Correlation based security risk identification
Abstract
Methods and systems are disclosed for identifying security risks that arise from credentials existing on machines in a network which enable access to other machines on that network. Account credential indications are retrieved from machines in the network; these indicate that credentials for particular accounts are stored on those machines. Access rights for the accounts are collected, describing the access and operation permissions of those accounts on machines in the network. A correlation is then performed to identify machines that can be accessed by employing the credentials of accounts retrieved from other machines in the network.
25 Claims
1. A computer-implemented method for identifying security risks, comprising:
using at least one computer system having a processor and connected to a computer network to perform the following actions:
retrieving a plurality of account credentials of a plurality of accounts from a storage of each member of a first group of machines in said computer network, said storage comprising at least one member of a group consisting of a registry, a Security Account Manager (SAM), a Local Security Authority Subsystem Service (LSASS), a memory, a persistent storage and a non-persistent storage;
collecting a plurality of account access rights, each one of said plurality of account access rights grants to one of said plurality of accounts an access to at least one member of a second group of machines in said computer network;
identifying correlated account credentials from said plurality of account credentials, wherein said correlated account credentials are for an account of said plurality of accounts that is granted access to a certain machine of said second group of machines according to at least one account access right of said collected plurality of account access rights;
using said correlated account credentials to request access to said certain machine, and
identifying automatically at least one security risk according to an outcome of said request;
wherein said certain machine is from said second group of machines, said correlated account credentials is from said plurality of retrieved account credentials, said certain account is from said plurality of accounts, and said correlated account access rights is from said plurality of account access rights.
(Dependent claims 2 to 11 are not reproduced here.)
12. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform security risk identification operations in a network, comprising:
retrieving a plurality of account credentials of a plurality of accounts from a storage of each member of a first group of machines in said computer network, said storage comprising at least one member of a group consisting of a registry, a Security Account Manager (SAM), a Local Security Authority Subsystem Service (LSASS), a memory, a persistent storage and a non-persistent storage;
collecting a plurality of account access rights, each one of said plurality of account access rights grants to one of said plurality of accounts an access to at least one member of a second group of machines in said computer network;
identifying correlated account credentials from said plurality of account credentials, wherein said correlated account credentials are for an account of said plurality of accounts that is granted access to a certain machine of said second group of machines according to at least one account access right of said collected plurality of account access rights;
using said correlated account credentials to request access to said certain machine, and
identifying automatically at least one security risk according to an outcome of said request;
wherein said certain machine is from said second group of machines, said correlated account credentials is from said plurality of retrieved account credentials, said certain account is from said plurality of accounts, and said correlated account access rights is from said plurality of account access rights.
(Dependent claims 13 to 20 are not reproduced here.)
21. A system of identifying at least one security risk, comprising:
at least one hardware processor;
a program store storing code, wherein said at least one hardware processor is coupled to the program store for executing the stored code, the code comprising:
code to retrieve a plurality of account credentials of a plurality of accounts from a storage of each member of a first group of machines in a computer network, said storage comprising at least one member of a group consisting of a registry, a Security Account Manager (SAM), a Local Security Authority Subsystem Service (LSASS), a memory, a persistent storage and a non-persistent storage;
code to collect a plurality of account access rights, each one of said plurality of account access rights grants to one of said plurality of accounts an access to at least one member of a second group of machines in said computer network;
code to identify correlated account credentials from said plurality of account credentials, wherein said correlated account credentials are for an account of said plurality of accounts that is granted access to a certain machine of said second group of machines according to at least one account access right of said collected plurality of account access rights;
code to use said correlated account credentials to request access to said certain machine;
code to identify automatically at least one security risk according to an outcome of said request;
wherein said certain machine is from said second group of machines, said correlated account credentials is from said plurality of retrieved account credentials, said certain account is from said plurality of accounts, and said correlated account access rights is from said plurality of account access rights.
(Dependent claims 22 to 25 are not reproduced here.)
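The three independent claims above all describe the same four-step procedure: retrieve indications of which account credentials are stored on each machine, collect each account's access rights, correlate the two to find credentials on one machine that grant access to another, and confirm each correlation by an access request whose outcome marks the risk. The following is an added example written for this page, not code from the patent or its assignee. The inventory (machine names, account names, access rights) is constructed, and the access-request step is replaced by a pluggable callback with a constructed stand-in that treats one cached credential as stale, so nothing contacts a real host. It also goes one step beyond the claims by chaining confirmed single-hop risks into the set of machines reachable from a given starting machine, which is what a defender typically wants to rank.

```python
"""Correlation-based security risk identification (added illustration).

All inventory data below is constructed for the example; no real hosts,
accounts or secrets are involved. Only account *names* are correlated; the
analysis never needs the secret material itself.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Constructed: accounts whose credentials were found stored on each machine of
# the "first group" (what an agent reading SAM/LSASS/registry would report).
CACHED_CREDENTIALS: Dict[str, Set[str]] = {
    "WS-01": {"alice", "svc-backup"},
    "WS-02": {"bob"},
    "FILE-01": {"svc-backup", "helpdesk"},
}

# Constructed: access rights collected per account (e.g. local admin or logon
# rights) on machines of the "second group".
ACCESS_RIGHTS: Dict[str, Set[str]] = {
    "alice": {"WS-01"},
    "bob": {"WS-02", "FILE-01"},
    "svc-backup": {"FILE-01", "DC-01"},
    "helpdesk": {"WS-01", "WS-02", "WS-03"},
}


@dataclass(frozen=True)
class Candidate:
    source: str    # machine on which the credential was found
    account: str   # account the credential belongs to
    target: str    # machine that account has a right to access


@dataclass(frozen=True)
class Risk:
    candidate: Candidate
    outcome: str   # "access-granted" marks a confirmed risk


def correlate(cached: Dict[str, Set[str]], rights: Dict[str, Set[str]]) -> List[Candidate]:
    """Claim step 3: credentials stored on one machine that grant access to a
    *different* machine. A credential that only opens the machine it sits on
    is not a lateral risk and is skipped."""
    found = []
    for source, accounts in sorted(cached.items()):
        for account in sorted(accounts):
            for target in sorted(rights.get(account, ())):
                if target != source:
                    found.append(Candidate(source, account, target))
    return found


def identify_risks(candidates: List[Candidate],
                   request_access: Callable[[Candidate], bool]) -> List[Risk]:
    """Claim step 4: try each correlated credential against its target and
    record the outcome. `request_access` is injected so the correlation logic
    stays independent of how (or whether) verification is performed."""
    return [Risk(c, "access-granted" if request_access(c) else "access-denied")
            for c in candidates]


# Constructed stand-in for the verification step: the svc-backup credential
# cached on WS-01 is treated as stale (password rotated), all others as valid.
STALE_CREDENTIALS = {("WS-01", "svc-backup")}


def simulated_request_access(c: Candidate) -> bool:
    return (c.source, c.account) not in STALE_CREDENTIALS


def reachable_from(risks: List[Risk], start: str) -> Set[str]:
    """Beyond the single hop in the claims: machines reachable from `start` by
    repeatedly harvesting credentials on each newly reached machine. Only
    confirmed ("access-granted") risks count as edges."""
    edges = defaultdict(set)
    for r in risks:
        if r.outcome == "access-granted":
            edges[r.candidate.source].add(r.candidate.target)
    seen: Set[str] = set()
    stack = [start]
    while stack:
        machine = stack.pop()
        for nxt in edges[machine]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    seen.discard(start)   # a cycle back to the start is not a new exposure
    return seen


if __name__ == "__main__":
    cands = correlate(CACHED_CREDENTIALS, ACCESS_RIGHTS)
    risks = identify_risks(cands, simulated_request_access)
    for r in risks:
        print(f"{r.candidate.source} --[{r.candidate.account}]--> "
              f"{r.candidate.target}: {r.outcome}")
    print("reachable from WS-02:", sorted(reachable_from(risks, "WS-02")))
```

With the constructed data, seven correlations are found; the two that rely on the stale svc-backup credential on WS-01 are reported as denied, the other five as confirmed. Chaining the confirmed hops shows that a compromise of WS-02 leads, via the helpdesk and svc-backup credentials cached on FILE-01, to WS-01, WS-03 and DC-01, which is the kind of finding that justifies clearing cached credentials or tiering the service account.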