Endpoint enabled for enterprise security assessment sharing

US 8,955,105 B2
Filed: 03/14/2007
Issued: 02/10/2015
Est. Priority Date: 03/14/2007
Status: Active Grant

First Claim

Patent Images

1. An architecture implemented on a computer for a security product endpoint arranged for use in an enterprise security environment, the architecture comprising:

a communication channel that is commonly accessible by each security product endpoint in a plurality of security product endpoints that are deployed in the enterprise security environment;

a common assessment sharing agent that is arranged for implementing a publish and subscribe model for security assessments over the common communication channel, wherein both publishers and subscribers on the security channel are security product endpoints, each security assessment being categorized by type and being published to the common communication channel, and arranged to provide contextual meaning to an object in the environment; and

a common assessment generating engine that is operatively coupled as a client to the common assessment sharing agent, and arranged for generating a security assessment according to rules which take into account any combination ofa. locally-available information about the object or other objects being monitored by a security product endpoint,b. currently active security assessments received by the security product endpoint, andc. local actions taken by the security product endpoint in the past, in which sets of locally-available information for the security product endpoints are mutually exclusive,the common assessment generating engine being further arranged for generating the security assessment for transmission over the common communication channel by correlating the locally-available information data to a security assessment to which the security product endpoint subscribes.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An enterprise-wide sharing arrangement uses a semantic abstraction, called a security assessment, to share security-related information between security products, called endpoints. A security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information that is collected about an object of interest. Endpoints utilize an architecture that comprises a common assessment sharing agent and a common assessment generating agent. The common assessment sharing agent is arranged for subscribing to security assessments, publishing security assessments onto a channel, maintaining an awareness of configuration changes on the channel (e.g., when a new endpoint is added or removed), and implementing security features like authorization, authentication and encryption. A common assessment generating engine handles endpoint behavior associated with a security assessment including assessment generation, cancellation, tracking, and rolling-back actions based on assessments that have expired. The common assessment generating engine generates and transmits messages that indicate which local actions are taken.

98 Citations

View as Search Results

17 Claims

1. An architecture implemented on a computer for a security product endpoint arranged for use in an enterprise security environment, the architecture comprising:
- a communication channel that is commonly accessible by each security product endpoint in a plurality of security product endpoints that are deployed in the enterprise security environment;
  
  a common assessment sharing agent that is arranged for implementing a publish and subscribe model for security assessments over the common communication channel, wherein both publishers and subscribers on the security channel are security product endpoints, each security assessment being categorized by type and being published to the common communication channel, and arranged to provide contextual meaning to an object in the environment; and
  
  a common assessment generating engine that is operatively coupled as a client to the common assessment sharing agent, and arranged for generating a security assessment according to rules which take into account any combination ofa. locally-available information about the object or other objects being monitored by a security product endpoint,b. currently active security assessments received by the security product endpoint, andc. local actions taken by the security product endpoint in the past, in which sets of locally-available information for the security product endpoints are mutually exclusive,the common assessment generating engine being further arranged for generating the security assessment for transmission over the common communication channel by correlating the locally-available information data to a security assessment to which the security product endpoint subscribes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The architecture of claim 1 in which the security assessment provides the contextual meaning using a pre-defined taxonomy.
  - 3. The architecture of claim 2 in which the pre-defined taxonomy utilizes a schematized vocabulary comprising object types and assessment categories.
  - 4. The architecture of claim 1 in which the common assessment generating engine is further arranged for invoking a response in accordance with a response policy.
  - 5. The architecture of claim 4 in which the response is one of taking a local action or taking no action.
  - 6. The architecture of claim 5 in which the common assessment generating engine is further arranged for managing all active security assessments received over the channel, an active security assessment having a time-to-live field value that is unexpired.
  - 7. The architecture of claim 6 in which the common assessment generating engine is further arranged for rolling-back the local action upon expiration of the time-to-live field value.
  - 8. The architecture of claim 4 in which the common assessment generating engine is further arranged for generating an action-taken message that describes the local action.
  - 9. The architecture of claim 8 in which the common assessment sharing agent is arranged for sending the action-taken message over the communication channel.
  - 10. The architecture of claim 1 in which the common assessment generating engine is further arranged for generating a cancellation message for marking a security assessment as cancelled.
  - 11. The architecture of claim 1 in which the common assessment sharing agent is arranged for performing at least one of authorization, authentication, or encryption.
  - 12. The architecture of claim 1 in which the common assessment sharing agent is arranged for maintaining an awareness of security assessment channel configuration changes and adaptively reconfiguring itself responsively to such configuration changes.

13. A method for extending an enterprise security topology to a new security product endpoint being added to the topology, the method comprising the steps of:
- configuring security product endpoints to share security assessments over a common communication channel;
  
  maintaining one or more tables for describing a publish and subscribe model by which a publishing security product endpoint publishes a security assessment over the common communication channel to which a subscribing security product endpoint subscribes according to a subscription, the publishing being performed according to rules which take into account any combination ofa. locally-available information about an object being monitored by a security product endpoint,b. currently active security assessments received by the security product endpoint, andc. local actions taken by the security product endpoint in the past, in which sets of locally-available information for the security product endpoints are mutually exclusive, the security assessment describing an object being monitored by a security product endpoint, and the description using a taxonomy that is commonly-understood by a plurality of security product endpoints, the security assessment being further categorized by type and describing an object being monitored by a security product endpoint, and the description using a taxonomy that is commonly-understood by the plurality of security product endpoints; and
  
  updating the one or more tables with a description of a security assessment type for which the new security product endpoint publishes, and a description of a security assessment type to which the new security product endpoint subscribes.
- View Dependent Claims (14, 15)
- - 14. The method of claim 13 in which the maintaining and updating are performed using an abstraction layer on which the publish and subscribe model operates.
  - 15. The method of claim 14 in which the abstraction layer includes an API for reading security assessments to which an endpoint subscribes and an API for writing security assessments for which an endpoint publishes.

16. An enterprise security network, comprising:
- a common communication channel, operatively coupled to each of a plurality of security product endpoints, and arranged for providing a transport layer over which a published security assessment is received; and
  
  a plurality of security product endpoints, each of the security product endpoints being enabled with security assessment sharing functionality by which a publishing security product endpoint publishes a security assessment over the common communication channel to which a subscribing security product endpoint subscribes according to a subscription, the security assessment being categorized by type and describing an object being monitored by a security product endpoint, and the description using a taxonomy that is commonly-understood by each of the plurality of security product endpoints, the publishing security product endpoint generating a security assessment according to rules which take into account any combination ofa. locally-available information about the object or other objects being monitored by the security product endpoint,b. currently active security assessments received by the security product endpoint, andc. local actions taken by the security product endpoint in the past,in which sets of locally-available information for the security product endpoints are mutually exclusive.
- View Dependent Claims (17)
- - 17. The enterprise security network of claim 16 further including a central management server that is arranged for subscribing to all security assessments published by the plurality of endpoints.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Hudis, Efim, Helman, Yair, Malka, Joseph, Barash, Uri
Primary Examiner(s)
BROWN, ANTHONY D

Application Number

US11/724,060
Publication Number

US 20080229414A1
Time in Patent Office

2,890 Days
Field of Search

726 22- 25
US Class Current

726/22
CPC Class Codes

H04L 63/02 for separating internal fro...

H04L 63/20 for managing network securi...

Endpoint enabled for enterprise security assessment sharing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

98 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Endpoint enabled for enterprise security assessment sharing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

98 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links