Controlling enterprise access by mobile devices

US 9,706,410 B2
Filed: 03/07/2012
Issued: 07/11/2017
Est. Priority Date: 03/07/2012
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

at least one component running on at least one server, the at least one component receiving vulnerability data and, for each device of a plurality of devices, device data that includes data of at least one device component, wherein the vulnerability data comprises a set of vulnerability data identified as corresponding to each device of the plurality of devices based on the at least one device component of each device, wherein the device data is received using a first agent of an enterprise when the device data is unique to the device and is otherwise received using a second agent of the at least one server;

a trust score corresponding to each device of the plurality of devices and representing a level of security applied to the device, wherein the trust score is generated by calculating for each vulnerability of each device component of each device a vulnerability trust score that is proportional to a severity rating of each vulnerability, and calculating the trust score of each device by combining the vulnerability trust score of each vulnerability of that device; and

an access control component coupled to the at least one component and controlling access of each device of the plurality of devices to the enterprise using the trust score.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system comprising at least one component running on at least one server and receiving vulnerability data and, for each device of a plurality of devices, device data that includes data of at least one device component. The system includes a trust score corresponding to each device of the plurality of devices and representing a level of security applied to the device. The trust score is generated using a severity of the vulnerability data. The system includes an access control component coupled to the at least one component and controlling access of the plurality of devices to an enterprise using the trust score.

Citations

77 Claims

1. A system comprising:
- at least one component running on at least one server, the at least one component receiving vulnerability data and, for each device of a plurality of devices, device data that includes data of at least one device component, wherein the vulnerability data comprises a set of vulnerability data identified as corresponding to each device of the plurality of devices based on the at least one device component of each device, wherein the device data is received using a first agent of an enterprise when the device data is unique to the device and is otherwise received using a second agent of the at least one server;
  
  a trust score corresponding to each device of the plurality of devices and representing a level of security applied to the device, wherein the trust score is generated by calculating for each vulnerability of each device component of each device a vulnerability trust score that is proportional to a severity rating of each vulnerability, and calculating the trust score of each device by combining the vulnerability trust score of each vulnerability of that device; and
  
  an access control component coupled to the at least one component and controlling access of each device of the plurality of devices to the enterprise using the trust score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76)
- - 2. The system of claim 1, wherein the device data comprises data of at least one of device identification, configuration, operating system (OS) name, OS version, platform name, platform software components, device system image, device manufacturer, device brand, device model, device code name, user agent, central processor unit (CPU) type, and bootloader version.
  - 3. The system of claim 1, wherein the at least one component comprise a catalog component, wherein for each device the catalog component identifies a set of vulnerability data corresponding to the device.
  - 4. The system of claim 3, wherein the catalog component generates the trust score of the device using the set of vulnerability data.
  - 5. The system of claim 3, wherein the catalog component couples to a remote database and receives the vulnerability data from the remote database.
  - 6. The system of claim 5, wherein the catalog component periodically receives the vulnerability data.
  - 7. The system of claim 5, wherein the remote database comprises the National Vulnerabilities Database.
  - 8. The system of claim 3, wherein the catalog component generates a mapping between the device data and the vulnerability data.
  - 9. The system of claim 8, wherein the catalog component identifies the set of vulnerability data corresponding to the device using the mapping.
  - 10. The system of claim 3, wherein the catalog component automatically receives the device data from each of the plurality of devices.
  - 11. The system of claim 3, wherein the catalog component receives the device data through manual entry into the catalog.
  - 12. The system of claim 3, wherein the catalog component receives the device data through semi-automatic entry into the catalog.
  - 13. The system of claim 12, wherein the device comprises an agent application, wherein the agent application collects the device data and transfers the device data to the catalog component.
  - 14. The system of claim 3, wherein the catalog component receives the device data from at least one remote source, wherein the at least one remote source is remote to the at least one server and the access control component.
  - 15. The system of claim 3, wherein the catalog component receives supplemental device data from at least one remote source that is remote to the at least one server and the access control component, wherein the catalog component supplements the device data using the supplemental device data.
  - 16. The system of claim 3, wherein the catalog component receives the device data via self-identification, wherein the self-identification includes sending an electronic query to a user of a device and receiving the device data in response to action on the device resulting from the electronic query.
  - 17. The system of claim 3, wherein, when the device data is deficient, the access control component places in a hold status a connection with a device attempting to access the enterprise.
  - 18. The system of claim 17, wherein, while the connection is in the hold status, the access control component attempts to couple to at least one additional device data source and complete the device data using the at least one additional device data source, wherein the at least one additional device data source is remote to the at least one of the at least one server and the access control component.
  - 19. The system of claim 3, wherein the catalog component updates and maintains the trust score.
  - 20. The system of claim 19, wherein the catalog component updates the trust score in response to receiving a new version of the vulnerability data.
  - 21. The system of claim 19, wherein the catalog component updates the trust score in response to receiving updated device data.
  - 22. The system of claim 19, wherein the catalog component updates the trust score in response to receiving device data corresponding to a new device.
  - 23. The system of claim 1, wherein the access control component separately controls access to the enterprise by each software component of each device of the plurality of devices.
  - 24. The system of claim 1, comprising a status list formed using at least one of a plurality of trust scores and the device data of the plurality of devices.
  - 25. The system of claim 24, wherein the status list includes the trust score for each device of the plurality of devices.
  - 26. The system of claim 24, wherein the status list includes type identification describing device type for at least one of a set of devices and at least one device of the plurality of devices.
  - 27. The system of claim 24, wherein the status list includes a status for each set of a plurality of sets of devices, wherein the plurality of devices comprise the plurality of sets of devices.
  - 28. The system of claim 27, where a set of devices comprises devices having at least one specified parameter of device data.
  - 29. The system of claim 27, where a set of devices comprises devices having at least one specified enterprise parameter.
  - 30. The system of claim 27, wherein the status comprises a first status that allows a set of devices corresponding to the first status access to the enterprise.
  - 31. The system of claim 27, wherein the status comprises a second status that denies a set of devices corresponding to the second status access to the enterprise.
  - 32. The system of claim 27, wherein the status comprises a third status that quarantines a set of devices corresponding to the third status during an attempt to access to the enterprise.
  - 33. The system of claim 1, wherein the access control component includes a traffic filter, wherein the plurality of devices couple to the traffic filter to access the enterprise.
  - 34. The system of claim 33, wherein the traffic filter is executing on an access server of an enterprise.
  - 35. The system of claim 34, wherein the traffic filter comprises a plurality of filter instances, where each filter instance corresponds to a process running on the access server.
  - 36. The system of claim 34, wherein the access server comprises a client access server (CAS)/internet information server (IIS).
  - 37. The system of claim 33, wherein the traffic filter receives the device data from a device connecting to the enterprise, wherein the device reports the device data via a user agent.
  - 38. The system of claim 33, wherein the traffic filter receives the device data from a device connecting to the enterprise, wherein the device receives an electronic mail and content of the electronic mail causes the device to report the device data via a user agent.
  - 39. The system of claim 33, wherein the traffic filter includes the trust score.
  - 40. The system of claim 39, wherein the traffic filter receives the trust score from the at least one component.
  - 41. The system of claim 33, wherein control of the access by the traffic filter comprises comparing the trust score with data received during communication a device attempting to access the enterprise, and at least one of allows and denies access to the device based on the results of the comparison.
  - 42. The system of claim 33, wherein the at least one component comprises a trust component coupled to the catalog component, wherein the trust component generates a status list using at least one of the trust scores and the device data of the plurality of devices.
  - 43. The system of claim 42, wherein the status list corresponds to the enterprise and includes a status corresponding to each device.
  - 44. The system of claim 43, wherein the traffic filter includes the status list.
  - 45. The system of claim 43, wherein the traffic filter receives the status list from the trust component.
  - 46. The system of claim 43, wherein control of the access by the traffic filter comprises comparing the status list with data received during communication a device attempting to access the enterprise, and at least one of allows and denies access to the device based on the results of the comparison.
  - 47. The system of claim 43, wherein the status is determined using at least one access policy of the enterprise.
  - 48. The system of claim 47, wherein the status is determined using at least one policy exception of the enterprise.
  - 49. The system of claim 43, wherein the status comprises a first status that allows a device corresponding to the first status access to the enterprise.
  - 50. The system of claim 49, wherein the status comprises a second status that denies a device corresponding to the second status access to the enterprise.
  - 51. The system of claim 50, wherein the status comprises a third status that quarantines a device corresponding to the third status during an attempt to access to the enterprise.
  - 52. The system of claim 33, wherein the traffic filter comprises at least one set of instructions executing under the traffic filter, wherein the at least one set of instructions is received from the at least one server.
  - 53. The system of claim 1, wherein the trust score comprises an indicator of a level of security applied to a device by the enterprise.
  - 54. The system of claim 1, wherein the trust score comprises a color-coded indicator.
  - 55. The system of claim 1, wherein the trust score comprises a numerical value.
  - 56. The system of claim 55, wherein the numerical value is in a range between and including zero (0) and ten (10).
  - 57. The system of claim 55, wherein the trust score is generated by selecting a base score, and reducing the base score by an amount corresponding to a severity of each vulnerability of the set of vulnerability data.
  - 58. The system of claim 55, wherein each vulnerability of the set of vulnerability data is represented by a severity rating.
  - 59. The system of claim 58, wherein the trust score is generated by generating a score deduction for each vulnerability of the set of vulnerability data.
  - 60. The system of claim 59, wherein the trust score is generated by applying to the base score the score deduction corresponding to each vulnerability of the set of vulnerability data.
  - 61. The system of claim 60, wherein the base score is represented by a value of approximately ten (10).
  - 62. The system of claim 61, wherein score deduction is generated with use of a formula
    D=(i²÷
    - 6)−
      
      ((2·
      
      i)÷
      
      3),wherein variable D represents the score deduction, and variable i represents the severity rating of the vulnerability.
  - 63. The system of claim 1, wherein the at least one component generates at least one risk mitigation message corresponding to at least one device of the plurality of devices, wherein the risk mitigation message includes at least one suggested action for a user of the at least one device, wherein the at least one suggested action when taken reduces a risk associated with access to the enterprise by the at least one device.
  - 64. The system of claim 1, wherein the at least one component prioritizes the device data based on at least one of a type of the device data, a source of the device data, and consistency among parameters of the device data.
  - 65. The system of claim 1, wherein the access control component maintains the device data of at least one device of the plurality of devices attempting to access the enterprise.
  - 66. The system of claim 1, comprising an interface coupled to the at least one component, wherein a user accesses and controls the at least one component via the interface.
  - 67. The system of claim 66, wherein the interface includes controls to establish a plurality of risk thresholds according to at least one of the trust scores and a plurality of ranges of trust scores.
  - 68. The system of claim 66, wherein the interface presents effectiveness data of a plurality of enterprise access policies enforced by the at least one component.
  - 69. The system of claim 68, wherein the plurality of enterprise access policies are based on at least one parameter, wherein the at least one parameter includes the trust score, a range of trust scores, device type, operating system data, at least one device capability, and device configuration.
  - 70. The system of claim 68, wherein the interface includes controls to generate the plurality of enterprise access policies, wherein the controls include a control to specify a policy type and a control to specify at least one parameter that is a basis for the policy.
  - 71. The system of claim 68, wherein the at least one component generates the plurality of enterprise access policies based on at least one of the vulnerability data, the device data, and the trust scores of the plurality of devices.
  - 72. The system of claim 71, wherein the interface includes controls to edit the plurality of enterprise access policies.
  - 73. The system of claim 71, wherein the interface includes controls to apply at least one of the plurality of enterprise access policies.
  - 74. The system of claim 68, wherein the interface includes controls to generate and apply a plurality of policy exceptions.
  - 75. The system of claim 68, wherein the interface presents predicted effectiveness data of at least one of a change to the plurality of enterprise access policies and at least one new enterprise access policy.
  - 76. The system of claim 75, wherein the predicted effectiveness data includes at least one of a type of device affected and a number of devices affected.

77. A method comprising:
- receiving vulnerability data and, for each device of a plurality of devices, device data by at least one component running on at least one server, wherein the device data includes data of at least one device component, wherein the vulnerability data comprises a set of vulnerability data identified as corresponding to each device of the plurality of devices based on the at least one device component of each device, wherein the device data is received using a first agent of an enterprise when the device data is unique to the device and is otherwise received using a second agent of the at least one server;
  
  generating a trust score corresponding to each device of the plurality of devices and representing a level of security applied to the device, wherein the generating of the trust score includes calculating for each vulnerability of each device component of each device a vulnerability trust score that is proportional to a severity rating of each vulnerability, and calculating the trust score of each device by combining the vulnerability trust score of each vulnerability of that device; and
  
  controlling access of the plurality of devices to the enterprise using the trust score hosted at an access control component coupled to the at least one component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rapid7, Inc.
Original Assignee
Rapid 7 Incorporated
Inventors
Sigurdson, Derek, Sreenivas, Giridhar
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US13/414,531
Publication Number

US 20130239167A1
Time in Patent Office

1,952 Days
Field of Search

726 1, 726 22, 726 25
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1433   Vulnerability analysis

H04W 12/12   Detection or prevention of ...

H04W 12/67   Risk-dependent, e.g. select...

Controlling enterprise access by mobile devices

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

77 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling enterprise access by mobile devices

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

77 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links