Just-in-time encryption

US 10,628,597 B2
Filed: 04/14/2016
Issued: 04/21/2020
Est. Priority Date: 04/14/2016
Status: Active Grant

First Claim

Patent Images

1. A computer program product for just-in-time encryption of files detected on an endpoint, the computer program product comprising computer executable code embodied in a nontransitory computer readable medium that, when executing on one or more computing devices, performs the steps of:

adding a file system extension to the endpoint, the file system extension providing use of a key to access files whenever a security state of the endpoint is not compromised and withholding use of the key whenever the security state of the endpoint is compromised;

for a plurality of unsecure files existing on the endpoint, initializing encryption of the plurality of unsecure files with a background process using the key when the file system extension is added to the endpoint to provide a plurality of encrypted files;

monitoring the security state of the endpoint;

providing access to the plurality of encrypted files by a process other than the background process executing on the endpoint using the file system extension;

detecting an access, by the process, to a new file not yet encrypted by the background process with the key for secure use on the endpoint;

if the security state of the endpoint is not compromised, encrypting the new file with the background process using the key immediately upon detecting the access by the process to add the new file the plurality of encrypted files; and

if the security state of the endpoint is compromised, deleting the key from the endpoint to prevent access by the process to the plurality of encrypted files, initiating a remediation of the endpoint, and in response to successful remediation of the endpoint, recovering the key to the endpoint from a remote key management system.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

On an endpoint that encrypts local files to protect against data leakage and other harmful malware events, newly detected files are dynamically encrypted when they are detected as long as the endpoint is not compromised. If a compromised state is detected, the newly detected file will not be added to the encrypted files until the endpoint can be remediated and the compromised state resolved.

Citations

14 Claims

1. A computer program product for just-in-time encryption of files detected on an endpoint, the computer program product comprising computer executable code embodied in a nontransitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- adding a file system extension to the endpoint, the file system extension providing use of a key to access files whenever a security state of the endpoint is not compromised and withholding use of the key whenever the security state of the endpoint is compromised;
  
  for a plurality of unsecure files existing on the endpoint, initializing encryption of the plurality of unsecure files with a background process using the key when the file system extension is added to the endpoint to provide a plurality of encrypted files;
  
  monitoring the security state of the endpoint;
  
  providing access to the plurality of encrypted files by a process other than the background process executing on the endpoint using the file system extension;
  
  detecting an access, by the process, to a new file not yet encrypted by the background process with the key for secure use on the endpoint;
  
  if the security state of the endpoint is not compromised, encrypting the new file with the background process using the key immediately upon detecting the access by the process to add the new file the plurality of encrypted files; and
  
  if the security state of the endpoint is compromised, deleting the key from the endpoint to prevent access by the process to the plurality of encrypted files, initiating a remediation of the endpoint, and in response to successful remediation of the endpoint, recovering the key to the endpoint from a remote key management system.

2. A method for just-in-time encryption of files detected on an endpoint, the method comprising:
- adding a file system extension to the endpoint, the file system extension providing use of a key to access files whenever a security state of the endpoint is not compromised and withholding use of the key whenever the security state of the endpoint is compromised;
  
  for a plurality of unsecure files existing on the endpoint, initializing encryption of the plurality of unsecure files with a background process using the key when the file system extension is added to the endpoint to provide a plurality of encrypted files;
  
  monitoring the security state of the endpoint;
  
  providing access to the plurality of encrypted filed by a process other than the background process executing on the endpoint using the file system extension;
  
  detecting an access, by the process, to a new file not yet encrypted by the background process with the key for secure use on the endpoint;
  
  if the security state of the endpoint is not compromised, encrypting the new file with the background process using the key immediately upon detecting the access by the process to add the new file to the plurality of encrypted files; and
  
  if the security state of the endpoint is compromised, deleting the key from the endpoint to prevent access by the process to the plurality of encrypted files, initiating a remediation of the endpoint, and in response to successful remediation of the endpoint, recovering the key to the endpoint from a remote key management system.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 3. The method of claim 2 wherein monitoring the security state includes monitoring the security state with static analysis.
  - 4. The method of claim 2 wherein monitoring the security state includes monitoring the security state with behavioral analysis.
  - 5. The method of claim 2 wherein monitoring the security state includes monitoring an exposure of the process to an unknown data source.
  - 6. The method of claim 2 wherein monitoring the security state of the endpoint includes monitoring the security state of the process executing on the endpoint.
  - 7. The method of claim 2 wherein the key is a symmetric key.
  - 8. The method of claim 2 wherein providing access to the plurality of encrypted files by the process includes decrypting files with the key with a file system filter coupled between the process and a file system of the endpoint.
  - 9. The method of claim 2 wherein providing access to the plurality of encrypted files by the process includes decrypting files with the key at a mount point coupled between the process and a file system of the endpoint.
  - 10. The method of claim 2 wherein monitoring the security state of the endpoint includes remotely monitoring a heartbeat of the endpoint.
  - 11. The method of claim 2 wherein monitoring the security state of the endpoint includes monitoring network traffic originating from the endpoint at a gateway for an enterprise network that includes the endpoint.

12. A system comprising:
- an endpoint;
  
  a first memory on the endpoint storing a key;
  
  a second memory on the endpoint storing a file system extension, the file system extension providing use of the key to access files whenever a security state of the endpoint is not compromised and withholding use of the key whenever the security state of the endpoint is compromised;
  
  a process executing on a processor on the endpoint;
  
  a background process executing on the processor on the endpoint to initially encrypt a plurality of unsecure files existing on the endpoint when the file system extension is added to the endpoint to provide a plurality of encrypted files encrypted by the key and stored in the second memory; and
  
  a security agent executing on the processor, the security agent configured to monitor a security state of the endpoint and to detect a potential security compromise of the endpoint, wherein the processor is configured to detect an access to a new file while the background process is executing to encrypt the plurality of unsecure files, the new file existing on the second memory as one of the plurality of unsecure files prior to initializing encryption of the plurality of unsecure files and not yet encrypted with the key for secure use on the endpoint, if the security state of the endpoint is not compromised, encrypt the new file with the background process using the key immediately upon access by the process to add the new file to the plurality of encrypted files encrypted by the key, and if the security state of the endpoint is compromised, delete the key from the endpoint to prevent access by the process to the plurality of encrypted files, initiate a remediation of the endpoint, and in response to successful remediation of the endpoint, recover the key to the endpoint from a remote key management system.
- View Dependent Claims (13, 14)
- - 13. The system of claim 12 further comprising a remote management facility configured to remotely monitor the security state of the endpoint based on a heartbeat received from the endpoint.
  - 14. The system of claim 12 further comprising an enterprise gateway configured to remotely monitor the security state of the endpoint based on network traffic originating from the endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Berger, Andreas, Schutz, Harald, Ray, Kenneth D., Merry, Anthony John, Gruber, Norbert, Hein, Markus, Wintersberger, Gerald, Wenzel, Artur
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Cohen, Harvey I

Application Number

US15/099,542
Publication Number

US 20170302458A1
Time in Patent Office

1,468 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

G06F 2221/2125   Just-in-time application of...

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3263   involving certificates, e.g...

Just-in-time encryption

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Just-in-time encryption

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links