Intermediate encryption for exposed content

US 10,686,827 B2
Filed: 04/14/2016
Issued: 06/16/2020
Est. Priority Date: 04/14/2016
Status: Active Grant

First Claim

Patent Images

1. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on an endpoint, performs the steps of:

providing a first key to a process executing on the endpoint, the first key providing access to a plurality of files on the endpoint;

detecting a potential security compromise to the endpoint;

in response to detecting the potential security compromise, providing a second key to the process different than the first key;

encrypting a first one of the plurality of files that is open by the process with the second key;

storing the first one of the plurality of files after encryption with the second key;

revoking the first key from the process to prevent access to other ones of the plurality of files by the process;

initiating a remediation of the potential security compromise; and

if the potential security compromise is resolved, returning the first key to the process and transcribing the first one of the plurality of files for access using the first key.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An endpoint encrypts local files with a key to protect file contents. If the endpoint or processes on the endpoint becomes exposed to potentially harmful locations or resources, the key can be revoked to prevent access to encrypted files on the endpoint. In order to facilitate continued operation of the endpoint, files that are currently open can be encrypted with a second key so that the corresponding data is isolated from the other encrypted files while remaining accessible to current users.

114 Citations

20 Claims

1. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on an endpoint, performs the steps of:
- providing a first key to a process executing on the endpoint, the first key providing access to a plurality of files on the endpoint;
  
  detecting a potential security compromise to the endpoint;
  
  in response to detecting the potential security compromise, providing a second key to the process different than the first key;
  
  encrypting a first one of the plurality of files that is open by the process with the second key;
  
  storing the first one of the plurality of files after encryption with the second key;
  
  revoking the first key from the process to prevent access to other ones of the plurality of files by the process;
  
  initiating a remediation of the potential security compromise; and
  
  if the potential security compromise is resolved, returning the first key to the process and transcribing the first one of the plurality of files for access using the first key.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer program product of claim 1 wherein revoking the first key includes physically removing the first key from the endpoint.
  - 3. The computer program product of claim 2 wherein returning the first key to the process includes recovering the first key from a remote key management system.
  - 4. The computer program product of claim 1 further comprising code that performs the step of, if the potential security compromise is resolved, deleting the second key and saving the first one of the plurality of files.
  - 5. The computer program product of claim 1 wherein detecting the potential security compromise to the endpoint includes identifying a compromised state on the endpoint.
  - 6. The computer program product of claim 5 wherein identifying the compromised state includes identifying malicious software based on at least one of static analysis and behavioral analysis.
  - 7. The computer program product of claim 5 wherein detecting the potential security compromise includes detecting an exposure of the process to an unknown data source.

8. A method comprising:
- providing a first key to a process executing on an endpoint, the first key providing access to a plurality of files on the endpoint;
  
  detecting a potential security compromise to the endpoint;
  
  in response to detecting the potential security compromise, providing a second key to the process different than the first key;
  
  encrypting a first one of the plurality of files that is open by the process with the second key;
  
  revoking the first key from the process to prevent access to other ones of the plurality of files by the process; and
  
  if the potential security compromise is resolved, returning the first key to the process and transcribing the first one of the plurality of files for access using the first key.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 9. The method of claim 8 wherein revoking the first key includes physically removing the first key from the endpoint.
  - 10. The method of claim 9 wherein returning the first key to the process includes recovering the first key from a remote key management system.
  - 11. The method of claim 8 further comprising, if the potential security compromise is resolved, deleting the second key and saving the first one of the plurality of files.
  - 12. The method of claim 8 wherein detecting the potential security compromise to the endpoint includes identifying a compromised state on the endpoint.
  - 13. The method of claim 12 wherein identifying the compromised state includes identifying malicious software based on static analysis.
  - 14. The method of claim 12 wherein identifying the compromised state includes identifying malicious software based on behavioral analysis.
  - 15. The method of claim 8 wherein detecting the potential security compromise includes identifying a compromised state of the process.
  - 16. The method of claim 8 wherein detecting the potential security compromise includes detecting an exposure of the process to an unknown data source.
  - 17. The method of claim 8 further comprising initiating a remediation of the potential security compromise.
  - 18. The method of claim 17 further comprising storing the first one of the plurality of files after encryption with the second key and before initiating the remediation.

19. A system comprising:
- an endpoint;
  
  a first memory on the endpoint storing a first key;
  
  a second memory on the endpoint storing a plurality of files encrypted by the first key;
  
  a process executing on a processor on the endpoint, the process using the first key to access a first one of the plurality of files; and
  
  a security agent executing on the processor, the security agent configured to detect a potential security compromise to the endpoint, wherein the processor is configured to provide, in response to detecting the potential security compromise, a second key to the process different than the first key, to respond to the potential security compromise by encrypting the first one of the plurality of files with the second key, to provide access by the process to the second key, and to revoke the first key from the process to prevent access by the process to other ones of the plurality of files.
- View Dependent Claims (20)
- - 20. The system of claim 19 wherein the processor is further configured to initiate a remediation of the potential security compromise, and to respond to a successful remediation of the potential security compromise by returning the first key to the process for access to the plurality of files.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Schutz, Harald, Merry, Anthony John, Ray, Kenneth D., Berger, Andreas
Primary Examiner(s)
Hoffman, Brandon S
Assistant Examiner(s)
Woldemariam, Nega

Application Number

US15/098,720
Publication Number

US 20170302696A1
Time in Patent Office

1,524 Days
Field of Search

713189
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/068   using time-dependent keys, ...

H04L 63/1441   Countermeasures against mal...

H04L 9/006   involving public key infras...

H04L 9/083   involving central third par...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3213   using tickets or tokens, e....

Intermediate encryption for exposed content

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

114 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Intermediate encryption for exposed content

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links