Gracefully handling endpoint feedback when starting to monitor
First Claim
1. A computer-implementable method for adaptively assessing risk associated with an endpoint, comprising:
determining a risk level corresponding to an entity associated with an endpoint;
selecting a frequency of when to perform an endpoint monitoring interval and a duration of the endpoint monitoring interval;
collecting user behavior associated with the entity for the duration of the endpoint monitoring interval via the endpoint;
processing the user behavior to generate a current risk score for the entity, the processing comprising applying a risk-adaptive security policy to the user behavior, the risk-adaptive policy comprising a security policy implemented to be revised to adaptively remediate risk associated with a user behavior;
comparing the current risk score of the entity to a historical risk score of the entity to determine whether a risk score of a user has changed; and
changing the risk score of the entity to the current risk score when the risk score of the entity has changed; and
wherein the risk adaptive policy is revised to increase the frequency of the endpoint monitoring interval when the current risk score of the entity increases over a plurality of endpoint monitoring intervals, the current risk score increasing being when the current risk score increases by less than 20% over the historical risk score; and
the risk adaptive policy is revised to increase the frequency of the endpoint monitoring interval and the duration of the endpoint monitoring interval when the current risk score of the entity increases over a plurality of endpoint monitoring intervals, the current risk score increasing being when the current risk score increases by more than 20% over the historical risk score.
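The policy revision recited in claim 1, sketched as an added example (not code from the patent or its assignee). The names `Policy`, `Entity`, `record_interval` and `replay`, the halving and doubling steps, the clamps, and the reading of "a plurality" as two consecutive rising intervals are all assumptions; only the 20% threshold and the two outcomes come from the claim.

```python
from dataclasses import dataclass, field

RISE_THRESHOLD = 0.20      # the 20% figure from claim 1
MIN_RISING_INTERVALS = 2   # assumption: "a plurality" means at least two
MIN_GAP_MIN, MAX_DURATION_MIN = 5, 60   # assumed clamps, not from the claim

@dataclass
class Policy:
    gap_minutes: int = 60       # time between monitoring intervals
    duration_minutes: int = 5   # length of each monitoring interval

@dataclass
class Entity:
    risk_score: float                     # the stored (historical) score
    policy: Policy = field(default_factory=Policy)
    rising_streak: int = 0

def record_interval(entity: Entity, current: float) -> str:
    """Apply one interval's score; return the policy revision that was made."""
    historical = entity.risk_score
    if current == historical:
        entity.rising_streak = 0
        return "unchanged"
    entity.risk_score = current           # score changed: store the current one
    if current < historical:
        entity.rising_streak = 0          # the claim says nothing about relaxing
        return "score-updated"
    entity.rising_streak += 1
    if entity.rising_streak < MIN_RISING_INTERVALS:
        return "score-updated"
    # Relative rise; a zero baseline is treated as a large rise (assumption).
    rise = (current - historical) / historical if historical > 0 else float("inf")
    p = entity.policy
    p.gap_minutes = max(MIN_GAP_MIN, p.gap_minutes // 2)   # halve gap = more frequent
    if rise > RISE_THRESHOLD:
        p.duration_minutes = min(MAX_DURATION_MIN, p.duration_minutes * 2)
        return "frequency+duration"
    return "frequency"   # exactly 20% lands here (assumption; claim leaves it open)

def replay(start: float, scores: list[float]) -> list[tuple[str, int, int]]:
    e = Entity(risk_score=start)
    return [(record_interval(e, s), e.policy.gap_minutes, e.policy.duration_minutes)
            for s in scores]

if __name__ == "__main__":
    # Constructed score sequence for one entity, one value per interval.
    for row in replay(40.0, [42.0, 45.0, 60.0, 50.0]):
        print(row)
```

Without the clamps, a steadily rising score would drive the gap toward zero and the duration without bound, so an implementation needs floor and ceiling values of some kind.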
Abstract
A method, system and computer-usable medium for adaptively assessing risk associated with an endpoint, comprising: determining a risk level corresponding to an entity associated with an endpoint; selecting a frequency and a duration of an endpoint monitoring interval; collecting user behavior associated with the entity for the duration of the endpoint monitoring interval via the endpoint; processing the user behavior to generate a current risk score for the entity; comparing the current risk score of the user to historical risk scores to determine whether a risk score of a user has changed; and changing the risk score of the user to the current risk score when the risk score of the user has changed.
14 Claims
1. A computer-implementable method for adaptively assessing risk associated with an endpoint, comprising:
determining a risk level corresponding to an entity associated with an endpoint;
selecting a frequency of when to perform an endpoint monitoring interval and a duration of the endpoint monitoring interval;
collecting user behavior associated with the entity for the duration of the endpoint monitoring interval via the endpoint;
processing the user behavior to generate a current risk score for the entity, the processing comprising applying a risk-adaptive security policy to the user behavior, the risk-adaptive policy comprising a security policy implemented to be revised to adaptively remediate risk associated with a user behavior;
comparing the current risk score of the entity to a historical risk score of the entity to determine whether a risk score of a user has changed; and
changing the risk score of the entity to the current risk score when the risk score of the entity has changed; and
wherein the risk adaptive policy is revised to increase the frequency of the endpoint monitoring interval when the current risk score of the entity increases over a plurality of endpoint monitoring intervals, the current risk score increasing being when the current risk score increases by less than 20% over the historical risk score; and
the risk adaptive policy is revised to increase the frequency of the endpoint monitoring interval and the duration of the endpoint monitoring interval when the current risk score of the entity increases over a plurality of endpoint monitoring intervals, the current risk score increasing being when the current risk score increases by more than 20% over the historical risk score.
5. A system comprising:
a processor;
a data bus coupled to the processor; and
a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for:
determining a risk level corresponding to an entity associated with an endpoint;
selecting a frequency of when to perform an endpoint monitoring interval and a duration of the endpoint monitoring interval;
collecting user behavior associated with the entity for the duration of the endpoint monitoring interval via the endpoint;
processing the user behavior to generate a current risk score for the entity, the processing comprising applying a risk-adaptive security policy to the user behavior, the risk-adaptive policy comprising a security policy implemented to be revised to adaptively remediate risk associated with a user behavior;
comparing the current risk score of the entity to a historical risk score of the entity to determine whether a risk score of a user has changed; and
changing the risk score of the entity to the current risk score when the risk score of the entity has changed; and
wherein the risk adaptive policy is revised to increase the frequency of the endpoint monitoring interval when the current risk score of the entity increases over a plurality of endpoint monitoring intervals, the current risk score increasing being when the current risk score increases by less than 20% over the historical risk score; and
the risk adaptive policy is revised to increase the frequency of the endpoint monitoring interval and the duration of the endpoint monitoring interval when the current risk score of the entity increases over a plurality of endpoint monitoring intervals, the current risk score increasing being when the current risk score increases by more than 20% over the historical risk score.
9. A non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer executable instructions configured for:
determining a risk level corresponding to an entity associated with an endpoint;
collecting user behavior associated with the entity via the endpoint;
processing the user behavior to generate a current risk score for the entity, the processing comprising applying a risk-adaptive security policy to the user behavior, the risk-adaptive policy comprising a security policy implemented to be revised to adaptively remediate risk associated with a user behavior;
comparing the current risk score of the entity to a historical risk score of the entity to determine whether a risk score of a user has changed; and
changing the risk score of the entity to the current risk score when the risk score of the entity has changed.
Specification