Real-time mitigation of data access insider intrusions
Abstract
The present invention provides a policy specification framework to enable an enterprise to specify a given insider attack using a holistic view of a given data access, as well as the means to specify and implement one or more intrusion mitigation methods in response to the detection of such an attack. The policy specification provides for the use of “anomaly” and “signature” attributes that capture sophisticated behavioral characteristics of illegitimate data access. When the attack occurs, a previously-defined administrator (or system-defined) mitigation response (e.g., verification, disconnect, de-provision, network re-routing, or the like) is then implemented.
Claims
1. A method of protecting an enterprise information asset against insider attack, comprising:
- specifying a policy filter that defines (a) a given action that a trusted user may attempt to take with respect to a given enterprise information asset stored on a given enterprise data server, and (b) a given risk mitigation response that is to be taken upon detection of the given action;
- monitoring a trusted user's given data access with respect to the given enterprise data server;
- analyzing the given data access against the policy filter;
- determining whether the trusted user's given data access is indicative of the given action as specified by the policy filter;
- if the trusted user's given data access is indicative of the given action as specified in the policy filter, taking the given mitigation response as specified in the policy filter.
Dependent claims: 2, 3, 4, 5, 6, 7, 9, 10, 11, 12.

8. The method as described in claim 8 wherein the given enterprise resource is a directory.

13. A system for protecting an enterprise information asset against insider attack, comprising:
- at least one or more processors;
- code executing on a given processor for generating a display interface through which an authorized entity using a given policy specification language specifies an insider attack;
- code executing on a given processor that determines whether a trusted user's given data access to an enterprise resource is indicative of the insider attack; and
- code executing on a given processor and responsive to the insider attack for taking a given mitigation action.
Dependent claims: 14, 15, 16, 17, 18.
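The following is an added illustration of the monitor, analyze, determine and mitigate steps of claims 1 and 13 as a small policy-filter engine; it is not code from the patent or its assignee. Each `PolicyFilter` pairs (a) an action predicate, written either as a "signature" attribute (a fixed illegitimate pattern) or an "anomaly" attribute (a deviation from the user's own baseline), with (b) a mitigation response drawn from the abstract's list (verification, disconnect, de-provision, re-routing). The server name `hr-db`, the assets `payroll` and `benefits`, the user `alice`, the thresholds and the sample events are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DataAccess:
    """One observed data access by a trusted user (constructed event shape)."""
    user: str
    server: str
    asset: str
    operation: str   # e.g. "read" or "export"
    rows: int
    when: datetime


class AccessHistory:
    """Per-user running totals that anomaly attributes compare against a baseline."""

    def __init__(self, baseline_rows_per_day: Dict[str, int]) -> None:
        self.baseline = baseline_rows_per_day          # assumed: learned from past activity
        self.rows_today: Dict[str, int] = defaultdict(int)

    def record(self, access: DataAccess) -> None:
        self.rows_today[access.user] += access.rows


Predicate = Callable[[DataAccess, AccessHistory], bool]


@dataclass(frozen=True)
class PolicyFilter:
    """(a) the action to detect and (b) the mitigation response taken on detection."""
    name: str
    action: Predicate
    response: str   # one of: verify, disconnect, deprovision, reroute


# Signature attribute: a specific illegitimate pattern, here an export of the
# payroll asset from the HR server outside business hours (08:00-18:00, assumed).
def after_hours_payroll_export(a: DataAccess, h: AccessHistory) -> bool:
    return (a.server == "hr-db" and a.asset == "payroll"
            and a.operation == "export" and not 8 <= a.when.hour < 18)


# Anomaly attribute: behaviour that deviates from the user's own baseline, here
# reading more than three times the user's normal daily row volume (factor assumed).
def volume_anomaly(a: DataAccess, h: AccessHistory) -> bool:
    baseline = h.baseline.get(a.user, 0)
    return baseline > 0 and h.rows_today[a.user] > 3 * baseline


# The policy: ordered list, first matching filter decides the response.
POLICY: List[PolicyFilter] = [
    PolicyFilter("after-hours payroll export", after_hours_payroll_export, "disconnect"),
    PolicyFilter("read volume 3x over baseline", volume_anomaly, "verify"),
]


def evaluate(access: DataAccess, filters: List[PolicyFilter],
             history: AccessHistory) -> Optional[Tuple[str, str]]:
    """Monitor (record) -> analyze against each filter -> determine -> return the
    (filter name, mitigation response) to take, or None when no filter matches."""
    history.record(access)
    for f in filters:
        if f.action(access, history):
            return f.name, f.response
    return None


def run_demo() -> List[Optional[Tuple[str, str]]]:
    """Constructed sample: one user's accesses over a single day."""
    history = AccessHistory(baseline_rows_per_day={"alice": 1_000})
    events = [
        DataAccess("alice", "hr-db", "benefits", "read", 500, datetime(2024, 1, 8, 10, 0)),
        DataAccess("alice", "hr-db", "benefits", "read", 2_600, datetime(2024, 1, 8, 14, 0)),
        DataAccess("alice", "hr-db", "payroll", "export", 200, datetime(2024, 1, 8, 23, 30)),
    ]
    return [evaluate(e, POLICY, history) for e in events]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Filter order matters: the signature filter is listed before the anomaly filter so that a known-bad pattern always takes its stronger response (disconnect) even when the volume anomaly would also fire on the same event. The second event trips only the anomaly attribute, so it draws the softer "verify" response; the third matches the signature and is disconnected.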
Specification