Provision and execution of customized security assessments of resources in a virtual computing environment
First Claim
1. A system, comprising:
    an electronic data store storing:
        a security assessment data object containing a plurality of parameter-value pairs; and
        an ingestion function that associates the security assessment data object with sensor results produced by a first sensor and comprising a plurality of data elements, such that each parameter-value pair of the plurality of parameter-value pairs has a corresponding data element of the plurality of data elements; and
    a security assessment system comprising one or more hardware computing devices in communication with the electronic data store and configured to execute specific computer-executable instructions that upon execution cause the security assessment system to:
        receive information describing a first rules package comprising a plurality of rules that evaluate security characteristics of a computing resource, the first rules package being prevented from accessing the sensor results to evaluate the security characteristics, a first rule of the plurality of rules being configured to read instances of the security assessment data object;
        receive a request to perform a security assessment of a first virtual machine instance, the security assessment using the first sensor and the first rules package;
        cause the first sensor to perform a data collection action on the first virtual machine instance to produce the sensor results;
        using the ingestion function, copy the data elements in the sensor data that correspond to the plurality of parameter-value pairs in the security assessment data object into a first instance of the security assessment data object; and
        cause the first rule of the first rules package to be executed against the first instance of the security assessment data object to produce an assessment result.
Abstract
Systems for performing a security assessment of a target computing resource, such as a virtual machine or an instance of a virtual machine, include a security assessment service that enables the use of third-party-authored rules packages in the security assessment. The third-party rules package includes rules that can operate on telemetry and configuration data of the target computing resource, produced by sensors that are native to the computing environment, but the sensor protocols, message format, and sensitive data are not exposed to the rules. An interface, such as an ingest function, may be used to convert telemetry data in the form of sensor messages into assessment data objects. The assessment data objects contain the data elements the rules evaluate, and may also have corresponding retrieval methods that are exposed to the rules; the rules call the retrieval methods to extract parameter-value pairs from the data object.
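The separation the abstract describes (rules operate on an assessment data object populated by an ingest function, never on the raw sensor message) can be shown in miniature. The following is an added example, not code from the patent or any product it covers; the sensor message layout, parameter names, and the two rules are assumptions constructed for illustration.

```python
"""Added example (not the patent's own code): an ingest function that copies only
the data elements matching the assessment data object's declared parameters, and
rules that are executed against that object through its retrieval methods.
All field and parameter names below are assumptions."""
import copy
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

# Constructed sample of raw sensor results. It carries protocol detail and a
# sensitive field that must never be visible to a third-party rule.
RAW_SENSOR_RESULTS: Dict[str, Any] = {
    "sensor": "os-config-agent",
    "protocol_version": "2.1",
    "agent_token": "SECRET-TOKEN-PLACEHOLDER",  # sensitive; not in the schema
    "host": {"os": "linux", "kernel": "5.15.0"},
    "ssh": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"},
    "listening_ports": [22, 80, 3306],
}

# The data object's parameters, each mapped to the path of the corresponding
# data element in the sensor results. Anything not listed here is dropped.
ASSESSMENT_SCHEMA: Dict[str, Tuple[str, ...]] = {
    "os": ("host", "os"),
    "ssh_permit_root_login": ("ssh", "PermitRootLogin"),
    "listening_ports": ("listening_ports",),
}


class AssessmentDataObject:
    """One instance of the data object. Rules see only these retrieval methods."""

    __slots__ = ("_values",)

    def __init__(self, values: Dict[str, Any]) -> None:
        self._values = dict(values)

    def get(self, name: str, default: Any = None) -> Any:
        """Retrieval method exposed to rules: returns a copy of one parameter."""
        return copy.deepcopy(self._values.get(name, default))

    def parameters(self) -> List[str]:
        return sorted(self._values)


def ingest(sensor_results: Dict[str, Any],
           schema: Dict[str, Tuple[str, ...]] = ASSESSMENT_SCHEMA) -> AssessmentDataObject:
    """Copy the data elements named in the schema into a new data object.

    A parameter whose element is absent from the sensor results is omitted,
    so rules must treat a missing parameter as 'not collected', not as 'safe'.
    """
    values: Dict[str, Any] = {}
    for param, path in schema.items():
        node: Any = sensor_results
        for key in path:
            if not isinstance(node, dict) or key not in node:
                node = None
                break
            node = node[key]
        if node is not None:
            values[param] = copy.deepcopy(node)
    return AssessmentDataObject(values)


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    message: str


Rule = Callable[[AssessmentDataObject], List[Finding]]


def rule_root_login(obj: AssessmentDataObject) -> List[Finding]:
    """Assumed rule: flags SSH root login. Reads only the data object."""
    value = obj.get("ssh_permit_root_login")
    if value is None:
        return [Finding("ssh-root-login", "info", "parameter not collected")]
    if str(value).lower() == "yes":
        return [Finding("ssh-root-login", "high", "PermitRootLogin is enabled")]
    return []


def rule_database_port(obj: AssessmentDataObject) -> List[Finding]:
    """Assumed rule: flags a listening database port (3306 in this sample)."""
    if 3306 in (obj.get("listening_ports") or []):
        return [Finding("db-port-listening", "medium", "port 3306 is listening")]
    return []


RULES_PACKAGE: List[Rule] = [rule_root_login, rule_database_port]


def run_assessment(sensor_results: Dict[str, Any], rules: List[Rule]) -> List[Finding]:
    """Ingest once, then execute every rule against the data object only."""
    data_object = ingest(sensor_results)
    findings: List[Finding] = []
    for rule in rules:
        findings.extend(rule(data_object))
    return findings


if __name__ == "__main__":
    for f in run_assessment(RAW_SENSOR_RESULTS, RULES_PACKAGE):
        print(f"[{f.severity}] {f.rule_id}: {f.message}")
```

The point of the design is that the rule's only input type holds no reference to the raw message: `agent_token` and the protocol fields never appear in the data object, and `get()` hands out copies so a rule cannot alter what a later rule reads. In a real service the rules package would additionally run in an isolated execution environment; the interface boundary shown here is what makes "prevented from accessing the sensor results" a property of the data flow rather than a convention.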
20 Claims
1. (Independent claim; its text is given under "First Claim" above.) Dependent claims: 2, 3, 4.

5. A system, comprising one or more hardware computing devices configured to execute specific computer-executable instructions that upon execution cause the system to:
    receive rules package data for a first rules package comprising a plurality of rules that, to determine one or more security characteristics of a computing resource, evaluate assessment data associated with the computing resource, the first rules package being prevented from evaluating sensor results produced by one or more sensors that perform data collection and monitoring actions on the computing resource;
    receive a request to perform a security assessment of a target computing resource using the first rules package;
    cause a first set of the data collection and monitoring actions to be performed on the target computing resource;
    receive first data generated from the first set of the data collection and monitoring actions;
    using an ingestion function that associates a data object with the sensor results, convert the first data into the assessment data; and
    cause the first rules package to be executed against the assessment data to produce an assessment result.
Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13.

14. A system, comprising one or more hardware computing devices configured to execute specific computer-executable instructions that upon execution cause the system to:
    receive sensor results obtained by a plurality of sensors monitoring a computing resource, the sensor results having a first data structure;
    using an ingestion function that associates the first data structure with a second data structure different from the first data structure, convert the sensor results to assessment data having the second data structure, the assessment data retaining a plurality of data elements of the sensor results;
    prevent a first rules package configured to evaluate security characteristics of the computing resource from accessing the sensor results, wherein the first rules package requires the plurality of data elements and is configured to extract the plurality of data elements from the second data structure; and
    perform a security assessment of the computing resource using the first rules package on the assessment data.
Dependent claims: 15, 16, 17, 18, 19, 20.