System and method for data loss prevention in a virtualized environment

US 9,230,096 B2
Filed: 07/02/2012
Issued: 01/05/2016
Est. Priority Date: 07/02/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

identifying, by a data loss prevention (DLP) manager, a startup event of a guest virtual machine, wherein the DLP manager is in a security virtual machine;

installing, by the DLP manager, a DLP component in the guest virtual machine, the DLP component to communicate with the DLP manager;

receiving, by the DLP manager, a file system event that is intercepted by the DLP component and that is initiated within the guest virtual machine, wherein the file system event comprises a file in at least one of a write event, a copy event, a paste event, a move event, or a deletion event, and wherein the file is not stored in the security virtual machine;

retrieving, by the DLP manager, a DLP profile associated with the guest virtual machine from a profile repository, the DLP profile comprising a DLP policy and a response rule;

identifying, by the DLP manager, a device associated with the file system event;

determining, by the DLP manager, that the DLP profile requires monitoring of the identified device;

monitoring, by the DLP manager, data associated with the file system event that is to be stored on the identified device; and

enforcing, by the DLP manager, the response rule associated with the file system event initiated within the guest virtual machine when the file system event violates the DLP policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data loss prevention (DLP) manager running on a security virtual machine manages DLP policies for a plurality of guest virtual machines. The DLP manager identifies a startup event of a guest virtual machine, and installs a DLP component in the guest virtual machine. The DLP component communicates with the DLP manager operating within the security virtual machine. The DLP manager also receives file system events from the DLP component, and enforces a response rule associated with the guest virtual machine if the file system event violates a DLP policy.

Citations

17 Claims

1. A method comprising:
- identifying, by a data loss prevention (DLP) manager, a startup event of a guest virtual machine, wherein the DLP manager is in a security virtual machine;
  
  installing, by the DLP manager, a DLP component in the guest virtual machine, the DLP component to communicate with the DLP manager;
  
  receiving, by the DLP manager, a file system event that is intercepted by the DLP component and that is initiated within the guest virtual machine, wherein the file system event comprises a file in at least one of a write event, a copy event, a paste event, a move event, or a deletion event, and wherein the file is not stored in the security virtual machine;
  
  retrieving, by the DLP manager, a DLP profile associated with the guest virtual machine from a profile repository, the DLP profile comprising a DLP policy and a response rule;
  
  identifying, by the DLP manager, a device associated with the file system event;
  
  determining, by the DLP manager, that the DLP profile requires monitoring of the identified device;
  
  monitoring, by the DLP manager, data associated with the file system event that is to be stored on the identified device; and
  
  enforcing, by the DLP manager, the response rule associated with the file system event initiated within the guest virtual machine when the file system event violates the DLP policy.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising installing a DLP user interface in the guest virtual machine to notify a user of DLP violations.
  - 3. The method of claim 1, further comprising:
    - identifying a file close event;
      
      identifying a storage target associated with the file close event;
      
      determining when the DLP policy requires monitoring of the storage target;
      
      analyzing data associated with the file close event to determine whether the data violates the DLP policy; and
      
      executing the response rule associated with the DLP policy when the data violates the DLP policy.
  - 4. The method of claim 3, further comprising logging a DLP policy violation when the data violates the DLP policy.
  - 5. The method of claim 1, further comprising:
    - identifying a file open event;
      
      identifying a source device associated with the file open event;
      
      determining when the DLP policy requires monitoring of the source device;
      
      storing a copy of the file; and
      
      restoring the copy of the file in the open event when the data violates the DLP policy.
  - 6. The method of claim 5, further comprising logging a DLP policy violation when the data violates the DLP policy.

7. A non-transitory computer readable storage medium including instructions that, when executed by a processing device, cause the processing device to perform a operations comprising:
- identifying, by a data loss prevention (DLP) manager, a startup event of a guest virtual machine, wherein the DLP manager is in a security virtual machine;
  
  installing, by the DLP manager, a DLP component in the guest virtual machine, the DLP component to communicate with the DLP manager;
  
  receiving, by the DLP manger, a file system event that is intercepted by the DLP component and that is initiated within the guest virtual machine, wherein the file system event comprises a file in at least one of a write event, a copy event, a paste event, a move event, or a deletion event, and wherein the file is not stored in the security virtual machine;
  
  retrieving, by the DLP manager, a DLP profile associated with the guest virtual machine from a profile repository, the DLP profile comprising a DLP policy and a response rule;
  
  identifying, by the DLP manager, a device associated with the file system event;
  
  determining, by the DLP manager, that the DLP profile requires monitoring of the identified device;
  
  monitoring, by the DLP manager, data associated with the file system event that is to be stored on the identified device; and
  
  enforcing, by the DLP manager, the response rule associated with the file system event initiated within the guest virtual machine when the file system event violates the DLP policy.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer readable storage medium of claim 7, wherein the operations further comprise installing a DLP user interface in the guest virtual machine to notify a user of DLP violations.
  - 9. The computer readable storage medium of claim 7, wherein the operations further comprise:
    - identifying a file close event;
      
      identifying a storage target associated with the file close event;
      
      determining when the DLP policy requires monitoring of the storage target;
      
      analyzing data associated with the file close event to determine whether the data violates the DLP policy; and
      
      executing the response rule associated with the DLP policy when the data violates the DLP policy.
  - 10. The computer readable storage medium of claim 9, wherein the operations further comprise logging the DLP policy violation.
  - 11. The computer readable storage medium of claim 7, wherein the operations further comprise:
    - identifying a file open event;
      
      identifying a source device associated with the file open event;
      
      determining when the DLP policy requires monitoring of the source device;
      
      storing a copy of the file; and
      
      restoring the copy in the open event when the data violates the DLP policy.
  - 12. The computer readable storage medium of claim 11, wherein the operations further comprise logging a DLP policy violation when the data violates the DLP policy.

13. An apparatus comprising:
- a memory to store instructions for a data loss prevention (DLP) manager, wherein the DLP manager is in a security virtual machine; and
  
  a computing device, coupled to the memory, wherein the computing device is to execute the DLP manager;
  
  identify a startup event of a guest virtual machine;
  
  install a DLP component in the guest virtual machine, the DLP component to communicate with the DLP manager;
  
  receive, by the DLP manager, a file system event that is intercepted by the DLP component and that is initiated within the guest virtual machine, wherein the file system event comprises a file in at least one of a write event, a copy event, a paste event, a move event, or a deletion event, and wherein the file is not stored in the security virtual machine;
  
  retrieve a DLP profile associated with the guest virtual machine from a profile repository, the DLP profile comprising a DLP policy and a response rule;
  
  identify a device associated with the file system event;
  
  determining that the DLP profile requires monitoring of the identified device;
  
  monitoring data associated with the file system event that is to be stored on the identified device; and
  
  enforce the response rule associated with the file system event initiated within the guest virtual machine when the file system event violates the DLP policy.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The apparatus of claim 13, wherein the DLP manager is further to install a DLP user interface in the guest virtual machine to notify a user of DLP violations.
  - 15. The apparatus of claim 13, wherein the DLP manager is further to:
    - identify a file close event;
      
      identify a storage target associated with the file close event;
      
      determine when the DLP policy requires monitoring of the storage target;
      
      analyze data associated with the file close event to determine whether the data violates the DLP policy; and
      
      execute the response rule associated with the DLP policy when the data violates the DLP policy.
  - 16. The apparatus of claim 13, wherein the DLP manager is further to log a DLP policy violation when the data violates the DLP policy.
  - 17. The apparatus of claim 13, wherein the DLP manager is further to:
    - identify a file open event;
      
      identify a source device associated with the file open event;
      
      determine when the DLP policy requires monitoring of the source device;
      
      store a copy of the file; and
      
      restore the copy of the file in the open event when the data violates the DLP policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sarin, Sumit, Jaiswal, Sumesh
Primary Examiner(s)
Brishamkar, Kaveh A
Assistant Examiner(s)
Wilcox, James J

Application Number

US13/539,848
Publication Number

US 20140007181A1
Time in Patent Office

1,282 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 21/556   involving covert channels, ...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2149   Restricted operating enviro...

System and method for data loss prevention in a virtualized environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for data loss prevention in a virtualized environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links