Systems and Methods for Cloud Security Monitoring and Threat Intelligence

US 20150172321A1
Filed: 10/24/2014
Published: 06/18/2015
Est. Priority Date: 12/13/2013
Status: Active Grant

First Claim

Patent Images

1. A cloud security system for monitoring and controlling the security of cloud application accounts comprising:

memory containing;

an analytics application;

a seeder application; and

an analytics repository database; and

a processor;

wherein the processor is configured by the analytics application to;

generate a threat model using at least a first portion of stored activity data in the analytics repository database; and

identify, based upon the threat model, a threat using a second portion of stored activity data in the analytics repository database;

wherein the processor is further configured by the seeder application to;

select a security policy to implement in response to the identified threat;

identify cloud security controls in at least one remotely hosted cloud application server system to modify in accordance with the selected security policy;

establish a secure connection to the at least one remotely hosted cloud application server system using login credentials associated with a tenant account with the cloud application; and

send instructions to the at least one remotely hosted cloud application server system to set the identified cloud security controls with respect to the tenant account in accordance with the selected security policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for cloud security monitoring and threat intelligence in accordance with embodiments of the invention are disclosed. In one embodiment, a process for monitoring and remediation of security threats includes generating a threat model using a first portion of activity data, identifying, based upon the threat model, a threat using a second portion of activity data, selecting a security policy to implement in response to the identified threat, identifying cloud security controls in a remotely hosted cloud application server system to modify in accordance with the selected security policy, establishing a secure connection to the remotely hosted cloud application server system using login credentials associated with a tenant account with the cloud application, and sending instructions to the remotely hosted cloud application server system to set the identified cloud security controls with respect to the tenant account in accordance with the selected security policy.

Citations

41 Claims

1. A cloud security system for monitoring and controlling the security of cloud application accounts comprising:
- memory containing;
  
  an analytics application;
  
  a seeder application; and
  
  an analytics repository database; and
  
  a processor;
  
  wherein the processor is configured by the analytics application to;
  
  generate a threat model using at least a first portion of stored activity data in the analytics repository database; and
  
  identify, based upon the threat model, a threat using a second portion of stored activity data in the analytics repository database;
  
  wherein the processor is further configured by the seeder application to;
  
  select a security policy to implement in response to the identified threat;
  
  identify cloud security controls in at least one remotely hosted cloud application server system to modify in accordance with the selected security policy;
  
  establish a secure connection to the at least one remotely hosted cloud application server system using login credentials associated with a tenant account with the cloud application; and
  
  send instructions to the at least one remotely hosted cloud application server system to set the identified cloud security controls with respect to the tenant account in accordance with the selected security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The system of claim 1 where the memory further contains a data loader application and the processor is configured by the data loader application to:
    - establish a secure connection to one of the at least one remotely hosted cloud application server system using the login credentials associated with the tenant account with the cloud application;
      
      retrieve activity data associated with the tenant account from the remotely hosted cloud application server system; and
      
      store the retrieved activity data in the analytics repository database.
  - 3. The system of claim 1 wherein the activity data is retrieved at predetermined intervals.
  - 4. The system of claim 1 wherein the activity data includes information concerning login and logout statistics, IP addresses and devices used to access the cloud service.
  - 5. The system of claim 1 wherein the activity data comprises values that are set for security controls associated with the tenant account.
  - 6. The system of claim 1 wherein the processor is further configured by the data loader application to normalize the retrieved activity data into a common format.
  - 7. The system of claim 1 wherein the threat model models user behavior.
  - 8. The system of claim 1 wherein the threat model correlates activities across a plurality of cloud applications using user profile information associating a particular user'"'"'s accounts across the plurality of cloud applications and the user'"'"'s accounts are associated with the tenant account at each of the cloud applications.
  - 9. The system of claim 8 wherein the user profile information associating a particular user'"'"'s accounts across the plurality of cloud applications is retrieved from a user identity repository.
  - 10. The system of claim 1, wherein the processor is further configured by the data loader application to determine whether a portion of the activity data matches predefined policy alerts.
  - 11. The system of claim 1 wherein the processor is further configured by the analytics application to send an alert containing information concerning the identified alert and recommended remediation actions.
  - 12. The system of claim 11 wherein a recommended remediation action prescribes a task to be performed outside of the system and the result of the task is entered into the system.
  - 13. The system of claim 11 wherein a recommended remediation action is to disable a user'"'"'s account.
  - 14. The system of claim 11 wherein:
    - the memory further contains an incident remediation application;
      
      a recommended remediation action prescribes a task to be performed by the cloud security system; and
      
      the processor is further configured by the incident remediation application to perform the task and save the result of the task into memory.
  - 15. The system of claim 1 wherein the processor is further configured by the seeder application to collect registration information from a tenant.
  - 16. The system of claim 15 wherein the registration information includes an authorization token secured by encryption.
  - 17. The system of claim 1 wherein the identified cloud security controls include password requirements.
  - 18. The system of claim 1, wherein the memory further comprises a cloud crawler application and the processor is further configured by the cloud crawler application to collect software defined security configuration data from the cloud service provider, wherein the software defined security configuration data comprises information describing the configuration of security controls in the cloud application with respect to the tenant account.
  - 19. The system of claim 18, wherein the processor is further configured by the cloud crawler application to normalize the software defined security configuration data and enter the normalized data into an application catalog database.
  - 20. The system of claim 1 wherein the processor being configured to generate a threat model using at least a first portion of stored activity data in the analytics repository database comprises the processor being configured to generate a threat model using a machine learning algorithm over the first portion of stored activity data.

21. A method for monitoring and remediation of security threats to cloud applications, the method comprising:
- generating a threat model using at least a first portion of stored activity data in an analytics repository database using a cloud security system;
  
  identifying, based upon the threat model, a threat using a second portion of stored activity data in the analytics repository database using the cloud security system;
  
  selecting a security policy to implement in response to the identified threat using the cloud security system;
  
  identifying cloud security controls in at least one remotely hosted cloud application server system to modify in accordance with the selected security policy using the cloud security system;
  
  establishing, using the cloud security system, a secure connection to the at least one remotely hosted cloud application server system using login credentials associated with a tenant account with the cloud application; and
  
  sending instructions to the at least one remotely hosted cloud application server system to set the identified cloud security controls with respect to the tenant account in accordance with the selected security policy using the cloud security system.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 22. The method of claim 21 further comprising:
    - establishing, using the cloud security system, a secure connection to a cloud application hosted by a cloud service provider using login credentials associated with a tenant account with the cloud application;
      
      retrieving, using the cloud security system, activity data associated with the tenant account; and
      
      storing the retrieved activity data in the analytics repository database using the cloud security system.
  - 23. The method of claim 21 wherein the activity data is retrieved at predetermined intervals.
  - 24. The method of claim 21 wherein the activity data includes information concerning login and logout statistics, IP addresses and devices used to access the cloud service.
  - 25. The method of claim 21 wherein the activity data comprises values that are set for security controls associated with the tenant account.
  - 26. The method of claim 21 further comprising normalizing the retrieved activity data into a common format using the cloud security system.
  - 27. The method of claim 21 wherein the threat model models user behavior.
  - 28. The method of claim 21 wherein the threat model correlates activities across a plurality of cloud applications using user profile information associating a particular user'"'"'s accounts across the plurality of cloud applications.
  - 29. The method of claim 28 wherein the user profile information associating a particular user'"'"'s accounts across the plurality of cloud applications is retrieved from a user identity repository.
  - 30. The method of claim 21, further comprising determining whether a portion of the activity data matches predefined policy alerts using the cloud security system.
  - 31. The method of claim 21 further comprising sending an alert containing information concerning the identified alert and recommended remediation actions.
  - 32. The method of claim 31 wherein a recommended remediation action prescribes a task to be performed outside of the system and the result of the task is entered into the system.
  - 33. The method of claim 31 wherein a recommended remediation action is to disable a user'"'"'s account.
  - 34. The method of claim 31 wherein:
    - a recommended remediation action prescribes a task to be performed by the cloud security system; and
      
      the method further comprises performing the task and saving the result of the task into memory using the cloud security system.
  - 35. The method of claim 21 further comprising collecting registration information from a tenant using the cloud security system.
  - 36. The method of claim 35 wherein the registration information includes an authorization token secured by encryption.
  - 37. The method of claim 21 wherein the identified cloud security controls include password requirements.
  - 38. The method of claim 21, further comprising collecting software defined security configuration data from the cloud service provider using the cloud security system, wherein the software defined security configuration data comprises information describing the configuration of security controls in the cloud application with respect to the tenant account.
  - 39. The method of claim 38, further comprising normalizing the software defined security configuration data and enter the normalized data into an application catalog database using the cloud security system.
  - 40. The method of claim 21 wherein generating a threat model using at least a first portion of stored activity data in the analytics repository database comprises generating a threat model using a machine learning algorithm over the first portion of stored activity data.

41. A method for monitoring and remediation of security threats to cloud applications, the method comprising:
- collecting registration information from a tenant using a cloud security system, where the registration information includes an authorization token secured by encryption;
  
  establishing, using the cloud security system, a secure connection to a cloud application hosted by a cloud service provider using login credentials associated with a tenant account with the cloud application;
  
  collecting software defined security configuration data from the cloud service provider using the cloud security system, where the software defined security configuration data comprises information describing the configuration of security controls in the cloud application with respect to the tenant account;
  
  retrieving, using the cloud security system, activity data associated with the tenant account;
  
  storing the retrieved activity data in an analytics repository database using the cloud security system;
  
  generating a threat model using at least a first portion of stored activity data in the analytics repository database using the cloud security system;
  
  identifying, based upon the threat model, a threat using a second portion of stored activity data in the analytics repository database using the cloud security system;
  
  sending an alert containing information concerning the identified alert and recommended remediation actions;
  
  selecting a security policy to implement in response to the identified threat using the cloud security system;
  
  identifying cloud security controls in at least one remotely hosted cloud application server system to modify in accordance with the selected security policy using the cloud security system;
  
  establishing, using the cloud security system, a secure connection to the at least one remotely hosted cloud application server system using login credentials associated with a tenant account with the cloud application; and
  
  sending instructions to the at least one remotely hosted cloud application server system to set the identified cloud security controls with respect to the tenant account in accordance with the selected security policy using the cloud security system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Palerra, Inc. (Oracle Corporation)
Inventors
Biswas, Kamalendu, Kirti, Ganesh, Gupta, Rohit, Turlapati, Ramana Rao Satyasai

Granted Patent

US 9,692,789 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Systems and Methods for Cloud Security Monitoring and Threat Intelligence

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and Methods for Cloud Security Monitoring and Threat Intelligence

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links