Cloud based systems and methods for determining security risks of users and groups

US 10,142,362 B2
Filed: 06/02/2016
Issued: 11/27/2018
Est. Priority Date: 06/02/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

monitoring and managing, by one or more servers in a cloud-based security system, entities comprising users or groups of users via an in-line manner where the entities connect to the Internet through the cloud-based security system and where the cloud-based security system is external from the entities and associated enterprise networks, wherein the in-line manner comprises traffic between an entity and the Internet being processed through the cloud-based security system;

maintaining logs of transactions monitored through the cloud-based security system via the in-line manner;

obtaining a plurality of attributes from the transactions while excluding impossible comparison items from the transactions;

performing empirical scoring on normalizing the plurality of attributes for ranking risky entities, wherein the empirical scoring comprises categorizing violations detected via the in-line manner and based on security policy into categories and applying modifiable weightings thereto and determining a risk score as a weighted combination of normalized scores for each of the categories, wherein the categories are related to infections, malware, and suspicious behavior, wherein the weighted combination includes weights for severity of the categories and for length of time of infection of each category;

identifying the risky entities based on one of the empirical scoring and analytics; and

updating policies and/or monitoring for the risky entities in the cloud-based security system based on the identifying, wherein the updated policies adjust what functionality the risky entities are allowed to perform on the Internet enforced via the in-line manner by the cloud-based security system, and wherein the updated monitoring intensifies the monitoring via the cloud-based security system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and method are implemented by one or more servers associated with a cloud-based security system, for determining security risks of entities including users or groups of users associated with the cloud-based security system and optimizing remediation based thereon. The method includes maintaining logs of transactions through the cloud-based security system; obtaining a plurality of attributes from the transactions while excluding impossible comparison items from the transactions; performing empirical scoring on normalizing the plurality of attributes for ranking risky entities; identifying the risky entities based on one of the empirical scoring and analytics; and updating policies and/or monitoring in the cloud-based system based on the identifying. The cloud-based security system is multi-tenant system supporting a plurality of users, companies, and/or enterprises and the empirical scoring provides a deterministic comparison between the plurality of users, companies, and/or enterprises in the multi-tenant system.

63 Citations

View as Search Results

13 Claims

1. A method comprising:
- monitoring and managing, by one or more servers in a cloud-based security system, entities comprising users or groups of users via an in-line manner where the entities connect to the Internet through the cloud-based security system and where the cloud-based security system is external from the entities and associated enterprise networks, wherein the in-line manner comprises traffic between an entity and the Internet being processed through the cloud-based security system;
  
  maintaining logs of transactions monitored through the cloud-based security system via the in-line manner;
  
  obtaining a plurality of attributes from the transactions while excluding impossible comparison items from the transactions;
  
  performing empirical scoring on normalizing the plurality of attributes for ranking risky entities, wherein the empirical scoring comprises categorizing violations detected via the in-line manner and based on security policy into categories and applying modifiable weightings thereto and determining a risk score as a weighted combination of normalized scores for each of the categories, wherein the categories are related to infections, malware, and suspicious behavior, wherein the weighted combination includes weights for severity of the categories and for length of time of infection of each category;
  
  identifying the risky entities based on one of the empirical scoring and analytics; and
  
  updating policies and/or monitoring for the risky entities in the cloud-based security system based on the identifying, wherein the updated policies adjust what functionality the risky entities are allowed to perform on the Internet enforced via the in-line manner by the cloud-based security system, and wherein the updated monitoring intensifies the monitoring via the cloud-based security system.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the cloud-based security system is multi-tenant system supporting a plurality of users, companies, and/or enterprises and the empirical scoring provides a deterministic comparison between the plurality of users, companies, and/or enterprises in the multi-tenant system.
  - 3. The method of claim 1, wherein the plurality of attributes comprises primary attributes and secondary attributes, wherein the primary attributes define a transaction with a subject, a user, and a type of threat, and wherein the secondary attributes comprise insights based on parsing the transactions.
  - 4. The method of claim 1, wherein the empirical scoring comprises adjusting raw empirical scoring in a time period based on minimum values, maximum values, and a plurality of quantiles.
  - 5. The method of claim 1, wherein the categories comprise infected, malware, and suspicious and the modifiable weightings are applied such that infected is higher than malware which is higher than suspicious.

6. A cloud-based security system comprising:
- one or more cloud nodes comprising a hardware server each comprising memory storing instructions adapted to monitor and manage entities comprising users or groups of users for security threats and maintain logs of transactions through the cloud-based security system, wherein the entities are monitored via an in-line manner where the entities connect to the Internet through the cloud-based security system and where the cloud-based security system is external from the entities and associated enterprise networks, wherein the in-line manner comprises traffic between an entity and the Internet being processed through the cloud-based security system; and
  
  one or more hardware servers each comprising memory storing instructions that, when executed, cause a processor to;
  
  maintain logs of transactions monitored through the cloud-based security system via the in-line manner;
  
  obtain a plurality of attributes from the transactions while excluding impossible comparison items from the transactions;
  
  perform empirical scoring on normalizing the plurality of attributes for ranking risky entities, wherein the empirical scoring comprises categorizing violations detected via the in-line manner and based on security policy into categories and applying modifiable weightings thereto and determining a risk score as a weighted combination of normalized scores for each of the categories, wherein the categories are related to infections, malware, and suspicious behavior, wherein the weighted combination includes weights for severity of the categories and for length of time of infection of each category;
  
  identify the risky entities based on one of the empirical scoring and analytics; and
  
  update policies and/or monitoring for the risky entities in the one or more cloud nodes based on the risky entities, wherein the updated policies adjust what functionality the risky entities are allowed to perform on the Internet enforced by the cloud-based security system, and wherein the updated monitoring intensifies the monitoring via the cloud-based security system.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The cloud-based security system of claim 6, wherein the cloud-based security system is multi-tenant system supporting a plurality of users, companies, and/or enterprises and the empirical scoring provides a deterministic comparison between the plurality of users, companies, and/or enterprises in the multi-tenant system.
  - 8. The cloud-based security system of claim 6, wherein the plurality of attributes comprises primary attributes and secondary attributes, wherein the primary attributes define a transaction with a subject, a user, and a type of threat, and wherein the secondary attributes comprise insights based on parsing the transactions.
  - 9. The cloud-based security system of claim 6, wherein the empirical scoring comprises adjusting raw empirical scoring in a time period based on minimum values, maximum values, and a plurality of quantiles.
  - 10. The cloud-based security system of claim 6, wherein the categories comprise infected, malware, and suspicious and the modifiable weightings are applied such that infected is higher than malware which is higher than suspicious.

11. A log node in a cloud-based security system comprising:
- a network interface communicatively coupled to one or more nodes in the cloud-based security system, a data store, and a processor communicatively coupled to one another, wherein the cloud-based security system provides monitoring and management of entities comprising users or groups of users via an in-line manner where the entities connect to the Internet through the cloud-based security system and where the cloud-based security system is external from the entities and associated enterprise networks, wherein the in-line manner comprises traffic between an entity and the Internet being processed through the cloud-based security system; and
  
  memory storing computer executable instructions, and in response to execution by the processor, the computer-executable instructions cause the processor to;
  
  maintain logs of transactions monitored through the cloud-based security system via the in-line manner;
  
  obtain a plurality of attributes from the transactions while excluding impossible comparison items from the transactions;
  
  perform empirical scoring on normalizing the plurality of attributes for ranking risky entities, wherein the empirical scoring comprises categorizing violations detected via the in-line manner and based on security policy into categories and applying modifiable weightings thereto and determining a risk score as a weighted combination of normalized scores for each of the categories, wherein the categories are related to infections, malware, and suspicious behavior, wherein the weighted combination includes weights for severity of the categories and for length of time of infection of each category;
  
  identify the risky entities based on one of the empirical scoring and analytics; and
  
  update policies and/or monitoring for the risky entities in the cloud-based security system based on the risky entities, wherein the updated policies adjust what functionality the risky entities are allowed to perform on the Internet enforced by the cloud-based security system, and wherein the updated monitoring intensifies the monitoring via the cloud-based security system.
- View Dependent Claims (12, 13)
- - 12. The log node of claim 11, wherein the cloud-based security system is multi-tenant system supporting a plurality of users, companies, and/or enterprises and the empirical scoring provides a deterministic comparison between the plurality of users, companies, and/or enterprises in the multi-tenant system.
  - 13. The log node of claim 11, wherein the empirical scoring comprises adjusting raw empirical scoring in a time period based on minimum values, maximum values, and a plurality of quantiles.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Zscaler Incorporated
Inventors
Weith, Loren, Desai, Deepen, Sinha, Amit
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Le, Canh

Application Number

US15/171,013
Publication Number

US 20170353483A1
Time in Patent Office

908 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/23   Updating

G06F 16/285   Clustering or classification

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Cloud based systems and methods for determining security risks of users and groups

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

63 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Cloud based systems and methods for determining security risks of users and groups

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links