Cloud based systems and methods for determining and visualizing security risks of companies, users, and groups

US 10,498,605 B2
Filed: 08/08/2017
Issued: 12/03/2019
Est. Priority Date: 06/02/2016
Status: Active Grant

First Claim

Patent Images

1. A method implemented through a distributed security system for determining and addressing risk of users, groups of users, locations, and/or companies, the method comprising:

obtaining log data from the distributed security system, wherein the log data includes, for a plurality of users, threat types and block reasons by the distributed security system;

aggregating the log data to determine threats based on the threat types and block reasons for an entity associated with the distributed security system, wherein the entity comprises one of a user, a group of users, a location, and a company;

categorizing the threats for the entity to map behavior of the entity to pre-infection behavior, post-infection behavior, and suspicious behavior;

analyzing the threats to obtain a risk score for the entity, wherein the risk score is a weighted combination of the pre-infection behavior, the post-infection behavior, and the suspicious behavior;

performing one or more remedial actions for the entity; and

subsequently obtaining updated log data and analyzing the updated log data to obtain an updated risk score to determine efficacy of the one or more remedial actions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and method implemented through a distributed security system for determining and addressing risk of users, groups of users, locations, and/or companies include obtaining log data from the distributed security system; analyzing the log data to obtain a risk score for an entity associated with the distributed security system, wherein the entity comprises one of a user, a group of users, a location, and a company, and wherein the risk score is a weighted combination of pre-infection behavior, post-infection behavior, and suspicious behavior; performing one or more remedial actions for the entity; and subsequently obtaining updated log data and analyzing the updated log data to obtain an updated risk score to determine efficacy of the one or more remedial actions.

Citations

17 Claims

1. A method implemented through a distributed security system for determining and addressing risk of users, groups of users, locations, and/or companies, the method comprising:
- obtaining log data from the distributed security system, wherein the log data includes, for a plurality of users, threat types and block reasons by the distributed security system;
  
  aggregating the log data to determine threats based on the threat types and block reasons for an entity associated with the distributed security system, wherein the entity comprises one of a user, a group of users, a location, and a company;
  
  categorizing the threats for the entity to map behavior of the entity to pre-infection behavior, post-infection behavior, and suspicious behavior;
  
  analyzing the threats to obtain a risk score for the entity, wherein the risk score is a weighted combination of the pre-infection behavior, the post-infection behavior, and the suspicious behavior;
  
  performing one or more remedial actions for the entity; and
  
  subsequently obtaining updated log data and analyzing the updated log data to obtain an updated risk score to determine efficacy of the one or more remedial actions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the plurality of levels of aggregation are each a form of a Structured Query Language (SQL) query on the log data.
  - 3. The method of claim 1, wherein the categorized threats are segmented in the pre-infection behavior, the post-infection behavior, and the suspicious behavior.
  - 4. The method of claim 3, wherein the post-infection behavior is weighted higher than the pre-infection behavior which is weighted higher than the suspicious behavior.
  - 5. The method of claim 1, wherein the entity comprises a company, group, or location and the risk score comprises a combination of risk scores associated with users of the company, group, or location.
  - 6. The method of claim 5, further comprising:
    - comparing the risk score to a plurality of risk scores for other entities; and
      
      performing the one or more remedial actions based on the comparing.
  - 7. The method of claim 1, further comprising:
    - performing one or more additional remedial actions based on the determined efficacy.
  - 8. The method of claim 1, wherein the one or more remedial actions comprise adding or changing services for the entity from the distributed security system.

9. A distributed security system configured to determine and address risk of users, groups of users, locations, and/or companies, the distributed security system comprising:
- one or more cloud nodes configured to monitor for security threats and maintain logs of transactions; and
  
  one or more servers each comprising memory storing instructions that, when executed, cause a processor toobtain log data from the distributed security system, wherein the log data includes, for a plurality of users, threat types and block reasons by the distributed security system;
  
  aggregate the log data to determine threats based on the threat types and block reason for an entity associated with the distributed security system, wherein the entity comprises one of a user, a group of users, a location, and a company;
  
  categorize the threats for the entity to map behavior of the entity to pre-infection behavior, post-infection behavior, and suspicious behavior;
  
  analyze the threats to obtain a risk score for the entity, wherein the risk score is a weighted combination of the pre-infection behavior, the post-infection behavior, and the suspicious behavior;
  
  perform one or more remedial actions for the entity; and
  
  subsequently obtain updated log data and analyzing the updated log data to obtain an updated risk score to determine efficacy of the one or more remedial actions.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The distributed security system of claim 9, wherein the plurality of levels of aggregation are each a form of a Structured Query Language (SQL) query on the log data.
  - 11. The distributed security system of claim 9, wherein the categorized threats are segmented in the pre-infection behavior, the post-infection behavior, and the suspicious behavior.
  - 12. The distributed security system of claim 11, wherein the post-infection behavior is weighted higher than the pre-infection behavior which is weighted higher than the suspicious behavior.
  - 13. The distributed security system of claim 9, wherein the entity comprises a company, group, or location and the risk score comprises a combination of risk scores associated with users of the company, group, or location.
  - 14. The distributed security system of claim 13, wherein the instructions that, when executed, further cause a processor tocompare the risk score to a plurality of risk scores for other entities;
    - andperform the one or more remedial actions based on the comparing.
  - 15. The distributed security system of claim 9, wherein the instructions that, when executed, further cause a processor toperform one or more additional remedial actions based on the determined efficacy.
  - 16. The distributed security system of claim 9, wherein the one or more remedial actions comprise adding or changing services for the entity from the distributed security system.

17. A log node in a distributed system configured to determine and address risk of users, groups of users, locations, and/or companies, the log node comprising:
- a network interface, a data store, and a processor communicatively coupled to one another; and
  
  memory storing computer executable instructions, and in response to execution by the processor, the computer-executable instructions cause the processor toobtain log data from the distributed security system, wherein the log data includes, for a plurality of users, threat types and block reasons by the distributed security system;
  
  aggregate the log data to determine threats based on the threat types and block reason for an entity associated with the distributed security system, wherein the entity comprises one of a user, a group of users, a location, and a company;
  
  categorize the threats for the entity to map behavior of the entity to pre-infection behavior, post-infection behavior, and suspicious behavior;
  
  analyze the threats to obtain a risk score for the entity, wherein the risk score is a weighted combination of the pre-infection behavior, the post-infection behavior, and the suspicious behavior;
  
  cause or suggest performance one or more remedial actions for the entity; and
  
  subsequently obtain updated log data and analyzing the updated log data to obtain an updated risk score to determine efficacy of the one or more remedial actions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Zscaler Incorporated
Inventors
Weith, Loren, Desai, Deepen, Sinha, Amit
Primary Examiner(s)
Zaidi, Syed A

Application Number

US15/672,115
Publication Number

US 20170359220A1
Time in Patent Office

847 Days
Field of Search

726 22
US Class Current
CPC Class Codes

G06F 16/23   Updating

G06F 16/25   Integrating or interfacing ...

G06F 16/285   Clustering or classification

H04L 41/0893   Assignment of logical group...

H04L 63/0227   Filtering policies mail mes...

H04L 63/08   for authentication of entit...

H04L 63/12   Applying verification of th...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Cloud based systems and methods for determining and visualizing security risks of companies, users, and groups

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Cloud based systems and methods for determining and visualizing security risks of companies, users, and groups

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links