Method of and system for enterprise information asset protection through insider attack specification, monitoring and mitigation
Abstract
The present invention provides a policy specification framework to enable an enterprise to specify a given insider attack using a holistic view of a given data access, as well as the means to specify and implement one or more intrusion mitigation methods in response to the detection of such an attack. The policy specification provides for the use of "anomaly" and "signature" attributes that capture sophisticated behavioral characteristics of illegitimate data access. When the attack occurs, a previously-defined administrator (or system-defined) mitigation response (e.g., verification, disconnect, de-provision, or the like) is then implemented.
15 Claims
1. Apparatus for protecting an enterprise data server against insider attack, comprising:
at least one processor;
code executable on a processor for generating a display interface through which an authorized entity using a given policy specification language specifies an insider attack, wherein the given policy specification language enables the authorized entity to specify at least one policy filter that is associated with a given enterprise data server type and defines (a) a given action that a trusted user may attempt to take with respect to a given enterprise information asset stored on a given enterprise data server, and (b) a given response that is to be taken upon detection of the given action;
code executable on a processor to monitor a trusted user's given data access against a set of one or more policy filters;
code executable by a processor to analyze the trusted user's given data access against the set of one or more policy filters;
code executable by a processor to determine whether the trusted user's given data access is indicative of a given action as specified by a given policy filter in the set of policy filters; and
code executable by a processor if the trusted user's given data access is indicative of a given action as specified by the given policy filter for taking the given response specified by the policy filter.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A method of protecting an enterprise information asset against insider attack, comprising:
specifying a policy filter that defines a given action that a trusted user may attempt to take with respect to a given enterprise information asset stored on a given enterprise data server;
monitoring a trusted user's given data access with respect to the given enterprise data server;
analyzing the given data access against the policy filter;
determining whether the trusted user's given data access is indicative of the given action as specified by the policy filter;
if the trusted user's given data access is indicative of the given action as specified in the policy filter, taking a given action.
Dependent claims: 10, 11, 12, 13, 14
15. A system for protecting an enterprise information asset against insider attack, comprising:
at least one or more processors;
code executing on a given processor for generating a display interface through which an authorized entity using a given policy specification language specifies an insider attack;
code executing on a given processor that determines whether a trusted user's given data access to an enterprise resource is indicative of the insider attack; and
code executing on a given processor and responsive to the insider attack for taking a given mitigation action.
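The pipeline the claims describe (specify a policy filter bound to a server type that defines an action and a response; monitor a trusted user's data access; analyze it against the filter set; determine whether it is indicative of the specified action; take the response) is shown below as an added Python illustration. This is not the patent's or any product's code. The event format, the filter names, the modelling of the abstract's "signature" and "anomaly" attributes as callables, the per-user volume baselines, the sample access events and the severity ordering of the three responses named in the abstract (verify, disconnect, de-provision) are all constructed assumptions for this example.

```python
# Added illustration of the claimed policy-filter pipeline; not the patent's
# or any product's code. Event format, filter names, baseline numbers and the
# sample events below are constructed assumptions for this example.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class AccessEvent:
    """One monitored data access, as an access monitor might record it."""
    user: str
    server_type: str   # enterprise data server type, e.g. "db", "fileserver"
    operation: str     # "select", "export", "delete", ...
    asset: str         # table, file or share touched
    rows: int          # rows (or files) returned/affected
    hour: int          # local hour of day, 0-23


@dataclass
class PolicyFilter:
    """Claim element: a filter bound to a server type that defines an action
    (via a 'signature' pattern and/or an 'anomaly' test) and a response."""
    name: str
    server_type: str
    response: str      # "verify" | "disconnect" | "deprovision" (from the abstract)
    signature: Optional[Callable[[AccessEvent], bool]] = None
    anomaly: Optional[Callable[[AccessEvent, Dict[str, dict]], bool]] = None

    def matches(self, ev: AccessEvent, baselines: Dict[str, dict]) -> bool:
        if ev.server_type != self.server_type:
            return False
        checks = []
        if self.signature is not None:
            checks.append(self.signature(ev))
        if self.anomaly is not None:
            checks.append(self.anomaly(ev, baselines))
        # A filter with no attributes never fires; every defined attribute must hold.
        return bool(checks) and all(checks)


# Stronger responses override weaker ones when several filters fire on one access.
SEVERITY = {"verify": 1, "disconnect": 2, "deprovision": 3}

SENSITIVE_TABLES = {"hr.salaries", "hr.ssn"}   # constructed asset inventory


def bulk_anomaly(ev: AccessEvent, baselines: Dict[str, dict]) -> bool:
    """Anomaly attribute: volume far above the user's own baseline.
    A user with no baseline is treated as anomalous rather than silently passed."""
    base = baselines.get(ev.user)
    if base is None:
        return True
    return ev.rows > 10 * base["avg_rows"]


FILTERS: List[PolicyFilter] = [
    PolicyFilter("bulk-export-sensitive", "db", "disconnect",
                 signature=lambda e: e.operation == "export" and e.asset in SENSITIVE_TABLES,
                 anomaly=bulk_anomaly),
    PolicyFilter("after-hours-pii-read", "db", "verify",
                 signature=lambda e: e.asset in SENSITIVE_TABLES and not 8 <= e.hour < 18),
    PolicyFilter("mass-delete", "fileserver", "deprovision",
                 signature=lambda e: e.operation == "delete" and e.rows > 1000),
]

# Constructed per-user baselines a monitor would learn from normal activity.
BASELINES = {"alice": {"avg_rows": 200}, "bob": {"avg_rows": 100}, "carol": {"avg_rows": 50}}

# Constructed sample of monitored accesses by trusted users.
EVENTS = [
    AccessEvent("alice", "db", "select", "hr.salaries", 50, 10),            # routine
    AccessEvent("alice", "db", "export", "hr.salaries", 5000, 10),          # bulk export
    AccessEvent("bob", "db", "select", "hr.ssn", 10, 23),                   # after hours
    AccessEvent("carol", "fileserver", "delete", "/shares/legal", 2500, 14),
    AccessEvent("bob", "db", "export", "finance.ledger", 300, 11),          # not sensitive
    AccessEvent("alice", "db", "export", "hr.ssn", 9000, 2),                # two filters fire
]


def evaluate(events, filters=FILTERS, baselines=BASELINES):
    """Analyze each access against the filter set; return one decision per
    access that is indicative of a specified action, carrying the response."""
    decisions = []
    for ev in events:
        hits = [f for f in filters if f.matches(ev, baselines)]
        if not hits:
            continue
        response = max((f.response for f in hits), key=SEVERITY.__getitem__)
        decisions.append({"user": ev.user, "asset": ev.asset,
                          "filters": [f.name for f in hits], "response": response})
    return decisions


if __name__ == "__main__":
    for d in evaluate(EVENTS):
        print(d)
```

The severity ordering is the one design choice worth noting: when an access satisfies several filters, the engine takes the strongest configured response rather than the first match, so the order in which an administrator lists filters does not weaken the mitigation.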
Specification