System and method for determining and using local reputations of users and hosts to protect information in a network environment
Abstract
A method in an example embodiment includes correlating a first set of event data from a private network and determining a local reputation score of a host in the private network based on correlating the first set of event data. The method further includes providing the local reputation score of the host to a security node, which applies a policy, based on the local reputation score of the host, to a network communication associated with the host. In specific embodiments, the local reputation score of the host is mapped to a network address of the host. In further embodiments, the first set of event data includes one or more event indicators representing one or more events, respectively, in the private network. In more specific embodiments, the method includes determining a local reputation score of a user and providing the local reputation score of the user to the security node.
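The flow the abstract describes, as an added sketch that is not code from the patent or its assignee: events are correlated per host network address and per user identifier into local reputation scores, and a policy is selected from both scores. The event kinds, weights, 0-100 scale, thresholds and policy names are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumed penalty points per event kind (illustrative; not from the patent).
WEIGHTS = {"malware_detected": 40, "policy_violation": 15,
           "file_access": 5, "failed_login": 5}

# Constructed sample events:
# (host network address, user identifier, event kind, touches sensitive data)
EVENTS = [
    ("10.0.0.5", "alice", "file_access", True),
    ("10.0.0.5", "alice", "file_access", True),
    ("10.0.0.5", "bob", "failed_login", False),
    ("10.0.0.9", "bob", "malware_detected", False),
    ("10.0.0.9", "bob", "policy_violation", True),
    ("10.0.0.7", "carol", "failed_login", False),
]

def correlate(events, key_index):
    """Group events by host address (key_index=0) or user id (key_index=1)
    and reduce each group to a 0-100 score; 100 means no adverse events."""
    penalty = defaultdict(int)
    for event in events:
        points = WEIGHTS.get(event[2], 0)
        if event[3]:
            points *= 2  # assumed: events touching sensitive data count double
        penalty[event[key_index]] += points
    return {key: max(0, 100 - total) for key, total in penalty.items()}

def select_policy(host_score, user_score):
    """Pick the policy from both scores; the lower score drives the decision."""
    worst = min(host_score, user_score)
    if worst < 40:
        return "terminate_process"
    if worst < 80:
        return "restrict_process"
    return "allow"

def policy_for(events, host, user):
    """Score the host and the user, then select the policy for a process
    running on that host under that user identifier."""
    hosts, users = correlate(events, 0), correlate(events, 1)
    # Hosts and users with no recorded events default to the top score.
    return select_policy(hosts.get(host, 100), users.get(user, 100))
```

Because the lower of the two scores decides, a well-behaved host still gets the strict policy for a process owned by a low-reputation user, and the reverse.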
18 Claims
1. At least one non-transitory computer readable medium having instructions stored therein that, when executed by one or more processors cause the one or more processors to:
- correlate, by a reputation server, a first set of event data from a private network, wherein the first set of event data corresponds to one or more host events associated with a network address of a host in the private network, wherein correlating the first set of event data includes evaluating access by the host to sensitive data in the private network, wherein the access is indicated by the host events;
- determine, by the reputation server, a local host reputation score of the host in the private network based, at least in part, on the correlating the first set of event data;
- determine a local user reputation score of a user identifier associated with a user, the determination of the local user reputation score based on correlating a second set of event data associated with the user identifier; and
- provide the local host reputation score and the local user reputation score to the host in the private network, wherein the host is to apply a policy to affect a process running on the host and corresponding to the user identifier, and wherein the policy is dynamically selected based, at least in part, on the local host reputation score and the local user reputation score.
10. An apparatus, comprising:
- a memory element configured to store data;
- a processor operable to execute instructions associated with the data; and
- a risk correlation module configured to interface with the memory element and the processor, wherein the apparatus is configured for:
- correlating a first set of event data from a private network, wherein the first set of event data corresponds to one or more host events associated with a network address of a host in the private network, wherein correlating the first set of event data includes evaluating access to sensitive data in the private network, wherein the access is indicated by the host events;
- determining a local host reputation score of the host in the private network based, at least in part, on the correlating the first set of event data;
- determining a local user reputation score of a user identifier associated with a user, the determination of the local user reputation score based on correlating a second set of event data associated with the user identifier; and
- providing the local host reputation score and the local user reputation score to the host in the private network, wherein the host is to apply a policy to affect a process running on the host and corresponding to the user identifier, and wherein the policy is dynamically selected based, at least in part, on the local host reputation score and the local user reputation score.
15. A method comprising:
- correlating, by a reputation server, a first set of event data from a private network, wherein the first set of event data corresponds to one or more host events associated with a network address of a host in the private network, wherein correlating the first set of event data includes evaluating access by the host to sensitive data in the private network, wherein the access is indicated by the host events;
- determining, by the reputation server, a local host reputation score of the host in the private network based, at least in part, on the correlating the first set of event data;
- determining a local user reputation score of a user identifier associated with a user, the determination of the local user reputation score based on correlating a second set of event data associated with the user identifier; and
- providing the local host reputation score and the local user reputation score to the host in the private network, wherein the host is to apply a policy to affect a process running on the host and corresponding to the user identifier, and wherein the policy is dynamically selected based, at least in part, on the local host reputation score and the local user reputation score.
Specification