Firewall techniques for colored objects on endpoints
First Claim
1. A method comprising:
providing an application firewall deployed at a gateway and in communication with an endpoint through a network, the application firewall configured to provide conditional, rule-based access to network resources by an application executing on the endpoint;
labeling data on the endpoint as secure data for type-dependent processing;
monitoring the application executing on the endpoint;
on the endpoint, coloring the application in response to a first observed action that includes an exposure to out-of-network data with a descriptor of a context for the first observed action, the descriptor including one or more attributes selected for a relevance to threat detection;
applying a rule dependent on the descriptor at the endpoint in response to a second observed action of the application to detect a reportable event, the second observed action including a transmission, from the endpoint, of the data labeled as secure data;
communicating the reportable event through the network from the endpoint to the application firewall; and
limiting access by the application through the gateway to a network resource with the application firewall based on the reportable event.
5 Assignments
0 Petitions
Abstract
Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.
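The claim's sequence of steps (label data as secure, monitor the application, color it on exposure to out-of-network data, apply a descriptor-dependent rule when it transmits secure data, report the event, limit access at the gateway) and the abstract's three-tiered descriptor are simulated below in Python. This is an added illustration, not code from the patent or from any product implementing it; the file paths, application names, the rule name, the `external:` destination prefix and the mapping of the abstract's three tiers onto the `Descriptor` fields are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set

SECURE = "secure"   # label from the claim: "labeling data on the endpoint as secure data"
PUBLIC = "public"


@dataclass(frozen=True)
class Descriptor:
    """Context descriptor (the 'color') attached to an application after an observed action.

    The three fields follow the abstract's three-tiered scheme (constructed mapping):
    category (e.g. email), static threat-detection attributes, explicit identification.
    """
    category: str
    attributes: FrozenSet[str]
    identity: str


@dataclass
class ReportableEvent:
    application: str
    rule: str
    data_object: str
    destination: str
    descriptor: Optional[Descriptor]


# A rule sees the application's colors plus the transmission being attempted:
# (colors, label of the data being sent, destination) -> fires?
Rule = Callable[[List[Descriptor], str, str], bool]


def rule_exfil_after_exposure(colors: List[Descriptor], data_label: str, destination: str) -> bool:
    """Fires when an app colored with an out-of-network exposure sends secure data off the endpoint."""
    exposed = any("out-of-network" in c.attributes for c in colors)
    return exposed and data_label == SECURE and destination.startswith("external:")


RULES: Dict[str, Rule] = {"secure-data-after-out-of-network-exposure": rule_exfil_after_exposure}


class ApplicationFirewall:
    """Gateway-side component: grants access until a reportable event arrives for that app."""

    def __init__(self) -> None:
        self.restricted: Dict[str, Set[str]] = {}   # application -> resources now denied
        self.events: List[ReportableEvent] = []

    def report(self, event: ReportableEvent) -> None:
        self.events.append(event)
        self.restricted.setdefault(event.application, set()).add(event.destination)

    def permits(self, application: str, resource: str) -> bool:
        return resource not in self.restricted.get(application, set())


class Endpoint:
    """Endpoint-side labeling, coloring and local rule evaluation; only events cross the network."""

    def __init__(self, firewall: ApplicationFirewall, rules: Dict[str, Rule] = RULES) -> None:
        self.firewall = firewall
        self.rules = rules
        self.data_labels: Dict[str, str] = {}
        self.colors: Dict[str, List[Descriptor]] = {}

    def label_data(self, path: str, label: str) -> None:
        self.data_labels[path] = label

    def observe_exposure(self, app: str, category: str, attributes: Set[str]) -> Descriptor:
        """First observed action: the app touched out-of-network data, so color it."""
        descriptor = Descriptor(category, frozenset(attributes), app)
        self.colors.setdefault(app, []).append(descriptor)
        return descriptor

    def observe_transmission(self, app: str, path: str, destination: str) -> Optional[ReportableEvent]:
        """Second observed action: apply descriptor-dependent rules locally, report the first hit."""
        label = self.data_labels.get(path, PUBLIC)
        colors = self.colors.get(app, [])
        for name, rule in self.rules.items():
            if rule(colors, label, destination):
                event = ReportableEvent(app, name, path, destination, colors[-1] if colors else None)
                self.firewall.report(event)   # the only message sent to the gateway
                return event
        return None


def demo() -> ApplicationFirewall:
    """Constructed scenario: one colored mail client, one uncolored editor, one secure file."""
    fw = ApplicationFirewall()
    ep = Endpoint(fw)
    ep.label_data("/home/alice/payroll.xlsx", SECURE)
    ep.label_data("/home/alice/lunch-menu.txt", PUBLIC)
    # The mail client opens an attachment that came from outside the enterprise network.
    ep.observe_exposure("mailclient", "email", {"out-of-network", "attachment"})
    # Public data leaving the colored app is not reportable.
    ep.observe_transmission("mailclient", "/home/alice/lunch-menu.txt", "external:share.example")
    # Secure data leaving an uncolored app does not match this descriptor-dependent rule.
    ep.observe_transmission("editor", "/home/alice/payroll.xlsx", "external:share.example")
    # Secure data leaving the colored app is reportable and restricts it at the gateway.
    ep.observe_transmission("mailclient", "/home/alice/payroll.xlsx", "external:share.example")
    return fw


if __name__ == "__main__":
    for event in demo().events:
        print(event)
```

The point the simulation makes is the one the abstract stresses: the rule is evaluated on the endpoint against the application's accumulated descriptors, so the gateway only has to act on the compact reportable event rather than inspect every transmission.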
64 Citations
20 Claims
1. A method comprising: (independent claim, text as given under First Claim above; dependent claims 2 through 13)
14. A computer program product comprising a non-transitory computer readable medium bearing computer executable code that, when executing on one or more computing devices, performs the steps of:
providing an application firewall deployed at a gateway and in communication with an endpoint through a network, the application firewall configured to provide conditional, rule-based access to network resources by an application executing on the endpoint;
labeling data on the endpoint as secure data for type-dependent processing;
monitoring the application executing on the endpoint;
on the endpoint, coloring the application in response to a first observed action that includes an exposure to out-of-network data with a descriptor of a context for the first observed action, the descriptor including one or more attributes selected for a relevance to threat detection;
applying a rule dependent on the descriptor at the endpoint in response to a second observed action of the application to detect a reportable event, the second observed action including a transmission, from the endpoint, of the data labeled as secure data;
communicating the reportable event through the network from the endpoint to the application firewall; and
limiting access by the application through the gateway to a network resource with the application firewall based on the reportable event.
(Dependent claims 15 through 19)
20. A system comprising:
an application firewall deployed at a gateway and in communication with an endpoint through a network, the application firewall configured to provide conditional, rule-based access to network resources by applications executing on endpoints in an enterprise; and
an endpoint of the enterprise having a processor and a memory, the memory storing an application executing on the endpoint, and the processor configured to label data on the endpoint as secure data for type-dependent processing, monitor the application executing on the endpoint, to color the application in response to a first observed action that includes an exposure to out-of-network data with a descriptor of a context for the first observed action, the descriptor including one or more attributes selected for a relevance to threat detection, to apply a rule dependent on the descriptor at the endpoint in response to a second observed action of the application to detect a reportable event, the second observed action including a transmission, from the endpoint, of the data labeled as secure data, to communicate the reportable event through the network from the endpoint to the application firewall, and to limit access by the application through the gateway to a network resource with the application firewall based on the reportable event.
Specification