MAPPING BETWEEN USERS AND MACHINES IN AN ENTERPRISE SECURITY ASSESSMENT SHARING SYSTEM

US 20090328222A1
Filed: 06/25/2008
Published: 12/31/2009
Est. Priority Date: 06/25/2008
Status: Active Grant

First Claim

Patent Images

1. A method for cross-mapping between object types in an enterprise security environment, the object types including user and host machine, the method comprising the steps of:

associating objects in the environment across object types by tracking usage of host machines by users;

receiving a security assessment describing a security incident involving an object in the environment, the security assessment being arranged to provide contextual meaning to the security incident and being defined with a time interval over which the security assessment is valid; and

cross-mapping the object described by the security assessment to identify potentially compromised objects of a different type.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mapping between object types in an enterprise security assessment sharing (“ESAS”) system enables attacks on an enterprise network and security incidents to be better detected and capabilities to respond to be improved. The ESAS system is distributed among endpoints incorporating different security products in the enterprise network that share a commonly-utilized communications channel. An endpoint will generate a tentative assignment of contextual meaning called a security assessment that is published when a potential security incident is detected. The security assessment identifies the object of interest, the type of security incident and its severity. A level of confidence in the detection is also provided which is expressed by an attribute called the “fidelity”. ESAS is configured with the capabilities to map between objects, including users and machines in the enterprise network, so that security assessments applicable to one object domain can be used to generate security assessments in another object domain.

150 Citations

20 Claims

1. A method for cross-mapping between object types in an enterprise security environment, the object types including user and host machine, the method comprising the steps of:
- associating objects in the environment across object types by tracking usage of host machines by users;
  
  receiving a security assessment describing a security incident involving an object in the environment, the security assessment being arranged to provide contextual meaning to the security incident and being defined with a time interval over which the security assessment is valid; and
  
  cross-mapping the object described by the security assessment to identify potentially compromised objects of a different type.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 including a further step of sharing security assessments among networked endpoints over a commonly-utilized security assessment sharing channel.
  - 3. The method of claim 2 in which the sharing is implemented using a publish and subscribe model by which a publishing endpoint publishes the semantic abstraction to which a subscribing endpoint subscribes according to a subscription, the subscription being based on an object type.
  - 4. The method of claim 3 in which the contextual meaning is provided using a pre-defined taxonomy that utilizes a schematized vocabulary comprising object types and assessment categories.
  - 5. The method of claim 4 in which the assessment categories include at least one of vulnerable, compromised, under attack, of interest, corrupted, or malicious.
  - 6. The method of claim 1 including a further step of taking a response in accordance with a response policy, the response comprising a local action at an endpoint.
  - 7. The method of claim 6 including a further step of rolling back the local action once the received security assessment is no longer valid.
  - 8. The method of claim 2 including a further step of collecting notifications generated by the endpoints, the notifications being associated with local actions taken by the endpoints.
  - 9. The method of claim 2 including a further step of collecting the security assessments generated by the endpoints in a central location.

10. A method performed by an enterprise security assessment sharing system deployed in an enterprise network comprising a plurality of endpoints that share security assessments, the method comprising the steps of:
- detecting a security incident involving an object in the enterprise network;
  
  performing cross-mapping between object types to identify at least one other potentially compromised object of a different type than the object involved with the security incident, the object types including user and host machine;
  
  generating a security assessment pertaining to a compromised object, the security assessment providing an assignment of context by an endpoint to security-related information using a pre-defined taxonomy, and comprising a plurality of attributes, at least one of which is fidelity that is used to express a degree of confidence the endpoint has in the security assessment, and further being usable to trigger the generation of other security assessment by receiving endpoints;
  
  iterating the steps of performing cross-object mapping and generating a security assessment; and
  
  reducing the fidelity of a security assessment with each round of object cross-mapping.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10 in which at least one of the endpoints in the plurality of endpoints comprises a security solution object, the object selected from one of security product, security solution, management product, management solution, security service, or management service.
  - 12. The method of claim 10 in which the generated security assessment includes a plurality of fields, at least one of which is a time-to-live field that is arranged to express an estimate by an endpoint for a time period for which the security assessment is expected to be valid.
  - 13. The method of claim 10 in which the fidelity of a security assessment is reduced after a round of object cross-mapping that is insufficient to trigger generation of a new security assessment.
  - 14. The method of claim 10 in which a security assessment is generated in view of locally available information at an endpoint.
  - 15. The method of claim 14 in which the locally-available information further comprises one or more previous local actions taken by the endpoint.

16. A method performed by a host security endpoint in an enterprise network, the method comprising the steps of:
- associating objects in the environment across object types by tracking usage of host machines by users;
  
  determining a privilege level of users logged on to the enterprise network;
  
  receiving a security assessment published by a network endpoint describing a security incident involving an object in the network, the security assessment being arranged to provide contextual meaning to the security incident and being defined by attributes including severity of the security incident and fidelity which expresses a level of confidence of the publishing endpoint in the security assessment;
  
  cross-mapping the object described by the security assessment to identify potentially compromised objects of a different type; and
  
  generating a new security assessment about a cross-mapped object, the generating being performed in light of the privilege level.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16 in which the object types include at least one of host, user, service, data, or enterprise.
  - 18. The method of claim 16 in which the security assessment is further defined by a time-to-live that expresses an estimate by an endpoint for a time period for which the security assessment is expected to be valid.
  - 19. The method of claim 16 in which the generating comprises adjusting either the severity or fidelity of the new security assessment in view of the privilege level.
  - 20. The method of claim 19 in which the severity or fidelity is adjusted downwards for compromised users who are logged on with other than administrator privileges.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Hudis, Efim, Helman, Yair, Arzi, Lior

Granted Patent

US 8,689,335 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/554 involving event detection a...

H04L 63/1425 Traffic logging, e.g. anoma...

MAPPING BETWEEN USERS AND MACHINES IN AN ENTERPRISE SECURITY ASSESSMENT SHARING SYSTEM

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

150 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MAPPING BETWEEN USERS AND MACHINES IN AN ENTERPRISE SECURITY ASSESSMENT SHARING SYSTEM

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

150 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links