Method for enforcing endpoint health standards

US 10,542,030 B2
Filed: 02/14/2018
Issued: 01/21/2020
Est. Priority Date: 06/01/2015
Status: Active Grant

First Claim

Patent Images

1. A method of securing a network from one or more vulnerabilities endpoints, the method comprising:

implementing, by an administrator of a network, a login web application that collects authentication credentials for accessing the network by an agent-less endpoint device;

implementing, by a security service provider distinct from the administrator of the network, a remote server for securing the network, the remote server of the security service provider hosts an interrogating inline frame that automatically integrates with the login web application of the administrator of the network based on an access attempt to the network by the agent-less endpoint device,wherein the automatic integration of the interrogating inline frame with the login web application occurs without requiring backend service integration of the interrogating inline frame with the login web application of the administrator;

implementing the interrogating inline frame that is operably integrated within the login web application that enables access to the network with successful login credentials from a user, wherein the interrogating inline frame comprises (i) a first inline frame that collects endpoint health data and that is integrated together with (ii) a second inline frame that enables a multi-factor authentication to the network, wherein implementing the interrogating inline frame includes;

(a) collecting with the second inline frame multifactor authentication data distinct from the login credentials from the user of the endpoint user device,(b) simultaneously, with the collection using the second inline frame, collecting with the first inline frame (b-i) a first set of data and (b-ii) a second set of data distinct from the login credentials, wherein the first set of data relates to web browser identification data of the web browser operated by the endpoint user device and the second set of data relates to endpoint device data relating to one or more attributes of an agent-less endpoint user device attempting to access the network;

interrogating by the interrogating inline frame the agent-less endpoint user device that is operating the web browser;

collecting by the interrogating inline frame responses to the interrogation, wherein the responses comprises the second set of data that includes the endpoint device data of the agent-less endpoint user device;

generating an endpoint security assessment of the agent-less endpoint user device and the web browser based on an evaluation of the collected web browser identification data and the collected endpoint device data against one or more predetermined endpoint health requirements of the network;

enabling the agent-less endpoint user device to successfully login to the network when the endpoint security assessment of the agent-less endpoint user device and the web browser satisfy the one or more predetermined endpoint health requirements of the network,ordisabling the agent-less endpoint user device from accessing the network when the endpoint security assessment of the agent-less endpoint user device and the web browser do not satisfy the one or more predetermined endpoint health requirements of the network.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach for enforcing standards regarding security vulnerabilities for an endpoint user device associated with a user includes collecting, at an inline frame implemented with a web application, endpoint health data of the endpoint user device in response to the user interfacing with the web application through the endpoint user device, generating endpoint health intelligence from the endpoint health data, the endpoint health intelligence indicating endpoint security health of the endpoint user device, generating a first endpoint health notification comprising the endpoint health intelligence, and notifying an administrator of network with the first endpoint health notification.

302 Citations

18 Claims

1. A method of securing a network from one or more vulnerabilities endpoints, the method comprising:
- implementing, by an administrator of a network, a login web application that collects authentication credentials for accessing the network by an agent-less endpoint device;
  
  implementing, by a security service provider distinct from the administrator of the network, a remote server for securing the network, the remote server of the security service provider hosts an interrogating inline frame that automatically integrates with the login web application of the administrator of the network based on an access attempt to the network by the agent-less endpoint device,wherein the automatic integration of the interrogating inline frame with the login web application occurs without requiring backend service integration of the interrogating inline frame with the login web application of the administrator;
  
  implementing the interrogating inline frame that is operably integrated within the login web application that enables access to the network with successful login credentials from a user, wherein the interrogating inline frame comprises (i) a first inline frame that collects endpoint health data and that is integrated together with (ii) a second inline frame that enables a multi-factor authentication to the network, wherein implementing the interrogating inline frame includes;
  
  (a) collecting with the second inline frame multifactor authentication data distinct from the login credentials from the user of the endpoint user device,(b) simultaneously, with the collection using the second inline frame, collecting with the first inline frame (b-i) a first set of data and (b-ii) a second set of data distinct from the login credentials, wherein the first set of data relates to web browser identification data of the web browser operated by the endpoint user device and the second set of data relates to endpoint device data relating to one or more attributes of an agent-less endpoint user device attempting to access the network;
  
  interrogating by the interrogating inline frame the agent-less endpoint user device that is operating the web browser;
  
  collecting by the interrogating inline frame responses to the interrogation, wherein the responses comprises the second set of data that includes the endpoint device data of the agent-less endpoint user device;
  
  generating an endpoint security assessment of the agent-less endpoint user device and the web browser based on an evaluation of the collected web browser identification data and the collected endpoint device data against one or more predetermined endpoint health requirements of the network;
  
  enabling the agent-less endpoint user device to successfully login to the network when the endpoint security assessment of the agent-less endpoint user device and the web browser satisfy the one or more predetermined endpoint health requirements of the network,ordisabling the agent-less endpoint user device from accessing the network when the endpoint security assessment of the agent-less endpoint user device and the web browser do not satisfy the one or more predetermined endpoint health requirements of the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein:
    - interrogating by the interrogating inline frame the agent-less endpoint user device that is operating the web browser includes interrogating one or more client-side programs operating on the agent-less endpoint user device; and
      
      collecting by the interrogating inline frame responses to the interrogation includes collecting responses from the one or more client-side programs operating on the agent-less endpoint user device.
  - 3. The method of claim 1, wherein:
    - interrogating by the interrogating inline frame the agent-less endpoint user device that is operating the web browser includes interrogating the agent-less endpoint user device to determine endpoint configuration data comprising one or more of client TCP/IP configuration data, client operating system, client wireless settings, client hardware clock skew, and client MAC address of the agent-less endpoint user device; and
      
      collecting by the interrogating inline frame responses to the interrogation includes collecting endpoint configuration data of the agent-less endpoint user device.
  - 4. The method of claim 1, wherein:
    - interrogating by the interrogating inline frame the agent-less endpoint user device that is operating the web browser includes transmitting from the interrogating inline frame one or more probes to the agent-less endpoint user device; and
      
      collecting by the interrogating inline frame responses to the interrogation includes collecting responses to the one or more probes.
  - 5. The method of claim 1, wherein:
    - the agent-less user endpoint device comprises a user endpoint device without a host agent of the network installed on the user endpoint device.
  - 6. The method of claim 1, wherein:
    - the agent-less user endpoint device comprises a user endpoint device that is unmanaged by the network.
  - 7. The method of claim 1, wherein:
    - collecting the web browser identification data from the web browser includes collecting HTTP user-agent header data comprising a browser version number data and a browser type data.
  - 8. The method of claim 1, wherein:
    - the login web application enables access via virtual private network access to the network when authentication credentials via the login web application are successful and the endpoint security assessment of the agent-less endpoint user device and the web browser satisfy the predetermined endpoint health requirements of the network.
  - 9. The method of claim 1, further comprising:
    - interrogating by the interrogating inline frame the web browser operated by the agent-less endpoint user device; and
      
      collecting by the interrogating inline frame responses to the interrogation of the web browser, wherein the responses comprise a third set of data that includes endpoint browser data of the web browser.
  - 10. The method of claim 9, wherein:
    - interrogating by the interrogating inline frame the web browser includes interrogating one or more software applications installed in the web browser; and
      
      collecting by the interrogating inline frame responses to the interrogation of the web browser includes collecting responses from the one or more software applications installed in the web browser.
  - 11. The method of claim 1, wherein:
    - the interrogation by the interrogating inline frame of the agent-less endpoint user device is performed during an authentication attempt by the user of the agent-less endpoint user device through the login web application.
  - 12. The method of claim 1, further comprising:
    - setting a network access policy that enables the user of the agent-less endpoint user device to access the network for a restricted period when one or more aspects of the endpoint security assessment of the agent-less endpoint user device and the web browser does not satisfy one or more of the predetermined endpoint health requirements of the network.
  - 13. The method of claim 1, further comprising:
    - setting a network access policy that enables the user of the agent-less endpoint user device to access the network for a restricted number of times when one or more aspects of the endpoint security assessment of the agent-less endpoint user device and the web browser does not satisfy one or more of the predetermined endpoint health requirements of the network.
  - 14. The method of claim 1, further comprising:
    - implementing a first network access policy for accessing the network based on detecting that the agent-less endpoint user device;
      
      after installing a host agent onto the agent-less endpoint user device, implementing a second network access policy for accessing the network, wherein the second network access policy is less restrictive than the first network access policy.

15. A method of securing a network from agent-less endpoints, the method comprising:
- implementing, by an administrator of a network, a web application that collects login credentials for accessing the network by an agent-less endpoint device;
  
  implementing, by a security service provider distinct from the administrator of the network, a remote server for securing the network, the remote server of the security service provider hosts an inline frame that automatically integrates with the web application of the administrator of the network based on an access attempt to the network by the agent-less endpoint device,wherein the automatic integration of the inline frame with the web application occurs without requiring backend service integration of the inline frame with the web application of the administrator, wherein the inline frame comprises (i) a first inline frame that collects endpoint health data and that is integrated together with (ii) a second inline frame that enables a multi-factor authentication to the network, wherein implementing the inline frame includes;
  
  (a) collecting with the second inline frame multifactor authentication data distinct from the login credentials from the user of the endpoint user device,(b) simultaneously, with the collection using the second inline frame, collecting with the first inline frame (b-i) a first set of data and (b-ii) a second set of data distinct from the login credentials, wherein the first set of data relates to web browser identification data of the web browser operated by the endpoint user device and the second set of data relates to endpoint device data relating to one or more attributes of an agent-less endpoint user device attempting to access the network;
  
  generating an endpoint security assessment of the agent-less endpoint user device and the web browser based on an evaluation of the collected web browser identification data and the collected endpoint device data against predetermined endpoint health requirements of the network;
  
  enabling the agent-less endpoint user device to successfully login to the network via the web application when the endpoint security assessment of the agent-less endpoint user device and the web browser satisfy the predetermined endpoint health requirements of the network,ordisabling the agent-less endpoint user device from accessing the network via the web application when the endpoint security assessment of the agent-less endpoint user device and the web browser do not satisfy the predetermined endpoint health requirements of the network.
- View Dependent Claims (16)
- - 16. The method of claim 15, wherein:
    - the interrogation by the inline frame of the agent-less endpoint user device and the agent-less endpoint web browser is performed during an access attempt by the user of the agent-less endpoint user device through the login web application.

17. A system for securing a network from vulnerable endpoints, the system comprising:
- a web application server implemented by an administrator of a network that deploys a login web application that enables access to the network with successful login credentials from a user;
  
  an endpoint health computing server implemented by a remote server of a security service provider distinct from the administrator of the network, the remote server of the security service provider hosts an interrogating inline frame that automatically integrates with the login web application of the administrator of the network based on an access attempt to the network by the agent-less endpoint device, wherein the automatic integration of the interrogating inline frame with the login web application occurs without requiring backend service integration of the interrogating inline frame with the login web application of the administrator,the endpoint health computing server comprising a non-transitory computer-readable medium storing instructions that, when executed by one or more computer processors, perform steps of;
  
  implementing the interrogating inline frame that is operably integrated within a login web application that enables access to the network with successful login credentials from a user, wherein the interrogating inline frame comprises (i) a first inline frame that collects endpoint health data and that is integrated together with (ii) a second inline frame that enables a multi-factor authentication to the network, wherein implementing the interrogating inline frame includes;
  
  (a) collecting with the second inline frame multifactor authentication data distinct from the login credentials from the user of the endpoint user device,(b) simultaneously, with the collection using the second inline frame, collecting with the first inline frame (b-i) a first set of data and (b-ii) a second set of data distinct from the login credentials, wherein the first set of data relates to web browser identification data of the web browser operated by the endpoint user device and the second set of data relates to endpoint device data relating to one or more attributes of an agent-less endpoint user device attempting to access the network;
  
  generating an endpoint security assessment of the agent-less endpoint user device and the web browser based on an evaluation of the collected web browser identification data and the collected endpoint device data against one or more predetermined endpoint health requirements of the network;
  
  enabling the agent-less endpoint user device to successfully login to the network via the login web application when the endpoint security assessment of the agent-less endpoint user device and the web browser satisfy the one or more predetermined endpoint health requirements of the network,ordisabling the agent-less endpoint user device from accessing the network via the login web application when the endpoint security assessment of the agent-less endpoint user device and the web browser do not satisfy the one or more predetermined endpoint health requirements of the network.
- View Dependent Claims (18)
- - 18. The system of claim 17, wherein:
    - the interrogation by the interrogating inline frame of the agent-less endpoint user device is performed during an authentication attempt by the user of the agent-less endpoint user device through the login web application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Duo Security Incorporated (Cisco Systems, Inc.)
Inventors
Oberheide, Jon, Song, Douglas
Primary Examiner(s)
Lesniewski, Victor

Application Number

US15/896,382
Publication Number

US 20180173881A1
Time in Patent Office

706 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 2463/082   applying multi-factor authe...

H04L 63/08   for authentication of entit...

H04L 63/1433   Vulnerability analysis

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

Method for enforcing endpoint health standards

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

302 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method for enforcing endpoint health standards

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

302 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links