DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The amendment filed 12/14/2020 has been placed of record in the file.
Claims 1, 9, and 17 have been amended.
Claims 1-4, 6, 8-12, 14, and 16-22 are pending.
The applicant’s arguments with respect to claims 1-4, 6, 8-12, 14, and 16-22 have been considered but are moot in view of the following new grounds of rejection.
The IDS filed 12/24/2020 has been considered.

Response to Amendment
Claims have been amended to further define the plurality of computing assets in the computing environment.  The amendment proves a change in scope to the independent claims as the independent claims now explicitly state that the at least one related computing asset is of the plurality of computing assets and reliant on a service provided by the first computing asset, etc.  However, none of the amended claims show a patentable distinction over the prior as evidenced by the following new grounds of rejection.

Claim Rejections - 35 USC § 103
8.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

10.	Claims 1, 3, 6, 8, 9, 11, 14, and 16-21 are rejected under 35 U.S.C. 103 as being unpatentable over Carver et al. (U.S. Patent Application Publication Number 2015/0365438), hereinafter referred to as Carver, in view of Wright et al. (U.S. Patent Application Publication Number 2005/0055578), hereinafter referred to as Wright, further in view of Smith-Mickelson et al. (U.S. Patent Application Publication Number 2006/0059568), hereinafter referred to as Smith.
Carver disclosed techniques for automatically implementing a response to one or more security incidents.  In an analogous art, Wright disclosed techniques for using security policies to protect resources in a network.  Also in an analogous art, Smith disclosed techniques for monitoring and control of network resources.  All of these systems deal with protecting resources in a computing network.
Regarding claim 1, Carver discloses a method of operating an advisement system to provide security actions in a computing environment, the method comprising: in a processing system of the advisement system, receiving communication reports indicative of communication interactions between a plurality of computing assets in the computing environment (paragraph 22, multiple computing devices in communication, and paragraph 38, packet capture monitoring systems); after identifying the communication interactions, identifying, by the advisement system, a security incident affecting a first computing asset of the plurality of computing assets (paragraph 48, security incident identified); obtaining enrichment information about the security incident from one or more resources (paragraph 16, insights); determining a rule set for the 
Carver does not explicitly state the one or more secondary security actions comprising actions to prevent communication requests from the first computing asset and permit outgoing communication requests to the first computing asset.  However, adaptive port blocking was well known in the art as evidenced by Wright.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Carver by adding the ability for the one or more secondary security actions comprising actions to prevent communication requests from the first computing asset and permit outgoing communication requests to the first computing asset as provided by Wright (see paragraph 267, outgoing traffic permitted and unsolicited incoming traffic blocked).  One of ordinary skill in the art would have recognized the benefit that providing adaptive port blocking in such a fashion would assist in providing flexibility for different levels of security protection and security features in a network (see Wright, paragraph 12).
reliant on a service provided by the first computing asset.  However, identifying and managing computing devices connected to a particular server under threat was well known in the art as evidenced by Smith.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Carver and Wright by adding the ability for the at least one related computing asset of the plurality of computing assets in communication with the first computing asset being reliant on a service provided by the first computing asset as provided by Smith (see paragraph 20, tracks connections by client, and when firewall blocks traffic to an affected server, redirects connection requests).  One of ordinary skill in the art would have recognized the benefit that limiting access or usage would assist in avoiding failures in network-connected systems (see Smith, paragraph 3).
Regarding claim 3, the combination of Carver, Wright, and Smith discloses wherein the one or more resources comprise one or more databases or websites (Carver, paragraph 14, receives information from intelligence feeds).
Regarding claim 6, the combination of Carver, Wright, and Smith discloses wherein the security action comprises an action to prevent outgoing communication requests from the first computing asset (Carver, paragraph 52, restricting communications capabilities of devices prevents spread of threat).
Regarding claim 8, the combination of Carver, Wright, and Smith discloses wherein identifying the security incident in the first computing asset in the plurality of computing assets 
Regarding claim 9, Carver discloses a non-transitory computer readable storage medium having instructions stored thereon, that when executed by an advisement computing system, direct the advisement computing system to perform a method of providing security actions in a computing environment, the method comprising: receiving communication reports indicative of communication interactions between a plurality of computing assets in the computing environment (paragraph 22, multiple computing devices in communication, and paragraph 38, packet capture monitoring systems); after identifying the communication interactions, identifying, by an advisement system, a security incident affecting a first computing asset of the plurality of computing assets (paragraph 48, security incident identified); obtain enrichment information about the security incident from one or more resources (paragraph 16, insights); determining a rule set for the security incident based on the enrichment information (paragraph 49, predefined ontology); determining at least one security action to be taken against the security incident in the first computing asset based on the rule set (paragraph 50, response strategy selected); identifying, by the advisement system and based on the communication interactions, at least one related computing asset of the plurality of computing assets in communication with the first computing asset affected by the security incident (paragraph 52, computing devices under threat); and determining one or more secondary security actions to be taken against the security incident in the at least one related computing asset based on the rule set, wherein the one or more secondary security actions comprise actions to prevent communication requests (paragraph 52, restricting communications capabilities of devices under threat).
actions to prevent communication requests from the first computing asset and permit outgoing communication requests to the first computing asset.  However, adaptive port blocking was well known in the art as evidenced by Wright.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Carver by adding the ability for the one or more secondary security actions comprising actions to prevent communication requests from the first computing asset and permit outgoing communication requests to the first computing asset as provided by Wright (see paragraph 267, outgoing traffic permitted and unsolicited incoming traffic blocked).  One of ordinary skill in the art would have recognized the benefit that providing adaptive port blocking in such a fashion would assist in providing flexibility for different levels of security protection and security features in a network (see Wright, paragraph 12).
The combination of Carver and Wright does not explicitly state the at least one related computing asset of the plurality of computing assets in communication with the first computing asset being reliant on a service provided by the first computing asset.  However, identifying and managing computing devices connected to a particular server under threat was well known in the art as evidenced by Smith.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Carver and Wright by adding the ability for the at least one related computing asset of the plurality of computing assets in communication with the first computing asset being reliant on a service provided by the first computing asset as provided by Smith (see paragraph 20, tracks connections by client, and when firewall blocks traffic to an 
Regarding claim 11, the combination of Carver, Wright, and Smith discloses wherein the one or more resources comprise one or more databases or websites (Carver, paragraph 14, receives information from intelligence feeds).
Regarding claim 14, the combination of Carver, Wright, and Smith discloses wherein the security action comprises an action to prevent outgoing communication requests from the first computing asset (Carver, paragraph 52, restricting communications capabilities of devices prevents spread of threat).
Regarding claim 16, the combination of Carver, Wright, and Smith discloses wherein identifying the security incident in the first computing asset in the plurality of computing assets comprises receiving a notification of the security incident in the first computing asset from a security information and event management (SIEM) (Carver, paragraph 38, SIEM).
Regarding claim 17, Carver discloses an apparatus to provide security actions in a computing environment, the apparatus comprising: one or more non-transitory computer readable storage media; a processing system operatively coupled with the one or more non-transitory computer readable storage media; processing instructions stored on the one or more non-transitory computer readable media that, when executed by the processing system, direct the processing system to at least: receive communication reports indicative of communication interactions between a plurality of computing assets in the computing environment (paragraph 22, multiple computing devices in communication, and paragraph 38, packet capture monitoring systems); identify a security incident affecting a first computing asset of a plurality of computing 
Carver does not explicitly state the security actions comprising actions implemented in the at least one computing asset to prevent the at least one computing asset from accepting communication requests from the first computing asset and permit outgoing communication requests to the first computing asset.  However, adaptive port blocking was well known in the art as evidenced by Wright.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Carver by adding the ability for the security actions comprising actions implemented in the at least one computing asset to prevent the at least one computing asset from accepting communication requests from the first computing asset and permit outgoing communication requests to the first computing asset as provided by Wright (see paragraph 267, outgoing traffic permitted and unsolicited incoming traffic blocked).  One of ordinary skill in the art would have recognized the benefit that providing adaptive port blocking in such a fashion would assist in providing flexibility for different levels of security protection and security features in a network (see Wright, paragraph 12).
reliant on a service provided by the first computing asset.  However, identifying and managing computing devices connected to a particular server under threat was well known in the art as evidenced by Smith.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Carver and Wright by adding the ability for the at least one related computing asset of the plurality of computing assets in communication with the first computing asset being reliant on a service provided by the first computing asset as provided by Smith (see paragraph 20, tracks connections by client, and when firewall blocks traffic to an affected server, redirects connection requests).  One of ordinary skill in the art would have recognized the benefit that limiting access or usage would assist in avoiding failures in network-connected systems (see Smith, paragraph 3).
Regarding claim 18, the combination of Carver, Wright, and Smith discloses wherein the security actions further comprise an action to prevent outgoing communication requests from the first computing asset (Carver, paragraph 52, restricting communications capabilities of devices prevents spread of threat).
Regarding claim 19, the combination of Carver, Wright, and Smith discloses wherein the processing instructions to obtain enrichment information related to the security incident direct the processing system to obtain enrichment information from at least one internal or external source related to the security incident (Carver, paragraph 14, receives information from intelligence feeds).
Regarding claim 20, the combination of Carver, Wright, and Smith discloses wherein the processing instructions to determine the security actions to be taken against the security incident based on the rule set direct the processing system to identify default security actions associated with the rule set to be taken against the security incident (Carver, paragraph 50, response strategy selected).
Regarding claim 21, the combination of Carver, Wright, and Smith discloses wherein the plurality of computing assets comprises physical computing systems or virtual machines (Carver, paragraph 22, multiple computing devices in communication).

11.	Claims 2, 4, 10, 12, and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Carver in view of Wright, in view of Smith, further in view of Amsler (U.S. Patent Application Publication Number 2014/0259170).
The combination of Carver, Wright, and Smith disclosed techniques for automatically implementing a response to one or more security incidents.  In an analogous art, Amsler disclosed techniques for a risk assessment and managed security system for dealing with cyber threats.  Both systems deal directly with responding to security incidents in a computing network.
Regarding claim 2, the combination of Carver, Wright, and Smith discloses wherein determining the at least one security action to be taken against the security incident in the first computing asset based on the rule set comprises determining at least one default security action to be taken against the security incident in the first computing asset based on the rule set (Carver, paragraph 49, predefined ontology).

Regarding claim 4, the combination of Carver, Wright, and Smith discloses wherein determining the at least one security action to be taken against the security incident in the first computing asset based on the rule set comprises: identifying one or more suggested security actions to be supplied to an administrator based on the rule set (Carver, paragraph 56, possible actions, and Carver, paragraph 49, predefined ontology); and identifying a selected security action by the administrator (Carver, paragraph 57, operator selects possible action).
The combination of Carver, Wright, and Smith does not explicitly state identifying the one or more suggested security actions to be supplied based on a criticality rating for the first computing asset.  However, using a criticality rating in such a fashion was well known in the art as evidenced by Amsler.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Carver, Wright, and Smith by adding the ability for 
Regarding claim 10, the combination of Carver, Wright, and Smith discloses wherein determining the at least one security action to be taken against the security incident in the first computing asset based on the rule set comprises determining at least one default security action to be taken against the security incident in the first computing asset based on the rule set (Carver, paragraph 49, predefined ontology).
The combination of Carver, Wright, and Smith does not explicitly state determining the at least one default security action to be taken based on a criticality rating for the first computing asset.  However, using a criticality rating in such a fashion was well known in the art as evidenced by Amsler.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Carver, Wright, and Smith by adding the ability for determining the at least one default security action to be taken based on a criticality rating for the first computing asset as provided by Amsler (see paragraph 41, ranks devices by criticality).  One of ordinary skill in the art would have recognized the benefit that providing such information would assist in supplying a more comprehensive approach to presenting and analyzing security data (see Amsler, paragraph 4).
Regarding claim 12, the combination of Carver, Wright, and Smith discloses wherein determining the at least one security action to be taken against the security incident in the first 
The combination of Carver, Wright, and Smith does not explicitly state identifying the one or more suggested security actions to be supplied based on a criticality rating for the first computing asset.  However, using a criticality rating in such a fashion was well known in the art as evidenced by Amsler.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Carver, Wright, and Smith by adding the ability for identifying the one or more suggested security actions to be supplied based on a criticality rating for the first computing asset as provided by Amsler (see paragraph 41, ranks devices by criticality).  One of ordinary skill in the art would have recognized the benefit that providing such information would assist in supplying a more comprehensive approach to presenting and analyzing security data (see Amsler, paragraph 4).
Regarding claim 22, the combination of Carver, Wright, and Smith discloses wherein determining the security actions to be taken against the security incident based on the rule set comprises determining suggested security actions to be supplied to an administrator based on the rule set (Carver, paragraph 56, possible actions, and Carver, paragraph 49, predefined ontology).
The combination of Carver, Wright, and Smith does not explicitly state determining the suggested security actions to be supplied based on a criticality rating for the first computing asset.  However, using a criticality rating in such a fashion was well known in the art as evidenced by Amsler.  Since the inventions encompass the same field of endeavor, it would have .

Conclusion
12.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
13.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski whose telephone number is (571)272-2812.  The examiner can normally be reached on Monday thru Friday, 9am to 5pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/Victor Lesniewski/Primary Examiner, Art Unit 2493