Computer system with risk-based assessment and protection against harmful user activity
First Claim
1. A method of protecting a computer system against potentially harmful activity of a privileged user authorized to perform sensitive computer system operations which non-privileged users of the computer system are not authorized to perform, the method comprising:
- deploying a risk agent in the computer system, the risk agent being communicatively coupled to a risk engine, the risk engine being operative in response to queries from the risk agent to perform rules-based risk assessments of activities identified in the queries and to provide responses conveying risk assessment results; and
- operating the risk agent in the computer system to:
(a) identify a user as one of a privileged user and a non-privileged user, the privileged user being authorized to perform sensitive computer system operations the non-privileged user is not authorized to perform;
(b) when the user is identified as the non-privileged user, refrain from performing a monitoring action that includes monitoring computer system activity of the user;
(c) when the user is identified as the privileged user, then (i) perform the monitoring action to monitor computer system activity of the privileged user to detect initiation of a sensitive computer system operation, and (ii) identify the computer system operation as one of a sensitive computer system operation and a non-sensitive computer system operation, the sensitive computer system operation being either an unusual operation not normally performed by the privileged user or having special potential for causing disruption to a service provided by the computer system, the non-sensitive computer system operation normally being performed by the privileged user and lacking special potential for causing disruption to the service provided by the computer system;
(d) when the computer system operation is identified as the non-sensitive computer system operation during the monitoring, then allow the computer system operation to proceed and refrain from performing an assessment to determine whether the computer system operation exceeds a predetermined criteria of riskiness;
(e) when the computer system operation is identified as the sensitive computer system operation during the monitoring, then perform the assessment to determine whether the sensitive computer system operation exceeds the predetermined criteria of riskiness, and if not then (i) allow the sensitive computer system operation to proceed and (ii) refrain from performing an additional security related processing; and
(f) when the sensitive computer system operation is determined to exceed the predetermined criteria of riskiness, then perform the additional security related processing by:
(1) formulating and sending a query to the risk engine requesting risk assessment for the sensitive computer system operation,
(2) receiving a response to the query from the risk engine, and
(3) based on a risk assessment result in the response, selecting one of a set of control actions and performing the selected control action, the set of control actions including allowing the sensitive computer system operation to proceed, preventing the sensitive computer system operation from proceeding, issuing a notification that the sensitive computer operation is proceeding, and obtaining further confirmation as a condition to allowing the sensitive computer system operation to proceed.
Abstract
A computer system is protected against harmful activity of a privileged user. A risk agent is deployed which is communicatively coupled to a risk engine, the risk engine being operative in response to queries to perform model-based risk assessments of activities and to provide responses conveying risk assessment results. The risk agent monitors computer system activity of the privileged user to detect initiation of a sensitive operation, and formulates and sends a query to the risk engine requesting risk assessment. The risk agent takes an appropriate control action based on a risk assessment result in a response to a query. The control action may be one of allowing the sensitive operation to proceed; preventing the sensitive operation from proceeding; issuing a notification that the sensitive computer operation is proceeding; and obtaining further confirmation as a condition to allowing the sensitive operation to proceed. By this method, security of the computer system is enhanced, especially against inadvertent or intentional harmful activity of a privileged user.
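The tiered decision flow of claim 1, steps (a) through (f), sketched as an added Python example (not code from the patent). The user names, operation names, local risk values, score thresholds and the `risk_engine` stand-in are constructed assumptions; the point is that the risk engine is queried only in step (f).

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    ALLOW = "allow"
    PREVENT = "prevent"
    NOTIFY = "notify"
    CONFIRM = "confirm"

@dataclass
class Operation:
    user: str
    name: str
    disruptive: bool  # special potential to disrupt the service

# Constructed sample data (assumptions, not values from the patent).
PRIVILEGED = {"alice"}
USUAL_OPS = {"alice": {"restart_service", "rotate_logs"}}
LOCAL_RISK = {"delete_volume": 0.9, "add_admin": 0.6, "export_config": 0.2}
LOCAL_THRESHOLD = 0.5  # the agent's "predetermined criteria of riskiness"

def risk_engine(op):
    """Stand-in for the remote risk engine; returns a score from 0 to 1000."""
    return {"delete_volume": 950, "add_admin": 600}.get(op.name, 100)

def select_action(score):
    """Step (f)(3): map the engine's result to one of the four control actions."""
    if score >= 900:
        return Action.PREVENT
    if score >= 500:
        return Action.CONFIRM
    if score >= 200:
        return Action.NOTIFY
    return Action.ALLOW

def risk_agent(op, engine=risk_engine):
    """Return (action, stage); stage names the claim step that decided."""
    if op.user not in PRIVILEGED:                        # (a), (b): not monitored
        return Action.ALLOW, "b:not-monitored"
    unusual = op.name not in USUAL_OPS.get(op.user, set())
    if not (unusual or op.disruptive):                   # (c)(ii), (d)
        return Action.ALLOW, "d:non-sensitive"
    if LOCAL_RISK.get(op.name, 0.0) <= LOCAL_THRESHOLD:  # (e): local assessment
        return Action.ALLOW, "e:below-criteria"
    return select_action(engine(op)), "f:risk-engine"    # (f)(1)-(3)
```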
20 Claims
11. A computer for use in a computer system, comprising:
- memory;
- one or more processors;
- input/output circuitry for connecting the computer to a risk engine, the risk engine being operative in response to queries from a risk agent of the computer to perform model-based risk assessments of activities identified in the queries and to provide responses conveying risk assessment results;
- one or more data buses coupling the memory, processors and input/output circuitry together; and
- computer instructions stored in the memory and executable by the processors to cause the computer to perform a method of protecting the computer system against potentially harmful activity of a privileged user authorized to perform sensitive computer system operations which non-privileged users of the computer are not authorized to perform, the method including:
(a) identifying a user as one of a privileged user and a non-privileged user, the privileged user being authorized to perform sensitive computer system operations the non-privileged user is not authorized to perform;
(b) when the user is identified as the non-privileged user, refraining from performing a monitoring action that includes monitoring computer system activity of the user;
(c) when the user is identified as the privileged user, then (i) performing the monitoring action to monitor computer system activity of the privileged user to detect initiation of a sensitive computer system operation, and (ii) identifying the computer system operation as one of a sensitive computer system operation and a non-sensitive computer system operation, the sensitive computer system operation being either an unusual operation not normally performed by the privileged user or having special potential for causing disruption to a service provided by the computer system, the non-sensitive computer system operation normally being performed by the privileged user and lacking special potential for causing disruption to the service provided by the computer system;
(d) when the computer system operation is identified as the non-sensitive computer system operation during the monitoring, then allowing the computer system operation to proceed and refraining from performing an assessment to determine whether the computer system operation exceeds a predetermined criteria of riskiness;
(e) when the computer system operation is identified as the sensitive computer system operation during the monitoring, then performing the assessment to determine whether the sensitive computer system operation exceeds the predetermined criteria of riskiness, and if not then (i) allowing the sensitive computer system operation to proceed and (ii) refraining from performing an additional security related processing; and
(f) when the sensitive computer system operation is determined to exceed the predetermined criteria of riskiness, then performing the additional security related processing by:
(1) formulating and sending a query to the risk engine requesting risk assessment for the sensitive computer system operation;
(2) receiving a response to the query from the risk engine; and
(3) based on a risk assessment result in the response, selecting one of a set of control actions and performing the selected control action, the set of control actions including allowing the sensitive computer system operation to proceed, preventing the sensitive computer system operation from proceeding, issuing a notification that the sensitive computer operation is proceeding, and obtaining further confirmation as a condition to allowing the sensitive computer system operation to proceed.
Specification