Systems and methods for monitoring the activity of devices within an organization by leveraging data generated by an existing security solution deployed within the organization

US 9,832,221 B1
Filed: 11/08/2011
Issued: 11/28/2017
Est. Priority Date: 11/08/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for monitoring the activity of devices within an organization by leveraging data generated by an existing security solution deployed within the organization, the method comprising:

identifying one or more external IP addresses associated with the organization;

receiving, at a reputation service, a reputation request from a device for reputation information relevant to evaluating the trustworthiness of a computing resource encountered by the device, wherein the reputation service comprises at least one processor configured to service reputation requests for devices within the organization;

determining that the reputation request originated from at least one of the one or more external IP addresses associated with the organization by;

identifying an originating IP address of the reputation request received from the device;

comparing the originating IP address of the reputation request with the one or more external IP addresses associated with the organization;

determining that the originating IP address of the reputation request matches at least one of the one or more external IP addresses associated with the organization;

responding, via the reputation service, to the reputation request by providing the requested reputation information to the device;

in addition to responding to the reputation request, using data generated from servicing the reputation request to track, for the organization, the activity of the device, wherein using the data to track the activity of the device comprises;

generating, via the reputation service, at least one employee-activity report for the organization that identifies the activity of the device, wherein;

the reputation service generates the report based at least in part on an analysis of the reputation request without using a separate monitoring service to generate the report;

the report includes information that identifies the number of managed devices and unmanaged devices within the organization and information that contrasts the activity of managed devices within the organization with the activity of unmanaged devices within the organization;

providing, via the reputation service, the report to the organization to enable the organization to monitor and/or manage the activity of the device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for monitoring the activity of devices within an organization by leveraging data generated by an existing security solution deployed within the organization may include (1) identifying, at a reputation service configured to service reputation requests, at least one external IP address associated with an organization, (2) identifying, within the reputation requests serviced by the reputation service, a plurality of reputation requests that originated from the external IP address associated with the organization, (3) generating, based at least in part on an analysis of the reputation requests that originated from the external IP address associated with the organization, at least one report for the organization that identifies the activity of devices within the organization, and (4) providing the report to the organization to enable the organization to monitor the activity of the devices within the organization. Corresponding systems and encoded computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for monitoring the activity of devices within an organization by leveraging data generated by an existing security solution deployed within the organization, the method comprising:
- identifying one or more external IP addresses associated with the organization;
  
  receiving, at a reputation service, a reputation request from a device for reputation information relevant to evaluating the trustworthiness of a computing resource encountered by the device, wherein the reputation service comprises at least one processor configured to service reputation requests for devices within the organization;
  
  determining that the reputation request originated from at least one of the one or more external IP addresses associated with the organization by;
  
  identifying an originating IP address of the reputation request received from the device;
  
  comparing the originating IP address of the reputation request with the one or more external IP addresses associated with the organization;
  
  determining that the originating IP address of the reputation request matches at least one of the one or more external IP addresses associated with the organization;
  
  responding, via the reputation service, to the reputation request by providing the requested reputation information to the device;
  
  in addition to responding to the reputation request, using data generated from servicing the reputation request to track, for the organization, the activity of the device, wherein using the data to track the activity of the device comprises;
  
  generating, via the reputation service, at least one employee-activity report for the organization that identifies the activity of the device, wherein;
  
  the reputation service generates the report based at least in part on an analysis of the reputation request without using a separate monitoring service to generate the report;
  
  the report includes information that identifies the number of managed devices and unmanaged devices within the organization and information that contrasts the activity of managed devices within the organization with the activity of unmanaged devices within the organization;
  
  providing, via the reputation service, the report to the organization to enable the organization to monitor and/or manage the activity of the device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 19, 20)
- - 2. The method of claim 1, wherein generating the report for the organization comprises including information within the report that identifies at least one conclusion drawn by analyzing the reputation request.
  - 3. The method of claim 1, wherein the reputation request comprises at least one of:
    - a unique identifier that uniquely identifies the device;
      
      information that uniquely identifies the computing resource for which the reputation information is requested;
      
      information indicating whether the device represents a managed device.
  - 4. The method of claim 1, wherein:
    - the report for the organization includes information that identifies activity of a plurality of devices within the organization, the plurality of devices comprising the device;
      
      the information that identifies the activity of the plurality of devices is generated based on an analysis of reputation requests received from the plurality of devices, the analysis of the reputation requests including the analysis of the reputation request originating from the device.
  - 5. The method of claim 4, wherein the reputation service determines that the plurality of devices are within the organization by:
    - identifying an originating IP address of each reputation request received from the plurality of devices;
      
      comparing the originating IP address of each of the received reputation requests with the one or more external IP addresses associated with the organization;
      
      determining that each of the originating IP addresses matches at least one of the one or more external IP address associated with the organization.
  - 6. The method of claim 4, wherein generating the report for the organization comprises including information within the report that identifies potential relationships between computing resources accessed by the plurality of devices within the organization.
  - 7. The method of claim 1, further comprising:
    - determining, based on the determination that the originating IP address of the reputation request matches at least one of the one or more external IP addresses associated with the organization, that the user of the device is an employee of the organization;
      
      including the activity of the device in the report based on the determination that the user of the device is an employee of the organization.
  - 8. The method of claim 1, wherein generating the report for the organization comprises generating the report by organizing information within the report by at least one of:
    - specific offices of the organization;
      
      specific geographic areas.
  - 19. The method of claim 1, wherein identifying the one or more external IP addresses associated with the organization comprises receiving the one or more external IP addresses from the organization during a registration process administered by the reputation service.
  - 20. The method of claim 1, wherein at least one of the one or more external IP addresses associated with the organization comprise at least one of:
    - a static IP address assigned to the organization;
      
      a dynamic IP address assigned to the organization.

9. A system for monitoring the activity of devices within an organization by leveraging data generated by an existing security solution deployed within the organization, the system comprising:
- an identification module, a report module, and a communication module operating as part of a reputation service that services reputation requests for devices within the organization, wherein the identification module, the report module, and the communication module are programmed to;
  
  identify one or more external IP addresses associated with the organization;
  
  receive a reputation request from a device for reputation information relevant to evaluating the trustworthiness of a computing resource encountered by the device;
  
  determine that the reputation request originated from at least one of the one or more external IP addresses associated with the organization by;
  
  identifying an originating IP address of the reputation request received from the device;
  
  comparing the originating IP address of the reputation request with the one or more external IP addresses associated with the organization;
  
  determining that the originating IP address of the reputation request matches at least one of the one or more external IP addresses associated with the organization;
  
  respond to the reputation request by providing the requested reputation information to the device;
  
  in addition to responding to the reputation request, use data generated from servicing the reputation request to track, for the organization, the activity of the device, wherein the identification module, the report module, and the communication module are programmed to use the data to track the activity of the devices by;
  
  generating, via the reputation service, at least one employee-activity report for the organization that identifies the activity of the device, wherein;
  
  the reputation service generates the report based at least in part on an analysis of the reputation request without using a separate monitoring service to generate the report;
  
  the report includes information that identifies the number of managed devices and unmanaged devices within the organization and information that contrasts the activity of managed devices within the organization with the activity of unmanaged devices within the organization;
  
  providing, via the reputation service, the report to the organization to enable the organization to monitor and/or manage the activity of the device;
  
  at least one processor configured to execute the identification module, the report module, and the communication module.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the report module includes, within the report, information that identifies at least one conclusion drawn by analyzing the reputation request.
  - 11. The system of claim 9, wherein the reputation request comprises at least one of:
    - a unique identifier that uniquely identifies the device;
      
      information that uniquely identifies the computing resource for which the reputation information is requested;
      
      information indicating whether the device represents a managed device.
  - 12. The system of claim 9, wherein:
    - the report for the organization includes information that identifies activity of a plurality of devices within the organization, the plurality of devices comprising the device;
      
      the report module generates the information that identifies the activity of the plurality of devices based on an analysis of reputation requests received from the plurality of devices, the analysis of the reputation requests including the analysis of the reputation request originating from the device.
  - 13. The system of claim 12, wherein the report module is programmed to generate the report for the organization by including information within the report that identifies potential relationships between computing resources accessed by the plurality of devices within the organization.
  - 14. The system of claim 9, wherein the report module is further programmed to:
    - determine, based on the determination that the originating IP address of the reputation request matches at least one of the one or more external IP addresses associated with the organization, that the user of the device is an employee of the organization;
      
      include the activity of the device in the report based on the determination that the user of the device is an employee of the organization.
  - 15. The system of claim 12, wherein the report module is programmed to generate the report by organizing information within the report by at least one of:
    - specific offices of the organization;
      
      specific geographic areas.
  - 16. The system of claim 9, wherein the communication module is programmed to provide the report to the organization by at least one of:
    - providing the report on a periodic basis;
      
      providing the report in response to determining that a predetermined alert threshold has been satisfied.

17. A non-transitory computer-readable-storage medium comprising one or more computer-executable instructions that, when executed by at least one processor of a reputation service, cause the reputation service to:
- identify one or more external IP addresses associated with an organization;
  
  receive, at a reputation service, a reputation request from a device for reputation information relevant to evaluating the trustworthiness of a computing resource encountered by the device, wherein the reputation service comprises at least one processor configured to service reputation requests for devices within the organization;
  
  determine that the reputation request originated from at least one of the one or more external IP addresses associated with the organization by;
  
  identifying an originating IP address of the reputation request received from the device;
  
  comparing the originating IP address of the reputation request with the one or more external IP addresses associated with the organization;
  
  determining that the originating IP address of the reputation request matches at least one of the one or more external IP addresses associated with the organization;
  
  respond, via the reputation service, to the reputation request by providing the requested reputation information to the device;
  
  in addition to responding to the reputation request, use data generated from servicing the reputation request to track, for the organization, the activity of the devices, wherein using the data to track the activity of the device comprises;
  
  generating, via the reputation service, at least one employee-activity report for the organization that identifies the activity of the device, wherein;
  
  the reputation service generates the report based at least in part on an analysis of the reputation request without using a separate monitoring service to generate the report;
  
  the report includes information that identifies the number of managed devices and unmanaged devices within the organization and information that contrasts the activity of managed devices within the organization with the activity of unmanaged devices within the organization;
  
  providing, via the reputation service, the report to the organization to enable the organization to monitor and/or manage the activity of the device.
- View Dependent Claims (18)
- - 18. The non-transitory computer-readable-storage medium of claim 17, wherein the one or more computer-executable instructions, when executed by the processor of the reputation service, further cause the reputation service to generate the report for the organization by including information within the report that identifies at least one conclusion drawn by analyzing the reputation request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Newstadt, Keith, Santoyo, Javier
Primary Examiner(s)
Dollinger, Tonia L
Assistant Examiner(s)
Cooney, Adam

Application Number

US13/291,773
Time in Patent Office

2,212 Days
Field of Search

709224
US Class Current
CPC Class Codes

G06F 15/173   using an interconnection ne...

G06F 21/316   by observing the pattern of...

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Systems and methods for monitoring the activity of devices within an organization by leveraging data generated by an existing security solution deployed within the organization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for monitoring the activity of devices within an organization by leveraging data generated by an existing security solution deployed within the organization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links