Enterprise security assessment sharing for off-premise users using globally distributed infrastructure

US 8,881,223 B2
Filed: 08/14/2008
Issued: 11/04/2014
Est. Priority Date: 01/08/2008
Status: Active Grant

First Claim

Patent Images

1. An ESAS (enterprise security assessment sharing) architecture arranged to support sharing of security assessments pertaining to an off-premise security object, comprising:

an SCM (Secure Content Management) security assessment channel that is implemented in a POP (Point-of-Presence) that is utilized with an SCM service, the SCM service a) implementing security monitoring of interactions between authenticated users and resources accessed over an Internet connection, the security monitoring including bidirectional content filtering between the authenticated users'"'"' IT devices and resource servers, the bidirectional content filtering being implemented subsequent to a user being authenticated, and the security monitoring further including anti-virus protection and intrusion detection, and b) content caching based on a profile of a user, the user profile being generated responsively to the monitored interactions, the SCM security assessment channel being arranged to extend an enterprise network security assessment channel from an IT device network into the POP, the POP including at least a forward proxy server for forwarding traffic from the off-premise security object to a resource server over the Internet connection; and

a plurality of endpoints disposed in the POP, each of the endpoints having a capability to publish and receive security assessments respectively into and from the SCM security assessment channel, the security assessment being usable for describing a security incident pertaining to the off-premise security object using a semantic abstraction of security-related information that is available to an endpoint, the semantic abstraction i) being categorized by type, and ii) being utilizable by one or more of the endpoints to trigger a response to the security incident.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and off-premise or roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services.

91 Citations

View as Search Results

20 Claims

1. An ESAS (enterprise security assessment sharing) architecture arranged to support sharing of security assessments pertaining to an off-premise security object, comprising:
- an SCM (Secure Content Management) security assessment channel that is implemented in a POP (Point-of-Presence) that is utilized with an SCM service, the SCM service a) implementing security monitoring of interactions between authenticated users and resources accessed over an Internet connection, the security monitoring including bidirectional content filtering between the authenticated users'"'"' IT devices and resource servers, the bidirectional content filtering being implemented subsequent to a user being authenticated, and the security monitoring further including anti-virus protection and intrusion detection, and b) content caching based on a profile of a user, the user profile being generated responsively to the monitored interactions, the SCM security assessment channel being arranged to extend an enterprise network security assessment channel from an IT device network into the POP, the POP including at least a forward proxy server for forwarding traffic from the off-premise security object to a resource server over the Internet connection; and
  
  a plurality of endpoints disposed in the POP, each of the endpoints having a capability to publish and receive security assessments respectively into and from the SCM security assessment channel, the security assessment being usable for describing a security incident pertaining to the off-premise security object using a semantic abstraction of security-related information that is available to an endpoint, the semantic abstraction i) being categorized by type, and ii) being utilizable by one or more of the endpoints to trigger a response to the security incident.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The ESAS architecture of claim 1 further including a global security assessment channel arranged between multiple POPs associated with the SCM service, the global security assessment channel being configured to transport security assessments among the POPs.
  - 3. The ESAS architecture of claim 1 in which the IT device network is an enterprise network and the off-premise security object comprises an off-premise user or an off-premise IT device.
  - 4. The ESAS architecture of claim 1 in which the plurality of endpoints includes at least one of edge firewall, host security gateway product, NIDs (Network Intrusion Detection System) security product, NAP (Network Access Protection) security product, SEM product (Security Event Management), SIM product (Security Incident Management), UTM (Unified Threat Management) product, operational health monitoring product, configuration management product, anti-virus product, anti-spyware product, anti-malware product, information leakage prevention product, or anti-spam product.
  - 5. The ESAS architecture of claim 1 in which a security assessment is arranged for providing an assignment of context by an endpoint to the security-related information using a pre-defined taxonomy.
  - 6. The ESAS architecture of claim 5 in which the pre-defined taxonomy utilizes a schematized vocabulary comprising object types and assessment categories.
  - 7. The ESAS architecture of claim 6 in which the object types include at least one of host, user, service, data, or enterprise.
  - 8. The ESAS architecture of claim 6 in which the assessment categories include at least one of vulnerable, compromised, under attack, of interest, corrupted, or malicious.
  - 9. The ESAS architecture of claim 8 in which particular ones of assessment categories are mapped to particular ones of object types.
  - 10. The ESAS architecture of claim 1 in which the security assessment comprises a plurality of fields, at least one of which is a fidelity field that is arranged to express a degree of confidence an endpoint has in the security assessment.
  - 11. The ESAS architecture of claim 1 further including a hub operatively coupled to one or more POPs, the hub providing configuration management for forward proxy servers, and further providing identity management to authenticate and authorize a user of the IT device.
  - 12. The ESAS architecture of claim 11 further including response policies that are disposed in a database located in either a POP or the hub, the response policies describing an action to be taken by a security endpoint in response to a received security assessment.

13. A method for sharing security-related data about an off-premise object, the method comprising the steps of:
- generating a security assessment at a first endpoint, published to a security assessment channel, to describe a security incident relating to the off-premise object, the generating being based at least in part on locally-available information at the first endpoint, the security assessment being arranged to provide contextual meaning to the security incident and being defined with a time interval over which the security assessment is valid;
  
  receiving a current security assessment at the first endpoint, from the security assessment channel, in accordance with a subscription to a subset of available security assessments generated by other endpoints that are configured to monitor either one or more objects within a premise of an enterprise network or one or more off-premise objects that access resources through an SCM (Secure Content Management) service supported by an infrastructure including a plurality of POPs (Points-of-Presence), the SCM service a) implementing security monitoring of interactions between authenticated users and resources accessed over an Internet connection, the security monitoring including bidirectional content filtering between the authenticated users'"'"' IT devices and resource servers, the bidirectional content filtering being implemented subsequent to a user being authenticated, and the security monitoring further including anti-virus protection and intrusion detection, and b) content caching based on a profile of a user, the user profile being generated responsively to the monitored interactions, each POP in the plurality including at least a forward proxy server for forwarding traffic to the resource servers over the Internet connection; and
  
  performing an action at the first endpoint in accordance with a response policy in response to the received security assessment.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13 in which the off-premise object is one of a user or IT device.
  - 15. The method of claim 13 in which the locally-available information comprises one or more previously received security assessments from the subset so long as the previous security assessments are valid.
  - 16. The method of claim 13 in which the locally-available information further comprises one or more past local actions taken by the endpoint.
  - 17. The method of claim 13 including a further step of rolling back the local action once the received security assessment is no longer valid.

18. A method for providing an ESAS (enterprise security assessment sharing) service for an off-premise user or IT device, the method comprising the steps of:
- utilizing an infrastructure that is accessible by the off-premise user over an Internet connection, the infrastructure including a plurality of POPs (Points-of-Presence), each POP in the plurality including i) a forward proxy server for forwarding traffic from the off-premise user or IT device to resource servers that are accessible from the Internet, and ii) one or more endpoints, each endpoint being arranged to provide a security product or security service having applicability to the off-premise user or IT device, the infrastructure supporting a Secure Content Management (SCM) service, the SCM service a) implementing security monitoring of interactions between authenticated users and resources accessed over an Internet connection, the security monitoring including bidirectional content filtering between the authenticated users'"'"' IT devices and the resource servers, the bidirectional content filtering being implemented subsequent to a user being authenticated, and the security monitoring further including anti-virus protection and intrusion detection, and b) content caching based on a profile of a user, the user profile being generated responsively to the monitored interactions;
  
  providing a security assessment channel in the infrastructure, the security assessment channel being configured for communicating a security assessment using a publish and subscribe model by which a publishing endpoint publishes the security assessment to which a subscribing endpoint subscribes according to a subscription, the security assessment using a pre-defined taxonomy to provide contextual meaning to a security incident involving the off-premise user or IT device; and
  
  directing the off-premise user or IT device to a co-located POP, a POP being co-located when a set of parameters is optimized including network latency compared with non-co-located POPs and localization of a user experience may be implemented.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18 in which the security assessment is defined by at least one of security assessment fidelity, time-to-live, or security incident severity.
  - 20. The method of claim 18 including a further step of performing network optimization in a POP, the network optimization including one of caching, HTTP compression, or QoS enforcement.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Hudis, Efim, Edery, Yigal, Ananiev, Oleg, Wohlfert, John, Nice, Nir
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Pan, Peiliang

Application Number

US12/192,111
Publication Number

US 20090178108A1
Time in Patent Office

2,273 Days
Field of Search

726/1, 726 22- 25, 709/225, 709/229
US Class Current

726/1
CPC Class Codes

G06F 16/9535   Search customisation based ...

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 21/629   to features or functions of...

G06F 2221/2115   Third party

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2151   Time stamp

G06Q 30/0204   Market segmentation

G06Q 30/0215   Including financial accounts

H04L 63/0281   Proxies

H04L 63/14   for detecting or protecting...

H04L 63/20   for managing network securi...

Enterprise security assessment sharing for off-premise users using globally distributed infrastructure

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

91 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Enterprise security assessment sharing for off-premise users using globally distributed infrastructure

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

91 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others