Systems and methods for contextual and cross application threat detection and prediction in cloud applications
First Claim
1. A method, implemented by a computer system of a network security system, for detecting threat activity related to a cloud application, comprising:
- receiving, from a service provider system, activity data corresponding to one or more actions performed during use of the cloud application by a user account with the cloud application, wherein the service provider system hosts the cloud application, wherein the user account is one of a set of user accounts associated with a tenant account provided by the service provider system for a tenant, wherein the set of user accounts enables one or more users associated with the tenant to access the cloud application;
- receiving, from a system that is different from the service provider system, contextual data associated with a user associated with the user account;
- generating a profile for the user using the activity data and the contextual data, wherein the profile is associated with the user account;
- determining a measure of anomalous activity using the profile;
- determining one or more security controls of the service provider system, wherein the one or more security controls are used by the service provider system to configure access to the cloud application;
- determining one or more instructions to send to the service provider system, wherein the one or more instructions are based on the measure of anomalous activity; and
- sending the one or more instructions to the service provider system, wherein the one or more instructions cause at least one security control from the one or more security controls to be changed, and wherein the access to the cloud application when the user account is used to access the cloud application is modified due to the change to the at least one security control.
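The claim above describes a pipeline (activity data from the provider, contextual data from a second system, a per-user baseline profile, an anomaly measure, and instructions that change the provider's security controls). The following Python sketch is an added example written for this page, not code from the patent or its assignee; every record, user name, weight, threshold and control name (`session_policy`, `login_policy`, `auth_policy`) is constructed or hypothetical, and the scoring is a deliberately simple weighted sum so the data flow of the claim is visible end to end.

```python
"""Toy walk-through of the claimed method: baseline profile from cloud-app
activity plus out-of-band context, an anomaly measure, and control changes.
All data below is constructed for the example; the control and instruction
vocabulary is hypothetical, not any service provider's real API."""
from collections import Counter
from datetime import datetime

# Constructed activity records as the service provider (cloud app host) might deliver them.
ACTIVITY = [
    {"user": "alice", "action": "login",    "ts": "2024-03-04T09:12:00Z", "country": "DE", "bytes": 0},
    {"user": "alice", "action": "download", "ts": "2024-03-04T10:05:00Z", "country": "DE", "bytes": 120_000},
    {"user": "alice", "action": "download", "ts": "2024-03-05T14:40:00Z", "country": "DE", "bytes": 80_000},
    {"user": "alice", "action": "login",    "ts": "2024-03-06T08:55:00Z", "country": "DE", "bytes": 0},
    {"user": "alice", "action": "share",    "ts": "2024-03-06T16:20:00Z", "country": "DE", "bytes": 0},
    {"user": "bob",   "action": "login",    "ts": "2024-03-04T10:00:00Z", "country": "US", "bytes": 0},
]

# Constructed contextual data from a system other than the service provider
# (for example an HR system or identity directory): home office, hours, status.
CONTEXT = {
    "alice": {"office_country": "DE", "work_hours": (8, 19), "status": "active"},
    "bob":   {"office_country": "US", "work_hours": (9, 18), "status": "terminated"},
}

# Constructed new events to evaluate against the baselines.
NEW_EVENTS = [
    {"user": "alice", "action": "download", "ts": "2024-03-07T10:30:00Z", "country": "DE", "bytes": 90_000},
    {"user": "alice", "action": "download", "ts": "2024-03-08T03:15:00Z", "country": "BR", "bytes": 2_500_000},
    {"user": "bob",   "action": "login",    "ts": "2024-03-08T10:00:00Z", "country": "US", "bytes": 0},
]


def _hour(ts):
    """UTC hour of an ISO-8601 timestamp; the 'Z' suffix is rewritten for older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).hour


def build_profile(user, activity=ACTIVITY, context=CONTEXT):
    """Baseline profile: where, when and how much the account normally acts, plus context."""
    events = [e for e in activity if e["user"] == user]
    downloads = [e["bytes"] for e in events if e["action"] == "download"]
    return {
        "countries": Counter(e["country"] for e in events),
        "hours": Counter(_hour(e["ts"]) for e in events),
        "mean_download": sum(downloads) / len(downloads) if downloads else 0.0,
        "context": context.get(user, {}),
    }


def anomaly_score(profile, event):
    """Measure of anomalous activity in [0, 1]; each indicator adds a hypothetical weight."""
    ctx = profile["context"]
    score = 0.0
    # Geography never seen in the baseline and not explained by the directory's office location.
    if event["country"] not in profile["countries"] and event["country"] != ctx.get("office_country"):
        score += 0.4
    # Hour outside both the observed baseline and the directory's working hours.
    start, end = ctx.get("work_hours", (0, 24))
    hour = _hour(event["ts"])
    if hour not in profile["hours"] and not start <= hour < end:
        score += 0.2
    # Download volume far above the account's own historical mean.
    if event["action"] == "download" and profile["mean_download"] > 0 \
            and event["bytes"] > 3 * profile["mean_download"]:
        score += 0.3
    # Contextual data says the account should be dormant (e.g. user left the tenant).
    if ctx.get("status", "active") != "active":
        score += 0.8
    return min(1.0, round(score, 2))


def choose_instructions(score):
    """Map the measure to changes of the provider's security controls (hypothetical names)."""
    if score >= 0.8:
        return [{"control": "session_policy", "set": "revoke_sessions"},
                {"control": "login_policy", "set": "block"}]
    if score >= 0.4:
        return [{"control": "auth_policy", "set": "require_mfa"}]
    return []


def evaluate(event, activity=ACTIVITY, context=CONTEXT):
    """Full pipeline for one event: profile -> measure -> instructions to send to the provider."""
    profile = build_profile(event["user"], activity, context)
    score = anomaly_score(profile, event)
    return score, choose_instructions(score)


if __name__ == "__main__":
    for ev in NEW_EVENTS:
        print(ev["user"], ev["action"], ev["country"], "->", evaluate(ev))
```

The point the contextual feed makes is visible in the third event: on activity data alone Bob's login looks exactly like his baseline, and only the directory's `terminated` status turns it into a high score and a block instruction.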
Abstract
Systems and methods for contextual and cross application threat detection in cloud applications in accordance with embodiments of the invention are disclosed. In one embodiment, a method for detecting threat activity in a cloud application using past activity data from cloud applications includes receiving activity data concerning actions performed by a user account associated with a user within a monitored cloud application, receiving external contextual data about the user that does not concern actions performed using the user account within the monitored cloud application, where the external contextual data is retrieved from outside of the monitored cloud application, deriving a baseline user profile using the activity data and external contextual data and associating the baseline user profile with the user account, and determining the likelihood of anomalous activity using the baseline user profile.
28 Claims
1. Claim 1 is set out in full above under First Claim; claims 2 through 14 depend from it.
15. A system for detecting threat activity related to a cloud application, the system comprising:
- a processor; and
- memory coupled to and readable by the processor, the memory including one or more instructions that, when executed by the processor, cause the processor to:
  - receive, from a service provider system, activity data corresponding to one or more actions performed during use of the cloud application by a user account with the cloud application, wherein the service provider system hosts the cloud application, wherein the user account is one of a set of user accounts associated with a tenant account provided by the service provider system for a tenant, wherein the set of user accounts enables one or more users associated with the tenant to access the cloud application;
  - receive, from a system that is different from the service provider system, contextual data associated with a user associated with the user account;
  - generate a profile for the user using the activity data and the contextual data, wherein the profile is associated with the user account;
  - determine a measure of anomalous activity using the profile;
  - determine one or more security controls of the service provider system, wherein the one or more security controls are used by the service provider system to configure access to the cloud application;
  - determine one or more instructions to send to the service provider system, wherein the one or more instructions are based on the measure of anomalous activity; and
  - send the one or more instructions to the service provider system, wherein the one or more instructions cause at least one security control from the one or more security controls to be changed, and wherein the access to the cloud application when the user account is used to access the cloud application is modified due to the change to the at least one security control.

Claims 16 through 28 depend from claim 15.