DYNAMIC POLICY BASED ON USER EXPERIENCE
First Claim
1. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- storing an entity model for an entity at a threat management facility for an enterprise network, the entity including at least one of an identity and access management system, a domain controller, a physical device, a user, an operating system, or an application associated with the enterprise network, and the entity model characterizing a baseline of expected events based on events from the entity over an historical window as a vector in an event vector space;
- instrumenting a compute instance associated with the entity to report event vectors based on one or more events from one or more sensors associated with the compute instance;
- receiving an event stream at the threat management facility, the event stream including a plurality of event vectors from the compute instance;
- calculating a risk score for the compute instance based on a distance between the entity model and one or more event vectors in the event stream in the event vector space; and
- adjusting a policy for the compute instance based on the risk score, the policy including one or more security settings for the compute instance.
Abstract
Entity models are used to evaluate potential risk of entities, either individually or in groups, in order to evaluate suspiciousness within an enterprise network. These individual or aggregated risk assessments can be used to adjust the security policy for compute instances within the enterprise network. A security policy may specify security settings such as network speed, filtering levels, network isolation, levels of privilege, and the like.
21 Claims
1. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- storing an entity model for an entity at a threat management facility for an enterprise network, the entity including at least one of an identity and access management system, a domain controller, a physical device, a user, an operating system, or an application associated with the enterprise network, and the entity model characterizing a baseline of expected events based on events from the entity over an historical window as a vector in an event vector space;
- instrumenting a compute instance associated with the entity to report event vectors based on one or more events from one or more sensors associated with the compute instance;
- receiving an event stream at the threat management facility, the event stream including a plurality of event vectors from the compute instance;
- calculating a risk score for the compute instance based on a distance between the entity model and one or more event vectors in the event stream in the event vector space; and
- adjusting a policy for the compute instance based on the risk score, the policy including one or more security settings for the compute instance.
Dependent claims: 2 to 14.

15. A method comprising:
- storing an entity model at a threat management facility for an enterprise network, the entity model characterizing expected events for an entity;
- instrumenting a compute instance in the enterprise network to detect one or more events and report a number of event vectors including the one or more events to the threat management facility;
- receiving an event stream of the number of event vectors from the compute instance at the threat management facility;
- calculating a risk score for the compute instance based on a comparison of one or more of the event vectors in the event stream with the entity model for the entity; and
- adjusting a policy for the compute instance based on the risk score.
Dependent claims: 16 to 20.

21. A system comprising:
- a compute instance in an enterprise network, the compute instance configured to detect one or more events associated with the compute instance and to report an event vector including the one or more events to a remote resource; and
- a threat management facility, the threat management facility including a memory storing an entity model characterizing expected events for an entity, and the threat management facility configured to receive an event stream including the event vector, to calculate a risk score for the compute instance based on a comparison of the event vector with the entity model, and to adjust a policy for the compute instance based on the risk score.
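The mechanism the abstract and claims describe, as an added Python illustration that is not the patent's code: a baseline vector built from an entity's historical event vectors, a distance-based risk score for an incoming event stream, and a policy adjustment drawn from the security settings the abstract lists. The event types, the mean-plus-spread baseline, the score thresholds and the sample counts are my assumptions.

```python
"""Added illustration of the claimed mechanism; not code from the patent.
Assumptions (mine): an event vector is a tuple of per-type event counts, the
entity model is the per-dimension mean of the historical window, and the risk
score is the Euclidean distance to that mean scaled by the historical spread."""
from math import sqrt
from statistics import mean, pstdev

# Assumed event dimensions; the patent does not fix a particular set.
EVENT_TYPES = ("logon", "proc_launch", "net_conn", "priv_escalation")

def euclidean(a, b):
    """Distance between two event vectors in the event vector space."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def build_entity_model(history):
    """Entity model: mean event vector over the historical window."""
    return tuple(mean(v[i] for v in history) for i in range(len(EVENT_TYPES)))

def baseline_spread(history, model):
    """How far historical vectors normally sit from the model (floored at 1.0)."""
    dists = [euclidean(v, model) for v in history]
    return max(1.0, mean(dists) + pstdev(dists))

def risk_score(model, spread, event_stream):
    """Largest distance in the stream, scaled so 1.0 marks the edge of baseline behaviour."""
    return max(euclidean(v, model) for v in event_stream) / spread

def adjust_policy(score):
    """Map the score to settings named in the abstract (thresholds are assumed)."""
    if score < 1.0:
        return {"network_speed": "full", "filtering": "standard", "isolated": False, "privilege": "normal"}
    if score < 3.0:
        return {"network_speed": "throttled", "filtering": "strict", "isolated": False, "privilege": "reduced"}
    return {"network_speed": "blocked", "filtering": "strict", "isolated": True, "privilege": "minimal"}

def evaluate(history, event_stream):
    """Full pipeline for one compute instance: model -> score -> policy."""
    model = build_entity_model(history)
    score = risk_score(model, baseline_spread(history, model), event_stream)
    return score, adjust_policy(score)

# Constructed sample data: five days of baseline counts for one workstation, then two streams.
HISTORY = [(8, 40, 120, 0), (9, 45, 110, 0), (7, 38, 130, 0), (8, 42, 125, 0), (10, 44, 115, 0)]
NORMAL_STREAM = [(8, 41, 118, 0)]
SUSPICIOUS_STREAM = [(8, 40, 120, 0), (25, 300, 900, 6)]

if __name__ == "__main__":
    for name, stream in (("normal", NORMAL_STREAM), ("suspicious", SUSPICIOUS_STREAM)):
        score, policy = evaluate(HISTORY, stream)
        print(f"{name}: risk={score:.2f} policy={policy}")
```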