DATA ACCESS VERIFICATION FOR ENTERPRISE RESOURCES

US 20160261616A1
Filed: 04/16/2015
Published: 09/08/2016
Est. Priority Date: 03/06/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable storage medium having instructions stored therein, wherein the instructions, when executed by a processor a computing device, cause the computing device to perform operations responsive to a determination that a verification with a user is desired responsive to detection of activity indicative of a possible insider threat, wherein the computing device is to be communicatively coupled to a traffic capture and analysis module (TCAM), wherein the TCAM is to be coupled between a set of one or more client end stations and a set of one or more server end stations to analyze network traffic being sent between them, wherein the set of server end stations is to store enterprise resources including an enterprise application and enterprise data, wherein the possible insider threat comprises the use of one or more of a user account and a client end station to access the enterprise resources, and wherein the determination was based on one or more of the network traffic, current event data, and stored historical data, wherein the current event data describes an access to one of the enterprise resources that was detected and reported on by the TCAM, and the operations comprising:

selecting a target role and a target user for the verification based on an activity context and an enterprise context repository, wherein the activity context describes the activity by identifying a rule used to make the determination and by identifying one or more of the current event data and relevant historical data, wherein the enterprise context repository identifies the roles within the enterprise and the users in those roles, the selecting including;

selecting the target role from a plurality of target roles based on the activity context and optionally the enterprise context repository, wherein the plurality of roles includes two or more of an owner of the client end station, an owner of the user account, an owner of a particular part of the enterprise data, and a position at the enterprise;

selecting a target user in the selected target role based on the enterprise context repository, wherein the selected target role and the selected target user in that selected target role is intended to be the user of the enterprise having the requisite knowledge to confirm whether or not the activity is indicative of the possible insider threat;

causing a verification request to be sent to the selected target user, wherein the verification request describes the activity and allows the selected target user to effectively confirm whether or not the activity is indicative of the possible insider threat; and

generating an alert when a verification result, which is based on the verification request and any verification response, indicates that the activity is indicative of the possible insider threat.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a method in a computing device for responding to a determination that a verification with a user is desired responsive to detection of activity indicative of a possible insider threat is described. The method includes selecting a target role and a target user for the verification based on an activity context and an enterprise context repository, the selecting including selecting the target role from a plurality of target roles based on the activity context and optionally the enterprise context repository and selecting a target user in the selected target role based on the enterprise context repository. The method further includes causing a verification request to be sent to the selected target user; and generating an alert when a verification result indicates that the activity is indicative of the possible insider threat.

30 Citations

View as Search Results

36 Claims

1. A non-transitory computer-readable storage medium having instructions stored therein, wherein the instructions, when executed by a processor a computing device, cause the computing device to perform operations responsive to a determination that a verification with a user is desired responsive to detection of activity indicative of a possible insider threat, wherein the computing device is to be communicatively coupled to a traffic capture and analysis module (TCAM), wherein the TCAM is to be coupled between a set of one or more client end stations and a set of one or more server end stations to analyze network traffic being sent between them, wherein the set of server end stations is to store enterprise resources including an enterprise application and enterprise data, wherein the possible insider threat comprises the use of one or more of a user account and a client end station to access the enterprise resources, and wherein the determination was based on one or more of the network traffic, current event data, and stored historical data, wherein the current event data describes an access to one of the enterprise resources that was detected and reported on by the TCAM, and the operations comprising:
- selecting a target role and a target user for the verification based on an activity context and an enterprise context repository, wherein the activity context describes the activity by identifying a rule used to make the determination and by identifying one or more of the current event data and relevant historical data, wherein the enterprise context repository identifies the roles within the enterprise and the users in those roles, the selecting including;
  
  selecting the target role from a plurality of target roles based on the activity context and optionally the enterprise context repository, wherein the plurality of roles includes two or more of an owner of the client end station, an owner of the user account, an owner of a particular part of the enterprise data, and a position at the enterprise;
  
  selecting a target user in the selected target role based on the enterprise context repository, wherein the selected target role and the selected target user in that selected target role is intended to be the user of the enterprise having the requisite knowledge to confirm whether or not the activity is indicative of the possible insider threat;
  
  causing a verification request to be sent to the selected target user, wherein the verification request describes the activity and allows the selected target user to effectively confirm whether or not the activity is indicative of the possible insider threat; and
  
  generating an alert when a verification result, which is based on the verification request and any verification response, indicates that the activity is indicative of the possible insider threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The non-transitory computer-readable storage medium of claim 1, wherein the selected target user is a different individual than a user assigned the user account and an administrator.
  - 3. The non-transitory computer-readable storage medium of claim 1, wherein the selected target role is a manager of a user assigned the user account or assigned as owner of the client end station.
  - 4. The non-transitory computer-readable storage medium of claim 1, wherein the selected target role is the owner of the particular part of the enterprise data that is the subject of the activity.
  - 5. The non-transitory computer-readable storage medium of claim 1, wherein the selected target role is a user assigned as owner of the client end station.
  - 6. The non-transitory computer-readable storage medium of claim 1, wherein the alert comprises notifying an administrator of the enterprise about the activity.
  - 7. The non-transitory computer-readable storage medium of claim 1, wherein the alert comprises causing the TCAM to block network traffic from a source.
  - 8. The non-transitory computer-readable storage medium of claim 1, wherein the operations further comprise:
    - selecting a channel of communication for the verification request based on two or more of a set of one or more available channels of communication, time of day for the target user, and urgency that stems from the activity, wherein the verification request is sent via the selected channel of communication.
  - 9. The non-transitory computer-readable storage medium of claim 1, wherein the operations further comprise:
    - determining, responsive to a subsequent determination that a subsequent verification with a user is desired responsive to a subsequent detection of activity indicative of a possible insider threat, that a number of detections of activity indicative of a possible insider threat caused by the rule exceeds a predetermined threshold within a predetermined period of time; and
      
      notifying an administrator and forgoing the subsequent verification responsive to the determining.
  - 10. The non-transitory computer-readable storage medium of claim 1, wherein the operations further comprise:
    - selecting the target user for a subsequent verification responsive to a subsequent determination that the subsequent verification with a user is desired responsive to a subsequent detection of activity indicative of a possible insider threat;
      
      determining that a number of verifications with the target user exceeds a predetermined threshold within a predetermined period of time; and
      
      notifying an administrator and forgoing a verification responsive to the determining.
  - 11. The non-transitory computer-readable storage medium of claim 1, wherein the operations further comprise:
    - receiving a verification response from the target user identifying a new target user and indicating that the verification should be performed with the new target user; and
      
      causing a second verification request to be sent to the new target user.
  - 12. The non-transitory computer-readable storage medium of claim 11, wherein the operations further comprise:
    - recording in the enterprise context repository that similar future verifications should be with the new target user instead.
  - 13. The non-transitory computer-readable storage medium of claim 1, wherein the operations further comprise:
    - selecting a type for the verification request from a plurality of types based on one or more of the activity and configuration data, wherein the plurality of types include a positive and a negative type.
  - 14. The non-transitory computer-readable storage medium of claim 1, wherein the determination that a verification with a user is desired is based on a threshold number of verifications within a threshold period of time with a user and the selection is of a manger of the user as part of an escalation plan.
  - 15. The non-transitory computer-readable storage medium of claim 1, wherein the verification request is caused to be sent out-of band relative to the network traffic.
  - 16. The non-transitory computer-readable storage medium of claim 1, wherein the insider threat is one of a compromised insider threat, a malicious insider threat, and a negligent insider threat.
  - 17. The non-transitory computer-readable storage medium of claim 1, wherein the stored historical data reflects one or more of a set of prior verification requests sent to users and any corresponding verification responses from those users and a set of prior event data that describes accesses to one of the enterprise resources that was detected and reported on by the TCAM.
  - 18. The non-transitory computer-readable storage medium of claim 1, wherein the verification request, instead of directly asking whether or not the activity is indicative of the possible insider threat, poses one or more questions that are expected to be more understandable to the selected target user.

19. A computing device configured to respond to a determination that a verification with a user is desired responsive to detection of activity indicative of a possible insider threat, wherein the computing device is to be communicatively coupled to a traffic capture and analysis module (TCAM), wherein the TCAM is to be coupled between a set of one or more client end stations and a set of one or more server end stations to analyze network traffic being sent between them, wherein the set of server end stations to store enterprise resources including an enterprise application and enterprise data, wherein the possible insider threat comprises the use of one or more of a user account and a client end station to access the enterprise resources, and wherein the determination is based on one or more of the network traffic, current event data, and stored historical data, wherein the current event data describes an access to one of the enterprise resources that was detected and reported on by the TCAM, the computing device comprising:
- a processor and a memory, said memory containing instructions which when executed by the processor cause the computing device to;
  
  select a target role and a target user for the verification based on an activity context and an enterprise context repository, wherein the activity context describes the activity by identifying a rule used to make the determination and by identifying one or more of the current event data and relevant historical data, wherein the enterprise context repository identifies the roles within the enterprise and the users in those roles, the selection including to;
  
  select the target role from a plurality of target roles based on the activity context and optionally the enterprise context repository, wherein the plurality of roles includes two or more of an owner of the client end station, an owner of the user account, an owner of a particular part of the enterprise data, and a position at the enterprise;
  
  select a target user in the selected target role based on the enterprise context repository, wherein the selected target role and the selected target user in that selected target role is intended to be the user of the enterprise having the requisite knowledge to confirm whether or not the activity is indicative of the possible insider threat;
  
  cause a verification request to be sent to the selected target user, wherein the verification request describes the activity and allows the selected target user to effectively confirm whether or not the activity is indicative of the possible insider threat; and
  
  generate an alert when a verification result, which is based on the verification request and any verification response, indicates that the activity is indicative of the possible insider threat.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 20. The computing device of claim 19, wherein the selected target user is a different individual than a user assigned the user account and an administrator.
  - 21. The computing device of claim 19, wherein the selected target role is a manager of a user assigned the user account or assigned as owner of the client end station.
  - 22. The computing device of claim 19, wherein the selected target role is the owner of the particular part of the enterprise data that is the subject of the activity.
  - 23. The computing device of claim 19, wherein the selected target role is a user assigned as owner of the client end station.
  - 24. The computing device of claim 19, wherein the alert is to notify an administrator of the enterprise about the activity.
  - 25. The computing device of claim 19, wherein the alert is to cause the TCAM to block network traffic from a source.
  - 26. The computing device of claim 19, wherein the instructions when executed by the processor also cause the computing device to:
    - select a channel of communication for the verification request based on two or more of a set of one or more available channels of communication, time of day for the target user, and urgency that stems from the activity, wherein the verification request is sent via the selected channel of communication.
  - 27. The computing device of claim 19, wherein the instructions when executed by the processor also cause the computing device to:
    - determine, responsive to a subsequent determination that a subsequent verification with a user is desired responsive to a subsequent detection of activity indicative of a possible insider threat, that a number of detections of activity indicative of a possible insider threat caused by the rule exceeds a predetermined threshold within a predetermined period of time; and
      
      notify an administrator and forgo the subsequent verification responsive to the determination.
  - 28. The computing device of claim 19, wherein the instructions when executed by the processor also cause the computing device to:
    - select the target user for a subsequent verification responsive to a subsequent determination that the subsequent verification with a user is desired responsive to a subsequent detection of activity indicative of a possible insider threat;
      
      determine that a number of verifications with the target user exceeds a predetermined threshold within a predetermined period of time; and
      
      notify an administrator and forgo a verification responsive to the determination.
  - 29. The computing device of claim 19, wherein the instructions when executed by the processor also cause the computing device to:
    - receive a verification response from the target user identifying a new target user and indicating that the verification should be performed with the new target user; and
      
      cause a second verification request to be sent to the new target user.
  - 30. The computing device of claim 29, wherein the instructions when executed by the processor also cause the computing device to:
    - record in the enterprise context repository that similar future verifications should be with the new target user instead.
  - 31. The computing device of claim 19, wherein the instructions when executed by the processor also cause the computing device to:
    - select a type for the verification request from a plurality of types based on one or more of the activity and configuration data, wherein the plurality of types include a positive and a negative type.
  - 32. The computing device of claim 19, wherein the determination that a verification with a user is desired is based on a threshold number of verifications within a threshold period of time with a user and the selection is of a manger of the user as part of an escalation plan.
  - 33. The computing device of claim 19, wherein the verification request is caused to be sent out-of band relative to the network traffic.
  - 34. The computing device of claim 19, wherein the insider threat is one of a compromised insider threat, a malicious insider threat, and a negligent insider threat.
  - 35. The computing device of claim 19, wherein the stored historical data reflects one or more of a set of prior verification requests sent to users and any corresponding verification responses from those users and a set of prior event data that describes accesses to one of the enterprise resources that was detected and reported on by the TCAM.
  - 36. The computing device of claim 19, wherein the verification request, instead of directly asking whether or not the activity is indicative of the possible insider threat, poses one or more questions that are expected to be more understandable to the selected target user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imperva Incorporated (Thales SA)
Original Assignee
Imperva Incorporated (Thales SA)
Inventors
DULCE, Sagie, SHULMAN, Amichai

Granted Patent

US 9,591,008 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 2221/034   Test or assess a computer o...

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/18   using different networks or...

DATA ACCESS VERIFICATION FOR ENTERPRISE RESOURCES

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

36 Claims

Specification

Use Cases

Quick Links

Others

DATA ACCESS VERIFICATION FOR ENTERPRISE RESOURCES

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

36 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others