Method and apparatus for data security analysis of data flows

US 10,693,903 B2
Filed: 12/26/2018
Issued: 06/23/2020
Est. Priority Date: 07/30/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing communication with a plurality of monitoring systems, wherein each of the monitoring systems is disparate from one another;

aggregating alerts from the plurality of monitoring systems, wherein the alerts relate to use, storage, transmission, deletion or processing of data from the plurality of monitoring systems;

determining one or more uniform data flow steps by standardizing the aggregated alerts; and

storing the one or more uniform data flow steps in a central database that is external to the plurality of monitoring systems.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus useful for data risk monitoring and management includes configuration and analysis of data flows to identify and assess risk and compliance to various regulatory standards and business practices. The evaluation of monitored data flows are then further used to identify potential security risks based on deviation from expected flows or compliant handling methods.

12 Citations

20 Claims

1. A method comprising:
- establishing communication with a plurality of monitoring systems, wherein each of the monitoring systems is disparate from one another;
  
  aggregating alerts from the plurality of monitoring systems, wherein the alerts relate to use, storage, transmission, deletion or processing of data from the plurality of monitoring systems;
  
  determining one or more uniform data flow steps by standardizing the aggregated alerts; and
  
  storing the one or more uniform data flow steps in a central database that is external to the plurality of monitoring systems.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - receiving a new alert from one of the plurality of monitoring systems;
      
      determining whether the new alert matches a corresponding known data flow step stored with the central database;
      
      determining that the new alert is a potential security issue if there is no determined match; and
      
      selectively adding the new alert to the central database if there is no determined match.
  - 3. The method of claim 2, further comprising:
    - applying one or more criteria in the determination of the match, wherein the one or more criteria include a storage, transmission, deletion, or processing method.
  - 4. The method of claim 2, further comprising:
    - generating a prompt requesting permission to activate an approve/veto function to provide automated treatment or manual treatment of the new alert;
      
      initiating presentation of the prompt, via a graphical user interface; and
      
      selectively activating the approve/veto function based on user input in response to the prompt.
  - 5. The method of claim 1, further comprising:
    - generating one or more surveys based on the alerts, wherein the one or more surveys specify one or more questions relating to the alerts;
      
      distributing the one or more surveys to originators of the alerts;
      
      receiving responses to the one or more surveys; and
      
      determining whether the alerts are illegitimate or anomalous based on the received responses.
  - 6. The method of claim 5, further comprising:
    - determining a new data flow based on the received responses; and
      
      updating the central database based on the determination of the new data flow.
  - 7. The method of claim 1, wherein the standardization provides the one or more uniform data flow steps based on one or more parameters that include transmission, protection protocol, frequency, or comments.
  - 8. The method of claim 1, wherein the plurality of monitoring systems includes a data loss protection monitoring product, a data inventory scanner, or a user behavioral analytics system.

9. An apparatus comprising:
- at least one processor; and
  
  at least one memory including computer program code for one or more programs, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following,establish communication with a plurality of monitoring systems, wherein each of the monitoring systems is disparate from one another;
  
  aggregate alerts from the plurality of monitoring systems, wherein the alerts relate to use, storage, transmission, deletion or processing of data from the plurality of monitoring systems;
  
  determine one or more uniform data flow steps by standardizing the aggregated alerts; and
  
  store the one or more uniform data flow steps in a central database that is external to the plurality of monitoring systems.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus of claim 9, wherein the apparatus is further caused to:
    - receive a new alert from one of the plurality of monitoring systems;
      
      determine whether the new alert matches a corresponding known data flow step stored with the central database;
      
      determine that the new alert is a potential security issue if there is no determined match; and
      
      selectively add the new alert to the central database if there is no determined match.
  - 11. The apparatus of claim 10, wherein the apparatus is further caused to:
    - apply one or more criteria in the determination of the match, wherein the one or more criteria include a storage, transmission, deletion, or processing method.
  - 12. The apparatus of claim 10, wherein the apparatus is further caused to:
    - generate a prompt requesting permission to activate an approve/veto function to provide automated treatment or manual treatment of the new alert;
      
      initiate presentation of the prompt, via a graphical user interface; and
      
      selectively activate the approve/veto function based on user input in response to the prompt.
  - 13. The apparatus of claim 9, wherein the apparatus is further caused to:
    - generate one or more surveys based on the alerts, wherein the one or more surveys specify one or more questions relating to the alerts;
      
      distribute the one or more surveys to originators of the alerts;
      
      receive responses to the one or more surveys; and
      
      determine whether the alerts are illegitimate or anomalous based on the received responses.
  - 14. The apparatus of claim 13, wherein the apparatus is further caused to:
    - determine a new data flow based on the received responses; and
      
      update the central database based on the determination of the new data flow.
  - 15. The apparatus of claim 9, wherein the standardization provides the one or more uniform data flow steps based on one or more parameters that include transmission, protection protocol, frequency, or comments.
  - 16. The apparatus of claim 9, wherein the plurality of monitoring systems includes a data loss protection monitoring product, a data inventory scanner, or a user behavioral analytics system.

17. A method comprising:
- assigning a policy to a data element associated with a data flow, wherein the data flow includes one or more data flow steps specifying usage of the data element, the policy being associated with a classification level for the data element;
  
  determining a data flow configuration according to the classification level involving how the data element is processed by a plurality of processing nodes;
  
  determining an expected sequence of the processing nodes that will interact with the data element according to the data flow configuration;
  
  monitoring an observed sequence of the processing nodes based on detected processing of the data element; and
  
  comparing the observed sequence with the expected sequence to identify a potential security issue.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein each flow step specifies method of transport of the data element as part of the policy.
  - 19. The method of claim 17, further comprising:
    - verifying the observed sequence based on attestation by a user associated with one of the plurality of processing nodes; and
      
      selectively modifying the observed sequence based on the attestation.
  - 20. The method of claim 17, further comprising:
    - aggregating a plurality of alerts from the plurality of processing nodes; and
      
      standardizing the aggregated alerts to provide uniformity of the data flow steps.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ior Analytics, LLC
Original Assignee
Ior Analytics, LLC
Inventors
Linde, Matthew Michael, Kim, Daniel Jonghoon, Wells, Erik
Primary Examiner(s)
Avery, Jeremiah L

Application Number

US16/232,816
Publication Number

US 20190132351A1
Time in Patent Office

545 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 11/30   Monitoring

G06F 12/00   Accessing, addressing or al...

G06F 16/2358   Change logging, detection, ...

G06F 16/2379   Updates performed during on...

G06F 21/577   Assessing vulnerabilities a...

H04L 41/22   comprising specially adapte...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Method and apparatus for data security analysis of data flows

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

12 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for data security analysis of data flows

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links