Techniques for monitoring privileged users and detecting anomalous activities in a computing environment

US 10,701,094 B2
Filed: 06/18/2018
Issued: 06/30/2020
Est. Priority Date: 06/22/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising, at a computer system of a security management system:

obtaining activity data from a service provider system, wherein the activity data describes actions performed during use of a cloud service, wherein the actions are performed by one or more users associated with a tenant, wherein the service provider system provides the tenant with a tenant account, and wherein the tenant account enables the one or more users to access the cloud service;

identifying, in the activity data, one or more actions that are privileged with respect to the cloud service;

identifying, using the activity data, a set of users who performed the one or more actions, wherein the set of users is determined from the one or more users associated with the tenant;

categorizing the set of users as privileged;

determining, using the activity data, one or more risk scores for the one or more users;

determining that a risk score for user in the set of users is greater than a threshold;

determining a security control for the service provider system, wherein the security control is used by the service provider system to configure access to the cloud service;

determining one or more instructions to send to the service provider system; and

sending the one or more instructions to the service provider system, wherein the one or more instructions cause the security control to be changed with respect to the user, wherein access to the cloud service by the user is modified due to the change to the security control.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In various implementations, a security management and control system for monitoring and management of security for cloud services can include automated techniques for identifying the privileged users of a given cloud service. In various examples, the security management and control system can obtain activity logs from the cloud service, where the activity logs record actions performed by users of an organization in using the cloud service. In various examples, the security management and control system can identify actions in the activity logs that are privileged with respect to the cloud service. In these and other examples, the security management and control system can use the actions in the activity log to identify privileged users. Once the privileged users are identified, the security management and control system can monitor the privileged users with a higher degree of scrutiny.

Citations

20 Claims

1. A computer-implemented method comprising, at a computer system of a security management system:
- obtaining activity data from a service provider system, wherein the activity data describes actions performed during use of a cloud service, wherein the actions are performed by one or more users associated with a tenant, wherein the service provider system provides the tenant with a tenant account, and wherein the tenant account enables the one or more users to access the cloud service;
  
  identifying, in the activity data, one or more actions that are privileged with respect to the cloud service;
  
  identifying, using the activity data, a set of users who performed the one or more actions, wherein the set of users is determined from the one or more users associated with the tenant;
  
  categorizing the set of users as privileged;
  
  determining, using the activity data, one or more risk scores for the one or more users;
  
  determining that a risk score for user in the set of users is greater than a threshold;
  
  determining a security control for the service provider system, wherein the security control is used by the service provider system to configure access to the cloud service;
  
  determining one or more instructions to send to the service provider system; and
  
  sending the one or more instructions to the service provider system, wherein the one or more instructions cause the security control to be changed with respect to the user, wherein access to the cloud service by the user is modified due to the change to the security control.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, wherein the one or more actions are identified using a list of actions associated with the cloud service, wherein actions in the list of actions are categorized as privileged with respect to the cloud service.
  - 3. The computer-implemented method of claim 1, wherein the one or more actions is identified using a list of administrative actions.
  - 4. The computer-implemented method of claim 1, further comprising:
    - using the one or more actions and past activity data to generate a model, the model describing a pattern of usage of the cloud service that is privileged with respect to the cloud service; and
      
      using the model to identify the set of users.
  - 5. The computer-implemented method of claim 1, further comprising:
    - grouping the actions performed during used of the cloud service; and
      
      identifying a group of actions that includes an action that is privileged, wherein the set of users is identified using the group of actions.
  - 6. The computer-implemented method of claim 1, wherein risk scores indicate a degree of security risk to the tenant from actions performed by a user in using the cloud service.
  - 7. The computer-implemented method of claim 1, wherein risk scores are computed as a weight sum of risk indicators.
  - 8. The computer-implemented method of claim 1, wherein risk scores for users categorized as privileged are computed with greater weights than are risk scores for non-privileged users.
  - 9. The computer-implemented method of claim 1, wherein a privileged action is an action that, when executed by a first user, can modify the cloud service in a manner that affects use of the cloud service by other users.
  - 10. The computer-implemented method of claim 1, wherein a privileged action is an action that, when executed by a first user, can affect user accounts of other users of the cloud service.

11. A computing system of a security management system, comprising:
- one or more processors; and
  
  a memory coupled to and readable by the one or more processors, the memory including instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including;
  
  obtaining activity data from a service provider system, wherein the activity data describes actions performed during use of a cloud service, wherein the actions are performed by one or more users associated with a tenant, wherein the service provider system provides the tenant with a tenant account, and wherein the tenant account enables the one or more users to access the cloud service;
  
  identifying, in the activity data, one or more actions that are privileged with respect to the cloud service;
  
  identifying, using the activity data, a set of users who performed the one or more actions, wherein the set of users is determined from the one or more users associated with the tenant;
  
  categorizing the set of users as privileged;
  
  determining, using the activity data, one or more risk scores for the one or more users;
  
  determining that a risk score for user in the set of users is greater than a threshold;
  
  determining a security control for the service provider system, wherein the security control is used by the service provider system to configure access to the cloud service;
  
  determining one or more instructions to send to the service provider system; and
  
  sending the one or more instructions to the service provider system, wherein the one or more instructions cause the security control to be changed with respect to the user, wherein access to the cloud service by the user is modified due to the change to the security control.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computing system of claim 11, wherein the one or more actions are identified using a list of actions associated with the cloud service, wherein the list of actions is categorized as privileged with respect to the cloud service.
  - 13. The computing system of claim 11, wherein the one or more actions is identified using a list of administrative actions.
  - 14. The computing system of claim 11, the memory further including instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
    - using the one or more actions and past activity data to generate a model, the model describing a pattern of usage of the cloud service that is privileged with respect to the cloud service; and
      
      using the model to identify the set of users.
  - 15. The computing system of claim 11, the memory further including instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
    - grouping the actions performed during used of the cloud service; and
      
      identifying a group of actions that includes an action that is privileged, wherein the set of users is identified using the group of actions.

16. A non-transitory computer-readable medium having stored thereon instructions that, when executed by one or more processors of a computing system of a security management system, cause the one or more processors to:
- obtain activity data from a service provider system, wherein the activity data describes actions performed during use of a cloud service, wherein the actions are performed by one or more users associated with a tenant, wherein the service provider system provides the tenant with a tenant account, and wherein the tenant account enables the one or more users to access the cloud service;
  
  identify, in the activity data, one or more actions that are privileged with respect to the cloud service;
  
  identify, using the activity data, a set of users who performed the one or more actions, wherein the set of users is determined from the one or more users associated with the tenant;
  
  categorize the set of users as privileged;
  
  determine, using the activity data, one or more risk scores for the one or more users;
  
  determine that a risk score for user in the set of users is greater than a threshold;
  
  determine a security control for the service provider system, wherein the security control is used by the service provider system to configure access to the cloud service;
  
  determine one or more instructions to send to the service provider system; and
  
  send the one or more instructions to the service provider system, wherein the one or more instructions cause the security control to be changed with respect to the user, wherein access to the cloud service by the user is modified due to the change to the security control.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer-readable medium of claim 16, wherein the one or more actions are identified using a list of actions associated with the cloud service, wherein the list of actions is categorized as privileged with respect to the cloud service.
  - 18. The non-transitory computer-readable medium of claim 16, wherein the one or more actions is identified using a list of administrative actions.
  - 19. The non-transitory computer-readable medium of claim 16, further including instructions that, when executed by the one or more processors, cause the one or more processors to:
    - use the one or more actions and past activity data to generate a model, the model describing a pattern of usage of the cloud service that is privileged with respect to the cloud service; and
      
      use the model to identify the set of users.
  - 20. The non-transitory computer-readable medium of claim 16, the memory further including instructions that, when executed by the one or more processors, cause the one or more processors to:
    - group the actions performed during used of the cloud service; and
      
      identify a group of actions that includes an action that is privileged, wherein the set of users is identified using the group of actions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Kirti, Ganesh, Biswas, Kamalendu, Perera, Merenne Sumedha Nalin
Primary Examiner(s)
Goodchild, William J.

Application Number

US16/011,538
Publication Number

US 20180375886A1
Time in Patent Office

743 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 41/28   Restricting access to netwo...

H04L 43/04   Processing captured monitor...

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04W 12/086   using security domains

Techniques for monitoring privileged users and detecting anomalous activities in a computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for monitoring privileged users and detecting anomalous activities in a computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links