Enterprise security assessment sharing for consumers using globally distributed infrastructure

US 8,910,268 B2
Filed: 08/14/2008
Issued: 12/09/2014
Est. Priority Date: 01/08/2008
Status: Active Grant

First Claim

Patent Images

1. An enterprise security assessment sharing (“

ESAS”

) architecture arranged to support an Secure Content Management (“

SCM”

) service to a user at a local client, comprising;

a plurality of points of presence (“

POPs”

), each POP in the plurality including at least a forward proxy server for forwarding traffic from the user to resource servers that are accessible over an Internet connection;

a hub operatively coupled to one or more POPs, the hub providing configuration management for forward proxy servers, and further providing identity management to authenticate and authorize the user for the SCM service;

a security assessment channel configured to transport security assessments within a POP or among the POPs, wherein each of the security assessments comprises a plurality of fields, at least one of which is a fidelity field that is arranged to express a degree of confidence a security endpoint has in the security assessment and at least one of which is a time-to-live field; and

one or more security endpoints, each of the security endpoints having a capability to publish and receive security assessments respectively into and from the security assessment channel, a security assessment being usable for describing a security incident pertaining to the user or an IT device associated with the user, the security assessment including a semantic abstraction of security-related information that is available to a security endpoint,wherein each of the security endpoints is configured for receiving security assessments published by other security endpoints and each of the security endpoints is further configured for generating a new security assessment, in response to a security assessment received from another security endpoint, using information that is locally-available to the security endpoint performing the generating in addition to the received security assessments published by other security endpoints.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services.

Citations

20 Claims

1. An enterprise security assessment sharing (“
- ESAS”
  
  ) architecture arranged to support an Secure Content Management (“
  
  SCM”
  
  ) service to a user at a local client, comprising;
  
  a plurality of points of presence (“
  
  POPs”
  
  ), each POP in the plurality including at least a forward proxy server for forwarding traffic from the user to resource servers that are accessible over an Internet connection;
  
  a hub operatively coupled to one or more POPs, the hub providing configuration management for forward proxy servers, and further providing identity management to authenticate and authorize the user for the SCM service;
  
  a security assessment channel configured to transport security assessments within a POP or among the POPs, wherein each of the security assessments comprises a plurality of fields, at least one of which is a fidelity field that is arranged to express a degree of confidence a security endpoint has in the security assessment and at least one of which is a time-to-live field; and
  
  one or more security endpoints, each of the security endpoints having a capability to publish and receive security assessments respectively into and from the security assessment channel, a security assessment being usable for describing a security incident pertaining to the user or an IT device associated with the user, the security assessment including a semantic abstraction of security-related information that is available to a security endpoint,wherein each of the security endpoints is configured for receiving security assessments published by other security endpoints and each of the security endpoints is further configured for generating a new security assessment, in response to a security assessment received from another security endpoint, using information that is locally-available to the security endpoint performing the generating in addition to the received security assessments published by other security endpoints.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The ESAS architecture of claim 1 in which the semantic abstraction is being categorized by type, and utilizable by one or more of the security endpoints as a trigger to a response to the security incident.
  - 3. The ESAS architecture of claim 1 in which the user is a consumer user using a fixed IT device or a consumer user that is using a mobile IT device.
  - 4. The ESAS architecture of claim 1 in which the one or more security endpoints include at least one of edge firewall, host security gateway product, Network Intrusion Detection system (“
    - NIDs”
      
      ) security product, Network Access Protection (“
      
      NAP”
      
      ) security product, Security Event Management (“
      
      SEM”
      
      ) product, Security Incident Management (“
      
      SIM”
      
      ) product, Unified Threat Management (“
      
      UTM”
      
      ) product, operational health monitoring product, configuration management product, anti-virus product, anti-spyware product, anti-malware product, information leakage prevention product, or anti-spam product.
  - 5. The ESAS architecture of claim 1 in which a security assessment is arranged for providing an assignment of context by a security endpoint to the security-related information using a pre-defined taxonomy.
  - 6. The ESAS architecture of claim 5 in which the pre-defined taxonomy utilizes a schematized vocabulary comprising object types and assessment categories.
  - 7. The ESAS architecture of claim 6 in which the object types include at least one of host machine, user, service, data, or enterprise.
  - 8. The ESAS architecture of claim 6 in which the assessment categories include at least one of vulnerable, compromised, under attack, of interest, corrupted, or malicious.
  - 9. The ESAS architecture of claim 1 in which the new security assessment is sent to other security endpoints.
  - 10. The ESAS architecture of claim 1 further including response policies that are disposed in a database and which are distributable by the SCM service to the local client, the response policies describing an action to be taken by a security endpoint in response to a received security assessment.

11. A method for providing an SCM service to a user, the method comprising the steps of:
- generating a security assessment at a security endpoint to describe a security incident relating to the user or an IT device that is associated with the user, the generating being based at least in part on locally-available information at the security endpoint, the security assessment being arranged to provide contextual meaning to the security incident, including a plurality of fields, at least one of which is a fidelity field, and being defined with a time interval over which the security assessment is valid;
  
  receiving, at the security endpoint, a security assessment in accordance with a subscription to a subset of available security assessments generated by other security endpoints that are configured for monitoring one or more groups of IT devices or users, each user or IT device in a group accessing resources through an SCM service supported by an infrastructure including a hub and a plurality of POPs, each POP in the plurality including at least a forward proxy server for forwarding traffic to the resource servers over an Internet connection, the hub providing configuration management for forward proxy servers and identity management for the users,wherein the security endpoint is configured to generate a new security assessment, in response to a security assessment received from another security endpoint, using information that is locally-available to the security endpoint performing the generating in addition to the received security assessments published by other security endpoints; and
  
  performing a local action in accordance with one or more policies in response to the received security assessment.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11 in which the security assessment is further defined by dimensions of severity or fidelity.
  - 13. The method of claim 11 including the further steps of monitoring user interaction with the resources to generate a user-profile and providing profile-specific content, processes, or experiences responsively to the user profile.
  - 14. The method of claim 11 including a further step of rolling back the local action once the received security assessment is no longer valid.
  - 15. The method of claim 11 in which the one or more policies pertain to at least one of security, demographics, user-profile, usage patterns, parental controls, personal preferences, favorites, user settings, or presets.
  - 16. The method of claim 11 in which the SCM service is bundled with a security product or service or is provided as a standalone service on a subscription basis.

17. A method for distributing security incident detection using a plurality of IT objects, the method comprising the steps of:
- utilizing an infrastructure that is accessible by the IT objects over an Internet connection, the infrastructure including a plurality of POPs coupled to a hub, each POP in the plurality including i) a forward proxy server for forwarding traffic from an IT object to resource servers that are accessible from the Internet, and ii) one or more security endpoints, each security endpoint comprising a security product or security service that is arranged to monitor one or more of the IT objects;
  
  at the one or more security endpoints, detecting security incidents affecting the IT objects; and
  
  providing a security assessment sharing channel in the infrastructure, the security assessment channel being configured for communicating a security assessment using a publish and subscribe model by which a publishing endpoint publishes the security assessment to which a subscribing endpoint subscribes according to a subscription, the security assessment using a pre-defined taxonomy to provide contextual meaning to a detected security incident, in which the security assessment is defined by at least a fidelity field that is arranged to express a degree of confidence a security endpoint has in the security assessment and a time-to-live field,wherein each security endpoint is configured to receive security assessments published by other security endpoints and each security endpoint is further configured to generate a new security assessment, in response to a security assessment received from another security endpoint, using information that is locally-available to the security endpoint performing the generating in addition to the received security assessments published by other security endpoints.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17 in which the security assessment is further defined by security incident severity.
  - 19. The method of claim 17 in which the IT objects comprise one of consumer user or IT device associated with a consumer user.
  - 20. The method of claim 19 in which IT objects are associated with different consumer households.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Hudis, Efim, Edery, Yigal, Ananiev, Oleg, Wohlfert, John, Nice, Nir
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Pan, Peiliang

Application Number

US12/192,107
Publication Number

US 20090178132A1
Time in Patent Office

2,308 Days
Field of Search

726/1, 726 22- 25, 726/2, 726/12
US Class Current

726/12
CPC Class Codes

G06F 16/9535   Search customisation based ...

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 21/629   to features or functions of...

G06F 2221/2115   Third party

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2151   Time stamp

G06Q 30/0204   Market segmentation

G06Q 30/0215   Including financial accounts

H04L 63/0281   Proxies

H04L 63/14   for detecting or protecting...

H04L 63/20   for managing network securi...

Enterprise security assessment sharing for consumers using globally distributed infrastructure

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Enterprise security assessment sharing for consumers using globally distributed infrastructure

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links