DYNAMIC POLICY INJECTION AND ACCESS VISUALIZATION FOR THREAT DETECTION
First Claim
1. A system comprising:
- one or more processors and non-transitory machine readable storage medium;
- program instructions to monitor a live information flow, wherein the live information flow includes a flow of data from a source to a destination;
- program instructions to provide a user interface that includes the source and the destination connected via a line;
- program instructions to determine an occurrence of a security event within the live information flow based on a trigger of an enforcement policy, wherein the enforcement policy includes a specification of the source, the destination, and an enforcement action, and when the data within the one or more live information flows matches at least the source and the destination of the enforcement policy, the enforcement policy is triggered and the enforcement action is applied; and
- program instructions to update the user interface to reflect the occurrence of the security event by: (i) identifying an indicator of the enforcement policy, and (ii) displaying the line connecting the source and the destination running through the indicator of the enforcement policy, wherein the program instructions are stored on the non-transitory machine readable storage medium for execution by the one or more processors.
Abstract
The present disclosure relates generally to threat detection, and more particularly, to techniques for analyzing security events using dynamic policies and displaying a consolidated view of active threats and user activity, including the dynamic policies being triggered by the active threats and user activity. Some aspects are directed to the concept of a policy bus for injecting and communicating the dynamic policies to multiple enforcement entities and the ability of the entities to respond to the policies dynamically. Other aspects are directed to providing a consolidated view of active threat categories, a count of policies being triggered for each threat category, and associated trends. Yet other aspects are directed to providing a consolidated view of users, applications being accessed by users, and the access policies, if any, implicated by such accesses.
20 Claims
8. A non-transitory machine readable storage medium having instructions stored thereon that when executed by one or more processors cause the one or more processors to perform a method comprising:
- monitoring a live information flow, wherein the live information flow includes a flow of data from a source to a destination;
- providing a user interface that includes the source and the destination connected via a line;
- determining an occurrence of a security event within the live information flow based on a trigger of an enforcement policy, wherein the enforcement policy includes a specification of the source, the destination, and an enforcement action, and when the data within the one or more live information flows matches at least the source and the destination of the enforcement policy, the enforcement policy is triggered and the enforcement action is applied; and
- updating the user interface to reflect the occurrence of the security event by: (i) identifying an indicator of the enforcement policy, and (ii) displaying the line connecting the source and the destination running through the indicator of the enforcement policy.
15. A method comprising:
- monitoring, by a computing system, a live information flow, wherein the live information flow includes a flow of data from a source to a destination;
- providing, by the computing system, a user interface that includes the source and the destination connected via a line;
- determining, by the computing system, an occurrence of a security event within the live information flow based on a trigger of an enforcement policy, wherein the enforcement policy includes a specification of the source, the destination, and an enforcement action, and when the data within the one or more live information flows matches at least the source and the destination of the enforcement policy, the enforcement policy is triggered and the enforcement action is applied; and
- updating, by the computing system, the user interface to reflect the occurrence of the security event by: (i) identifying an indicator of the enforcement policy, and (ii) displaying the line connecting the source and the destination running through the indicator of the enforcement policy.
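The policy bus of the abstract and the source/destination matching recited in the independent claims, as an added Python sketch that is not the patent's own implementation: a bus pushes policies to subscribed enforcement points at runtime, each point triggers the first policy whose source and destination match a flow, returns the action and the policy indicator the UI would route the line through, and keeps the per-category trigger count used for the consolidated threat view. All class and function names, the "*" wildcard convention, and the sample policies and flows are assumptions.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    policy_id: str    # the indicator the UI draws the flow line through
    source: str       # "*" matches any source (assumed wildcard convention)
    destination: str  # "*" matches any destination
    action: str       # enforcement action, e.g. "block" or "alert"
    category: str     # threat category for the consolidated threat view

class EnforcementPoint:
    """One enforcement entity: keeps the policies the bus has pushed to it."""
    def __init__(self) -> None:
        self.policies: dict[str, Policy] = {}
        self.category_counts: Counter = Counter()  # triggers per threat category
    def on_policy(self, policy: Policy) -> None:
        self.policies[policy.policy_id] = policy   # re-injection replaces by id
    def evaluate(self, source: str, destination: str) -> tuple[str, str | None]:
        """First matching policy triggers; returns (action, indicator) or ("allow", None)."""
        for p in self.policies.values():
            if p.source in ("*", source) and p.destination in ("*", destination):
                self.category_counts[p.category] += 1
                return p.action, p.policy_id
        return "allow", None

class PolicyBus:
    """Pushes dynamic policies to every subscribed enforcement point at runtime."""
    def __init__(self) -> None:
        self.policies: list[Policy] = []
        self.points: list[EnforcementPoint] = []
    def subscribe(self, point: EnforcementPoint) -> None:
        self.points.append(point)
        for p in self.policies:                    # late subscribers catch up
            point.on_policy(p)
    def inject(self, policy: Policy) -> None:
        self.policies.append(policy)
        for point in self.points:
            point.on_policy(policy)

def demo() -> tuple[list[tuple[str, str | None]], dict[str, int]]:
    # Constructed sample: a gateway subscribes, two policies arrive live, three flows run.
    bus, gw = PolicyBus(), EnforcementPoint()
    bus.subscribe(gw)
    bus.inject(Policy("P-1", "alice", "payroll-db", "alert", "data-exfiltration"))
    bus.inject(Policy("P-2", "*", "c2.example", "block", "malware-c2"))
    flows = [("alice", "payroll-db"), ("bob", "c2.example"), ("bob", "wiki")]
    return [gw.evaluate(s, d) for s, d in flows], dict(gw.category_counts)
```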