Data access verification for enterprise resources

US 9,591,008 B2
Filed: 04/16/2015
Issued: 03/07/2017
Est. Priority Date: 03/06/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable storage medium having instructions stored therein, wherein the instructions, when executed by a processor of a computing device, cause the computing device to perform operations responsive to a determination that a verification with a user is desired responsive to detection of activity indicative of a possible insider threat, wherein the computing device is to be communicatively coupled to a traffic capture and analysis module (TCAM), wherein the TCAM is to be coupled between a set of one or more client end stations and a set of one or more server end stations to analyze network traffic being sent between them, wherein the set of server end stations is to store enterprise resources including an enterprise application and enterprise data, wherein the possible insider threat comprises the use of one or more of a user account and a client end station to access the enterprise resources, and wherein the determination that the verification with the user is desired was based on one or more of the network traffic, current event data, and stored historical data, wherein the current event data describes an access to one of the enterprise resources that was detected and reported on by the TCAM, the operations comprising:

determining whether a number of detections of activity indicative of the possible insider threat caused by a rule exceeds a predetermined threshold within a predetermined period of time;

when the number of detections of activity indicative of the possible insider threat caused by the rule exceeds the predetermined threshold within the predetermined period of time, notifying an administrator and forgoing the verification;

otherwise, performing the following,selecting a target role and a target user for the verification based on an activity context and an enterprise context repository, wherein the activity context describes the activity by identifying the rule used to make the determination and by identifying one or more of the current event data and relevant historical data, wherein the enterprise context repository identifies roles within the enterprise and the users in those roles, the selecting including;

selecting the target role from a plurality of target roles based on the activity context, wherein the plurality of target roles includes two or more of an owner of the client end station, an owner of the user account, an owner of a particular part of the enterprise data, and a position at the enterprise;

selecting the target user in the selected target role based on the enterprise context repository, wherein the selected target role and the selected target user in that selected target role is intended to be the user of the enterprise having the requisite knowledge to confirm whether or not the activity is indicative of the possible insider threat, wherein the selected target user is a different individual than the owner of the user account and the administrator;

determining whether a number of verifications with the target user exceeds another predetermined threshold within another predetermined period of time;

when the number of verifications with the target user exceeds the another predetermined threshold within the another predetermined period of time, notifying the administrator and forgoing the verification;

otherwise, performing the following,causing a verification request to be sent to the selected target user, wherein the verification request describes the activity and allows the selected target user to effectively confirm whether or not the activity is indicative of the possible insider threat; and

generating an alert when a verification result, which is based on the verification request and any verification response, indicates that the activity is indicative of the possible insider threat.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a method in a computing device for responding to a determination that a verification with a user is desired responsive to detection of activity indicative of a possible insider threat is described. The method includes selecting a target role and a target user for the verification based on an activity context and an enterprise context repository, the selecting including selecting the target role from a plurality of target roles based on the activity context and optionally the enterprise context repository and selecting a target user in the selected target role based on the enterprise context repository. The method further includes causing a verification request to be sent to the selected target user; and generating an alert when a verification result indicates that the activity is indicative of the possible insider threat.

9 Citations

View as Search Results

30 Claims

1. A non-transitory computer-readable storage medium having instructions stored therein, wherein the instructions, when executed by a processor of a computing device, cause the computing device to perform operations responsive to a determination that a verification with a user is desired responsive to detection of activity indicative of a possible insider threat, wherein the computing device is to be communicatively coupled to a traffic capture and analysis module (TCAM), wherein the TCAM is to be coupled between a set of one or more client end stations and a set of one or more server end stations to analyze network traffic being sent between them, wherein the set of server end stations is to store enterprise resources including an enterprise application and enterprise data, wherein the possible insider threat comprises the use of one or more of a user account and a client end station to access the enterprise resources, and wherein the determination that the verification with the user is desired was based on one or more of the network traffic, current event data, and stored historical data, wherein the current event data describes an access to one of the enterprise resources that was detected and reported on by the TCAM, the operations comprising:
- determining whether a number of detections of activity indicative of the possible insider threat caused by a rule exceeds a predetermined threshold within a predetermined period of time;
  
  when the number of detections of activity indicative of the possible insider threat caused by the rule exceeds the predetermined threshold within the predetermined period of time, notifying an administrator and forgoing the verification;
  
  otherwise, performing the following,selecting a target role and a target user for the verification based on an activity context and an enterprise context repository, wherein the activity context describes the activity by identifying the rule used to make the determination and by identifying one or more of the current event data and relevant historical data, wherein the enterprise context repository identifies roles within the enterprise and the users in those roles, the selecting including;
  
  selecting the target role from a plurality of target roles based on the activity context, wherein the plurality of target roles includes two or more of an owner of the client end station, an owner of the user account, an owner of a particular part of the enterprise data, and a position at the enterprise;
  
  selecting the target user in the selected target role based on the enterprise context repository, wherein the selected target role and the selected target user in that selected target role is intended to be the user of the enterprise having the requisite knowledge to confirm whether or not the activity is indicative of the possible insider threat, wherein the selected target user is a different individual than the owner of the user account and the administrator;
  
  determining whether a number of verifications with the target user exceeds another predetermined threshold within another predetermined period of time;
  
  when the number of verifications with the target user exceeds the another predetermined threshold within the another predetermined period of time, notifying the administrator and forgoing the verification;
  
  otherwise, performing the following,causing a verification request to be sent to the selected target user, wherein the verification request describes the activity and allows the selected target user to effectively confirm whether or not the activity is indicative of the possible insider threat; and
  
  generating an alert when a verification result, which is based on the verification request and any verification response, indicates that the activity is indicative of the possible insider threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The non-transitory computer-readable storage medium of claim 1, wherein the selected target role is a manager of the owner of the user account or the owner of the client end station.
  - 3. The non-transitory computer-readable storage medium of claim 1, wherein the selected target role is the owner of the particular part of the enterprise data that is the subject of the activity.
  - 4. The non-transitory computer-readable storage medium of claim 1, wherein the selected target role is the owner of the client end station.
  - 5. The non-transitory computer-readable storage medium of claim 1, wherein the alert comprises notifying the administrator of the enterprise about the activity.
  - 6. The non-transitory computer-readable storage medium of claim 1, wherein the alert comprises causing the TCAM to block network traffic from a source.
  - 7. The non-transitory computer-readable storage medium of claim 1, wherein the operations further comprise:
    - selecting a channel of communication for the verification request based on two or more of a set of one or more available channels of communication, time of day for the target user, and urgency that stems from the activity, wherein the verification request is sent via the selected channel of communication.
  - 8. The non-transitory computer-readable storage medium of claim 1, wherein the operations further comprise:
    - receiving a verification response from the target user identifying a new target user and indicating that the verification should be performed with the new target user; and
      
      causing a second verification request to be sent to the new target user.
  - 9. The non-transitory computer-readable storage medium of claim 8, wherein the operations further comprise:
    - recording in the enterprise context repository that similar future verifications should be with the new target user instead.
  - 10. The non-transitory computer-readable storage medium of claim 1, wherein the operations further comprise:
    - selecting a type for the verification request from a plurality of types based on one or more of the activity and configuration data, wherein the plurality of types include a positive type and a negative type.
  - 11. The non-transitory computer-readable storage medium of claim 1, wherein the selected target user is a manager of the user as part of an escalation plan.
  - 12. The non-transitory computer-readable storage medium of claim 1, wherein the verification request is caused to be sent out-of band relative to the network traffic.
  - 13. The non-transitory computer-readable storage medium of claim 1, wherein the insider threat is one of a compromised insider threat, a malicious insider threat, and a negligent insider threat.
  - 14. The non-transitory computer-readable storage medium of claim 1, wherein the stored historical data reflects one or more of a set of prior verification requests sent to users and any corresponding verification responses from those users and a set of prior event data that describes accesses to one of the enterprise resources that was detected and reported on by the TCAM.
  - 15. The non-transitory computer-readable storage medium of claim 1, wherein the verification request, instead of directly asking whether or not the activity is indicative of the possible insider threat, poses one or more questions that are expected to be more understandable to the selected target user.

16. A computing device configured to respond to a determination that a verification with a user is desired responsive to detection of activity indicative of a possible insider threat, wherein the computing device is to be communicatively coupled to a traffic capture and analysis module (TCAM), wherein the TCAM is to be coupled between a set of one or more client end stations and a set of one or more server end stations to analyze network traffic being sent between them, wherein the set of server end stations to store enterprise resources including an enterprise application and enterprise data, wherein the possible insider threat comprises the use of one or more of a user account and a client end station to access the enterprise resources, and wherein the determination that the verification with the user is desired is based on one or more of the network traffic, current event data, and stored historical data, wherein the current event data describes an access to one of the enterprise resources that was detected and reported on by the TCAM, the computing device comprising:
- a processor and a memory, said memory containing instructions which when executed by the processor cause the computing device to;
  
  determine whether a number of detections of activity indicative of the possible insider threat caused by a rule exceeds a predetermined threshold within a predetermined period of time;
  
  when the number of detections of activity indicative of the possible insider threat caused by the rule exceeds the predetermined threshold within the predetermined period of time, notify an administrator and forgo the subsequent verification;
  
  otherwise, perform the following,select a target role and a target user for the verification based on an activity context and an enterprise context repository, wherein the activity context describes the activity by identifying the rule used to make the determination and by identifying one or more of the current event data and relevant historical data, wherein the enterprise context repository identifies roles within the enterprise and the users in those roles, the selection including to;
  
  select the target role from a plurality of target roles based on the activity context, wherein the plurality of target roles includes two or more of an owner of the client end station, an owner of the user account, an owner of a particular part of the enterprise data, and a position at the enterprise; and
  
  select the target user in the selected target role based on the enterprise context repository, wherein the selected target role and the selected target user in that selected target role is intended to be the user of the enterprise having the requisite knowledge to confirm whether or not the activity is indicative of the possible insider threat, wherein the selected target user is a different individual than the owner of the user account and the administrator;
  
  determine whether a number of verifications with the target user exceeds another predetermined threshold within another predetermined period of time;
  
  when the number of verifications with the target user exceeds the another predetermined threshold within the another predetermined period of time, notify the administrator and forging the verification; and
  
  otherwise, perform the following,cause a verification request to be sent to the selected target user, wherein the verification request describes the activity and allows the selected target user to effectively confirm whether or not the activity is indicative of the possible insider threat; and
  
  generate an alert when a verification result, which is based on the verification request and any verification response, indicates that the activity is indicative of the possible insider threat.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The computing device of claim 16, wherein the selected target role is a manager of the owner of the user account or the owner of the client end station.
  - 18. The computing device of claim 16, wherein the selected target role is the owner of the particular part of the enterprise data that is the subject of the activity.
  - 19. The computing device of claim 16, wherein the selected target role is the owner of the client end station.
  - 20. The computing device of claim 16, wherein the alert is to notify the administrator of the enterprise about the activity.
  - 21. The computing device of claim 16, wherein the alert is to cause the TCAM to block network traffic from a source.
  - 22. The computing device of claim 16, wherein the instructions when executed by the processor also cause the computing device to:
    - select a channel of communication for the verification request based on two or more of a set of one or more available channels of communication, time of day for the target user,and urgency that stems from the activity, wherein the verification request is sent via the selected channel of communication.
  - 23. The computing device of claim 16, wherein the instructions when executed by the processor also cause the computing device to:
    - receive a verification response from the target user identifying a new target user and indicating that the verification should be performed with the new target user; and
      
      cause a second verification request to be sent to the new target user.
  - 24. The computing device of claim 23, wherein the instructions when executed by the processor also cause the computing device to:
    - record in the enterprise context repository that similar future verifications should be with the new target user instead.
  - 25. The computing device of claim 16, wherein the instructions when executed by the processor also cause the computing device to:
    - select a type for the verification request from a plurality of types based on one or more of the activity and configuration data, wherein the plurality of types include a positive type and a negative type.
  - 26. The computing device of claim 16, wherein the selected target user is a manager of the user as part of an escalation plan.
  - 27. The computing device of claim 16, wherein the verification request is caused to be sent out-of band relative to the network traffic.
  - 28. The computing device of claim 16, wherein the insider threat is one of a compromised insider threat, a malicious insider threat, and a negligent insider threat.
  - 29. The computing device of claim 16, wherein the stored historical data reflects one or more of a set of prior verification requests sent to users and any corresponding verification responses from those users and a set of prior event data that describes accesses to one of the enterprise resources that was detected and reported on by the TCAM.
  - 30. The computing device of claim 16, wherein the verification request, instead of directly asking whether or not the activity is indicative of the possible insider threat, poses one or more questions that are expected to be more understandable to the selected target user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imperva Incorporated (Thales SA)
Original Assignee
Imperva Incorporated (Thales SA)
Inventors
Shulman, Amichai, Dulce, Sagie
Primary Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US14/688,914
Publication Number

US 20160261616A1
Time in Patent Office

691 Days
Field of Search

726/4, 726/22, 726/23, 726/25, 713/182
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 2221/034   Test or assess a computer o...

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/18   using different networks or...

Data access verification for enterprise resources

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Data access verification for enterprise resources

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links