MAPPING BETWEEN USERS AND MACHINES IN AN ENTERPRISE SECURITY ASSESSMENT SHARING SYSTEM
Abstract
Mapping between object types in an enterprise security assessment sharing (“ESAS”) system enables attacks on an enterprise network and security incidents to be better detected and capabilities to respond to be improved. The ESAS system is distributed among endpoints incorporating different security products in the enterprise network that share a commonly-utilized communications channel. An endpoint will generate a tentative assignment of contextual meaning called a security assessment that is published when a potential security incident is detected. The security assessment identifies the object of interest, the type of security incident and its severity. A level of confidence in the detection is also provided which is expressed by an attribute called the “fidelity”. ESAS is configured with the capabilities to map between objects, including users and machines in the enterprise network, so that security assessments applicable to one object domain can be used to generate security assessments in another object domain.
Claims (20 total; independent claims 1, 10 and 16 shown)

1. A method for cross-mapping between object types in an enterprise security environment, the object types including user and host machine, the method comprising the steps of:
- associating objects in the environment across object types by tracking usage of host machines by users;
- receiving a security assessment describing a security incident involving an object in the environment, the security assessment being arranged to provide contextual meaning to the security incident and being defined with a time interval over which the security assessment is valid; and
- cross-mapping the object described by the security assessment to identify potentially compromised objects of a different type.
(Dependent claims 2 through 9.)

10. A method performed by an enterprise security assessment sharing system deployed in an enterprise network comprising a plurality of endpoints that share security assessments, the method comprising the steps of:
- detecting a security incident involving an object in the enterprise network;
- performing cross-mapping between object types to identify at least one other potentially compromised object of a different type than the object involved with the security incident, the object types including user and host machine;
- generating a security assessment pertaining to a compromised object, the security assessment providing an assignment of context by an endpoint to security-related information using a pre-defined taxonomy, and comprising a plurality of attributes, at least one of which is fidelity that is used to express a degree of confidence the endpoint has in the security assessment, and further being usable to trigger the generation of other security assessments by receiving endpoints;
- iterating the steps of performing cross-object mapping and generating a security assessment; and
- reducing the fidelity of a security assessment with each round of object cross-mapping.
(Dependent claims 11 through 15.)

16. A method performed by a host security endpoint in an enterprise network, the method comprising the steps of:
- associating objects in the environment across object types by tracking usage of host machines by users;
- determining a privilege level of users logged on to the enterprise network;
- receiving a security assessment published by a network endpoint describing a security incident involving an object in the network, the security assessment being arranged to provide contextual meaning to the security incident and being defined by attributes including severity of the security incident and fidelity which expresses a level of confidence of the publishing endpoint in the security assessment;
- cross-mapping the object described by the security assessment to identify potentially compromised objects of a different type; and
- generating a new security assessment about a cross-mapped object, the generating being performed in light of the privilege level.
(Dependent claims 17 through 20.)
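The three independent claims describe one procedure: track which users log on to which hosts, accept a security assessment that is valid over a time interval, cross-map the assessed object to objects of the other type, and iterate while reducing fidelity each round and taking user privilege into account. The following Python simulation is an added example, not code from the patent or from any ESAS product; the usage log, privilege table, decay factor, fidelity floor and the "admin becomes critical" severity rule are all constructed assumptions chosen to illustrate the claims.

```python
from dataclasses import dataclass, replace
from datetime import datetime

# Constructed usage records (claim 1, "tracking usage of host machines by users"):
# (user, host, logon time). Not taken from the patent.
USAGE_LOG = [
    ("alice", "host-01", datetime(2024, 1, 10, 9, 0)),
    ("bob",   "host-01", datetime(2024, 1, 10, 13, 0)),
    ("alice", "host-02", datetime(2024, 1, 10, 15, 0)),
    ("carol", "host-03", datetime(2024, 1, 10, 16, 0)),
    ("bob",   "host-03", datetime(2024, 1, 9, 8, 0)),   # outside the seed's validity window
]

# Constructed privilege levels (claim 16): higher number means more privilege.
PRIVILEGE = {"alice": 1, "bob": 3, "carol": 1}
ADMIN_LEVEL = 3  # assumed threshold at which a cross-mapped user is treated as privileged


@dataclass(frozen=True)
class SecurityAssessment:
    object_type: str        # "host" or "user"
    object_id: str
    category: str           # incident type from the (assumed) taxonomy
    severity: str
    fidelity: float         # 0..1, the publishing endpoint's confidence
    valid_from: datetime    # validity interval of the assessment (claim 1)
    valid_until: datetime
    hop: int = 0            # number of cross-mapping rounds from the original assessment


def cross_map(assessment, usage_log):
    """Objects of the other type linked to this object by usage inside the validity window."""
    start, end = assessment.valid_from, assessment.valid_until
    related = set()
    for user, host, when in usage_log:
        if not (start <= when <= end):
            continue  # usage outside the interval does not count
        if assessment.object_type == "host" and host == assessment.object_id:
            related.add(user)
        elif assessment.object_type == "user" and user == assessment.object_id:
            related.add(host)
    return related


def propagate(seed, usage_log, privilege, decay=0.5, min_fidelity=0.2, max_rounds=3):
    """Iterate cross-mapping (claim 10), halving fidelity per round and stopping when it
    falls below min_fidelity; a privileged user raises severity (claim 16)."""
    seen = {(seed.object_type, seed.object_id)}
    frontier = [seed]
    derived = []
    for _ in range(max_rounds):
        next_frontier = []
        for a in frontier:
            new_fidelity = a.fidelity * decay
            if new_fidelity < min_fidelity:
                continue  # too little confidence left to publish another assessment
            other_type = "user" if a.object_type == "host" else "host"
            for oid in sorted(cross_map(a, usage_log)):
                key = (other_type, oid)
                if key in seen:
                    continue  # each object is assessed once, at its shortest hop
                seen.add(key)
                severity = a.severity
                if other_type == "user" and privilege.get(oid, 0) >= ADMIN_LEVEL:
                    severity = "critical"
                new = replace(a, object_type=other_type, object_id=oid,
                              fidelity=new_fidelity, severity=severity, hop=a.hop + 1)
                derived.append(new)
                next_frontier.append(new)
        frontier = next_frontier
        if not frontier:
            break
    return derived


def example_seed():
    """Constructed seed assessment: host-01 reported compromised on 2024-01-10."""
    return SecurityAssessment("host", "host-01", "compromised machine", "high", 1.0,
                              datetime(2024, 1, 10), datetime(2024, 1, 11))


def run_example():
    """Return (type, id, fidelity, hop, severity) for every derived assessment."""
    return [(a.object_type, a.object_id, a.fidelity, a.hop, a.severity)
            for a in propagate(example_seed(), USAGE_LOG, PRIVILEGE)]


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

Running it yields alice and bob at fidelity 0.5 after one hop (bob marked critical because of his privilege level), then host-02 at 0.25 via alice's second logon; host-03 is never reached because bob's logon there falls outside the validity interval, and the third round stops because fidelity would drop below the floor. The decay and floor keep a single noisy detection from fanning out across the whole enterprise.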