Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant's arguments filed have been fully considered.
Examiner has incorporated Chen US 2022/0366340 to teach patch cadence in an effort to expedite prosecution but maintains the positions made in the previous office actions with regard to determination of a patch cadence.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kassoumeh US 10,546,135 in view of Crabtree US 2021/0360032 in view of Badhwar US 2021/0194883 in view of Chen US 2022/0366340
As per claim 8. Kassoumeh teaches A method of performing risk management of networked systems, the method comprising: performing at least one of external network assessments and external web application assessments; determining a patching cadence on the networked systems; analyzing historic data breaches of the networked systems; performing an environmental risk assessment on networked systems; assessing risks associated with vendors of networked systems; and performing compliance and control gap assessment. (Column 2 lines 13-50)(Column 7 lines 30-47)(Column 31 lines 44-53)(Column 34 lines 13-22) (claim 10) (teaches cyber security risk level score based on questionnaires and assessment including vendors, patching cadence, breach history, compliance)
Crabtree more explicitly teaches that the assessment is an external assessment of a network including vulnerability assessment of patch cadence, environment risk, open ports. Crabtree teaches identifying potential vulnerabilities at a network layer of the networked system. [0004][0048][0063]-[0065][0069][0103] (teaches external cybersecurity risk analysis, vulnerability analysis via external reconnaissance and scans, including port scans vulnerabilities, security audits, vulnerability detection, including network and application layers)
It would have been obvious to one of ordinary skill in the art to use the teaching of Crabtree with Kassoumeh because it provides a more comprehensive risk analysis.
Badhwar teaches determining a patching cadence comprises: identifying available patches for various portions of networked systems that have yet to be installed; and determining the patching cadence based on either a date a given patch was available or a date a patchable vulnerability was identified. [0073][0074] (teaches patch status, length of time to patch, and risk score)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to teach the patch status of Badhwar with the prior art because it increases the accuracy of the security assessment.
Chen teaches determining a patching cadence on the networked systems corresponding to a timing of system updates for the networked systems. [0048] (monthly) [0053] (
Security updates and device update cadence) [0058] (device health score based on monthly cadence and latest security updates) Table 1 (showing risk/health based on system updates and recent activity)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to teach the cadence of Chen with the prior art because it increases the accuracy of entity health status.
Claim(s) 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kassoumeh US 10,546,135 in view of Crabtree US 2021/0360032 in view of Badhwar US 2021/0194883 in view of Chen US 2022/0366340 in view of Wolpoff US 2021/0200595.
As per claim 9. Wolpoff teaches The method of claim 8 further comprising: harvesting domain records based on one or more root domains of the networked systems; identifying externally facing assets of the networked systems; and gathering geolocation and open port information of the networked systems. [0009][0033][0034][0071][0086][0096][0097] (teaches obtaining records of domains, location, and open ports of the networked systems)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Wolpoff with the prior art because it adds more information to assess network security.
Claim(s) 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kassoumeh US 10,546,135 in view of Crabtree US 2021/0360032 in view of Badhwar US 2021/0194883 in view of Chen US 2022/0366340in view of Fokker US 2022/0103575
As per claim 13. Fokker teaches The method of claim 8 further comprising discovering networked-systems data on dark-web sources to identify one or more of breach sources, dates of available data, and credentials associated with the networked systems. [0019][0025][0027][0039]-[0043] (teaches scraping the dark web for cybercriminal artifacts including breaches, dates and credentials)
It would have been obvious to one of ordinary skill in the art to use the teaching of Fokker at the time the invention was filed with the prior art because it increases security data.
Claim(s) 14, 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kassoumeh US 10,546,135 in view of Crabtree US 2021/0360032 in view of Badhwar US 2021/0194883 in view of Chen US 2022/0366340 in view of Ranum US 2014/0013434.
As per claim 14. Ranum teaches The method of claim 8 further comprising detecting malware and malicious activity on the networked system. [0020] (teaches local and remote scanning via an agent for malware by comparing hashes to malware signatures)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Ranum with the prior art because it increases the system security.
As per claim 15. Ranum teaches The method of claim 14, wherein detecting malware and malicious activity comprises: installing an internal agent on the networked systems; and performing, with the internal agent, a malware assessment by generating hashes of files stored on the networked and comparing the hashes to known hash values for known malware. [0020] (teaches local and remote scanning via an agent for malware by comparing hashes to malware signatures)
Claim(s) 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kassoumeh US 10,546,135 in view of Crabtree US 2021/0360032 in view of Badhwar US 2021/0194883 in view of Chen US 2022/0366340in view of Ward US 2020/0111038
As per claim 16. Ward teaches The method of claim 8, wherein performing an environmental risk assessment on networked systems comprises collecting data from government resources to build historical data on environmental threats. [0005][0061] (teaches historical risk data from NOAA and USGS)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teachings of Ward with the prior art because it increases the vulnerability assessment data input.
Claim(s) 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kassoumeh US 10,546,135 in view of Crabtree US 2021/0360032 in view of Badhwar US 2021/0194883 in view of Chen US 2022/0366340 in view of Kavi US 2018/0205755.
As per claim 17. Kavi teaches The method of claim 8 further comprising assessing a cloud configuration of the networked systems. [0005][0006][0020][0021][0034] (teaches vulnerability detection including cloud configuration.)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teachings of Kavi with the prior art because it increases the vulnerability assessment data input.
Claim(s) 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kassoumeh US 10,546,135 in view of Crabtree US 2021/0360032 in view of Badhwar US 2021/0194883 in view of Chen US 2022/0366340in view of Kremer US 20220350923
As per claim 18. Kremer teaches The method of claim 8 further comprising performing an insider threat assessment using internal security information and event management of the networked systems. [0025]-[0028] (teaches insider threat assessment based on user telemetry)
It would have been obvious at the time the invention was filed to use the teaching of Kremer with the prior art because it increases the security of the system.
Claim(s) 19, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kassoumeh US 10,546,135 in view of Crabtree US 2021/0360032 in view of Badhwar US 2021/0194883 in view of Chen US 2022/0366340 in view of Gourisetti US 2021/0110319
As per claim 19. Gourisetti teaches The method of claim 8 further comprising performing a second-level risk assessment. [0028][0030][0031][0044][0089] (teaches risk assessment and measuring the impact of an attack)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Gourisetti with the prior art because it improves risk assessment accuracy.
As per claim 20. Gourisetti teaches The method of claim 19, wherein the second-level risk assessment comprises: determining an initial risk assessment based on risk likelihood and impact; and performing a qualitative risk assessment to determine an impact of a threat. [0028][0030][0031][0044][0089] (teaches risk assessment and measuring the impact of an attack)
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439