Key management for compromised enterprise endpoints

US 10,063,373 B2
Filed: 11/23/2016
Issued: 08/28/2018
Est. Priority Date: 09/14/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

labeling processes on an endpoint with a labeling scheme in which the processes are either in, wherein the processes conform to a compliance policy administered for the endpoint from a remote threat management facility, or the processes are out, wherein the processes do not conform to the compliance policy, thereby providing a plurality of in processes and a plurality of out processes;

for in processes of the endpoint, providing access to encrypted files through a file system, with access to the encrypted files controlled by the file system and limited to processes in compliance with the compliance policy;

detecting a compromise of the endpoint based on a change of an in process to an out process when the in process falls out of compliance with the compliance policy; and

in response to detecting the compromise, deleting key material cached on the endpoint to prevent decryption of the encrypted files through the file system for the in processes, thereby revoking access to the encrypted files by the processes executing on the endpoint.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.

60 Citations

View as Search Results

18 Claims

1. A method comprising:
- labeling processes on an endpoint with a labeling scheme in which the processes are either in, wherein the processes conform to a compliance policy administered for the endpoint from a remote threat management facility, or the processes are out, wherein the processes do not conform to the compliance policy, thereby providing a plurality of in processes and a plurality of out processes;
  
  for in processes of the endpoint, providing access to encrypted files through a file system, with access to the encrypted files controlled by the file system and limited to processes in compliance with the compliance policy;
  
  detecting a compromise of the endpoint based on a change of an in process to an out process when the in process falls out of compliance with the compliance policy; and
  
  in response to detecting the compromise, deleting key material cached on the endpoint to prevent decryption of the encrypted files through the file system for the in processes, thereby revoking access to the encrypted files by the processes executing on the endpoint.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 further comprising monitoring at least one of the processes for compliance with the compliance policy.
  - 3. The method of claim 2 wherein monitoring for compliance includes monitoring a behavior of the at least one of the processes.
  - 4. The method of claim 3 wherein the behavior includes an interaction with one or more other processes on the endpoint.
  - 5. The method of claim 1 further comprising monitoring at least one of the encrypted files for compliance with the compliance policy.
  - 6. The method of claim 1 wherein detecting the compromise of the endpoint includes receiving an indication of compromise (IOC).
  - 7. The method of claim 1 wherein an external monitoring facility detects the compromise of the endpoint.
  - 8. The method of claim 7 wherein the external monitoring facility sends a signal to the endpoint to set itself into a state of compromise when the compromise is detected.
  - 9. The method of claim 1 wherein an internal monitoring facility on the endpoint detects the compromise of the endpoint.
  - 10. The method of claim 1 wherein detecting the compromise of the endpoint includes receiving an IOC pattern from the endpoint indicative of a compromised state.
  - 11. The method of claim 1 wherein detecting the compromise of the endpoint is based on at least one of:
    - behavioral analysis, malware signature analysis, reputation, and access to a remote command and control resource.
  - 12. The method of claim 1 wherein the compromise includes exposure of at least one of the plurality of in processes to an external process.
  - 13. The method of claim 12 wherein the external process is known or suspected to be malicious.
  - 14. The method of claim 12 wherein a security status of the external process is unknown.

15. A computer program product comprising non-transitory computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- labeling processes on an endpoint with a labeling scheme in which the processes are either in, wherein the processes conform to a compliance policy administered for the endpoint from a remote threat management facility, or the processes are out, wherein the processes do not conform to the compliance policy, thereby providing a plurality of in processes and a plurality of out processes;
  
  for in processes of the endpoint, providing access to encrypted files through a file system, with access to the encrypted files controlled by the file system and limited to processes in compliance with the compliance policy;
  
  detecting a compromise of the endpoint based on a change of an in process to an out process when the in process falls out of compliance with the compliance policy; and
  
  in response to detecting the compromise, deleting key material cached on the endpoint to prevent decryption of the encrypted files through the file system for the in processes, thereby revoking access to the encrypted files by the processes executing on the endpoint.
- View Dependent Claims (16, 17)
- - 16. The computer program product of claim 15 wherein the code further performs the step of monitoring at least one of the processes for compliance with the compliance policy.
  - 17. The computer program product of claim 15 wherein the compromise includes exposure of at least one of the plurality of in processes to an external object.

18. A system comprising:
- a threat management facility configured to manage threats to an enterprise, the threat management facility maintaining a compliance policy for endpoints in the enterprise; and
  
  an endpoint associated with the enterprise having a memory and a processor, the memory storing a plurality of processes, and the processor configured to label the processes with a labeling scheme in which the processes are either in, wherein the processes conform to the compliance policy, or the processes are out, wherein the processes do not conform to the compliance policy, thereby providing a plurality of in processes and a plurality of out processes, to provide, to the in processes of the endpoint, access to encrypted files through a file system, with access to the encrypted files controlled by the file system and limited to processes in compliance with the compliance policy, to detect a compromise of the endpoint based on a change of an in process to an out process when the in process falls out of compliance with the compliance policy, and in response to detecting the compromise, to delete key material cached in the memory on the endpoint to prevent decryption of the encrypted files through the file system for the in processes, thereby revoking access to the encrypted files by the processes executing on the endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Schutz, Harald, Thomas, Andrew J., Ray, Kenneth D., Schiappa, Daniel Salvatore
Primary Examiner(s)
Lewis, Lisa C

Application Number

US15/360,591
Publication Number

US 20170078093A1
Time in Patent Office

643 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2113   Multi-level security, e.g. ...

H04L 63/06   for supporting key manageme...

H04L 63/1408   by monitoring network traff...

H04L 9/0891   Revocation or update of sec...

Key management for compromised enterprise endpoints

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Key management for compromised enterprise endpoints

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links