Cloud based systems and methods for determining security risks of users and groups
First Claim
1. A method comprising:
- monitoring and managing, by one or more servers in a cloud-based security system, entities comprising users or groups of users via an in-line manner where the entities connect to the Internet through the cloud-based security system and where the cloud-based security system is external from the entities and associated enterprise networks, wherein the in-line manner comprises traffic between an entity and the Internet being processed through the cloud-based security system;
- maintaining logs of transactions monitored through the cloud-based security system via the in-line manner;
- obtaining a plurality of attributes from the transactions while excluding impossible comparison items from the transactions;
- performing empirical scoring on normalizing the plurality of attributes for ranking risky entities, wherein the empirical scoring comprises categorizing violations detected via the in-line manner and based on security policy into categories and applying modifiable weightings thereto and determining a risk score as a weighted combination of normalized scores for each of the categories, wherein the categories are related to infections, malware, and suspicious behavior, wherein the weighted combination includes weights for severity of the categories and for length of time of infection of each category;
- identifying the risky entities based on one of the empirical scoring and analytics; and
- updating policies and/or monitoring for the risky entities in the cloud-based security system based on the identifying, wherein the updated policies adjust what functionality the risky entities are allowed to perform on the Internet enforced via the in-line manner by the cloud-based security system, and wherein the updated monitoring intensifies the monitoring via the cloud-based security system.
1 Assignment
0 Petitions
Abstract
Systems and methods are implemented by one or more servers associated with a cloud-based security system, for determining security risks of entities including users or groups of users associated with the cloud-based security system and optimizing remediation based thereon. The method includes maintaining logs of transactions through the cloud-based security system; obtaining a plurality of attributes from the transactions while excluding impossible comparison items from the transactions; performing empirical scoring on normalizing the plurality of attributes for ranking risky entities; identifying the risky entities based on one of the empirical scoring and analytics; and updating policies and/or monitoring in the cloud-based system based on the identifying. The cloud-based security system is a multi-tenant system supporting a plurality of users, companies, and/or enterprises, and the empirical scoring provides a deterministic comparison between the plurality of users, companies, and/or enterprises in the multi-tenant system.
63 Citations
13 Claims
1. A method comprising: (text identical to the First Claim above.) Dependent claims: 2, 3, 4, 5.

6. A cloud-based security system comprising:
- one or more cloud nodes comprising a hardware server each comprising memory storing instructions adapted to monitor and manage entities comprising users or groups of users for security threats and maintain logs of transactions through the cloud-based security system, wherein the entities are monitored via an in-line manner where the entities connect to the Internet through the cloud-based security system and where the cloud-based security system is external from the entities and associated enterprise networks, wherein the in-line manner comprises traffic between an entity and the Internet being processed through the cloud-based security system; and
- one or more hardware servers each comprising memory storing instructions that, when executed, cause a processor to:
  - maintain logs of transactions monitored through the cloud-based security system via the in-line manner;
  - obtain a plurality of attributes from the transactions while excluding impossible comparison items from the transactions;
  - perform empirical scoring on normalizing the plurality of attributes for ranking risky entities, wherein the empirical scoring comprises categorizing violations detected via the in-line manner and based on security policy into categories and applying modifiable weightings thereto and determining a risk score as a weighted combination of normalized scores for each of the categories, wherein the categories are related to infections, malware, and suspicious behavior, wherein the weighted combination includes weights for severity of the categories and for length of time of infection of each category;
  - identify the risky entities based on one of the empirical scoring and analytics; and
  - update policies and/or monitoring for the risky entities in the one or more cloud nodes based on the risky entities, wherein the updated policies adjust what functionality the risky entities are allowed to perform on the Internet enforced by the cloud-based security system, and wherein the updated monitoring intensifies the monitoring via the cloud-based security system.
Dependent claims: 7, 8, 9, 10.

11. A log node in a cloud-based security system comprising:
- a network interface communicatively coupled to one or more nodes in the cloud-based security system, a data store, and a processor communicatively coupled to one another, wherein the cloud-based security system provides monitoring and management of entities comprising users or groups of users via an in-line manner where the entities connect to the Internet through the cloud-based security system and where the cloud-based security system is external from the entities and associated enterprise networks, wherein the in-line manner comprises traffic between an entity and the Internet being processed through the cloud-based security system; and
- memory storing computer-executable instructions, and in response to execution by the processor, the computer-executable instructions cause the processor to:
  - maintain logs of transactions monitored through the cloud-based security system via the in-line manner;
  - obtain a plurality of attributes from the transactions while excluding impossible comparison items from the transactions;
  - perform empirical scoring on normalizing the plurality of attributes for ranking risky entities, wherein the empirical scoring comprises categorizing violations detected via the in-line manner and based on security policy into categories and applying modifiable weightings thereto and determining a risk score as a weighted combination of normalized scores for each of the categories, wherein the categories are related to infections, malware, and suspicious behavior, wherein the weighted combination includes weights for severity of the categories and for length of time of infection of each category;
  - identify the risky entities based on one of the empirical scoring and analytics; and
  - update policies and/or monitoring for the risky entities in the cloud-based security system based on the risky entities, wherein the updated policies adjust what functionality the risky entities are allowed to perform on the Internet enforced by the cloud-based security system, and wherein the updated monitoring intensifies the monitoring via the cloud-based security system.
Dependent claims: 12, 13.
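The empirical scoring recited in the independent claims (violations categorized as infections, malware, or suspicious behavior; modifiable severity weights; a duration weight for how long an infection persisted; per-category normalization across entities; ranking; and a policy or monitoring update), shown as an added Python example that is not part of the patent text or of any implementation by the assignee. The category weights, the 30-day duration cap, the action thresholds, the constructed log, and the reading of "impossible comparison items" as a category no monitored entity has violated are all assumptions of this example.

```python
from collections import defaultdict

# Categories from the claim with modifiable severity weights (values are assumptions).
CATEGORY_WEIGHT = {"infection": 1.0, "malware": 0.8, "suspicious": 0.5}
MAX_DAYS = 30  # an infection this old or older gets the full duration weight (assumption)

# Constructed in-line transaction log: (entity, category, severity 1-5, days_infected).
# A clean transaction has category None; it still registers the entity as monitored.
LOG = [
    ("alice", "infection", 4, 12),
    ("alice", "suspicious", 2, 0),
    ("bob", "malware", 5, 2),
    ("bob", "malware", 3, 2),
    ("carol", "suspicious", 1, 0),
    ("dave", None, 0, 0),
]

def raw_scores(log):
    """Per entity and category: sum of severity scaled by how long the infection persisted."""
    raw = defaultdict(dict)
    for entity, category, severity, days in log:
        raw[entity]  # register the entity even if this transaction carried no violation
        if category is None:
            continue
        duration_weight = 1.0 + min(days, MAX_DAYS) / MAX_DAYS  # 1.0 (new) .. 2.0 (30+ days)
        raw[entity][category] = raw[entity].get(category, 0.0) + severity * duration_weight
    return dict(raw)

def normalize(raw):
    """Scale each category to [0, 1] across all entities so tenants compare deterministically.
    A category nobody violated (maximum 0) cannot be compared and is dropped (assumption)."""
    maxima = {c: max((raw[e].get(c, 0.0) for e in raw), default=0.0) for c in CATEGORY_WEIGHT}
    usable = [c for c, m in maxima.items() if m > 0]
    return {e: {c: raw[e].get(c, 0.0) / maxima[c] for c in usable} for e in raw}

def risk_scores(log):
    """Risk score = weighted combination of the normalized category scores."""
    norm = normalize(raw_scores(log))
    return {e: sum(CATEGORY_WEIGHT[c] * v for c, v in cats.items()) for e, cats in norm.items()}

def rank_entities(log):
    scores = risk_scores(log)  # riskiest first; ties broken by name for reproducibility
    return sorted(scores, key=lambda e: (-scores[e], e))

def policy_action(score, restrict_at=1.0, watch_at=0.5):
    """Map a score to the claim's responses; the thresholds are assumptions."""
    if score >= restrict_at:
        return "restrict"  # adjust what the entity may do on the Internet, and watch it closer
    if score >= watch_at:
        return "intensify_monitoring"
    return "no_change"
```

Because every category is scaled by the maximum seen across all monitored entities, the same log always yields the same ordering, which is the deterministic cross-tenant comparison the abstract describes.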
Specification