CLOUD BASED SYSTEMS AND METHODS FOR DETERMINING AND VISUALIZING SECURITY RISKS OF COMPANIES, USERS, AND GROUPS

US 20170359220A1
Filed: 08/08/2017
Published: 12/14/2017
Est. Priority Date: 06/02/2016
Status: Active Grant

First Claim

Patent Images

1. A method implemented through a distributed security system for determining and addressing risk of users, groups of users, locations, and/or companies, the method comprising:

obtaining log data from the distributed security system;

analyzing the log data to obtain a risk score for an entity associated with the distributed security system, wherein the entity comprises one of a user, a group of users, a location, and a company, and wherein the risk score is a weighted combination of pre-infection behavior, post-infection behavior, and suspicious behavior;

performing one or more remedial actions for the entity; and

subsequently obtaining updated log data and analyzing the updated log data to obtain an updated risk score to determine efficacy of the one or more remedial actions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and method implemented through a distributed security system for determining and addressing risk of users, groups of users, locations, and/or companies include obtaining log data from the distributed security system; analyzing the log data to obtain a risk score for an entity associated with the distributed security system, wherein the entity comprises one of a user, a group of users, a location, and a company, and wherein the risk score is a weighted combination of pre-infection behavior, post-infection behavior, and suspicious behavior; performing one or more remedial actions for the entity; and subsequently obtaining updated log data and analyzing the updated log data to obtain an updated risk score to determine efficacy of the one or more remedial actions.

Citations

20 Claims

1. A method implemented through a distributed security system for determining and addressing risk of users, groups of users, locations, and/or companies, the method comprising:
- obtaining log data from the distributed security system;
  
  analyzing the log data to obtain a risk score for an entity associated with the distributed security system, wherein the entity comprises one of a user, a group of users, a location, and a company, and wherein the risk score is a weighted combination of pre-infection behavior, post-infection behavior, and suspicious behavior;
  
  performing one or more remedial actions for the entity; and
  
  subsequently obtaining updated log data and analyzing the updated log data to obtain an updated risk score to determine efficacy of the one or more remedial actions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the analyzing to obtain the risk score comprises:
    - performing a plurality of levels of aggregation on the log data to determine threats for the entity and to categorize the threats; and
      
      determining the risk score for the entity based on a weighted formula of the categorized threats and a length of infection of each.
  - 3. The method of claim 2, wherein the plurality of levels of aggregation are each a form of a Structured Query Language (SQL) query on the log data.
  - 4. The method of claim 2, wherein the categorized threats are segmented in the pre-infection behavior, the post-infection behavior, and the suspicious behavior.
  - 5. The method of claim 4, wherein the post-infection behavior is weighted higher than the pre-infection behavior which is weighted higher than the suspicious behavior.
  - 6. The method of claim 1, wherein the entity comprises a company, group, or location and the risk score comprises a combination of risk scores associated with users of the company, group, or location.
  - 7. The method of claim 6, further comprising:
    - comparing the risk score to a plurality of risk scores for other entities; and
      
      performing the one or more remedial actions based on the comparing.
  - 8. The method of claim 1, further comprising:
    - performing one or more additional remedial actions based on the determined efficacy.
  - 9. The method of claim 1, wherein the one or more remedial actions comprise adding or changing services for the entity from the distributed security system.

10. A distributed security system configured to determine and address risk of users, groups of users, locations, and/or companies, the distributed security system comprising:
- one or more cloud nodes configured to monitor for security threats and maintain logs of transactions; and
  
  one or more servers each comprising memory storing instructions that, when executed, cause a processor toobtain log data from the distributed security system;
  
  analyze the log data to obtain a risk score for an entity associated with the distributed security system, wherein the entity comprises one of a user, a group of users, a location, and a company, and wherein the risk score is a weighted combination of pre-infection behavior, post-infection behavior, and suspicious behavior;
  
  perform one or more remedial actions for the entity; and
  
  subsequently obtain updated log data and analyzing the updated log data to obtain an updated risk score to determine efficacy of the one or more remedial actions.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The distributed security system of claim 10, wherein the analysis to obtain the risk score comprises:
    - performance of a plurality of levels of aggregation on the log data to determine threats for the entity and to categorize the threats; and
      
      determination of the risk score for the entity based on a weighted formula of the categorized threats and a length of infection of each.
  - 12. The distributed security system of claim 11, wherein the plurality of levels of aggregation are each a form of a Structured Query Language (SQL) query on the log data.
  - 13. The distributed security system of claim 11, wherein the categorized threats are segmented in the pre-infection behavior, the post-infection behavior, and the suspicious behavior.
  - 14. The distributed security system of claim 13, wherein the post-infection behavior is weighted higher than the pre-infection behavior which is weighted higher than the suspicious behavior.
  - 15. The distributed security system of claim 11, wherein the entity comprises a company, group, or location and the risk score comprises a combination of risk scores associated with users of the company, group, or location.
  - 16. The distributed security system of claim 15, wherein the instructions that, when executed, further cause a processor tocompare the risk score to a plurality of risk scores for other entities;
    - andperform the one or more remedial actions based on the comparing.
  - 17. The distributed security system of claim 11, wherein the instructions that, when executed, further cause a processor toperform one or more additional remedial actions based on the determined efficacy.
  - 18. The distributed security system of claim 11, wherein the one or more remedial actions comprise adding or changing services for the entity from the distributed security system.

19. A log node in a distributed system configured to determine and address risk of users, groups of users, locations, and/or companies, the log node comprising:
- a network interface, a data store, and a processor communicatively coupled to one another; and
  
  memory storing computer executable instructions, and in response to execution by the processor, the computer-executable instructions cause the processor toobtain log data from the distributed security system;
  
  analyze the log data to obtain a risk score for an entity associated with the distributed security system, wherein the entity comprises one of a user, a group of users, a location, and a company, and wherein the risk score is a weighted combination of pre-infection behavior, post-infection behavior, and suspicious behavior;
  
  cause or suggest performance one or more remedial actions for the entity; and
  
  subsequently obtain updated log data and analyzing the updated log data to obtain an updated risk score to determine efficacy of the one or more remedial actions.
- View Dependent Claims (20)
- - 20. The log node of claim 19, wherein the analysis to obtain the risk score comprises:
    - performance of a plurality of levels of aggregation on the log data to determine threats for the entity and to categorize the threats; and
      
      determination of the risk score for the entity based on a weighted formula of the categorized threats and a length of infection of each.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Zscaler Incorporated
Inventors
Weith, Loren, Desai, Deepen, Sinha, Amit

Granted Patent

US 10,498,605 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/23   Updating

G06F 16/25   Integrating or interfacing ...

G06F 16/285   Clustering or classification

H04L 41/0893   Assignment of logical group...

H04L 63/0227   Filtering policies mail mes...

H04L 63/08   for authentication of entit...

H04L 63/12   Applying verification of th...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

CLOUD BASED SYSTEMS AND METHODS FOR DETERMINING AND VISUALIZING SECURITY RISKS OF COMPANIES, USERS, AND GROUPS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CLOUD BASED SYSTEMS AND METHODS FOR DETERMINING AND VISUALIZING SECURITY RISKS OF COMPANIES, USERS, AND GROUPS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links