Behavioral-based control of access to encrypted content by a process

US 10,691,824 B2
Filed: 01/15/2019
Issued: 06/23/2020
Est. Priority Date: 02/12/2016
Status: Active Grant

First Claim

Patent Images

1. A computer program product for securing an endpoint against exposure to unsafe or unknown content, the computer program product comprising computer-executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint performs the steps of:

monitoring an exposure state of the endpoint to potentially unsafe content by applying a plurality of behavioral rules to determine whether the exposure state of the endpoint is either exposed or secure, the endpoint initially identified as secure, and the endpoint identified as exposed when a combination of two or more events associated with a process on the endpoint is determined to indicate an exposed state by one of the plurality of behavioral rules; and

when the exposure state of the endpoint is exposed, controlling access by the endpoint to a plurality of encrypted files stored on a storage resource remote from the endpoint through an extension to a file system filter that conditionally decrypts one or more of the plurality of encrypted files for the endpoint according to the exposure state of the endpoint.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Securing an endpoint against exposure to unsafe content includes encrypting files to prevent unauthorized access, and monitoring an exposure state of a process to potentially unsafe content by applying behavioral rules to determine whether the exposure state is either exposed or secure, where (1) the process is initially identified as secure, (2) the process is identified as exposed when the process opens a network connection to a URL that is not internal to an enterprise network of the endpoint and that has a poor reputation, (3) the process is identified as exposed when it opens a file identified as exposed, and (4) the process is identified as exposed when another exposed process opens a handle to the process. Access to the files may be restricted when the process is exposed by controlling access through a file system filter that conditionally decrypts files for the process according to its exposure state.

114 Citations

19 Claims

1. A computer program product for securing an endpoint against exposure to unsafe or unknown content, the computer program product comprising computer-executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint performs the steps of:
- monitoring an exposure state of the endpoint to potentially unsafe content by applying a plurality of behavioral rules to determine whether the exposure state of the endpoint is either exposed or secure, the endpoint initially identified as secure, and the endpoint identified as exposed when a combination of two or more events associated with a process on the endpoint is determined to indicate an exposed state by one of the plurality of behavioral rules; and
  
  when the exposure state of the endpoint is exposed, controlling access by the endpoint to a plurality of encrypted files stored on a storage resource remote from the endpoint through an extension to a file system filter that conditionally decrypts one or more of the plurality of encrypted files for the endpoint according to the exposure state of the endpoint.
- View Dependent Claims (2, 3, 4)
- - 2. The computer program product of claim 1, wherein at least one of the two or more events includes opening a first file identified as exposed, and the first file is not one of the plurality of encrypted files.
  - 3. The computer program product of claim 1, wherein the file system filter conditionally decrypts one or more of the plurality of encrypted files using a cryptographic key.
  - 4. The computer program product of claim 3, wherein the file system filter is configured to respond to an indication of compromise for the endpoint by deleting the cryptographic key on the endpoint.

5. A method comprising:
- monitoring an exposure state of an endpoint to potentially unsafe content by applying a plurality of behavioral rules to determine whether the exposure state of the endpoint is either exposed or secure, the endpoint initially identified as secure and the endpoint identified as exposed when a combination of two or more events associated with a process on the endpoint is determined to indicate an exposed state by one of the plurality of behavioral rules; and
  
  when the exposure state of the endpoint is exposed, controlling access by the endpoint to a plurality of encrypted files through an extension to a file system filter that conditionally decrypts one or more of the plurality of encrypted files for the endpoint according to the exposure state of the endpoint.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 6. The method of claim 5, wherein the plurality of encrypted files is stored on a storage resource remote to the endpoint.
  - 7. The method of claim 5, further comprising identifying the endpoint as exposed based upon a scan of the endpoint, wherein the endpoint is a file that is not one of the plurality of encrypted files.
  - 8. The method of claim 5, wherein the endpoint is identified as exposed when the endpoint opens a network connection to a Uniform Resource Locator having a reputation that is poor.
  - 9. The method of claim 8, further comprising obtaining the reputation for the Uniform Resource Locator from a remote threat management facility.
  - 10. The method of claim 5, wherein the extension conditionally decrypts one or more of the plurality of encrypted files using a cryptographic key.
  - 11. The method of claim 10, wherein the extension is configured to respond to an indication of compromise for the endpoint by deleting the cryptographic key on the endpoint.
  - 12. The method of claim 5, wherein controlling access of the endpoint to the plurality of encrypted files includes maintaining access to any of the plurality encrypted files that have been opened by the endpoint before the endpoint became exposed, and preventing access to other ones of the plurality of encrypted files.
  - 13. The method of claim 5, further comprising monitoring a security state of the endpoint and restricting access by the endpoint to the plurality of encrypted files when the security state is compromised.
  - 14. The method of claim 13, wherein monitoring the security state includes remotely monitoring the security state at a threat management facility or locally monitoring the security state with a malware file scanner.
  - 15. The method of claim 5, further comprising initiating a remediation of the endpoint when the endpoint is exposed.
  - 16. The method of claim 15, wherein, if the remediation is successful, restoring access to all of the plurality of encrypted files by the endpoint.
  - 17. The method of claim 5, further comprising providing a notification to a user in a display of the endpoint, the notification indicating a required remediation step for the endpoint to resolve the exposure state, and the notification informing the user that an application associated with the endpoint cannot access additional files until the user completes the required remediation step.

18. A system comprising:
- an endpoint;
  
  a storage resource remote from the endpoint and in communication with the endpoint, the storage resource storing a plurality of encrypted files;
  
  a file system on the endpoint, the file system configured to manage access to the plurality of encrypted files by the endpoint, the file system including an extension configured to monitor an exposure state of the endpoint and to restrict access to the plurality of encrypted files based on the exposure state of the endpoint by conditionally decrypting one of the files of the plurality of encrypted files based on the exposure state;
  
  an integrity monitor configured to evaluate the exposure state of the endpoint by applying a plurality of behavioral rules to determine whether the exposure state of the endpoint is either exposed or secure, the endpoint initially identified as secure and the endpoint identified as exposed when a combination of two or more events associated with a process on the endpoint is determined to indicate an exposed state by one of the plurality of behavioral rules; and
  
  a remediation component configured to remediate the endpoint from the exposure state of exposed to the exposure state of secure for unrestricted access to the plurality of encrypted files.
- View Dependent Claims (19)
- - 19. The system of claim 18, wherein the integrity monitor is on the endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Ray, Kenneth D., Thomas, Andrew J., Merry, Anthony John, Schutz, Harald, Berger, Andreas, Shaw, John Edward Tyrone
Primary Examiner(s)
Getachew, Abiy

Application Number

US16/248,417
Publication Number

US 20190228172A1
Time in Patent Office

525 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/6218   to a system of files or obj...

H04L 63/1408   by monitoring network traff...

Behavioral-based control of access to encrypted content by a process

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

114 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Behavioral-based control of access to encrypted content by a process

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links