Endpoint enabled for enterprise security assessment sharing

US 20080229414A1
Filed: 03/14/2007
Published: 09/18/2008
Est. Priority Date: 03/14/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-readable medium containing instructions which, when executed by one or more processors disposed in an electronic device, implements an architecture for an endpoint that arranged for use in a security enterprise environment, the architecture comprising:

a common assessment sharing agent that is arranged for implementing a publish and subscribe model for security assessments using a communication channel, each security assessment being arranged to provide contextual meaning to an object in the environment; and

a common assessment generating engine that is operatively coupled as a client to the common assessment sharing agent, and arranged for generating a security assessment by analyzing locally-available data pertaining to the object.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An enterprise-wide sharing arrangement uses a semantic abstraction, called a security assessment, to share security-related information between security products, called endpoints. A security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information that is collected about an object of interest. Endpoints utilize an architecture that comprises a common assessment sharing agent and a common assessment generating agent. The common assessment sharing agent is arranged for subscribing to security assessments, publishing security assessments onto a channel, maintaining an awareness of configuration changes on the channel (e.g., when a new endpoint is added or removed), and implementing security features like authorization, authentication and encryption. A common assessment generating engine handles endpoint behavior associated with a security assessment including assessment generation, cancellation, tracking, and rolling-back actions based on assessments that have expired. The common assessment generating engine generates and transmits messages that indicate which local actions are taken.

103 Citations

View as Search Results

20 Claims

1. A computer-readable medium containing instructions which, when executed by one or more processors disposed in an electronic device, implements an architecture for an endpoint that arranged for use in a security enterprise environment, the architecture comprising:
- a common assessment sharing agent that is arranged for implementing a publish and subscribe model for security assessments using a communication channel, each security assessment being arranged to provide contextual meaning to an object in the environment; and
  
  a common assessment generating engine that is operatively coupled as a client to the common assessment sharing agent, and arranged for generating a security assessment by analyzing locally-available data pertaining to the object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 10, 11, 12, 13, 14)
- - 2. The computer-readable medium of claim 1 in which the security assessment provides the contextual meaning using a pre-defined taxonomy.
  - 3. The computer-readable medium of claim 2 in which the pre-defined taxonomy utilizes a schematized vocabulary comprising object types and assessment categories.
  - 4. The computer-readable medium of claim 1 in which the common assessment generating engine is further arranged for generating the security assessment by correlating the locally-available data to a security assessment to which the endpoint subscribes.
  - 5. The computer-readable medium of claim 4 in which the generating utilizes a history of local actions taken by the endpoint.
  - 6. The computer-readable medium of claim 1 in which the common assessment generating engine is further arranged for invoking a response in accordance with a response policy.
  - 7. The computer-readable medium of claim 6 in which the response is one of taking a local action or taking no action.
  - 10. The computer-readable medium of claim 6 in which the common assessment generating engine is further arranged for generating an action-taken message that describes the local action.
  - 11. The computer-readable medium of claim 10 in which the common assessment sharing agent is arranged for sending the action-taken message over the communication channel.
  - 12. The computer-readable medium of claim 1 in which the common assessment generating engine is further arranged for generating a cancellation message for marking a security assessment as cancelled.
  - 13. The computer-readable medium of claim 1 in which the common assessment sharing agent is arranged for performing at least one of authorization, authentication, or encryption.
  - 14. The computer-readable medium of claim 1 in which the common assessment sharing agent is arranged for maintaining an awareness of security assessment channel configuration changes and adaptively reconfiguring itself responsively to such configuration changes.

8. The computer-readable medium of 7 in which the common assessment generating engine is further arranged for managing all active security assessments received over the channel, an active security assessment having a time-to-live field value that is unexpired.
- View Dependent Claims (9)
- - 9. The computer-readable medium of claim 8 in which the common assessment generating engine is further arranged for rolling-back the local action upon expiration of the time-to-live field value.

15. A method for extending an enterprise security topology to a new endpoint being added to the topology, the method comprising the steps of:
- maintaining one or more tables for describing a publish and subscribe model by which a publishing endpoint publishes a security assessment to which a subscribing endpoint subscribes according to a subscription, the security assessment describing an object being monitored by an endpoint, and the description using a taxonomy that is commonly-understood by a plurality of endpoints, the security assessment being further categorized by type and describing an object being monitored by an endpoint, and the description using a taxonomy that is commonly-understood by the plurality of endpoints; and
  
  updating the one or more tables with a description of a security assessment type for which the new endpoint publishes, and a description of a security assessment type to which the new endpoint subscribes.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15 in which the maintaining and updating are performed using an abstraction layer on which the publish and subscribe model operates.
  - 17. The method of claim 16 in which the abstraction layer includes an API for reading security assessments to which an endpoint subscribes and an API for writing security assessments for which an endpoint publishes.

18. An enterprise security network, comprising:
- a plurality of endpoints, each of the endpoints being enabled with security assessment sharing functionality by which a publishing endpoint publishes a security assessment to which a subscribing endpoint subscribes according to a subscription, the security assessment describing an object being monitored by an endpoint, and the description using a taxonomy that is commonly-understood by the plurality of endpoints; and
  
  a communications channel, operatively coupled to the plurality of endpoints, and arranged for providing a transport layer over which a published security assessment is received by the subscribing endpoint.
- View Dependent Claims (19, 20)
- - 19. The enterprise security network of claim 18 further including a central management server that is arranged for subscribing to all security assessments published by the plurality of endpoints.
  - 20. The enterprise security network of claim 18 in which the publishing endpoint generates a security assessment by evaluating a combination of locally-available information about the object, a security assessment which describes the object, the security assessment received from another publishing endpoint, or any past local action taken by the publishing endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Hudis, Efim, Helman, Yair, Barash, Uri, Malka, Joseph

Granted Patent

US 8,955,105 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/02 for separating internal fro...

H04L 63/20 for managing network securi...

Endpoint enabled for enterprise security assessment sharing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

103 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Endpoint enabled for enterprise security assessment sharing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links