Techniques for monitoring privileged users and detecting anomalous activities in a computing environment
First Claim
1. A computer-implemented method comprising, at a computer system of a security management system:
obtaining activity data from a service provider system, wherein the activity data describes actions performed during use of a cloud service, wherein the actions are performed by one or more users associated with a tenant, wherein the service provider system provides the tenant with a tenant account, and wherein the tenant account enables the one or more users to access the cloud service;
identifying, in the activity data, one or more actions that are privileged with respect to the cloud service;
identifying, using the activity data, a set of users who performed the one or more actions, wherein the set of users is determined from the one or more users associated with the tenant;
categorizing the set of users as privileged;
determining, using the activity data, one or more risk scores for the one or more users;
determining that a risk score for user in the set of users is greater than a threshold;
determining a security control for the service provider system, wherein the security control is used by the service provider system to configure access to the cloud service;
determining one or more instructions to send to the service provider system; and
sending the one or more instructions to the service provider system, wherein the one or more instructions cause the security control to be changed with respect to the user, wherein access to the cloud service by the user is modified due to the change to the security control.
Abstract
In various implementations, a security management and control system for monitoring and management of security for cloud services can include automated techniques for identifying the privileged users of a given cloud service. In various examples, the security management and control system can obtain activity logs from the cloud service, where the activity logs record actions performed by users of an organization in using the cloud service. In various examples, the security management and control system can identify actions in the activity logs that are privileged with respect to the cloud service. In these and other examples, the security management and control system can use the actions in the activity log to identify privileged users. Once the privileged users are identified, the security management and control system can monitor the privileged users with a higher degree of scrutiny.
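The abstract and claim 1 together describe a pipeline: ingest the cloud service's activity log, pick out actions that are privileged for that service, treat the users who performed them as privileged, score those users, and when a privileged user's risk score crosses a threshold, instruct the service provider to change a security control for that user. The following is an added example that illustrates that pipeline end to end; it is not code from the patent or its assignee. The action names, the risk weights, the activity-log record shape, the source IPs and the emitted control instruction are all constructed assumptions, not any vendor's real schema or API.

```python
"""Toy implementation of the claimed privileged-user monitoring pipeline.
Added example, not the patent's code. Everything below (action names,
weights, log format, control names) is a constructed assumption."""
from datetime import datetime

# Constructed: actions treated as privileged for this hypothetical service.
PRIVILEGED_ACTIONS = {
    "grant_admin_role", "create_user", "disable_audit_logging",
    "change_sharing_policy", "export_all_data",
}

# Constructed risk weights; a real deployment would tune these per tenant.
WEIGHTS = {
    "privileged_action": 10,  # each successful privileged action
    "off_hours": 5,           # any action outside 08:00-18:00 (log-local time)
    "failed_login": 3,        # each failed login
    "new_source_ip": 4,       # each additional distinct source IP for the user
}

# Constructed activity data in the shape a provider might export for a tenant.
ACTIVITY_LOG = [
    {"ts": "2024-03-04T09:12:00", "user": "alice", "action": "login",                 "ip": "203.0.113.5",  "ok": True},
    {"ts": "2024-03-04T09:15:00", "user": "alice", "action": "grant_admin_role",      "ip": "203.0.113.5",  "ok": True},
    {"ts": "2024-03-04T10:01:00", "user": "bob",   "action": "login",                 "ip": "203.0.113.7",  "ok": True},
    {"ts": "2024-03-04T10:05:00", "user": "bob",   "action": "read_document",         "ip": "203.0.113.7",  "ok": True},
    {"ts": "2024-03-05T02:40:00", "user": "carol", "action": "login",                 "ip": "198.51.100.9", "ok": False},
    {"ts": "2024-03-05T02:41:00", "user": "carol", "action": "login",                 "ip": "198.51.100.9", "ok": False},
    {"ts": "2024-03-05T02:42:00", "user": "carol", "action": "login",                 "ip": "198.51.100.9", "ok": True},
    {"ts": "2024-03-05T02:45:00", "user": "carol", "action": "disable_audit_logging", "ip": "198.51.100.9", "ok": True},
    {"ts": "2024-03-05T02:50:00", "user": "carol", "action": "export_all_data",       "ip": "192.0.2.44",   "ok": True},
]


def is_off_hours(ts: str) -> bool:
    """Constructed business-hours window: anything before 08:00 or from 18:00 on."""
    hour = datetime.fromisoformat(ts).hour
    return hour < 8 or hour >= 18


def privileged_users(events):
    """Claim step: the set of users who performed a privileged action (successfully)."""
    return {e["user"] for e in events if e["action"] in PRIVILEGED_ACTIONS and e["ok"]}


def risk_scores(events):
    """Claim step: an additive risk score per user, derived only from the activity data."""
    scores, seen_ips = {}, {}
    for e in events:
        u = e["user"]
        scores.setdefault(u, 0)
        ips = seen_ips.setdefault(u, set())
        if e["action"] in PRIVILEGED_ACTIONS and e["ok"]:
            scores[u] += WEIGHTS["privileged_action"]
        if is_off_hours(e["ts"]):
            scores[u] += WEIGHTS["off_hours"]
        if e["action"] == "login" and not e["ok"]:
            scores[u] += WEIGHTS["failed_login"]
        if e["ip"] not in ips:
            if ips:  # a second, third, ... distinct source IP raises the score
                scores[u] += WEIGHTS["new_source_ip"]
            ips.add(e["ip"])
    return scores


def control_instructions(events, threshold):
    """Claim step: for each privileged user over the threshold, the instruction the
    security management system would send to the provider to change a control.
    Only users categorized as privileged are eligible, whatever their score."""
    priv = privileged_users(events)
    scores = risk_scores(events)
    return [
        {"user": u, "control": "session_policy", "change": "revoke_sessions_and_require_mfa"}
        for u in sorted(priv)
        if scores.get(u, 0) > threshold
    ]


if __name__ == "__main__":
    print("privileged users:", sorted(privileged_users(ACTIVITY_LOG)))
    print("risk scores:", risk_scores(ACTIVITY_LOG))
    for instr in control_instructions(ACTIVITY_LOG, threshold=30):
        print("send to provider:", instr)
```

With the constructed log, alice performs one privileged action in business hours (score 10), bob never performs a privileged action and is therefore not categorized as privileged regardless of score, and carol accumulates failed logins, off-hours activity, two privileged actions and a second source IP (score 55). At a threshold of 30 only carol triggers a control change; lowering the threshold to 5 also catches alice, which is the knob a defender tunes against false positives on legitimate administrators.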
20 Claims
1. Claim 1 as given above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A computing system of a security management system, comprising:
one or more processors; and a memory coupled to and readable by the one or more processors, the memory including instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including: obtaining activity data from a service provider system, wherein the activity data describes actions performed during use of a cloud service, wherein the actions are performed by one or more users associated with a tenant, wherein the service provider system provides the tenant with a tenant account, and wherein the tenant account enables the one or more users to access the cloud service; identifying, in the activity data, one or more actions that are privileged with respect to the cloud service; identifying, using the activity data, a set of users who performed the one or more actions, wherein the set of users is determined from the one or more users associated with the tenant; categorizing the set of users as privileged; determining, using the activity data, one or more risk scores for the one or more users; determining that a risk score for user in the set of users is greater than a threshold; determining a security control for the service provider system, wherein the security control is used by the service provider system to configure access to the cloud service; determining one or more instructions to send to the service provider system; and sending the one or more instructions to the service provider system, wherein the one or more instructions cause the security control to be changed with respect to the user, wherein access to the cloud service by the user is modified due to the change to the security control. Dependent claims: 12, 13, 14, 15.
16. A non-transitory computer-readable medium having stored thereon instructions that, when executed by one or more processors of a computing system of a security management system, cause the one or more processors to:
obtain activity data from a service provider system, wherein the activity data describes actions performed during use of a cloud service, wherein the actions are performed by one or more users associated with a tenant, wherein the service provider system provides the tenant with a tenant account, and wherein the tenant account enables the one or more users to access the cloud service; identify, in the activity data, one or more actions that are privileged with respect to the cloud service; identify, using the activity data, a set of users who performed the one or more actions, wherein the set of users is determined from the one or more users associated with the tenant; categorize the set of users as privileged; determine, using the activity data, one or more risk scores for the one or more users; determine that a risk score for user in the set of users is greater than a threshold; determine a security control for the service provider system, wherein the security control is used by the service provider system to configure access to the cloud service; determine one or more instructions to send to the service provider system; and send the one or more instructions to the service provider system, wherein the one or more instructions cause the security control to be changed with respect to the user, wherein access to the cloud service by the user is modified due to the change to the security control. Dependent claims: 17, 18, 19, 20.