Identifying sensitive data writes to data stores
First Claim
1. A computer-implemented method, comprising:
receiving, over a network and from a data access detection plugin running on a device with an application, a data access event notification corresponding to access by the application to a set of sensitive data;
creating a data event object, the data event object including at least one or more metadata items associated with the data access event notification;
writing, based at least in part on a determination by a policy service, a data log entry, the data log entry based at least in part on at least a subset of the data event object;
determining, based at least in part on a similar characteristic between the data log entry and one or more other entries in a computer system log, that the data log entry is correlated with the one or more other entries;
determining, based at least in part on the data log entry being correlated with the one or more other entries, a confidence value for a data access rule violation having occurred with the set of sensitive data;
determining a data store location based at least in part on a metadata item included in the data event object;
searching, in the data store location, for a set of data corresponding at least in part to a subset of the set of sensitive data; and
as a result of locating the set of data corresponding at least in part to the subset of the set of sensitive data, performing, based at least in part on the confidence value and a sensitivity of the set of sensitive data, one or more operations to mitigate further access to the set of sensitive data.
Abstract
Techniques for detecting access to computer system data by applications running on a computer system are described herein. Data access event log entries are recorded, the log entries including one or more metadata items associated with how the computer system application accessed the computer system data. The log entries are analyzed using correlations with other computer system events and, if improper access is detected, one or more operations relating to the type of data accessed and the type of violation are performed to mitigate the improper data access.
21 Claims
1. A computer-implemented method (independent claim; full text reproduced above under First Claim). Dependent claims: 2, 3, 4.
5. A system, comprising:
at least one computing device that implements one or more services, wherein the one or more services:
receive a data access event notification over a network and from a library module running on a device with an application, as a result of the application accessing a set of data;
record a log entry corresponding to the data access event notification in a data access log, the log entry based at least in part on a metadata item associated with the data access event notification;
determine, based at least in part on a similar characteristic between the log entry and one or more other entries of computer system events, that the log entry is correlated with the one or more other entries;
identify, based at least in part on the log entry being correlated with the one or more other entries, that a data access rule violation has occurred in accordance with a confidence value and a factor relating to a sensitivity of the set of data; and
consequent to having identified the data access rule violation, perform one or more operations to mitigate further access to the set of data based at least in part on a result of a search of a data store location for data matching at least part of the set of data, the data store location depending at least in part on the metadata item associated with the data access event notification, the one or more operations depending at least in part on the data access rule violation.
Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13, 14.
15. A non-transitory computer-readable storage medium having collectively stored thereon executable instructions that, if executed by one or more processors of a computer system, cause the computer system to:
record a data access event log entry, generated by a client, corresponding to a data access event notification, the data access event notification received over a network and from a library module running on a device with an application corresponding to one or more data accesses, by the application, to at least a subset of a set of data, the data access event log entry including at least a metadata item associated with the data access event notification;
determine, based at least in part on a similar characteristic between the data access event log entry and one or more other entries in a computer system log of one or more computer system events, that the data access event log entry is correlated with the one or more other entries;
determine, based at least in part on the data access event log entry being correlated with the one or more other entries, that one or more data access rule violations have occurred in accordance with a confidence value; and
perform, based at least in part on the confidence value and an indication of sensitivity of at least a first subset of the set of data, one or more operations to mitigate further access to at least the first subset of the set of data, the first subset of the set of data based at least in part on a second subset of the set of data, the one or more operations based at least in part on a search in one or more data store locations for data matching at least part of the set of data, the one or more data store locations based at least in part on the metadata item associated with one or more data access events, the one or more operations depending at least in part on an evaluation of one or more data access rules, the one or more data access rules provided by a policy system.
Dependent claims: 16, 17, 18, 19, 20, 21.
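The pipeline the independent claims describe (notification from the plugin, event object with metadata, policy-gated log entry, correlation with other system log entries, confidence value, data store search keyed on the metadata, and mitigation chosen from confidence and sensitivity), as an added illustration that is not the patent's own code. The field names, the policy rule, the correlation key (same host and user), the confidence formula and the thresholds are all assumptions made for this example; the notification, system log and store contents are constructed sample data.

```python
# Added example, not the patent's own code: one run of the claimed pipeline.
# Field names, policy, correlation key, confidence formula and thresholds are
# assumptions; the notification, system log and store contents are constructed.
from dataclasses import dataclass, field
# Constructed sample notification from the data access detection plugin.
NOTIFICATION = {"app": "exporter", "user": "u42", "host": "h7",
                "data": ["4111111111111111", "ann@corp.test"],
                "sensitivity": 3, "dest": "s3://bucket/exports/"}
# Constructed computer system log and data store contents keyed by location.
SYSTEM_LOG = [
    {"host": "h7", "user": "u42", "kind": "new_process", "detail": "curl"},
    {"host": "h7", "user": "u42", "kind": "outbound_conn", "detail": "203.0.113.9:443"},
    {"host": "h2", "user": "u9", "kind": "login", "detail": "console"},
]
STORES = {"s3://bucket/exports/": ["report.csv: 4111111111111111,2024-01-02"]}

@dataclass
class DataEvent:                    # the "data event object" of claim 1
    app: str
    user: str
    host: str
    data: list
    sensitivity: int
    meta: dict = field(default_factory=dict)   # metadata items from the notification

def create_event(n):
    return DataEvent(n["app"], n["user"], n["host"], n["data"], n["sensitivity"], {"dest": n["dest"]})
def policy_allows_log(ev):          # policy service: only log sufficiently sensitive access
    return ev.sensitivity >= 2
def correlate(ev, log):             # similar characteristic: same host and same user
    return [e for e in log if e["host"] == ev.host and e["user"] == ev.user]
def confidence(correlated):         # more correlated entries -> higher confidence, capped at 1.0
    return round(min(1.0, 0.3 + 0.3 * len(correlated)), 2)
def search_store(location, data):   # data store location is taken from the event metadata
    return [row for row in STORES.get(location, []) if any(d in row for d in data)]
def mitigate(conf, sensitivity):    # operations chosen from confidence and data sensitivity
    if conf >= 0.8 and sensitivity >= 3:
        return ["revoke_app_credentials", "quarantine_store_object"]
    return ["alert_security_team"] if conf >= 0.5 else []

def process(notification, log=SYSTEM_LOG):
    """Return the data log entry written for this notification, or a not-logged marker."""
    ev = create_event(notification)
    if not policy_allows_log(ev):
        return {"logged": False, "operations": []}
    corr = correlate(ev, log)
    conf = confidence(corr)
    found = search_store(ev.meta["dest"], ev.data)      # subset of sensitive data located?
    ops = mitigate(conf, ev.sensitivity) if found else []
    return {"logged": True, "correlated": len(corr), "confidence": conf, "found": found, "operations": ops}
```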