Key management for compromised enterprise endpoints
First Claim
1. A method comprising:
- labeling objects on an endpoint with a labeling scheme in which the objects are either in, wherein the objects conform to a compliance policy administered for the endpoint from a remote threat management facility, or the objects are out, wherein the objects do not conform to the compliance policy, thereby providing a plurality of in objects and a plurality of out objects, the objects including at least one of processes, files, and data;
for in objects of the endpoint, providing access to encrypted files through a file system, with access to the encrypted files controlled by the file system using a key ring that is remotely managed;
detecting a compromise of the endpoint; and
in response to detecting the compromise, deleting key material cached on the endpoint from the key ring, thereby revoking access to the encrypted files by the endpoint.
5 Assignments
0 Petitions
Accused Products
Abstract
Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.
-
Citations
20 Claims
-
1. A method comprising:
-
labeling objects on an endpoint with a labeling scheme in which the objects are either in, wherein the objects conform to a compliance policy administered for the endpoint from a remote threat management facility, or the objects are out, wherein the objects do not conform to the compliance policy, thereby providing a plurality of in objects and a plurality of out objects, the objects including at least one of processes, files, and data; for in objects of the endpoint, providing access to encrypted files through a file system, with access to the encrypted files controlled by the file system using a key ring that is remotely managed; detecting a compromise of the endpoint; and in response to detecting the compromise, deleting key material cached on the endpoint from the key ring, thereby revoking access to the encrypted files by the endpoint. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
-
-
17. A computer program product comprising non-transitory computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
-
labeling objects on an endpoint with a labeling scheme in which the objects are either in, wherein the objects conform to a compliance policy administered for the endpoint from a remote threat management facility, or the objects are out, wherein the objects do not conform to the compliance policy, thereby providing a plurality of in objects and a plurality of out objects, the objects including at least one of processes, files, and data; for in objects of the endpoint, providing access to encrypted files through a file system, with access to the encrypted files controlled by the file system using a key ring that is remotely managed; detecting a compromise of the endpoint; and in response to detecting the compromise, deleting key material cached on the endpoint from the key ring, thereby revoking access to the encrypted files by the endpoint. - View Dependent Claims (18, 19)
-
-
20. A system comprising:
-
a threat management facility configured to manage threats to an enterprise, the threat management facility maintaining a compliance policy for endpoints in the enterprise; a key management system to remotely manage a key ring for cryptographic processing in the enterprise; and an endpoint associated with the enterprise having a memory and a processor, the memory storing key material from the key ring and a plurality of objects including at least one of processes, files, and data, and the processor configured to label the objects with a labeling scheme in which the objects are either in, wherein the objects conform to the compliance policy, or the objects are out, wherein the objects do not conform to the compliance policy, thereby providing a plurality of in objects and a plurality of out objects, to provide in objects of the endpoint access to encrypted files through a file system, with access to the encrypted files controlled by the file system using the key material from the key ring, to detect a compromise of the endpoint, and in response to detecting the compromise, to delete the key material from the key ring cached in the memory on the endpoint, thereby revoking access to the encrypted files by the endpoint.
-
Specification