CONTROLLING ENTERPRISE ACCESS BY MOBILE DEVICES

US 20130239168A1
Filed: 03/07/2012
Published: 09/12/2013
Est. Priority Date: 03/07/2012
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a catalog component running on at least one server and including vulnerability data and, for each device of a plurality of devices, device data that includes data of at least one device component, wherein the plurality of devices correspond to the enterprise, wherein for each device the catalog component identifies a set of vulnerability data corresponding to the device, wherein the catalog component generates a trust score of the device using the set of vulnerability data; and

a trust component running on the at least one server and coupled to the catalog component, wherein the trust component generates a status list using at least one of the trust scores and the device data of the plurality of devices, wherein the status list corresponds to the enterprise and includes a status corresponding to the device data of each device, wherein access of each device to the enterprise is controlled according to the status.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system comprising at least one component running on at least one server and receiving vulnerability data and, for each device of a plurality of devices, device data that includes data of at least one device component. The system includes a trust score corresponding to each device of the plurality of devices and representing a level of security applied to the device. The trust score is generated using a severity of the vulnerability data. The system includes an access control component coupled to the at least one component and controlling access of the plurality of devices to an enterprise using the trust score.

71 Citations

View as Search Results

71 Claims

1. A system comprising:
- a catalog component running on at least one server and including vulnerability data and, for each device of a plurality of devices, device data that includes data of at least one device component, wherein the plurality of devices correspond to the enterprise, wherein for each device the catalog component identifies a set of vulnerability data corresponding to the device, wherein the catalog component generates a trust score of the device using the set of vulnerability data; and
  
  a trust component running on the at least one server and coupled to the catalog component, wherein the trust component generates a status list using at least one of the trust scores and the device data of the plurality of devices, wherein the status list corresponds to the enterprise and includes a status corresponding to the device data of each device, wherein access of each device to the enterprise is controlled according to the status.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69)
- - 2. The system of claim 1, wherein the status is determined using at least one access policy of the enterprise.
  - 3. The system of claim 1, wherein the status is determined using at least one policy exception of the enterprise.
  - 4. The system of claim 1, wherein the status comprises a first status that allows a device corresponding to the first status access to the enterprise.
  - 5. The system of claim 1, wherein the status comprises a second status that denies a device corresponding to the second status access to the enterprise.
  - 6. The system of claim 1, wherein the status comprises a third status that quarantines a device corresponding to the third status during an attempt to access to the enterprise.
  - 7. The system of claim 1, wherein the status list includes the trust score for each device of the plurality of devices.
  - 8. The system of claim 1, wherein the status list includes type identification describing device type for at least one of a set of devices and at least one device of the plurality of devices.
  - 9. The system of claim 1, wherein the status list includes a status for each set of a plurality of sets of devices, wherein the plurality of devices comprise the plurality of sets of devices.
  - 10. The system of claim 9, where a set of devices comprises devices having at least one specified parameter of device data.
  - 11. The system of claim 9, where a set of devices comprises devices having at least one specified enterprise parameter.
  - 12. The system of claim 9, wherein the status comprises a first status that allows a set of devices corresponding to the first status access to the enterprise.
  - 13. The system of claim 9, wherein the status comprises a second status that denies a set of devices corresponding to the second status access to the enterprise.
  - 14. The system of claim 9, wherein the status comprises a third status that quarantines a set of devices corresponding to the third status during an attempt to access to the enterprise.
  - 15. The system of claim 1, wherein the trust score comprises an indicator of a level of security applied to a device by the enterprise.
  - 16. The system of claim 1, wherein the trust score comprises a color-coded indicator.
  - 17. The system of claim 1, wherein the trust score comprises a numerical value.
  - 18. The system of claim 17, wherein the numerical value is in a range between and including zero (0) and ten (10).
  - 19. The system of claim 17, wherein the generating of the trust score comprises selecting a base score, and reducing the base score by an amount corresponding to a severity of each vulnerability of the set of vulnerability data.
  - 20. The system of claim 17, wherein each vulnerability of the set of vulnerability data is represented by a severity rating.
  - 21. The system of claim 20, wherein the generating of the trust score comprises generating a score deduction for each vulnerability of the set of vulnerability data.
  - 22. The system of claim 21, wherein the generating of the trust score comprises applying to the base score the score deduction corresponding to each vulnerability of the set of vulnerability data.
  - 23. The system of claim 22, wherein the base score is represented by a value of approximately ten (10).
  - 24. The system of claim 23, wherein the generating of the score deduction comprises a formula
    D=(i²÷
    - 6)−
      
      ((2·
      
      i)÷
      
      3),wherein variable D represents the score deduction, and variable i represents the severity rating of the vulnerability.
  - 25. The system of claim 1, wherein the catalog component updates and maintains the trust score.
  - 26. The system of claim 25, wherein the catalog component updates the trust score in response to receiving a new version of the vulnerability data.
  - 27. The system of claim 25, wherein the catalog component updates the trust score in response to receiving updated device data.
  - 28. The system of claim 25, wherein the catalog component updates the trust score in response to receiving device data corresponding to a new device.
  - 29. The system of claim 1, wherein the device data comprises data of at least one of device identification, configuration, operating system (OS) name, OS version, platform name, platform software components, device system image, device manufacturer, device brand, device model, device code name, user agent, central processor unit (CPU) type, and bootloader version.
  - 30. The system of claim 1, comprising a traffic filter coupled to the trust component and running on an access server of an enterprise, wherein the traffic filter includes the status list, wherein the plurality of components couple to the traffic filter to access the enterprise, wherein the traffic filter controls the access using the status list.
  - 31. The system of claim 30, wherein the catalog component couples to a remote database and receives the vulnerability data from the remote database.
  - 32. The system of claim 31, wherein the catalog component periodically receives the vulnerability data.
  - 33. The system of claim 31, wherein the remote database comprises the National Vulnerabilities Database.
  - 34. The system of claim 30, wherein the catalog component generates a mapping between the device data and the vulnerability data.
  - 35. The system of claim 34, wherein the catalog component identifies the set of vulnerability data corresponding to the device using the mapping.
  - 36. The system of claim 30, wherein the catalog component automatically receives the device data from each of the plurality of devices.
  - 37. The system of claim 36, wherein the traffic filter receives the device data from a device connecting to the access server, wherein the device reports the device data via a user agent.
  - 38. The system of claim 36, wherein the traffic filter receives the device data from a device connecting to the access server, wherein the device receives an electronic mail and content of the electronic mail causes the device to report the device data via a user agent.
  - 39. The system of claim 30, wherein the device data is manually entered into the catalog.
  - 40. The system of claim 30, wherein the device data is received via semi-automatic entry into the catalog.
  - 41. The system of claim 40, wherein the device comprises an agent application, wherein the agent application collects the device data and transfers the device data to the catalog component.
  - 42. The system of claim 30, wherein the catalog component receives the device data from at least one remote source, wherein the at least one remote source is remote to the at least one server.
  - 43. The system of claim 30, wherein the catalog component receives supplemental device data from at least one remote source that is remote to the at least one server, wherein the catalog component supplements the device data using the supplemental device data.
  - 44. The system of claim 30, wherein the catalog component receives the device data via self-identification, wherein the self-identification includes sending an electronic query to a user of a device and receiving the device data in response to action on the device resulting from the electronic query.
  - 45. The system of claim 30, wherein, when the device data is deficient, the access server places in a hold status a connection with a device attempting to access the enterprise.
  - 46. The system of claim 45, wherein, while the connection is in the hold status, the access server attempts to couple to at least one additional device data source and complete the device data using the at least one additional device data source.
  - 47. The system of claim 30, wherein the traffic filter includes the status list.
  - 48. The system of claim 30, wherein the traffic filter receives the status list from the trust component.
  - 49. The system of claim 30, wherein the access server comprises a client access server (CAS)/internet information server (IIS).
  - 50. The system of claim 30, wherein the traffic filter comprises an Internet Server Application Programming Interface (ISAPI) filter.
  - 51. The system of claim 30, wherein the traffic filter comprises a plurality of filter instances, where each filter instance corresponds to a process running on the access server.
  - 52. The system of claim 30, wherein control of the access by the traffic filter comprises comparing the status list with data received during communication a device attempting to access the enterprise, and at least one of allows and denies access to the device based on the results of the comparison.
  - 53. The system of claim 30, wherein the traffic filter comprises at least one set of instructions executing under the traffic filter, wherein the at least one set of instructions is received from the at least one server.
  - 54. The system of claim 30, wherein the trust component comprises at least one set of instructions executing under the trust component, wherein the at least one set of instructions is received from the at least one server.
  - 55. The system of claim 30, wherein the access server separately controls access to the enterprise by each software component of each device of the plurality of devices.
  - 56. The system of claim 1, wherein the at least one server generates at least one risk mitigation message corresponding to at least one device of the plurality of devices, wherein the risk mitigation message includes at least one suggested action for a user of the at least one device, wherein the at least one suggested action when taken reduces a risk associated with access to the enterprise by the at least one device.
  - 57. The system of claim 1, wherein the at least one server prioritizes the device data based on at least one of a type of the device data, a source of the device data, and consistency among parameters of the device data.
  - 58. The system of claim 1, wherein the catalog component maintains the device data of at least one device of the plurality of devices attempting to access the enterprise.
  - 59. The system of claim 1, comprising an interface coupled to the at least one server, wherein a user accesses and controls at least one of the catalog component and the trust component via the interface.
  - 60. The system of claim 59, wherein the interface includes controls to establish a plurality of risk thresholds according to at least one of the trust scores and a plurality of ranges of trust scores.
  - 61. The system of claim 59, wherein the interface presents effectiveness data of a plurality of enterprise access policies enforced by at least one of the catalog component and the trust component.
  - 62. The system of claim 61, wherein the plurality of enterprise access policies are based on at least one parameter, wherein the at least one parameter includes the trust score, a range of trust scores, device type, operating system data, at least one device capability, and device configuration.
  - 63. The system of claim 61, wherein the interface includes controls to generate the plurality of enterprise access policies, wherein the controls include a control to specify a policy type and a control to specify at least one parameter that is a basis for the policy.
  - 64. The system of claim 61, wherein at least one of the catalog component and the trust component generate the plurality of enterprise access policies based on at least one of the vulnerability data, the device data, and the trust scores of the plurality of devices.
  - 65. The system of claim 64, wherein the interface includes controls to edit the plurality of enterprise access policies.
  - 66. The system of claim 64, wherein the interface includes controls to apply at least one of the plurality of enterprise access policies.
  - 67. The system of claim 61, wherein the interface includes controls to generate and apply a plurality of policy exceptions.
  - 68. The system of claim 61, wherein the interface presents predicted effectiveness data of at least one of a change to the plurality of enterprise access policies and at least one new enterprise access policy.
  - 69. The system of claim 68, wherein the predicted effectiveness data includes at least one of a type of device affected and a number of devices affected.

70. A system comprising:
- a catalog component running on at least one server and including vulnerability data and, for each device of a plurality of devices, device data that includes data of at least one device component, wherein the plurality of devices correspond to the enterprise, wherein for each device the catalog component identifies a set of vulnerability data corresponding to the device, wherein the catalog component generates a trust score of the device using the set of vulnerability data;
  
  a trust component running on the at least one server and coupled to the catalog component, wherein the trust component generates a status list using at least one of the trust scores and the device data of the plurality of devices, wherein the status list corresponds to the enterprise and includes a status corresponding to the device data of each device; and
  
  a traffic filter coupled to the trust component and running on an access server of an enterprise, wherein the plurality of components couple to the traffic filter to access the enterprise, wherein the traffic filter controls the access using the status list.

71. A method comprising:
- executing a catalog component on at least one server, the catalog component including vulnerability data and, for each device of a plurality of devices, device data that includes data of at least one device component, wherein the plurality of devices correspond to the enterprise, wherein for each device the catalog component identifies a set of vulnerability data corresponding to the device, wherein the catalog component generates a trust score of the device using the set of vulnerability data; and
  
  executing a trust component on the at least one server, wherein the trust component is coupled to the catalog component, wherein the trust component generates a status list using at least one of the trust scores and the device data of the plurality of devices, wherein the status list corresponds to the enterprise and includes a status corresponding to the device data of each device, wherein access of each device to the enterprise is controlled according to the status.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rapid7, Inc.
Original Assignee
Giridhar Sreenivas, Kurt Berglund
Inventors
SREENIVAS, Giridhar, SIGURDSON, Derek, BERGLUND, Kurt, PARKER, Jordan

Granted Patent

US 10,198,581 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/0227   Filtering policies mail mes...

H04L 63/102   Entity profiles

H04L 63/1433   Vulnerability analysis

CONTROLLING ENTERPRISE ACCESS BY MOBILE DEVICES

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

71 Citations

71 Claims

Specification

Use Cases

Quick Links

Others

CONTROLLING ENTERPRISE ACCESS BY MOBILE DEVICES

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

71 Citations

71 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others