Techniques for cloud security monitoring and threat intelligence

US 9,692,789 B2
Filed: 10/24/2014
Issued: 06/27/2017
Est. Priority Date: 12/13/2013
Status: Active Grant

First Claim

Patent Images

1. A cloud security system for monitoring and controlling security of accounts for cloud applications, the cloud security system comprising:

memory storing;

an analytics application;

a seeder application; and

an analytics repository database; and

a processor;

wherein the processor is configured by the analytics application to;

generate a threat model using at least a first portion of stored activity data in the analytics repository database, wherein the stored activity data is associated with a tenant account of a service provider system, and wherein the threat model correlates one or more activities for a plurality of cloud applications based on profile information of a user, the user being associated with the tenant account for each of the plurality of cloud applications; and

identify, based on the threat model, a threat using a second portion of the stored activity data in the analytics repository database; and

wherein the processor is further configured by the seeder application to;

select a security policy to implement in response to the identified threat;

identify one or more cloud security controls in at least one remotely hosted cloud application server system of the service provider system to modify in accordance with the selected security policy, wherein the one or more cloud security controls configure access to a cloud application provided by the service provider system to the tenant account;

establish a secure connection to the at least one remotely hosted cloud application server system using login credentials associated with the tenant account for accessing the cloud application; and

send one or more instructions to the at least one remotely hosted cloud application server system, the one or more instructions causing the at least one remotely hosted cloud application server system to set the identified one or more cloud security controls with respect to the tenant account in accordance with the selected security policy, wherein the access to the cloud application by the tenant account is modified based on the identified one or more cloud security controls that are set in accordance with the selected security policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for cloud security monitoring and threat intelligence in accordance with embodiments of the invention are disclosed. In one embodiment, a process for monitoring and remediation of security threats includes generating a threat model using a first portion of activity data, identifying, based upon the threat model, a threat using a second portion of activity data, selecting a security policy to implement in response to the identified threat, identifying cloud security controls in a remotely hosted cloud application server system to modify in accordance with the selected security policy, establishing a secure connection to the remotely hosted cloud application server system using login credentials associated with a tenant account with the cloud application, and sending instructions to the remotely hosted cloud application server system to set the identified cloud security controls with respect to the tenant account in accordance with the selected security policy.

64 Citations

View as Search Results

41 Claims

1. A cloud security system for monitoring and controlling security of accounts for cloud applications, the cloud security system comprising:
- memory storing;
  
  an analytics application;
  
  a seeder application; and
  
  an analytics repository database; and
  
  a processor;
  
  wherein the processor is configured by the analytics application to;
  
  generate a threat model using at least a first portion of stored activity data in the analytics repository database, wherein the stored activity data is associated with a tenant account of a service provider system, and wherein the threat model correlates one or more activities for a plurality of cloud applications based on profile information of a user, the user being associated with the tenant account for each of the plurality of cloud applications; and
  
  identify, based on the threat model, a threat using a second portion of the stored activity data in the analytics repository database; and
  
  wherein the processor is further configured by the seeder application to;
  
  select a security policy to implement in response to the identified threat;
  
  identify one or more cloud security controls in at least one remotely hosted cloud application server system of the service provider system to modify in accordance with the selected security policy, wherein the one or more cloud security controls configure access to a cloud application provided by the service provider system to the tenant account;
  
  establish a secure connection to the at least one remotely hosted cloud application server system using login credentials associated with the tenant account for accessing the cloud application; and
  
  send one or more instructions to the at least one remotely hosted cloud application server system, the one or more instructions causing the at least one remotely hosted cloud application server system to set the identified one or more cloud security controls with respect to the tenant account in accordance with the selected security policy, wherein the access to the cloud application by the tenant account is modified based on the identified one or more cloud security controls that are set in accordance with the selected security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The cloud security system of claim 1 wherein the secure connection is a first secure connection, and wherein the memory further stores a data loader application, and wherein the processor is configured by the data loader application to:
    - establish a second secure connection to the at least one remotely hosted cloud application server system using the login credentials associated with the tenant account for accessing the cloud application;
      
      retrieve activity data associated with the tenant account from the at least one remotely hosted cloud application server system; and
      
      store the retrieved activity data in the analytics repository database.
  - 3. The cloud security system of claim 2 wherein the activity data is retrieved at predetermined intervals.
  - 4. The cloud security system of claim 1 wherein the stored activity data includes information concerning login and logout statistics, Internet protocol (IP) addresses, and devices used to access a cloud service.
  - 5. The cloud security system of claim 1 wherein the stored activity data comprises one or more values that are set for cloud security controls associated with the tenant account.
  - 6. The cloud security system of claim 2 wherein the processor is further configured by the data loader application to normalize the retrieved activity data into a common format.
  - 7. The cloud security system of claim 1 wherein the threat model models user behavior.
  - 8. The cloud security system of claim 1 wherein the profile information of the user associates one or more accounts of the user across the plurality of cloud applications, and wherein the one or more accounts of the user are associated with the tenant account for each of the plurality of cloud applications.
  - 9. The cloud security system of claim 8 wherein the profile information of the user associating the one or more accounts of the user across the plurality of cloud applications is retrieved from a user identity repository.
  - 10. The cloud security system of claim 2, wherein the processor is further configured by the data loader application to determine whether a portion of the stored activity data matches one or more predefined policy alerts.
  - 11. The cloud security system of claim 1 wherein the processor is further configured by the analytics application to send an alert including alert information and one or more recommended remediation actions.
  - 12. The cloud security system of claim 11 wherein the one or more recommended remediation actions includes a recommended remediation action to prescribe a task to be performed outside of the cloud security system, and wherein a result of the task is provided to the cloud security system.
  - 13. The cloud security system of claim 11 wherein the one or more recommended remediation actions includes a recommended remediation action is to disable an account of the user.
  - 14. The cloud security system of claim 11 wherein the memory further stores an incident remediation application, and wherein the one or more recommended remediation actions includes a recommended remediation action to prescribe a task to be performed by the cloud security system, and wherein the processor is further configured by the incident remediation application to perform the task, and store a result of the task into the memory.
  - 15. The cloud security system of claim 1 wherein the processor is further configured by the seeder application to collect registration information from a tenant.
  - 16. The cloud security system of claim 15 wherein the registration information includes an authorization token secured by encryption.
  - 17. The cloud security system of claim 1 wherein the identified one or more cloud security controls include password requirements.
  - 18. The cloud security system of claim 1, wherein the memory further comprises a cloud crawler application, wherein the processor is further configured by the cloud crawler application to collect software defined security configuration data from a cloud service provider, wherein the software defined security configuration data comprises information describing a configuration of the identified one or more cloud security controls in the cloud application with respect to the tenant account.
  - 19. The cloud security system of claim 18, wherein the processor is further configured by the cloud crawler application to normalize the software defined security configuration data and to enter the normalized software defined security configuration data into an application catalog database.
  - 20. The cloud security system of claim 1 wherein the threat model is generated using a machine learning algorithm.

21. A method for monitoring and remediation of security threats to cloud applications, the method comprising:
- generating a threat model using at least a first portion of stored activity data in an analytics repository database using a cloud security system, wherein the stored activity data is associated with a tenant account of a service provider system, and wherein the threat model correlates one or more activities for a plurality of cloud applications based on profile information of a user, the user being associated with the tenant account for each of the plurality of cloud applications;
  
  identifying, based on the threat model, a threat using a second portion of the stored activity data in the analytics repository database using the cloud security system;
  
  selecting a security policy to implement in response to the identified threat using the cloud security system;
  
  identifying one or more cloud security controls in at least one remotely hosted cloud application server system of the service provider system to modify in accordance with the selected security policy using the cloud security system, wherein the one or more cloud security controls configure access to a cloud application provided by the service provider system to the tenant account;
  
  establishing, using the cloud security system, a secure connection to the at least one remotely hosted cloud application server system using login credentials associated with the tenant account for accessing the cloud application; and
  
  sending, using the cloud security system, one or more instructions to the at least one remotely hosted cloud application server system, the one or more instructions causing the at least one remotely hosted cloud application server system to set the identified one or more cloud security controls with respect to the tenant account in accordance with the selected security policy, wherein the access to the cloud application by the tenant account is modified based on the identified one or more cloud security controls that are set in accordance with the selected security policy.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 22. The method of claim 21 wherein the secure connection is a first secure connection, and wherein the method further comprises:
    - establishing, using the cloud security system, a second secure connection to the cloud application hosted by the service provider system using the login credentials associated with the tenant account for accessing the cloud application;
      
      retrieving, using the cloud security system, activity data associated with the tenant account; and
      
      storing the retrieved activity data in the analytics repository database using the cloud security system.
  - 23. The method of claim 22 wherein the activity data is retrieved at predetermined intervals.
  - 24. The method of claim 21 wherein the stored activity data includes information concerning login and logout statistics, Internet protocol (IP) addresses, and devices used to access a cloud service.
  - 25. The method of claim 21 wherein the stored activity data comprises one or more values that are set for cloud security controls associated with the tenant account.
  - 26. The method of claim 22 further comprising:
    - normalizing the retrieved activity data into a common format using the cloud security system.
  - 27. The method of claim 21 wherein the threat model models user behavior.
  - 28. The method of claim 21 wherein the profile information of the user associates one or more accounts of the user across the plurality of cloud applications.
  - 29. The method of claim 28 wherein the profile information of the user associating the one or more accounts of the user across the plurality of cloud applications is retrieved from a user identity repository.
  - 30. The method of claim 21, further comprising:
    - determining whether a portion of the stored activity data matches one or more predefined policy alerts using the cloud security system.
  - 31. The method of claim 21 further comprising:
    - sending an alert including alert information and one or more recommended remediation actions.
  - 32. The method of claim 31 wherein the one or more recommended remediation actions includes a recommended remediation action to prescribe a task to be performed outside of the cloud security system, and wherein a result of the task is provided to the cloud security system.
  - 33. The method of claim 31 wherein the one or more recommended remediation actions includes a recommended remediation action is to disable an account of the user.
  - 34. The method of claim 31 wherein the one or more recommended remediation actions includes a recommended remediation action to prescribe a task to be performed by the cloud security system, and the method further comprises:
    - performing the task; and
      
      storing a result of the task into memory using the cloud security system.
  - 35. The method of claim 21 further comprising:
    - collecting registration information from a tenant using the cloud security system.
  - 36. The method of claim 35 wherein the registration information includes an authorization token secured by encryption.
  - 37. The method of claim 21 wherein the identified one or more cloud security controls include password requirements.
  - 38. The method of claim 21, further comprising:
    - collecting software defined security configuration data from the service provider system using the cloud security system, wherein the software defined security configuration data comprises information describing a configuration of the identified one or more cloud security controls in the cloud application with respect to the tenant account.
  - 39. The method of claim 38, further comprising:
    - normalizing the software defined security configuration data; and
      
      storing the normalized software defined security configuration data into an application catalog database using the cloud security system.
  - 40. The method of claim 21 the threat model is generated using a machine learning algorithm.

41. A method for monitoring and remediation of security threats to cloud applications, the method comprising:
- collecting registration information from a tenant using a cloud security system, where the registration information includes an authorization token secured by encryption;
  
  establishing, using the cloud security system, a first secure connection to a cloud application hosted by a service provider system using login credentials associated with a tenant account for accessing the cloud application;
  
  collecting software defined security configuration data from the service provider system using the cloud security system, where the software defined security configuration data comprises information describing a configuration of plurality of security controls in the cloud application with respect to the tenant account;
  
  retrieving, using the cloud security system, activity data associated with the tenant account, wherein the activity data is associated with a tenant account of a service provider system;
  
  storing the retrieved activity data in an analytics repository database using the cloud security system;
  
  generating a threat model using at least a first portion of stored activity data in the analytics repository database using the cloud security system, and wherein the threat model correlates one or more activities for a plurality of cloud applications based on profile information of a user, the user being associated with the tenant account for each of the plurality of cloud applications;
  
  identifying, based on the threat model, a threat using a second portion of stored activity data in the analytics repository database using the cloud security system;
  
  sending an alert including alert information and one or more recommended remediation actions;
  
  selecting a security policy to implement in response to the identified threat using the cloud security system;
  
  identifying one or more cloud security controls in at least one remotely hosted cloud application server system of the service provider system to modify in accordance with the selected security policy using the cloud security system, wherein the one or more cloud security controls configure access to the cloud application provided by the service provider system to the tenant account;
  
  establishing, using the cloud security system, a second secure connection to the at least one remotely hosted cloud application server system using the login credentials associated with the tenant account for accessing the cloud application; and
  
  sending, using the cloud security system, one or more instructions to the at least one remotely hosted cloud application server system, the one or more instructions causing the at least one remotely hosted cloud application server system to set the identified one or more cloud security controls with respect to the tenant account in accordance with the selected security policy, wherein the access to the cloud application by the tenant account is modified based on the identified one or more cloud security controls that are set in accordance with the selected security policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Kirti, Ganesh, Gupta, Rohit, Turlapati, Ramana Rao Satyasai, Biswas, Kamalendu
Primary Examiner(s)
KIM, TAE K

Application Number

US14/523,804
Publication Number

US 20150172321A1
Time in Patent Office

977 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Techniques for cloud security monitoring and threat intelligence

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

64 Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for cloud security monitoring and threat intelligence

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links