a plurality of historical information technology security findings affecting at least one information technology asset based on at least one information technology security rule; for each historical information technology security finding, determine at least one finding score based at least partially on information technology risk or severity associated with the historical information technology security finding; for each of the at least one information technology asset, determine a predictive security score based at least partially on at least one finding score associated with the information technology asset; determine a rule-based remediation protocol based at least partially on the predictive security score of each of the at least one information technology asset; and based on the rule-based remediation protocol, remediate the at least one information technology asset.

[0013] In one non-limiting embodiment or aspect, the remediating may include communicating a security fix to the at least one information technology asset. The remediating may include quarantining the at least one information technology asset. The remediating may include delaying remediation of the at least one information technology asset for a time period. The remediating may include directing or controlling remediation of the at least one information technology asset.

[0014] Further embodiments or aspects are set forth in the following numbered clauses:

[0015] Clause 1: A method for prioritizing information technology security findings for remediating information technology assets, comprising: determining, with at least one processor, a plurality of information technology security findings affecting at least one information technology asset based on at least one information technology security rule; for each information technology security finding, determining, with at least one processor, at least one finding score based at least partially on information technology risk or severity associated with the information technology security finding; automatically determining, with at least one processor, at least one information technology asset score for each information technology asset of the at least one information technology asset based at least partially on the at least one finding score associated with at least one information technology security finding affecting the information technology asset; based on the at least one information technology asset score, prioritizing, with at least one processor, remediation of the at least one information technology asset; and based on the prioritization, remediating, with at least one processor, the at least one information technology asset.

[0016] Clause 2: The method of clause 1, wherein the at least one information technology asset score is based at least partially on at least one information technology security exception score of at least one information technology security exception to the at least one information technology security rule.

[0017] Clause 3: The method of clause 1 or 2, wherein the at least one information technology asset comprises a plurality of information technology assets, and wherein the prioritizing comprises prioritizing a first information technology asset of the plurality of information technology assets over a second information technology asset of the plurality of information technology assets.

[0018] Clause 4: The method of any of the preceding clauses, wherein the at least one information technology asset score is determined based at least partially on aggregate risk and/or aggregate severity scores for each of the associated at least one information technology security findings and/or each information technology security exception associated with the at least one information technology asset.

[0019] Clause 5: The method of any of the preceding clauses, wherein the remediating comprises communicating a security fix to the at least one information technology asset.

[0020] Clause 6: The method of any of the preceding clauses, wherein the remediating comprises quarantining the at least one information technology asset.

[0021] Clause 7: The method of any of the preceding clauses, wherein the remediating comprises directing or controlling remediation of the at least one information technology asset.

[0022] Clause 8: A system for prioritizing information technology security findings for remediating information technology assets, comprising at least one server computer including at least one processor, the at least one server computer programmed and/or configured to: determine a plurality of information technology security findings affecting at least one information technology asset based on at least one information technology security rule; for each information technology security finding, determine at least one finding score based at least partially on information technology risk or severity associated with the information technology security finding; automatically determine at least one information technology asset score for each information technology asset of the at least one information technology asset based at least partially on the at least one finding score associated with at least one information technology security finding affecting the information technology asset; based on the at least one information technology asset score, prioritize remediation of the at least one information technology asset; and based on the prioritization, remediate the at least one information technology asset.

[0023] Clause 9: The system of clause 8, wherein the at least one information technology asset score is based at least partially on at least one information technology security exception score of at least one information technology security exception to the at least one information technology security rule.

[0024] Clause 10: The system of clause 8 or 9, wherein the at least one information technology asset comprises a plurality of information technology assets, and wherein the at least one server computer prioritizes the plurality of information technology assets by prioritizing a first information technology asset of the plurality of information technology assets over a second information technology asset of the plurality of information technology assets.

[0025] Clause 11: The system of any of clauses 8-10, wherein the at least one information technology asset score is determined based at least partially on aggregate risk and/or aggregate severity scores for each of the associated at least one information technology security findings and/or each information technology security exception associated with the at least one information technology asset.

[0026] Clause 12: The system of any of clauses 8-11, wherein the remediating comprises communicating a security fix to the at least one information technology asset.

[0027] Clause 13: The system of any of clauses 8-12, wherein the remediating comprises quarantining the at least one information technology asset.

[0028] Clause 14: The system of any of clauses 8-13, wherein the remediating comprises directing or controlling remediation of the at least one information technology asset.

[0029] Clause 15: A method for prioritizing information technology security findings for remediating information technology assets comprising: determining, with at least one processor, a plurality of historical information technology security findings affecting at least one information technology asset based on at least one information technology security rule; for each historical information technology security finding, determining, with at least one processor, at least one finding score based at least partially on information technology risk or severity associated with the historical information technology security finding; for each of the at least one information technology asset, determining, with at least one processor, a predictive security score based at least partially on at least one finding score associated with the information technology asset; determining, with at least one processor, a rule-based remediation protocol based at least partially on the predictive security score of each of the at least one information technology asset; and based on the rule-based remediation protocol, remediating, with at least one processor, the at least one information technology asset.

[0030] Clause 16: The method of clause 15, wherein the remediating comprises communicating a security fix to the at least one information technology asset.

[0031] Clause 17: The method of clause 15 or 16, wherein the remediating comprises quarantining the at least one information technology asset.

[0032] Clause 18: The method of any of clauses 15-17, wherein the remediating comprises delaying remediation of the at least one information technology asset for a time period.

[0033] Clause 19: The method of any of clauses 15-18, wherein the remediating comprises directing or controlling remediation of the at least one information technology asset.

[0034] Clause 20: A system for prioritizing information technology security findings for remediating information technology assets, comprising at least one server computer including at least one processor, the at least one server computer programmed and/or configured to: determine a plurality of historical information technology security findings affecting at least one information technology asset based on at least one information technology security rule; for each historical information technology security finding, determine at least one finding score based at least partially on information technology risk or severity associated with the historical information technology security finding; for each of the at least one information technology asset, determine a predictive security score based at least partially on at least one finding score associated with the information technology asset; determine a rule-based remediation protocol based at least partially on the predictive security score of each of the at least one information technology asset; and based on the rule-based remediation protocol, remediate the at least one information technology asset.

[0035] Clause 21: The system of clause 20, wherein the remediating comprises communicating a security fix to the at least one information technology asset.

[0036] Clause 22: The system of clause 20 or 21, wherein the remediating comprises quarantining the at least one information technology asset.

[0037] Clause 23: The system of any of clauses 20-22, wherein the remediating comprises delaying remediation of the at least one information technology asset for a time period.

[0038] Clause 24: The system of any of clauses 20-23, wherein the remediating comprises directing or controlling remediation of the at least one information technology asset.

[0039] These and other features and characteristics of the present invention, as well as the methods of operation and functions of the related elements of structures and the combination of parts and economies of manufacture, will become more apparent upon consideration of the following description and the appended claims with reference to the accompanying drawings, all of which form a part of this specification, wherein like reference numerals designate corresponding parts in the various figures. It is to be expressly understood, however, that the drawings are for the purpose of illustration and description only and are not intended as a definition of the limits of the invention. As used in the specification and the claims, the singular form of “a,” “an,” and “the” include plural referents unless the context clearly dictates otherwise.

BRIEF DESCRIPTION OF THE DRAWINGS

[0040] Additional advantages and details of the invention are explained in greater detail below with reference to the exemplary embodiments that are illustrated in the accompanying schematic figures, in which:

[0041] FIG. 1 shows a schematic view of one non-limiting embodiment or aspect of a system for prioritizing IT security findings for remediating IT assets, the system including an IT system having a remediation system for remediating the IT security findings affecting the IT assets;

[0042] FIG. 2 shows a schematic view of one non-limiting embodiment or aspect of a remediation system for remediating IT security findings affecting IT assets;

[0043] FIG. 3A shows a table including exemplary asset scores corresponding to assets in an IT system;

[0044] FIG. 3B shows a table including exemplary finding scores corresponding to IT security findings in an IT system;

[0045] FIG. 3C shows a table including exemplary exception scores corresponding to IT security exceptions in an IT system;

[0046] FIG. 4 shows a step diagram of one non-limiting embodiment or aspect of a method for prioritizing IT security findings for remediating IT assets;

[0047] FIG. 5 shows a step diagram of one non-limiting embodiment or aspect of a method for prioritizing IT security findings for remediating IT assets;

[0048] FIG. 6 shows a process flow diagram of one non-limiting embodiment or aspect of a method for prioritizing IT security findings for remediating IT assets;

[0049] FIG. 7 shows a process flow diagram of one non-limiting embodiment or aspect of a method for prioritizing IT security findings for remediating IT assets; and

[0050] FIG. 8 shows a user interface according to one non-limiting embodiment or aspect provided based on a system for prioritizing IT security findings for remediating IT assets.

DESCRIPTION OF THE INVENTION

[0051] For purposes of the description hereinafter, the terms “end,” “upper,” “lower,” “right,” “left,” “vertical,” “horizontal,” “top,” “bottom,” “lateral,” “longitudinal,” and derivatives thereof shall relate to the invention as it is oriented in the drawing figures. However, it is to be understood that the invention may assume various alternative variations and step sequences, except where expressly specified to the contrary. It is also to be understood that the specific devices and processes illustrated in the attached drawings, and described in the following specification, are simply exemplary embodiments or aspects of the invention. Hence, specific dimensions and other physical characteristics related to the embodiments or aspects disclosed herein are not to be considered as limiting.

[0052] As used herein, the terms "communication" and "communicate" may refer to the reception, receipt, transmission, transfer, provision, and/or the like of information (e.g., data, signals, messages, instructions, commands, and/or the like). For one unit (e.g., a device, a system, a component of a device or system, combinations thereof, and/or the like) to be in communication with another unit means that the one unit is able to directly or indirectly receive information from and/or transmit information to the other unit. This may refer to a direct or indirect connection (e.g., a direct communication connection, an indirect communication connection, and/or the like) that is wired and/or wireless in nature. Additionally, two units may be in communication with each other even though the information transmitted may be modified, processed, relayed, and/or routed between the first and second unit. For example, a first unit may be in communication with a second unit even though the first unit passively receives information and does not actively transmit information to the second unit. As another example, a first unit may be in communication with a second unit if at least one intermediary unit (e.g., a third unit located between the first unit and the second unit) processes information received from the first unit and communicates the processed information to the second unit. In some non-limiting embodiments, a message may refer to a network packet (e.g., a data packet, and/or the like) that includes data. It will be appreciated that numerous other arrangements are possible.

[0053] As used herein, the term "server" may refer to or include one or more processors or computers, storage devices, or similar computer arrangements that are operated by or facilitate communication and processing for multiple parties in a network environment, such as the Internet, although it will be appreciated that communication may be facilitated over one or more public or private network environments and that various other arrangements are possible. Further, multiple computers, e.g., servers or other computerized devices, directly or indirectly communicating in the network environment may constitute a "system," such as a merchant's point-of-sale system. Reference to “a server” or “a processor,” as used herein, may refer to a previously-recited server and/or processor that is recited as performing a previous step or function, a different server and/or processor, and/or a combination of servers and/or processors. For example, a first server and/or a first processor that is recited as performing a first step or function may refer to the same or different server and/or a processor recited as performing a second step or function.

[0054] As used herein, the term “computing device” may refer to one or more electronic devices that are configured to directly or indirectly communicate with or over one or more networks. The computing device may be a mobile device. As an example, a mobile device may include a cellular phone (e.g., a smartphone or standard cellular phone), a portable computer, a wearable device (e.g., watches, glasses, lenses, clothing, and/or the like), a personal digital assistant (PDA), and/or other like devices. In other non-limiting embodiments, the computing device may be a desktop computer, or other non-mobile computer. Furthermore, the term “computer” may refer to any computing device that includes the necessary components to receive, process, and output data, and normally includes a display, a processor, a memory, an input device, and a network interface. An “application” or “application program interface” (API) refers to computer code or other data sorted on a computer-readable medium that may be executed by a processor to facilitate the interaction between software components, such as a client-side front-end and/or server-side back-end for receiving data from the client. An “interface” refers to a generated display, such as one or more graphical user interfaces (GUIs) with which a user may interact, either directly or indirectly (e.g., through a keyboard, mouse, etc.).

[0055] As used herein, the term “information technology system” or “IT system” may refer to a plurality of IT assets directly or indirectly communicating in one or more network environments to facilitate information processing. Information processing may include creating, modifying, communicating, storing, and/or securing electronic data, as examples. As used herein, the term “information technology asset” or “IT asset” may refer to one or more devices, subsystems, and/or processes used to facilitate information processing. An IT asset may include physical devices for facilitating information processing, such as computing devices, processors, servers, storage devices, and other hardware. An IT asset may include software used to facilitate information processing, such as one or more software applications. In some examples, an IT asset may include a subsystem of IT assets (e.g., a computer system within the IT system) for facilitating information processing. An IT asset may also include a combination of software and hardware components for facilitating information processing.

[0056] As used herein, the term “information technology security rule” or “IT security rule” may refer to one or more regulations or parameters by which an IT asset operates. The IT security rule may also regulate the way in which IT assets operate with respect to one another (e.g., communicate with one another). An IT security rule may be based on a governmental law or statute, an industry standard, a best practice, a preferred practice, a company policy, an asset-specific manual, or any other relevant IT-related source of rules.

[0057] As used herein, the term “information technology security finding” or “IT security finding” may refer to a determination that an IT asset is non-compliant or is at risk of becoming non-compliant with an IT security rule. As used herein, the term “information technology security exception” or “IT security exception” may refer to a case in which an IT security rule does not apply to an IT asset. The IT security exception may be a temporary or permanent exception to the IT security rule. The IT security exception may be condition based, such that if a condition is satisfied, the IT security exception to the IT security rule is in force for the IT asset. For example, an IT asset may not be compliant with an IT security rule; however, an IT security exception may be in effect such that the IT asset is considered compliant even though it is non-compliant with the IT security rule.

[0058] Non-limiting embodiments or aspects of the present invention are directed to a method and system for prioritizing IT security findings for remediating IT assets. Non-limiting embodiments or aspects of the method and system allow for an IT system, including multiple IT assets that interact to facilitate information processing, to be maintained more effectively and securely. Non-limiting embodiments or aspects of the present invention allow for the prioritization and remediation of non-compliant IT assets in an order that minimizes the risks the non-compliant IT assets pose to the IT system. Furthermore, non-limiting embodiments or aspects of the present invention allow for the prioritization and remediation of the IT assets most severely affected by the presence of IT findings in the IT system ahead of less severely affected IT assets. The prioritization and remediation may also consider both the risks associated with the non-compliant IT assets and the most severely affected IT assets in combination. Non-limiting embodiments or aspects of the present invention may allow for the determination of a predictive security score for the IT assets based at least partially on a finding score based on historical IT security findings for the IT asset. A rule-based remediation protocol may be determined based at least partially on the predictive security scores, which may be used to remediate the IT assets, in some cases, before the IT asset even becomes non-compliant since the predictive security score may indicate a likelihood of the IT security asset to become non-compliant (e.g., have an IT security finding) during a future time period. Non-limiting embodiments or aspects of the present invention also provide for an improved IT infrastructure in which IT assets may be automatically remediated based on prioritization and machine learning.

[0059] Referring to FIG. 1, a system 1000 for prioritizing IT security findings for remediating IT assets is shown according to a non-limiting embodiment or aspect. The system 1000 may include an IT system 10 having a plurality of IT assets 12a-12i communicating in a network environment to facilitate information processing. The IT assets 12a-12i may include individual hardware devices, software programs, computer systems, and/or the like. Each of the IT assets 12a-12i in the IT system 10 may be in communication with another of the IT assets 12a-12i in the IT system 10. It will be appreciated that various arrangements are possible.

[0060] Referring to FIGS. 1 and 2, in some non-limiting embodiments or aspects the IT system 10 may include a remediation system 14, which may be configured to remediate non-compliant IT assets 12a-12i in the IT system 10. A non-compliant IT asset 12a-12i may be defined as an IT asset having an IT security finding associated therewith (as discussed herein). The remediation system 14 may include a remediation processor 16 in communication with the IT assets 12a-12i and may initiate remediation of any IT assets 12a-12i that are determined to be non-compliant.

[0061] The remediation processor 16 may determine that an IT asset is non-compliant using any suitable method. For example, the remediation processor 16 may determine that an IT asset is non-compliant by communicating with the IT asset. For example, the remediation processor 16 may communicate to the IT asset, such as by running diagnostics on the IT asset or directing diagnostics to be run on the IT asset to determine whether the IT asset is non-compliant (is non-compliant with an IT security rule). In some examples, the remediation processor 16 may collect diagnostic data from the IT assets 12a-12i, may generate diagnostic data based on raw data received from the IT assets 12a-12i, may cause the IT assets 12a-12i to conduct individual diagnostic tests, and/or the like. In some examples, the remediation processor 16 may retrieve data from the IT asset to determine whether the IT asset is non-compliant. The remediation processor 16 may retrieve data from the IT asset periodically in batches or continuously to determine whether the IT asset is non-compliant. The remediation processor 16 may determine that the IT asset is non-compliant based at least partially on a lack of or a delayed signal or communication from the IT asset.

[0062] With continued reference to FIG. 2, in some non-limiting embodiments or aspects, the remediation system 14 may include a rules database 18. The rules database 18 may store IT security rules associated with the IT assets 12a-12i that define conditions under which the IT assets 12a-12i are considered non-compliant. The rules database 18 may be local or remote to the remediation system 14. The IT security rules may be based on a governmental law or statute, an industry standard, a best practice, a preferred practice, a company policy, an asset-specific manual, or other relevant IT-related source. The remediation processor 16 may be in communication with the rules database 18 and may determine IT security findings associated with the IT assets 12a-12i (e.g., determine whether any IT assets 12a-12i are non-compliant based on the IT security rules stored in the rules database 18).

[0063] With continued reference to FIG. 2, in some non-limiting embodiments or aspects, the remediation system 14 may include an exceptions database 20. The exceptions database 20 may store IT security exceptions associated with the IT assets 12a-12i. In some examples, the exceptions database 20 and rules database 18 may be part of a single database. The IT security exceptions define cases in which an IT security rule does not apply to the IT assets 12a-12i. The IT security exception may be applicable to the associated IT security rule for a predefined period of time or may be indefinitely defined as an IT security exception to the IT security rule. The remediation processor 16 may be in communication with the exceptions database 20 and may determine whether any IT security exception applies to one of the IT assets 12a-12i having an IT security finding for being non-compliant with an IT security rule.

[0064] With continued reference to FIG. 2, in some non-limiting embodiments or aspects, the remediation system 14 may include a historical findings database 22. The historical findings database 22 may store IT security findings associated with the IT assets 12a-12i and determined by the remediation processor 16 during a time period. The remediation processor 16 may be in communication with the historical findings database 22.

[0065] Referring to FIGS. 1-3C, in some non-limiting embodiments the remediation processor 16 may communicate with at least one of the IT assets 12a-12i, the rules database 18, and/or the exceptions database 20 to determine a plurality of security findings affecting at least one of the IT assets 12a-12i (e.g., determine which IT assets 12a-12i are non-compliant with the IT security rules). For each IT security finding, the remediation processor 16 may determine at least one finding score based at least partially on the IT risk or IT severity associated with the IT security finding. An IT risk may refer to the potential exposure of the IT system 10 to harm from the existence of the IT security finding. An IT severity may refer to the extent of the non-compliance associated with the IT asset.

[0066] Referring to FIG. 3B, exemplary IT security findings scores are shown for exemplary IT security findings according to a non-limiting embodiment or aspect. For example, for IT security Finding #1 in FIG. 3B, the remediation processor 16 determined that IT Asset #2 (e.g., IT asset 12b from FIG. 1) was non-compliant with IT security Rule #1 and determined the finding score to be 8.6 on a scale of 0-10, with 0 being the least serious IT security finding score and 10 being the most serious finding score. It will be appreciated that numerical scales other than 1-10 may be used, and that grading scales other than numerical scales may be used (e.g., A-F, pass/fail, low/high, and/or the like).

[0067] With continued reference to FIGS. 1-3C, in some non-limiting embodiments or aspects, the remediation processor 16 may automatically determine at least one IT asset score for each IT asset. The IT asset score may be based at least partially on the finding scores associated with the plurality of IT security findings affecting the IT assets 12a-12i. FIG. 3A shows exemplary IT asset scores for the exemplary IT Assets #1-9 (e.g., IT assets 12a-12i from FIG. 1) according to a non-limiting embodiment or aspect. FIG. 3A shows the IT security rules with which each IT asset 12a-12i is non-compliant. For example, IT Asset #1 12a is compliant with every IT security rule, while IT Asset #8 12h is non-compliant with IT security Rules #5, #32, and #75. FIG. 3A also shows the IT security exceptions which apply to each IT asset, providing an exception to at least one of the IT security rules with which that IT asset is non-compliant.

[0068] As shown in FIG. 3A, in some non-limiting embodiments or aspects, the remediation processor 16 may determine at least one IT asset score for each IT asset. The remediation processor 16 may determine an overall score as the IT asset score, which may consider all factors weighed in determining IT asset scores. The remediation processor 16 may determine a severity score as the IT asset score, which may more heavily weigh factors associated with IT severity associated with the IT asset compared to IT risk associated with the IT asset, but may include certain factors associated with IT risk associated with the IT asset. This severity score may be considered “severity dominant” in that it is weighed toward considering factors associated with IT severity associated with the IT asset. The remediation processor 16 may determine a risk score as the IT asset score, which may more heavily weigh factors associated with IT risk associated with the IT asset compared to IT severity associated with the IT asset, but may include certain factors associated with IT severity associated with the IT asset. This risk score may be considered “risk dominant” in that it is weighed toward considering factors associated with IT risk associated with the IT asset. The remediation processor 16 may determine a severity without risk score as the IT asset score, which may only consider factors associated with IT severity associated with the IT asset and does not include factors associated with IT risk associated with the IT asset. It will be appreciated that other IT asset scores may be determined by the remediation processor 16 by selecting a certain subset of factors to include in determining the IT asset score or weighing the included factors in a specific way. The IT asset scores may be determined based at least partially on aggregate IT risk factors and/or aggregate IT severity factors for each relevant IT security finding and/or each IT security exception associated with the IT asset. The example shown in FIG. 3A uses a 0-10 scale similar to that shown in FIG. 3B for the IT asset scores, but it will be appreciated that any type of scale (numerical or otherwise) may be used.

[0069] Referring to FIG. 3C, the remediation processor 16 may determine an IT security exception score for each IT security exception to the at least one IT security rule. The example shown in FIG. 3C uses a 0-10 scale similar to that shown in FIG. 3B, but it will be appreciated again that any type of scale (numerical or otherwise) may be used. The IT asset score determined by the remediation processor 16 may be based at least partially on the relevant IT security exception scores.

[0070] In some non-limiting embodiments or aspects, the remediation processor 16 may prioritize remediation of the IT assets 12a-12i based on the at least one IT asset score. The remediation processor 16 may prioritize remediation of the IT assets 12a-12i based on a single IT asset score. For example, the prioritization may be based on the Security Score, in which case Asset #9 (from FIG. 3A) would receive the highest priority. For example, the prioritization may be based on the risk score, in which case Asset #8 (from FIG. 3A) would receive the highest priority. However, the remediation processor 16 may prioritize remediation of the IT assets 12a-12i based on some combination of the IT asset scores, such as equally or unequally weighing each score to determine prioritization of remediation.

[0071] In some non-limiting embodiments or aspects, the remediation processor 16 may remediate the IT assets based on the prioritization. For example, the remediation of the IT assets may be executed in an order determined by the prioritization. The terms “remediate” and “remediation,” as used herein, may refer to any action taken to facilitate addressing an IT security finding associated with the IT asset. For example, remediation may include the remediation processor 16 communicating and/or applying a security fix to the IT asset (e.g., the IT asset itself or a governing entity thereof), such as communicating a patch to the IT asset and/or installing the patch. As another example, remediation may include the remediation processor 16 quarantining the IT asset within the IT system 10. Remediation may also include the remediation processor 16 directing or controlling remediation of the IT asset, such as directing another system, device, or an individual to fix the IT asset in a specific order or scheduling remediation of the IT asset. In some examples, remediation may include the remediation processor 16 delaying remediation of the IT asset for a designated time period or directing that remediation of the IT asset be delayed for a designated time period. The prioritization and remediation as previously described may allow for the IT system 10 (and the IT assets therein) to be remediated in the most effective and secure manner and/or in the manner that reduces risk to the IT system 10.

[0072] As described above, the prioritization and the remediation based on the prioritization may be based on the at least one IT asset score, such that the prioritization and remediation is “asset centric.” In this way, the IT asset with the highest asset score may be remediated first, including all findings and/or exceptions associated with that highest priority IT asset. However, it will be appreciated that prioritization and remediation may be “finding centric,” such that the prioritization and remediation is based on the finding scores where the IT security finding with the highest finding score may be remediated first, including every IT asset associated with that highest priority IT security finding. It will also be appreciated that analogous prioritization and remediation may be “exception centric,” such that the prioritization and remediation is based on the exception scores where the IT security exception with the highest exception score may be remediated first, including every IT asset associated with that highest priority IT security exception. In non-limiting embodiments, a combination of “asset centric,” “finding centric,” and “exception centric” prioritization and remediation methods may also be used.

[0073] Therefore, in some non-limiting embodiments or aspects, all IT security findings associated with the highest priority IT asset may be remediated first. However, in other non-limiting embodiments or aspects, a first IT security finding and/or exception associated with a first IT asset may be remediated first and then a second IT security finding and/or exception associated with a second IT asset may be remediated second before the remaining IT security findings and/or exceptions are remediated for the first IT asset. Certain IT assets, certain IT security findings, and/or certain IT security exceptions may be remediated according to the prioritization determined most efficient and/or most risk reducing by the remediation processor 16.
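The following Python sketch is an added illustration of the scoring in paragraphs [0068]-[0073] and of how asset-centric and finding-centric orderings can disagree; it is not code from the patent. The weight profiles, the noisy-OR aggregation, the use of an exception score as a residual factor, and all sample values are assumptions (only the 8.6 finding score for Asset #2 and Rule #1 is taken from the text).

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Finding:
    asset: str
    rule: int
    severity: float  # 0-10, extent of the non-compliance
    risk: float      # 0-10, potential exposure of the IT system


# Assumed (severity weight, risk weight) pairs for the four asset score types.
PROFILES = {
    "overall": (0.5, 0.5),
    "severity_dominant": (0.8, 0.2),
    "risk_dominant": (0.2, 0.8),
    "severity_without_risk": (1.0, 0.0),
}

# Constructed sample data. Asset 2 / Rule 1 averages to the 8.6 quoted for
# Finding #1; the severity/risk split and every other value are invented.
FINDINGS = [
    Finding("asset-2", 1, 9.0, 8.2),
    Finding("asset-3", 1, 2.0, 2.0),
    Finding("asset-5", 7, 9.5, 9.5),
    Finding("asset-8", 5, 4.0, 9.5),
    Finding("asset-8", 32, 3.0, 7.0),
    Finding("asset-8", 75, 2.0, 6.0),
    Finding("asset-9", 12, 9.5, 3.0),
    Finding("asset-9", 40, 8.0, 2.0),
]

# (asset, rule) -> exception score on 0-10. Assumption: the score is the share
# of the finding that still counts while the exception is in force.
EXCEPTIONS = {("asset-5", 7): 2.0}


def finding_score(f, profile, exceptions):
    """Weighted severity/risk score of one finding, reduced by any exception."""
    w_sev, w_risk = PROFILES[profile]
    score = w_sev * f.severity + w_risk * f.risk
    exception = exceptions.get((f.asset, f.rule))
    if exception is not None:
        score *= exception / 10.0
    return score


def asset_scores(findings, profile, exceptions):
    """Aggregate finding scores per asset with a noisy-OR, staying on 0-10."""
    per_asset = {}
    for f in findings:
        per_asset.setdefault(f.asset, []).append(
            finding_score(f, profile, exceptions))
    return {asset: 10.0 * (1.0 - prod(1.0 - s / 10.0 for s in scores))
            for asset, scores in per_asset.items()}


def asset_centric(findings, profile, exceptions):
    """Assets ordered by descending asset score; all their findings go together."""
    scores = asset_scores(findings, profile, exceptions)
    return sorted(scores, key=lambda a: (-scores[a], a))


def finding_centric(findings, profile, exceptions):
    """Rules ordered by their worst finding score, each with every affected asset."""
    by_rule = {}
    for f in findings:
        score = finding_score(f, profile, exceptions)
        top, assets = by_rule.get(f.rule, (0.0, []))
        by_rule[f.rule] = (max(top, score), assets + [f.asset])
    ranked = sorted(by_rule.items(), key=lambda kv: (-kv[1][0], kv[0]))
    return [(rule, sorted(assets)) for rule, (_, assets) in ranked]


if __name__ == "__main__":
    for name in PROFILES:
        print(name, asset_centric(FINDINGS, name, EXCEPTIONS))
    print("finding centric:", finding_centric(FINDINGS, "overall", EXCEPTIONS))
```

With this data the severity-dominant profile puts asset-9 first and the risk-dominant profile puts asset-8 first, while the finding-centric ordering starts with Rule 1 and both assets that violate it.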

[0074] Referring back to FIGS. 1-3C, in some non-limiting embodiments or aspects, and as previously mentioned, the remediation processor 16 may determine a plurality of IT security findings affecting one or more of the IT assets 12a-12i based on at least one IT security rule. The IT security findings may be communicated by the remediation processor 16 to the historical findings database 22 for storage. The IT security findings communicated to the historical findings database 22 by the remediation processor 16 may be considered historical IT security findings.

[0075] At a later time, the historical findings database 22 may communicate a plurality of historical IT security findings, which occurred over a time period, to the remediation processor 16. For each historical IT security finding, the remediation processor 16 may determine at least one finding score in the same way as shown in FIG. 3B and previously described in connection therewith. The finding score in this non-limiting embodiment or aspect may be based at least partially on the IT risk or IT severity associated with the historical IT security finding.

[0076] Referring to FIG. 3A, for each IT asset, the remediation processor 16 may determine at least one predictive security score based at least partially on the finding scores associated with the historical IT security findings associated with each of the IT assets. The predictive security score may consider all relevant factors or some subset thereof and may be determined in the same manner as the previously-described methods associated with the overall score, severity score, risk score, severity without risk score, or other asset score. Thus, the predictive security score may be severity dominant, risk dominant, or exclusively severity considering (without risk inclusion), as previously described. The predictive security score may reflect the likelihood of the IT security asset to become non-compliant (have an IT security finding) during a future time period, based at least partially on an analysis by the remediation processor 16 of the historical security findings (e.g., from the finding scores thereof). Any type of scale, such as the 1-10 scale shown in FIG. 3A, may be used.

[0077] With continued reference to FIG. 3A, in some non-limiting embodiments or aspects, the remediation processor 16 may determine a rule-based remediation protocol based at least partially on the predictive security score of each IT asset. The remediation protocol may include rules that determine when or if the remediation processor 16 should remediate the IT security asset. For example, the remediation protocol may determine that a specific asset not be remediated until the predictive security score reaches a certain threshold. The remediation protocol may also include rules that determine an order in which remediation of the IT assets may be effected.

[0078] In some non-limiting embodiments or aspects, based on the remediation protocol, the remediation processor 16 may remediate the at least one IT asset as previously described. Remediation based on the historical IT security findings and the rule-based remediation protocol may allow for preventative remediation of the IT system 10 (and the assets therein) before a future IT security finding even occurs.
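As an added illustration of paragraphs [0075]-[0078] (not code from the patent), the sketch below derives a predictive security score from historical finding scores and applies a threshold-based remediation protocol. The 90-day half-life, the two thresholds, the 30-day delay, the action labels, and the sample history are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HistoricalFinding:
    asset: str
    age_days: int  # days since the finding was recorded
    score: float   # finding score on the 0-10 scale

# Assumed protocol parameters; the text only says thresholds and delays may exist.
HALF_LIFE_DAYS = 90.0  # an old finding counts half as much every 90 days
REMEDIATE_AT = 6.0     # predictive score at or above this: remediate now
DELAY_AT = 4.0         # at or above this (but below REMEDIATE_AT): delay
DELAY_DAYS = 30

# Constructed history, as it might be read back from the historical findings store.
HISTORY = [
    HistoricalFinding("asset-4", 0, 6.0),
    HistoricalFinding("asset-4", 90, 8.0),
    HistoricalFinding("asset-6", 180, 8.0),
    HistoricalFinding("asset-7", 90, 6.0),
    HistoricalFinding("asset-7", 90, 4.0),
]


def predictive_scores(history):
    """Recency-weighted noisy-OR of past finding scores per asset, on 0-10."""
    remaining = {}
    for h in history:
        weight = 0.5 ** (h.age_days / HALF_LIFE_DAYS)
        remaining[h.asset] = (remaining.get(h.asset, 1.0)
                              * (1.0 - weight * h.score / 10.0))
    return {asset: 10.0 * (1.0 - r) for asset, r in remaining.items()}


def remediation_protocol(history):
    """Ordered (asset, action) plan: highest predictive score first."""
    scores = predictive_scores(history)
    plan = []
    for asset in sorted(scores, key=lambda a: (-scores[a], a)):
        if scores[asset] >= REMEDIATE_AT:
            action = "remediate"
        elif scores[asset] >= DELAY_AT:
            action = f"delay {DELAY_DAYS}d"
        else:
            action = "monitor"  # below threshold: no remediation yet
        plan.append((asset, action))
    return plan


if __name__ == "__main__":
    for asset, action in remediation_protocol(HISTORY):
        print(asset, action)
```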

[0079] Referring to FIG. 4, a method 4000 for prioritizing IT security findings for remediating IT assets 12a-12i is shown. At step 400, the remediation processor 16 may determine a plurality of IT security findings affecting the at least one IT asset based on at least one IT security rule. At step 402, the remediation processor 16 may determine, for each IT security finding, at least one finding score based at least partially on the IT risk or IT severity associated with the IT security finding. At step 404, the remediation processor 16 may automatically determine at least one IT asset score for each IT asset based at least partially on the at least one finding score associated with the at least one IT security finding affecting the IT asset. At step 406, the remediation processor 16 may, based on the IT asset score, prioritize remediation of the at least one IT asset. At a step 408, the remediation processor 16 may remediate the at least one IT asset as previously described.

[0080] Referring to FIG. 5, a method 5000 for prioritizing IT security findings for remediating IT assets 12a-12i is shown. At step 500, the remediation processor 16 may determine a plurality of historical IT security findings affecting at least one IT asset based on at least one IT security rule. At step 502, the remediation processor 16 may determine, for each historical IT security finding, at least one finding score based at least partially on the IT risk or IT severity associated with the historical IT security finding. At step 504, for each IT asset, the remediation processor 16 may determine a predictive security score based at least partially on finding scores associated with the IT security asset. At a step 506, the remediation processor 16 may determine a rule-based remediation protocol based at least partially on the predictive security score of each IT asset. At a step 508, the remediation processor 16 may remediate, as previously described, the at least one IT asset based on the rule-based remediation protocol.

[0081] Referring to FIG. 8, a graphical user interface 8000 may be provided to allow users, such as owners and/or managers of each IT asset, to view the health of their IT asset based on the previously described systems and methods for remediating IT security findings affecting IT assets. As used herein, the health of the IT asset may include data related to the IT security findings and IT security exceptions associated with the IT asset.

[0082] With continued reference to FIG. 8, the interface 8000 may display an asset identifier to identify the IT asset associated with the displayed data (“Asset #2785” in FIG. 8). The interface 8000 may also display the name of the IT asset and a brief description of the IT asset. Various other information related to specifications of the IT asset may also be displayed.

[0083] With continued reference to FIG. 8, the interface 8000 may display a health score for the IT asset associated with the displayed data (“18,121” in FIG 8). The health score may be any of the previously described asset scores, finding scores, exception scores, or some combination thereof. The interface may display information regarding IT security findings associated with the IT asset. The IT security findings may be sorted by the type of IT security finding (e.g., findings associated with security of the asset, mobile security of the asset, the firewall, and other relevant groupings). Each IT security finding may be assigned a level {e.g., critical, high, medium, low, very low) associated with risk and/or severity associated with the finding. Colors, numerical rankings, or other sorting differentiators may be assigned to each level so that the user can more easily see the risk and/or severity associated with the IT security findings associated with the IT asset.

[0084] The interface 8000 may display information regarding IT security exceptions associated with the IT asset. The IT security exceptions may be sorted by the status of IT security exception (e.g., draft exceptions, submitted exceptions, approved exceptions, expired exceptions, and other relevant groupings). Each IT security exception may be assigned a level (e.g., critical, high, medium, low, very low) associated with risk and/or severity associated with the exception. Colors, numerical rankings, or other sorting differentiators may be assigned to each level so that the user can more easily see the risk and/or severity associated with the IT security exceptions associated with the IT asset.

[0085] The interface 8000 may display more or less detailed information compared to that shown in FIG. 8. More information may be displayed to show the user how the displayed health score was determined. For example, the same information shown in the tables of FIGS. 3A-3C may be displayed in an interface so that the user may see more specifically how the health score for the IT asset was determined and how the IT asset compares to other IT assets. Colors, numerical rankings, or other sorting differentiators may be used to aid the user in viewing the risk and/or severity associated with the IT asset, IT security findings, and/or IT security exceptions.

[0086] The interface may show the user the prioritization of IT assets relative to one another. For example, the interface may display a table that prioritizes a first IT asset before a second IT asset based at least partially on the asset scores, finding scores, exception scores, or any other score described herein. The user may interact with the interface 8000 to modify and/or confirm the prioritization of the IT assets prior to or during remediation. The user may initiate the remediation by interacting with the interface. In this way, the user may control remediation of the IT assets.

[0087] It will be appreciated that the interface 8000 shown in FIG. 8 is only one exemplary interface, and any interface that shows the user information regarding the IT asset may be used. The interface may show the user information at a high level, or may provide more detailed information based on user preference.

EXAMPLES

[0088] The following examples are provided to illustrate embodiments or aspects of the method and system for prioritizing IT security findings for remediating IT assets and are not meant to be limiting.

Example 1

[0089] Referring to FIGS. 1-6, and particularly FIG. 6, a non-limiting example of a method 6000 for prioritizing IT security findings for remediating IT assets is shown for Corporation, Inc. (hereinafter “Corporation”) having an IT system 10 as shown in FIGS. 1 and 2. Corporation’s IT system 10 includes Assets #1-9, which are IT assets 12a-12i as previously described. Assets #1-9 12a-12i are in communication with one another in the IT system 10, as shown in FIG. 1.

[0090] Referring to FIG. 6, at a first step (s1), the rules database 18 communicates with the remediation processor 16 to communicate at least one IT security rule to the remediation processor 16. The IT security rules may be based on applicable United States law (or laws of other countries or regions in which Corporation operates), standards applicable for Corporation’s industry, Corporation’s best practices, Corporation’s preferred practice, the Corporation’s company policies, an asset-specific manual for specific Assets #1-9 12a-12i, or other relevant IT-related source of rules. At a second step (s2), Assets #1-9 12a-12i communicate with the remediation processor 16 such that the remediation processor 16 can determine whether any of Assets #1-9 12a-12i is non-compliant with an IT security rule. The remediation processor 16 periodically runs diagnostic tests on Assets #1-9 12a-12i and/or determines whether Assets #1-9 12a-12i are non-compliant with an IT security rule in any other suitable way.

[0091] With continued reference to FIG. 6, at a third step (s3), the remediation processor 16 determines a plurality of IT security findings affecting Assets #1-9 12a-12i based on the IT security rules from the rules database 18 (from the first step (s1)) and the communication with Assets #1-9 12a-12i (from the second step (s2)). At a fourth step (s4), the remediation processor 16 determines a finding score for each IT security finding based at least partially on IT risk or IT severity associated with the IT security finding. FIGS. 3A and 3B show the IT security findings and finding scores associated with Assets #1-9 12a-12i. FIGS. 3A and 3C show the IT security exceptions to the IT security rules and IT security exception scores, respectively. All scores in FIGS. 3A-3C are provided on a 1-10 scale.

[0092] With continued reference to FIG. 6, at a fifth step (s5), the remediation processor 16 automatically determines at least one technology asset score for Assets #1-9 12a-12i based partially on the at least one finding score from the fourth step (s4). FIG. 3A shows exemplary asset scores for Assets #1-9 12a-12i, including an overall score, a security score, a risk score, and a severity without risk score, as previously described. These scores are provided on a 1-10 scale, as previously described.

[0093] With continued reference to FIG. 6, at a sixth step (s6), the remediation processor 16 prioritizes remediation of Assets #1-9 12a-12i based on the at least one IT asset score. The prioritization may be performed using one or some combination of the overall score, the security score, the risk score, and the severity without risk score, or other form of IT asset score. As previously discussed, the prioritization in the sixth step (s6) may be “finding centric,” “exception centric”, or may use a combination of asset scores, finding scores, and/or exception scores to determine prioritization. At a seventh step (s7), the remediation processor 16 communicates with Assets #1-9 12a-12i to remediate Assets #1-9 12a-12i based on the prioritization from the sixth step (s6). In this way, Corporation’s IT system 10 is remediated more efficiently and the risks associated with the IT system 10 are reduced.
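The following sketch is an added illustration of steps s4 through s6 and is not part of the application. The sample findings are constructed, and the formulas are assumptions: the finding score is taken as the mean of risk and severity, the asset score as the worst finding score, and “finding centric” and “exception centric” are read as choosing which of the two scores leads the ordering.

```python
from collections import defaultdict

# Constructed sample data: (asset, rule, risk 1-10, severity 1-10, covered by exception)
FINDINGS = [
    ("Asset #1", "patch-level", 9, 7, False),
    ("Asset #1", "tls-config", 4, 3, False),
    ("Asset #2", "patch-level", 6, 8, True),
    ("Asset #3", "firewall", 5, 5, False),
    ("Asset #3", "default-creds", 10, 9, True),
]

def finding_score(risk, severity):
    """Step s4. Assumed formula: mean of risk and severity, both on the 1-10 scale."""
    for value in (risk, severity):
        if not 1 <= value <= 10:
            raise ValueError(f"score {value} is outside the 1-10 scale")
    return (risk + severity) / 2

def asset_scores(findings):
    """Step s5. Assumed aggregation: each asset's worst open-finding score and
    worst excepted-finding score; 0.0 means the asset has none of that kind."""
    scores = defaultdict(lambda: {"finding": 0.0, "exception": 0.0})
    for asset, _rule, risk, severity, excepted in findings:
        kind = "exception" if excepted else "finding"
        scores[asset][kind] = max(scores[asset][kind], finding_score(risk, severity))
    return dict(scores)

def prioritize(findings, mode="finding"):
    """Step s6. Order assets for remediation, highest score first. `mode` picks the
    score that leads the sort; the other score, then the name, break ties."""
    if mode not in ("finding", "exception"):
        raise ValueError(f"unknown mode: {mode}")
    other = "exception" if mode == "finding" else "finding"
    scores = asset_scores(findings)
    return sorted(scores, key=lambda a: (-scores[a][mode], -scores[a][other], a))

if __name__ == "__main__":
    for mode in ("finding", "exception"):
        print(mode, prioritize(FINDINGS, mode))
```

With the same findings, the two modes produce different remediation orders, which is why the choice of leading score has to be fixed before the queue is handed to step s7.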

Example 2

[0094] Referring to FIGS. 1-5 and 7 and, in particular, FIG. 7, a non-limiting example of a method 7000 for prioritizing IT security findings for remediating IT assets 12a-12i is shown for Corporation (from Example 1) having the same IT system 10 as described in Example 1.

[0095] The first through third steps (s1-s3) from Example 1 (see FIG. 6) are identical to the first through third steps (p1-p3) for Example 2 (see FIG. 7).

[0096] At a fourth step (p4), the remediation processor 16 communicates the plurality of IT security findings affecting Assets #1-9 12a-12i to the historical findings database 22 for storage, and these IT security findings in the historical findings database 22 are considered historical IT security findings. At a later time period, at a fifth step (p5), the historical findings database 22 communicates IT security findings from a time period to the remediation processor 16. In this way, the historical findings database 22 communicates the IT security findings communicated from the remediation processor 16 back to the remediation processor 16 for the relevant time period.

[0097] With continued reference to FIG. 7, at a sixth step (p6), the remediation processor 16 determines a plurality of historical IT security findings affecting Assets #1-9 12a-12i based on the at least one IT security rule from the first step (p1). At a seventh step (p7), for each historical IT security finding, the remediation processor 16 determines at least one finding score based at least partially on the IT risk or IT severity associated with the historical IT security finding. FIGS. 3A and 3B show the historical IT security findings and finding scores associated with Assets #1-9 12a-12i. FIGS. 3A and 3C show the IT security exceptions to the IT security rules and exception scores. The scores are provided on a 1-10 scale.

[0098] At an eighth step (p8), for each of Assets #1-9 12a-12i, the remediation processor 16 determines the predictive security score shown in FIG. 3A and previously described. These predictive security scores are provided on a 1-10 scale, as previously described. The predictive security score reflects the likelihood of Assets #1-9 12a-12i to become non-compliant (have an IT security finding) during a future time period, based at least partially on an analysis by the remediation processor 16 of the historical security findings (e.g., based on the finding scores).

[0099] At a ninth step (p9), the remediation processor 16 determines a rule-based remediation protocol based at least partially on the predictive security score for Assets #1-9 12a-12i. At a tenth step (p10), the remediation processor 16 communicates with Assets #1-9 12a-12i to remediate Assets #1-9 12a-12i based on the rule-based remediation protocol from the ninth step (p9). In this way, Corporation’s IT system 10 is remediated to allow for preventative remediation of the IT system 10 (and the IT assets therein 12a-12i) before a future IT security finding even occurs.
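The following sketch is an added illustration of steps p7 through p9 and is not part of the application. The history is constructed, and the model is an assumption: the predictive security score is a recency-weighted mean of each past period's worst finding score, floored at 1 to stay on the 1-10 scale, and the rule-based remediation protocol is an ordered threshold table with hypothetical action names.

```python
# Constructed history: per asset, the finding scores (1-10) recorded in each past
# period, oldest period first. An empty list means no finding in that period.
HISTORY = {
    "Asset #1": [[8, 6], [7], [9, 5]],
    "Asset #2": [[], [6], [5]],
    "Asset #3": [[], [], []],
}

# Step p9. Assumed rule table, checked in order: (minimum predictive score, action).
PROTOCOL_RULES = [
    (8.0, "remediate now"),
    (4.0, "schedule in next maintenance window"),
    (0.0, "monitor"),
]

def predictive_score(periods, decay=0.5):
    """Step p8. Assumed model: weight each period's worst finding score by
    decay**age (newest period has age 0), average, and floor the result at 1."""
    if not 0 < decay <= 1:
        raise ValueError("decay must be in (0, 1]")
    if not periods:
        return 1.0  # no history at all: lowest score on the scale
    for period in periods:
        if any(not 1 <= score <= 10 for score in period):
            raise ValueError("finding scores must be on the 1-10 scale")
    newest = len(periods) - 1
    weights = [decay ** (newest - i) for i in range(len(periods))]
    worst = [max(period, default=0) for period in periods]  # 0 = compliant period
    weighted = sum(w * s for w, s in zip(weights, worst)) / sum(weights)
    return round(max(1.0, weighted), 1)

def remediation_protocol(history, rules=PROTOCOL_RULES):
    """Step p9. Map each asset to (predictive score, first rule whose floor it meets)."""
    plan = {}
    for asset, periods in history.items():
        score = predictive_score(periods)
        action = next(name for floor, name in rules if score >= floor)
        plan[asset] = (score, action)
    return plan

if __name__ == "__main__":
    for asset, (score, action) in remediation_protocol(HISTORY).items():
        print(f"{asset}: predictive score {score} -> {action}")
```

Asset #2 has no finding above 6 yet still lands in the scheduled tier, because its two most recent periods both carried findings; the recency weighting is what lets remediation be planned ahead of the next finding.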

[00100] Although the invention has been described in detail for the purpose of illustration based on what is currently considered to be the most practical and preferred embodiments, it is to be understood that such detail is solely for that purpose and that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover modifications and equivalent arrangements that are within the spirit and scope of the appended claims. For example, it is to be understood that the present invention contemplates that, to the extent possible, one or more features of any embodiment can be combined with one or more features of any other embodiment.