A little-noticed press release passed through my mail last week. NetClarity was assigned a patent titled Proactive network security system to protect against hackers, patent No. 7,346,922. I read through the patent, and I have to say it aptly describes a NAC product and functionality that were available before the filing date of July 26, 2004. I wouldn't be surprised if NetClarity starts pounding the pavement trying to drum up license fees.
I have nothing against NetClarity, and, to be fair, I didn't even reach out to the company for comment. I just think this patent is another reason the U.S. patent process is doing more harm than good. The patent describes "a proactive network security system to protect against hackers for the proactive automated defense against hackers by automatically finding, reporting, communicating with countermeasures about and removing the common vulnerabilities and exposures (CVEs) that they exploit." In other words, the invention (though I am loath to call it that) describes a process to scan for vulnerabilities and then carry out automatic remediation. OoooK. Like THAT wasn't being done before 2004, when the patent was filed.
This patent should not have been issued. With a little research, I could probably dig up actual products that performed precisely what is described in this patent and had been in use for several years. What is more surprising is seeing the patents that were referenced, such as patent No. 7,086,089, Systems and methods for network security, which describes storing data about systems, communicating that data to a processor, and searching the data for security problems, a.k.a. a security event management system. There also is patent No. 7,159,237, A method and system for dynamic network intrusion monitoring, detection, and response, which describes monitoring, event correlation, and identification of security events, and includes a knowledge base, much like a security operations center.
I read the patents in enough detail to unravel some of the obfuscated language, vague terminology, and broad claims. What I see claimed in each case is that the listed inventors mashed up a bunch of existing technology and processes and said, "Look! We have a new thing," when, in reality, they simply wrote down what either already existed or was pretty obvious. How these applications received a patent is beyond me.
Can It Be Enforced?
Back to the point. In my nonlegal opinion, I can't see how this patent can be enforced. The wording is sufficiently vague that what it describes is, quite frankly, an obvious business process. Scanning for vulnerabilities and then patching them is a well-known, longstanding process that has often been carried out with multiple tools. That is exactly what the patent describes. I could even apply the same logic to server and desktop management systems and patch management systems that have been in use for years.
Then there are parts of the patent that are highly specific. At certain points, the patent specifies searching for Common Vulnerabilities and Exposures against the list managed by MITRE, or using SSL to transmit results back to a server. So does that mean that if a system doesn't use MITRE's CVE list, or transmits its results with something other than SSL, the patent doesn't apply? I don't know.