Information security implementations with extended capabilities

US 10,462,165 B1
Filed: 12/10/2014
Issued: 10/29/2019
Est. Priority Date: 03/12/2010
Status: Active Grant

First Claim

Patent Images

1. A security system comprising:

at least one central server coupled to a plurality of client computers and configured to;

provide configuration data to each of the plurality of client computers, the configuration data including parameters that define criteria for identifying sensitive data and trigger events on the plurality of client computers, the trigger events defined by the configuration data as a function of a sensitivity level of the sensitive data and monitored data communications;

in response to a notification received from one of the plurality of client computers, monitor data communications of the one of the plurality of client computers for sensitive data by reviewing data communications therefrom;

restrict transmission for a subset of the reviewed data communications in response to detecting sensitive data;

receive identified data from applications running on the plurality of client computers and that indicates an access of sensitive data matching the criteria indicated by the configuration data;

in response to the identified data indicating that a first trigger event occurred, determine whether or not the identified data indicates that a second trigger event occurred, wherein the first trigger event includes at least access of an external email address and the second trigger event includes at least use of a cut and paste operation; and

select and perform a security action based on the determination of the occurrence of the first and second trigger events, an association between the first and second trigger events, and a risk-level based on the association of the first and second trigger events.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, devices or methods provide for control of sensitive data in a computer system that includes at least one central server communicatively-coupled to a plurality of client computers. A particular method relates to the execution of software code on the at least one central server to monitor data communications of the plurality of client computers for sensitive data. A subset of the data communications is restricted when sensitive data is detected. Configuration data is provided to each of the plurality of client computers. Software code is executed on each of the plurality of client computers to detect accesses to sensitive data by one or more applications running on a client computer. Actions of the one or more applications running on a client computer are monitored to determine whether or not a trigger event has occurred. In response to determining that the trigger event has occurred, a notification is sent.

Citations

21 Claims

1. A security system comprising:
- at least one central server coupled to a plurality of client computers and configured to;
  
  provide configuration data to each of the plurality of client computers, the configuration data including parameters that define criteria for identifying sensitive data and trigger events on the plurality of client computers, the trigger events defined by the configuration data as a function of a sensitivity level of the sensitive data and monitored data communications;
  
  in response to a notification received from one of the plurality of client computers, monitor data communications of the one of the plurality of client computers for sensitive data by reviewing data communications therefrom;
  
  restrict transmission for a subset of the reviewed data communications in response to detecting sensitive data;
  
  receive identified data from applications running on the plurality of client computers and that indicates an access of sensitive data matching the criteria indicated by the configuration data;
  
  in response to the identified data indicating that a first trigger event occurred, determine whether or not the identified data indicates that a second trigger event occurred, wherein the first trigger event includes at least access of an external email address and the second trigger event includes at least use of a cut and paste operation; and
  
  select and perform a security action based on the determination of the occurrence of the first and second trigger events, an association between the first and second trigger events, and a risk-level based on the association of the first and second trigger events.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein the central server is configured to use known sets of sensitive and non-sensitive data to apply a learning algorithm that defines parameters for detecting sensitive data.
  - 3. The system of claim 1, wherein the central server is configured to receive the configuration data as part of a viral definitions file that identifies both sensitive data and potential viruses.
  - 4. The system of claim 1, wherein the central server is configured to scan content of directories designated as secure and to identify sensitive data according to results of the scan, and wherein the sensitive data is encrypted according to different levels of protection as a function of trigger events, a type of portable medium to which the sensitive data is saved, and the sensitivity level of the data.
  - 5. The system of claim 1, wherein:
    - the identified data includes a first data file associated with a low risk-level and a second data file associated with a high risk-level; and
      
      the central server is configured and arranged to generate a report documenting high-risk events for further review via at least one of the plurality of client computers.
  - 6. The system of claim 5, wherein the first and second trigger events each include one or more of sending data to email groups, uploading files to remote locations, editing sensitive data, attempts to access restricted data storage locations, inclusion of internal links within external communications, cut-and-paste with sensitive data in an active window and print screen;
    - wherein the association between the first trigger event and the second trigger event is provided from one of a plurality of event relationships that define how the system responds with the security action; and
      
      wherein the at least one central server is configured to adjust the trigger events and responses thereto based on input received from the one or more client computers.
  - 7. The system of claim 5, wherein:
    - the plurality of client computers are configured to detect accesses to sensitive data by applications running on the plurality of client computers; and
      
      the central server is configured and arranged to receive from at least one of the plurality of client computers, input customizing content of reports to be provided to the plurality of client computers.
  - 8. The system of claim 1, wherein the system is configured to categorize the sensitivity level of data according to a creator and a user of the data.
  - 9. The system of claim 8, wherein the sensitivity level of the data is in response to a level of secure access afforded to the creator and the user of the data.
  - 10. The system of claim 8, wherein the plurality of client computers are configured to tag transmitted data, in response to the transmitted data including sensitive data, and wherein the at least one central server is configured to select from a plurality of scan levels in response to the tag data.
  - 11. The system of claim 1, further including a security database configured as a reference for storing and identifying sensitive data, wherein the database includes keywords, locations, document types, specific content and heuristic signatures arranged for access by the system to assess and determine a risk level.
  - 12. The system of claim 1, when the at least one central server is further configured to verify correct operation of security software on at least one client computer of the plurality of client computers by:
    - performing actions to trigger a test trigger event at the at least one client computer; and
      
      determining whether the at least one client computer transmits a notification indicating the test trigger event has occurred.
  - 13. The system of claim 1, wherein the central server is configured to:
    - determine that the second trigger event occurred at a time of the first trigger event;
      
      determine that the first trigger event and the second trigger event are associated with one another in a trigger-event web that defines relationships between the trigger events and risk-levels of associated trigger events; and
      
      select the security action based on a determination that the first trigger event and the second trigger event are associated with one another in a trigger-event web.

14. A method for control of sensitive data in a computer system that includes at least one central server communicatively-coupled to a plurality of client computers, the method comprising:
- receiving, from the least one central server, configuration data that specifies characteristics for both nefarious software code and sensitive data;
  
  scanning, using a viral security program residing on a particular client computer of the plurality of client computers, file locations according to the characteristics specified by the configuration data;
  
  identifying, based upon results of the scanning, file locations containing sensitive data;
  
  in response to identifying the file locations, encapsulating data packets associated with the files stored in the file locations containing sensitive data to include tag data indicating a risk-level for the data packets;
  
  detecting in the encapsulated data packets, a first trigger event that is associated with access to the sensitive data by one or more applications running on the particular client computer, wherein the first trigger event includes at least access of an external email address, and detecting occurrence of a second trigger event including at least use of a cut and paste operation; and
  
  transmitting, in response to detecting the first and second trigger events, a notification to the at least one central server.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The method of claim 14, wherein the configuration data includes a trigger-event web that includes a plurality of events and interconnections that define the first and second trigger events, and wherein the specified characteristics are determined from one of the following:
    - a keyword, a location, a document type, specific content, and a heuristic signature.
  - 16. The method of claim 15, wherein the detecting is further in response to detecting multiple events from the plurality of events and an interconnection between the multiple events.
  - 17. The method of claim 14, further comprising tagging screenshot data to indicate a list of programs that were active at a time the screenshot was taken, wherein scanning file locations according to the characteristics includes determining a particular file location associated with the configuration data, and determining whether the particular file location corresponds to a file location storing sensitive data.
  - 18. The method of claim 14, wherein at least one of the first trigger event and the second trigger event includes sending sensitive data to a social network, and wherein the method further comprises logging the trigger event.
  - 19. The method of claim 14, further comprising encapsulating, in response to the detecting the first trigger event or the second trigger event, an encrypted file to include data specifying a location of an unencrypted copy of the encrypted file.
  - 20. The method of claim 14, further comprising:
    - detecting access to sensitive data by a particular application;
      
      monitoring, in response to the detecting access, a sequence of subsequent data accesses by the particular application; and
      
      storing the sequence of subsequent data accesses for review by the at least one central server.
  - 21. The method of claim 20, further comprising adding a tag, that specifies a risk level, to data corresponding to the sequence of subsequent data accesses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
8X8, Inc.
Original Assignee
8X8, Inc.
Inventors
Salour, Mehdi
Primary Examiner(s)
King, John B
Assistant Examiner(s)
Amorin, Carlos E

Application Number

US14/566,172
Time in Patent Office

1,784 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3006   where the computing system ...

G06F 11/3041   where the computing system ...

G06F 11/3072   where the reporting involve...

G06F 21/60   Protecting data

G06F 21/6245   Protecting personal data, e...

H04L 63/1425   Traffic logging, e.g. anoma...

Information security implementations with extended capabilities

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Information security implementations with extended capabilities

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links