DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Election/Restrictions
NO restriction warranted at applicant’s initial time of filing for patent. 
Priority
Applicant claim[s] domestic priority under 35 USC 119e to provisional applications:
62/979376, filed on 02/20/2020
62/979378, filed on 02/20/2020
62/832773, filed on 04/11/2019
Information Disclosure Statement
Applicant filed NO information disclosure statement at initial time of filing for patent. 
Drawings
Applicant’s drawings filed on 04/10/2020 have been inspected and follow MPEP 608.02.
Specification
Applicant’s specification filed on 04/10/2020 has been inspected and follows MPEP 608.01.
Claim Objections
NO objections warranted at applicant’s initial time of filing for patent. 
Claim Interpretation – 35 USC 112th 6th or F
It is the examiner’s opinion that claim[s] 1 – 20 do not invoke means for or step plus functional claim language.
Claim Rejections - 35 USC § 112
NO rejections warranted at applicant’s initial time of filing for patent. 
Double Patenting
NO rejections warranted at applicant’s initial time of filing for patent. 
Claim Rejections - 35 USC § 101
NO rejections warranted at applicant’s initial time of filing for patent. 
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1, 9, 16 is/are rejected under 35 U.S.C. 102(a)(2) as being taught by Kibler et al. [US PGPUB # 2019/0052664]
As per claim 1. Kibler does teach a method for providing security services from a telecommunications network [Kibler, paragraph: 0028, lines 1 – 10, Embodiments of systems and methods for assessing the cybersecurity of a computer network are described herein. Further and alternative aspects and features of the disclosed principles will be appreciated from the following detailed description and the accompanying drawings. As will be appreciated, the principles relating to assessing the cybersecurity of a computer network and updating that assessment on an ongoing basis as disclosed herein are capable of being carried out in other and different embodiments], the method comprising: 
generating, at a computing device, a security infrastructure profile [Kibler, paragraph: 0072, lines 5 – 7, In embodiments, an API can be provided for incident client data, for those participating in the monitoring levels of service, to be generalized and fed to the data store 160, which in turn will update specific elements of their risk profile] comprising a first network security device of a first network and a second network security device of a second network [Kibler, Figure # 2, component: 195, 191 and paragraph: 0088, The cybersecurity system 195 installed within the client 191 [i.e. applicant’s first network security device and second network security device of a second network] provides periodic updates regarding operational characteristics of the client computing environment that are configured to allow the cyber-risk score to be re-calculated. The data store 160 can be used as a central repository for risk analysis data.]; 
receiving, at the computing device, threat intelligence data comprising identification of a source computing device associated with a network threat and a risk score associated with communications originating from the source computing device [Kibler, Figure # 1, and paragraph: 0037, lines 6 – 15, The cybersecurity processor 158 can be specially programmed with the cybersecurity risk program 152 to monitor and log the cybersecurity risk conditions occurring within the policyholder computing environment 191, to determine a security risk score based upon the data sent from the policyholder computing environment 191 to the computing environment 150 via the external network 190, and to provide monitoring services, as selected, using a threat alert data stream from the web client 193.]; and 
transmitting, based on a comparison [Kibler, paragraph: 0114, lines 12 – 19, The cybersecurity risk program of the CyberMatics system can calculate a residual risk score by determining the difference between the implicit risk score and the control effectiveness score. A client's implicit risk score and residual risk scores are then compared to produce the overall cyber-risk maturity score. The lower the score reflected the better the client is doing in protecting their organization against the current threat environment.] of the risk score of the threat intelligence data to a risk threshold value of a security trigger [Kibler, paragraph: 0051, lines 1 – 7, The cybersecurity risk reduction module of the cybersecurity risk program can be configured to select a cybersecurity control that is determined to not be present within the client's computer network 191 to recommend for inclusion in the computer network based upon its calculated effectiveness either being above a predetermined threshold or within a predetermined range of most effective choices. ], information to configure the first network security device of the first network and the second network security device of the second network to apply a security policy to communications originating from the source computing device associated with the network threat [Kibler, paragraph: 0049, lines 1 – 6, The SOC module includes a computer executable code segment that can be configured to provide cybersecurity alerting functions and to take remedial measures within the policyholder computing environment 191 in response to cybersecurity threat data received from the web client 193 pertaining to the policyholder computing environment 191].
As per network device claim # 9 that includes the same or similar claim limitations as method claim # 1, and is similarly rejected. 
***The examiner notes that applicant’s recited: “processing device,” “communication port,” and “non-transitory computer readable medium,” is taught by the prior art of Kibler at paragraph: 0007, lines 1 – 9. 
As per network system claim # 16 that includes the same or similar claim limitations as method claim # 1, and is similarly rejected.
***The examiner notes that applicant’s recited: “network security management device,” and “non-transitory computer readable medium,” is taught by the prior art of Kibler at Figure # 2, component # 195.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
Claim[s] 1, 6, 9, 14, 16, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kibler et al. [US PGPUB # 2019/0052664] in view of Heckman et al. [US PUB # 20190207968]
As per claim 1. Kibler does teach a method for providing security services from a telecommunications network [Kibler, paragraph: 0028, lines 1 – 10], the method comprising:
generating, at a computing device, a security infrastructure profile [Kibler, paragraph: 0072, lines 5 – 7, In embodiments, an API can be provided for incident client data, for those participating in the monitoring levels of service, to be generalized and fed to the data store 160, which in turn will update specific elements of their risk profile] comprising a first network security device of a first network and a second network security device of a second network [Kibler, Figure # 2, component: 195, 191 and paragraph: 0088, The cybersecurity system 195 installed within the client computing environment 191 [i.e. applicant’s first network security device and second network security device of a second network] provides periodic updates regarding operational characteristics of the client computing environment that are configured to allow the cyber-risk score to be re-calculated. The data store 160 can be used as a central repository for risk analysis data.]; 
receiving, at the computing device, threat intelligence data comprising identification of a source computing device associated with a network threat and a risk score associated with communications originating from the source computing device [Kibler, Figure # 1, and paragraph: 0037, lines 6 – 15, The cybersecurity processor 158 can be specially programmed with the cybersecurity risk program 152 to monitor and log the cybersecurity risk conditions occurring within the policyholder computing environment 191, to determine a security risk score based upon the data sent from the policyholder computing environment 191 to the computing environment 150 via the external network 190, and to provide monitoring services, as selected, using a threat alert data stream from the web client 193.]; and 
transmitting, based on a comparison [Kibler, paragraph: 0114, lines 12 – 19, The cybersecurity risk program of the CyberMatics system can calculate a residual risk score by determining the difference between the implicit risk score and the control effectiveness score. A client's implicit risk score and residual risk scores are then compared to produce the overall cyber-risk maturity score. The lower the score reflected the better the client is doing in protecting their organization against the current threat environment] of the risk score of the threat intelligence data to a risk threshold value of a security trigger [Kibler, paragraph: 0051, lines 1 – 7, The cybersecurity risk reduction module of the cybersecurity risk program can be configured to select a cybersecurity control that is determined to not be present within the client's computer network 191 to recommend for inclusion in the computer network based upon its calculated effectiveness either being above a predetermined threshold or within a predetermined range of most effective choices.]. 
Kibler does not clearly teach information to configure the first network security device of the first network and the second network security device of the second network to apply a security policy to communications originating from the source computing device associated with the network threat.
However, Heckman does teach information to configure the first network security device of the first network and the second network security device of the second network to apply a security policy to communications originating from the source computing device associated with the network threat [Figure # 3, and paragraph: 0091, lines 1 – 4, and lines 8 – 14, In block 306, the enterprise system may develop an integrated action plan for the organization using the generated cybersecurity/privacy risk framework profile and a maturity model assessment. In this manner, any changes or feedback may be incorporated as required, and the final integrated action plan may be presented to the organization. Detailed roadmaps, corrective action plans, and/or project plans that lead to evolving or increasingly mature cybersecurity/privacy capabilities required to keep ahead of the advancing and evolving cyber-threats may be included.].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kibler and Heckman in order for the monitoring of the client environment/policy holder’s computing environment of a policyholder’s organization for threat data, and the generation of a risk profile of Kibler to include real-time monitoring of the environment and generation of a risk profile of the environment of Heckman. This would allow for a very adaptive mechanism that monitors and generates risk scores of an environment of the organization at an instant/command. See paragraph: 0066, lines 42 – 52 of Heckman.
As per claim 6. Kibler does teach the method of claim 1, further comprising:
providing, via a user interface [Kibler, Figure # 1, paragraph: 0040, In one embodiment, the client 154 hosts an application front end of the cybersecurity risk program 152. The application front end can generally include any component of the cybersecurity risk program 152 that can receive input from the user 177 or the client 154, communicate the input to the cybersecurity risk program 152, receive output from the cybersecurity risk program 152, and present the output to the user 177 and/or the client 154. In one embodiment, the application front end can be a stand-alone system.], an interactive alert associated with the comparison of the risk score of the data to the risk threshold value of the security trigger [Kibler, paragraph: 0052, lines 11 – 18, The display module can be configured to transmit the residual risk score via the web-enabled interface 180 to the client portal 191 for display in the graphical user interface. The display module can be configured, in response to the monitoring module receiving the valid threat alert, to transmit an alert message via the web-enabled interface 180 to the client portal 191 for display in the graphical user interface]; and 
receiving, via the user interface [Kibler, Figure # 1, paragraph: 0040, In one embodiment, the client 154 hosts an application front end of the cybersecurity risk program 152. The application front end can generally include any component of the cybersecurity risk program 152 that can receive input from the user 177 or the client 154, communicate the input to the cybersecurity risk program 152, receive output from the cybersecurity risk program 152, and present the output to the user 177 and/or the client 154. In one embodiment, the application front end can be a stand-alone system.], an authorization to transmit the information to configure the first network security device of the first network and the second network security device of the second network [Kibler, paragraph: 0049, lines 10 – 17, In embodiments, the monitoring module is configured to monitor a data feed, such as one from the web client 193, received from a cybersecurity system installed within the computer network for a valid threat alert, and, in response to receiving the valid threat alert, to actively modify the computer network by implementing a protective measure configured to reduce the threat.].
As per network device claim # 9 that includes the same or similar claim limitations as method claim # 1, and is similarly rejected. 
***The examiner notes that applicant’s recited: “processing device,” “communication port,” and “non-transitory computer readable medium,” is taught by the prior art of Kibler at paragraph: 0007, lines 1 – 9. 
As per network device claim # 14 that includes the same or similar claim limitations as method claim # 6, and is similarly rejected. 

As per network system claim # 16 that includes the same or similar claim limitations as method claim # 1, and is similarly rejected.
***The examiner notes that applicant’s recited: “network security management device,” and “non-transitory computer readable medium,” is taught by the prior art of Kibler at Figure # 2, component # 195.
As per network system claim # 20 that includes the same or similar claim limitations as method claim # 6, and is similarly rejected. 

Claim[s] 2 – 5, 8, 10 – 13, 17 - 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kibler et al. [US PGPUB # 2019/0052664] in view of Heckman et al.  as applied to claim[s] 1 above, and further in view of Pearcy et al. [US PGPUB # 20150172323]
As per claim 2. Kibler and Heckman do teach what is taught in the rejection of claim 1 above. 
Kibler and Heckman do not clearly teach the method of claim 1, further comprising: identifying a first plurality of network security devices of the first network and a second plurality of network security devices of the second network for inclusion in a security sub-system of security infrastructure profile; and configuring the security sub-system based on the threat intelligence data.
However, Pearcy does teach the method of claim 1, further comprising: 
identifying a first plurality of network security devices of the first network and a second plurality of network security devices of the second network for inclusion in a security sub-system of security infrastructure profile [paragraph: 0011, lines 3 – 22, the actions of identifying a particular security event detected in a particular computing system, the particular security event detected as targeting a particular computing device included in the particular computing system. A particular grouping of assets in a plurality of asset groupings defined for devices within the particular computing system [i.e. applicant’s first plurality of network security devices of a first network] can be identified as including the particular computing device. A source of the particular security event can be identified associated with at least one second computing device and at least one of a geographic location and a grouping of assets included in the plurality of asset groupings can be associated with the source of the particular security event. [i.e. applicant’s second plurality of network security devices of the second network] Data can be generated that is adapted to cause or render a presentation of a graphical representation of the particular security event on a display device [i.e. applicant’s security sub-system], the graphical representation including: a first graphical element representing the particular computing device as included in the particular grouping of assets and a second graphical element representing the source associated with the at least one of a geographic location and a grouping of assets included in the plurality of asset groupings.]; and 
configuring the security sub-system based on the threat intelligence data [paragraph: 0014, lines 2 – 9, The graphical representation can include a view of a geographic map and at least one of the first and second graphical elements can be overlaid on the view of the geographic map. The source can be associated with a particular geographic location included in the view of the geographic map and the particular geographic location can be identified from a device identifier associated with the source.].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kibler as modified and Pearcy in order for the monitoring of the client environment/policy holder’s computing environment of a policyholder’s organization for threat data, and the generation of a risk profile of Kibler as modified to include geo-mapping engine with geographic map of Pearcy. This would allow for the display of threat data to the user in
As per claim 3. Kibler as modified does teach the method of claim 2 wherein the identifying of the first plurality of network security devices and the second plurality of network security devices in the security sub-system is based on a geographic location of the first plurality of network security devices and the second plurality of network security devices [Pearcy, paragraph: 0011, lines 3 – 22, the actions of identifying a particular security event detected in a particular computing system, the particular security event detected as targeting a particular computing device included in the particular computing system. A particular grouping of assets in a plurality of asset groupings defined for devices within the particular computing system [i.e. applicant’s first plurality of network security devices of a first network] can be identified as including the particular computing device. A source of the particular security event can be identified associated with at least one second computing device and at least one of a geographic location and a grouping of assets included in the plurality of asset groupings can be associated with the source of the particular security event. [i.e. applicant’s second plurality of network security devices of the second network] Data can be generated that is adapted to cause or render a presentation of a graphical representation of the particular security event on a display device [i.e. applicant’s security sub-system], the graphical representation including: a first graphical element representing the particular computing device as included in the particular grouping of assets and a second graphical element representing the source associated with the at 
As per claim 4. Kibler as modified does teach the method of claim 2 wherein the identifying of the first plurality of network security devices and the second plurality of network security devices in the security sub-system is based on a type of network security device of the first plurality of network security devices and the second plurality of network security devices [Pearcy, paragraph: 0039, lines 7 – 15, Further, devices within the system can be associated with particular groupings of devices and sub-systems defined within the monitored system. Such groupings can be created as a function of the system (e.g., grouping of devices by IP address range, or some other automatically or arbitrarily selected attribute), while other groupings can be more logical, such as devices grouped by a defined user group, office, model, device type, etc.]. 
As per claim 5. Kibler as modified does teach the method of claim 2 wherein the security trigger is associated with the security sub-system of the security infrastructure profile [Pearcy, paragraph: 0011, lines 3 – 22, the actions of identifying a particular security event detected in a particular computing system, the particular security event detected as targeting a particular computing device included in the particular computing system. A particular grouping of assets in a plurality of asset groupings defined for devices within the particular computing system [i.e. applicant’s first plurality of network security devices of a first network] can be identified as including the particular computing device. A source of the particular security event can be identified associated with at least one second computing device and at least one of a geographic location and a grouping of assets included in the plurality of asset groupings can be associated with the source of the particular security event. [i.e. applicant’s second plurality of network security devices of the second network] Data can be generated that is adapted to cause or render a presentation of a graphical representation of the particular security event on a display device [i.e. applicant’s security sub-system],].
As per claim 8. Kibler does teach the method of claim 4 wherein altering the configuration of the first network security device is based on a source identification associated with the first event matching the identification of the source computing device associated with the network threat [Kibler, paragraph: 0051, lines 1 – 7, The cybersecurity risk reduction module of the cybersecurity risk program can be configured to select a cybersecurity control that is determined to not be present within the client's computer network 191 to recommend for inclusion in the computer network based upon its calculated effectiveness either being above a predetermined threshold or within a predetermined range of most effective choices].
As per network device claim # 10 that includes the same or similar claim limitations as method claim # 2, and is similarly rejected. 

As per network device claim # 11 that includes the same or similar claim limitations as method claim # 3, and is similarly rejected. 

As per network device claim # 12 that includes the same or similar claim limitations as method claim # 4, and is similarly rejected. 

As per network device claim # 13 that includes the same or similar claim limitations as method claim # 5, and is similarly rejected. 

As per network system claim # 17 that includes the same or similar claim limitations as method claim # 2, and is similarly rejected. 

As per network system claim # 18 that includes the same or similar claim limitations as method claim # 3, and is similarly rejected. 

As per network system claim # 19 that includes the same or similar claim limitations as method claim # 4, and is similarly rejected. 

Claim[s] 7, 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kibler et al. [US PGPUB # 2019/0052664] in view of Heckman et al. [US PUB # 20190207968] as applied to claim[s] 6 above, and further in view of Hudis et al. [US PGPUB # 2009/0177514]
As per claim 7. Kibler and Heckman do teach what is taught in the rejection of claim # 6 above. 
Kibler and Heckman do not clearly teach the method of claim 6, further comprising:
receiving, from the first network security device and at the computing device, an event log associated with the operation of the first network security device; and
altering, based on a comparison of the event log and the threat intelligence data, a configuration of the first network security device comprising installing a security rule associated with a first event of the event log.
However, Hudis does teach the method of claim 6, further comprising:
receiving, from the first network security device and at the computing device, an event log associated with the operation of the first network security device [paragraph: 0072, lines 1 – 7, In most typical ESAS implementations, a specialized endpoint called an ESAS central server is utilized. The ESAS central server is coupled to the security assessment channel and performs as a centralized audit point by subscribing to all security assessments, logging the security assessments, and also logging the local actions taken by endpoints in response to security incidents in the environment. The ESAS central server provides administrators with a comprehensive view of the history and current status of the enterprise as a whole and of each ESAS-enabled endpoint.]; and
altering, based on a comparison of the event log and the threat intelligence data, a configuration of the first network security device comprising installing a security rule associated with a first event of the event log [paragraph: 0072, lines 7 – 18, The utilization of the security assessments enables an administrator to compactly and efficiently configure response policies to incidents that are detected across the entire enterprise. The security assessments function as natural anchors, or starting points, to define enterprise-wide security response policies. A streamlined and consistent management interface is thus enabled to define the desired responses for each type of security assessment across the entire enterprise.].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kibler as modified and Hudis in order for the monitoring of the client environment/policyholder’s computing environment of a policyholder’s organization for threat data, and the generation of a risk profile in the form of a geo-map of Kibler as modified to include ESAS server with log messaging service of Hudis. This would allow for the received threat data to include logging messages that are sent to the user/organization administrator that specifically details threat information of the specific source of the threat data and comparison/history of previous threat data from the source[s]. See paragraph: 0076, lines 5 – 12 of Hudis.
As per network device claim # 15 that includes the same or similar claim limitations as method claim # 7, and is similarly rejected. 
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Mulchandani et al. does teach presenting data related to security events, and implementing courses of action to protect assets in response to the security events. An event management module identifies malicious activity present on a first network domain and/or a second network domain based on received network domain activity.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANT SHAIFER - HARRIMAN whose telephone number is (571)272-7910. The examiner can normally be reached M - F: 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DANT B SHAIFER HARRIMAN/          Primary Examiner, Art Unit 2434