Controlling enterprise access by mobile devices

US 9,668,137 B2
Filed: 03/07/2012
Issued: 05/30/2017
Est. Priority Date: 03/07/2012
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a component running on a device and configured to transfer device data of the device into at least one server;

at least one component running on a hardware processor of the at least one server and receiving vulnerability data of a national database comprising a plurality of vulnerabilities of a set of processing components hosted on the device and included in the device data, wherein each vulnerability is represented by a severity rating;

wherein the at least one component generates a mapping between the device data and the vulnerability data, and uses the mapping to identify in the device data a set of vulnerabilities that corresponds to the set of processing components hosted on the device;

wherein the at least one component generates a severity score for each vulnerability of each processing component using a formula D=(i²÷

6)−

((2·

i)÷

3), wherein variable D represents the severity score and variable i represents the severity rating of the vulnerability, and generates a trust score for the device by combining the severity score of each vulnerability and adjusting a base score using the combined severity scores of each vulnerability, wherein access by the device to an enterprise is granted based on the trust score.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system comprising at least one component running on at least one server and receiving vulnerability data and, for each device of a plurality of devices, device data that includes data of at least one device component. The system includes a trust score corresponding to each device of the plurality of devices and representing a level of security applied to the device. The trust score is generated using a severity of the vulnerability data. The system includes an access control component coupled to the at least one component and controlling access of the plurality of devices to an enterprise using the trust score.

Citations

60 Claims

1. A system comprising:
- a component running on a device and configured to transfer device data of the device into at least one server;
  
  at least one component running on a hardware processor of the at least one server and receiving vulnerability data of a national database comprising a plurality of vulnerabilities of a set of processing components hosted on the device and included in the device data, wherein each vulnerability is represented by a severity rating;
  
  wherein the at least one component generates a mapping between the device data and the vulnerability data, and uses the mapping to identify in the device data a set of vulnerabilities that corresponds to the set of processing components hosted on the device;
  
  wherein the at least one component generates a severity score for each vulnerability of each processing component using a formula D=(i²÷
  
  6)−
  
  ((2·
  
  i)÷
  
  3), wherein variable D represents the severity score and variable i represents the severity rating of the vulnerability, and generates a trust score for the device by combining the severity score of each vulnerability and adjusting a base score using the combined severity scores of each vulnerability, wherein access by the device to an enterprise is granted based on the trust score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 2. The system of claim 1, wherein the trust score comprises an indicator of a level of security applied to the device by an enterprise that corresponds to the device.
  - 3. The system of claim 1, wherein the trust score comprises a numerical value.
  - 4. The system of claim 3, wherein the numerical value is in a range between and including zero (0) and ten (10).
  - 5. The system of claim 3, wherein the generating of the trust score comprises selecting a base score that corresponds to a highest trust level.
  - 6. The system of claim 5, wherein the generating of the trust score comprises reducing the base score by an amount corresponding to a severity of each vulnerability of the set of vulnerability data.
  - 7. The system of claim 6, wherein the generating of the trust score comprises applying to the base score the severity score corresponding to each vulnerability of the set of vulnerability data.
  - 8. The system of claim 7, wherein the base score is represented by a value of approximately ten (10).
  - 9. The system of claim 1, wherein the at least one component updates and maintains the trust score.
  - 10. The system of claim 9, wherein the at least one component updates the trust score in response to receiving a new version of the vulnerability data.
  - 11. The system of claim 9, wherein the at least one component updates the trust score in response to receiving updated device data.
  - 12. The system of claim 9, wherein the at least one component updates the trust score in response to receiving device data corresponding to a new device.
  - 13. The system of claim 1, wherein the trust score comprises a color-coded indicator.
  - 14. The system of claim 1, wherein the at least one component receives device data of the device, wherein the device data represents the set of processing components.
  - 15. The system of claim 14, wherein the device data comprises data of at least one of device identification, configuration, operating system (OS) name, OS version, platform name, platform software components, device system image, device manufacturer, device brand, device model, device code name, user agent, central processor unit (CPU) type, and bootloader version.
  - 16. The system of claim 14, wherein the at least one component uses the device data to identify the set of vulnerabilities.
  - 17. The system of claim 14, wherein the at least one component generates the trust score using the set of vulnerabilities and the device data of the device.
  - 18. The system of claim 14, wherein the at least one component couples to a remote database and receives the vulnerability data from the remote database.
  - 19. The system of claim 18, wherein the at least one component periodically receives the vulnerability data.
  - 20. The system of claim 18, wherein the remote database comprises the National Vulnerabilities Database.
  - 21. The system of claim 14, wherein the at least one component generates a status list using at least one of the trust score and the device data, wherein the status list corresponds to an enterprise associated with the plurality of devices and includes a status corresponding to each device, wherein access of each device to the enterprise is controlled according to the status list.
  - 22. The system of claim 21, wherein control of the access comprises comparing the status list with data received from the device during a communication attempt and one of allowing and denying access to the device based on the results of the comparison.
  - 23. The system of claim 21, wherein the status is determined using at least one access policy of the enterprise.
  - 24. The system of claim 21, wherein the status is determined using at least one policy exception of the enterprise.
  - 25. The system of claim 21, wherein the status list includes the trust score.
  - 26. The system of claim 21, wherein the status comprises a first status that allows the device access to the enterprise.
  - 27. The system of claim 21, wherein the status comprises a second status that denies the device access to the enterprise.
  - 28. The system of claim 21, wherein the status comprises a third status that quarantines the device during an attempt to access the enterprise.
  - 29. The system of claim 21, wherein control of the access comprises separately controlling access to the enterprise by each software component of each device of the plurality of devices.
  - 30. The system of claim 21, wherein the status list includes type identification describing device type of the device.

31. A method comprising:
- transferring device data of a device into at least one server from a component running on the device;
  
  at least one application running on at least one hardware processor of a server, the at least one application,receiving vulnerability data of a national database comprising a plurality of vulnerabilities of a set of processing components hosted on the device and included in the device data, wherein each vulnerability is represented by a severity rating;
  
  generating a mapping between the device data and the vulnerability data and, using the mapping, identifying in the device data a set of vulnerabilities that corresponds to the set of processing components hosted on the device;
  
  selecting a base score corresponding to a highest trust level;
  
  generating a deduction for each vulnerability of each processing component using a formula D=(i²÷
  
  6)−
  
  ((2·
  
  i)÷
  
  3), wherein variable D represents the deduction and variable i represents the severity rating of the vulnerability;
  
  generating a trust score for the device by combining the deductions of each vulnerability and applying to the base score the combined deductions corresponding to the set of vulnerabilities; and
  
  controlling access by the device to an enterprise based on the trust score.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60)
- - 32. The method of claim 31, wherein the trust score comprises an indicator of a level of security applied to the device by an enterprise that corresponds to the device.
  - 33. The method of claim 31, wherein the trust score comprises a numerical value.
  - 34. The method of claim 33, wherein the numerical value is in a range between and including zero (0) and ten (10).
  - 35. The method of claim 33, wherein the generating of the trust score comprises reducing the base score by an amount corresponding to a severity of each vulnerability of the set of vulnerability data.
  - 36. The method of claim 35, wherein the generating of the trust score comprises applying to the base score the severity score corresponding to each vulnerability of the set of vulnerability data.
  - 37. The method of claim 36, wherein the base score is represented by a value of approximately ten (10).
  - 38. The method of claim 31, comprising updating and maintaining the trust score.
  - 39. The method of claim 38, comprising updating the trust score in response to receiving a new version of the vulnerability data.
  - 40. The method of claim 38, comprising updating the trust score in response to receiving updated device data.
  - 41. The method of claim 38, comprising updating the trust score in response to receiving device data corresponding to a new device.
  - 42. The method of claim 31, wherein the trust score comprises a color-coded indicator.
  - 43. The method of claim 31, comprising receiving device data of the device, wherein the device data represents the set of processing components.
  - 44. The method of claim 43, wherein the device data comprises data of at least one of device identification, configuration, operating system (OS) name, OS version, platform name, platform software components, device system image, device manufacturer, device brand, device model, device code name, user agent, central processor unit (CPU) type, and bootloader version.
  - 45. The method of claim 43, comprising using the device data to identify the set of vulnerabilities.
  - 46. The method of claim 43, comprising generating the trust score using the set of vulnerabilities and the device data of the device.
  - 47. The method of claim 43, comprising receiving the vulnerability data from a remote database.
  - 48. The method of claim 47, comprising periodically receiving the vulnerability data.
  - 49. The method of claim 47, wherein the remote database comprises the National Vulnerabilities Database.
  - 50. The method of claim 43, comprising generating a status list using at least one of the trust score and the device data, wherein the status list corresponds to an enterprise associated with the plurality of devices and includes a status corresponding to each device.
  - 51. The method of claim 50, comprising controlling access of each device to the enterprise according to the status list.
  - 52. The method of claim 50, comprising controlling access of each device to the enterprise by comparing the status list with data received from the device during a communication attempt and one of allowing and denying access to the device based on the results of the comparison.
  - 53. The method of claim 50, comprising determining the status using at least one access policy of the enterprise.
  - 54. The method of claim 50, comprising determining the status using at least one policy exception of the enterprise.
  - 55. The method of claim 50, wherein the status list includes the trust score.
  - 56. The method of claim 50, wherein the status comprises a first status that allows the device access to the enterprise.
  - 57. The method of claim 50, wherein the status comprises a second status that denies the device access to the enterprise.
  - 58. The method of claim 50, wherein the status comprises a third status that quarantines the device during an attempt to access the enterprise.
  - 59. The method of claim 50, comprising controlling access of each device to the enterprise by separately controlling access to the enterprise by each software component of each device of the plurality of devices.
  - 60. The method of claim 50, wherein the status list includes type identification describing device type of the device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rapid7, Inc.
Original Assignee
Rapid7, Inc.
Inventors
Sigurdson, Derek, Sreenivas, Giridhar
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Harris, Christopher C

Application Number

US13/414,557
Publication Number

US 20130239177A1
Time in Patent Office

1,910 Days
Field of Search

713187-188, 726 25
US Class Current
CPC Class Codes

H04L 63/102   Entity profiles

H04L 63/1433   Vulnerability analysis

H04W 12/08   Access security

H04W 12/12   Detection or prevention of ...

H04W 12/37   Managing security policies ...

Controlling enterprise access by mobile devices

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

60 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling enterprise access by mobile devices

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

60 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links