Policy-driven compliance

US 10,033,766 B2
Filed: 04/19/2016
Issued: 07/24/2018
Est. Priority Date: 06/05/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

capturing first network data, first host data, first process data, and first user data corresponding to a first flow that includes protected electronic information, the first network data captured by a first sensor of a first endpoint of a network, a second sensor of a second endpoint of the network, and a third sensor of a networking device along a data path corresponding to the first flow;

analyzing the first network data, the first host data, the first process data, and the first user data to determine a policy applicable to the first flow;

updating policy data based on an expected network action for the first flow and an actual network action for the first flow;

determining a first degree of accuracy of first flow data corresponding to the first flow captured by the first sensor;

determining a second degree of accuracy of second flow data corresponding to the first flow captured by the second sensor;

determining a third degree of accuracy of third flow data corresponding to the first flow captured by the third sensor; and

utilizing flow data having a highest degree of accuracy for the first flow.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network can achieve compliance by defining and enforcing a set of network policies to secure protected electronic information. The network can monitor network data, host/endpoint data, process data, and user data for traffic using a sensor network that provides multiple perspectives. The sensor network can include sensors for networking devices, physical servers, hypervisors or shared kernels, virtual partitions, and other network components. The network can analyze the network data, host/endpoint data, process data, and user data to determine policies for traffic. The network can determine expected network actions based on the policies, such as allowing traffic, denying traffic, configuring traffic for quality of service (QoS), or redirecting traffic along a specific route. The network can update policy data based on the expected network actions and actual network actions. The policy data can be utilized for compliance.

Citations

19 Claims

1. A method comprising:
- capturing first network data, first host data, first process data, and first user data corresponding to a first flow that includes protected electronic information, the first network data captured by a first sensor of a first endpoint of a network, a second sensor of a second endpoint of the network, and a third sensor of a networking device along a data path corresponding to the first flow;
  
  analyzing the first network data, the first host data, the first process data, and the first user data to determine a policy applicable to the first flow;
  
  updating policy data based on an expected network action for the first flow and an actual network action for the first flow;
  
  determining a first degree of accuracy of first flow data corresponding to the first flow captured by the first sensor;
  
  determining a second degree of accuracy of second flow data corresponding to the first flow captured by the second sensor;
  
  determining a third degree of accuracy of third flow data corresponding to the first flow captured by the third sensor; and
  
  utilizing flow data having a highest degree of accuracy for the first flow.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - determining a source endpoint group corresponding to the first flow; and
      
      determining the first flow includes protected electronic information based on the source endpoint group.
  - 3. The method of claim 1, further comprising:
    - assembling flow data for the first flow using a first packet captured by one of the first sensor, the second sensor, or the third sensor and a second packet captured by another of the first sensor, the second sensor, or the third sensor.
  - 4. The method of claim 1, wherein the first endpoint is a virtual partition, and the first network data further includes flow data captured by a fourth sensor of a host of the virtual partition.
  - 5. The method of claim 1, wherein the first host data includes information regarding at least one of a name of a host corresponding to the first flow, a network address of the host, an operating system of the host, CPU utilization by the host, network utilization by the host, disk space of the host, ports of the host, users logged into the host, scheduled jobs, or a file or a directory of the host.
  - 6. The method of claim 1, further comprising:
    - determining a state of at least one of a host, a process, or a user corresponding to the first flow based on at least one of the first host data, the first process data, or the first user data; and
      
      determining a source endpoint group for the first flow based on the state,wherein the policy is determined based at least in part on the source endpoint group.
  - 7. The method of claim 1, wherein the policy data comprises statistics regarding conformance and non-conformance of the policy, and the method further comprises:
    - mapping the policy to a compliance requirement; and
      
      generating a compliance report based on the mapping and the policy data.
  - 8. The method of claim 1, wherein the policy data comprises associations between flows not conforming to policies of the network, and the method further comprises:
    - determining the first flow does not conform to the policy;
      
      associating the first flow with the policy in the policy data; and
      
      determining a cause of non-conformance of the policy based on the policy data.
  - 9. The method of claim 1, further comprising:
    - determining a network topology for the network;
      
      determining an application dependency mapping for an application including the first endpoint as a component of the application; and
      
      determining, based at least in part on the network topology and the application dependency mapping, a set of policies for the application.
  - 10. The method of claim 1, wherein a first set of policies for the network comprises blacklist rules, and the method further comprises:
    - generating a second set of policies for the network by translating the first set of policies to whitelist rules.
  - 11. The method of claim 10, further comprising:
    - applying the second set of policies to network data traversing the network in a network environment simulating the network.

12. A system comprising:
- a processor device; and
  
  a memory device including instructions that, upon being executed by the processor, cause the system to perform operations comprising;
  
  monitor network data, host data, process data, and user data for flows traversing a network, the network data monitored by a first sensor of a first endpoint of the network, a second sensor of a second endpoint of the network, and a third sensor of a networking device of the network, the flows including protected electronic information;
  
  determine policies applicable to the flows based on the network data, host data, process data, and user data;
  
  determine, based at least in part on one of the host data, the process data, or the user data, expected network actions for the flows by applying the policies to the network data; and
  
  update policy data based on the expected network actions and actual network actions for the flows;
  
  determine a first degree of accuracy of first flow data corresponding to the first flow captured by the first sensor;
  
  determine a second degree of accuracy of second flow data corresponding to the first flow captured by the second sensor;
  
  determine a third degree of accuracy of third flow data corresponding to the first flow captured by the third sensor; and
  
  utilize flow data having a highest degree of accuracy for the first flow.
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12, wherein the first endpoint is a host, the host includes a virtual partition, the virtual partition includes a fourth sensor, and the network data is further monitored by the fourth sensor.
  - 14. The system of claim 13, wherein the first sensor is executed by a hypervisor or a shared kernel of the host.
  - 15. The system of claim 12, wherein the process data includes information regarding at least one of a name of a process corresponding to a first flow, an identifier of the process, a parent process of the process, a path of the process, CPU utilization of the process, a memory address for the process, scheduling information for the process, a priority of the process, a start time of the process, a terminal type corresponding to the process, CPU time taken by the process, a command that started the process, and a process owner.

16. A non-transitory computer-readable medium having computer readable instructions that, upon being executed by a processor of a first endpoint of a network, cause the first endpoint to perform operations comprising:
- send a first flow including protected electronic information to a second endpoint of the network;
  
  capture first network data, first host data, first process data, and first user data corresponding to the first flow, the first network data captured by a first sensor of the first endpoint, a second sensor of the second endpoint, and a third sensor of a networking device along a data path corresponding to the first flow;
  
  determine a policy applicable to the first flow based at least in part on one of the first host data, the first process data, and the first user data; and
  
  update policy data based on an expected network action for the first flow and an actual network action for the first flow;
  
  determine a first degree of accuracy of first flow data corresponding to the first flow captured by the first sensor;
  
  determine a second degree of accuracy of second flow data corresponding to the first flow captured by the second sensor;
  
  determine a third degree of accuracy of third flow data corresponding to the first flow captured by the third sensor; and
  
  utilize flow data having a highest degree of accuracy for the first flow.
- View Dependent Claims (17, 18, 19)
- - 17. The non-transitory computer-readable medium of claim 16, wherein the first user data includes information regarding at least one of a name of a user corresponding to the first flow, a real name of the user, an e-mail address of the user, a group of the user, terminal information for the user, a login time of the user, an expiration date of a login, an idle time of the user, or a file or a directory of the user.
  - 18. The non-transitory computer-readable medium of claim 16, wherein the instructions further cause the first endpoint to:
    - determine a first endpoint group of the first flow; and
      
      determine a second endpoint group of the first flow,wherein the policy is determined based on the first endpoint group and the second endpoint group.
  - 19. The non-transitory computer-readable medium of claim 16, wherein the policy comprises at least one of statistics regarding conformance and non-conformance of the policy or associations between flows not conforming to policies of the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Gupta, Sunil Kumar, Yadav, Navindra, Watts, Michael Standish, Parandehgheibi, Ali, Gandham, Shashidhar, Kulshreshtha, Ashutosh, Deen, Khawar
Primary Examiner(s)
Schwartz, Darren B

Application Number

US15/133,155
Publication Number

US 20160359915A1
Time in Patent Office

826 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/04   Processing captured monitor...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Policy-driven compliance

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-driven compliance

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links