Threat Management System
Drawings
Figure 1 illustrates an environment for threat management.
Figure 1 illustrates an environment for threat management. Specifically, Figure 1 depicts a block diagram of a threat management facility 168 providing protection to one or more enterprises, networks, locations, users, businesses, etc. against a variety of threats, a context in which the techniques disclosed herein may usefully be deployed. The threat management facility 168 may be used to protect devices and assets (e.g., IoT devices or other devices) from computer-generated and human-generated threats. For example, a corporation, school, web site, homeowner, network administrator, or other entity may institute and enforce one or more policies that control or prevent certain network users (e.g. employees, residents, users, guests, etc.) from accessing certain types of applications, devices, or resources, either generally or in a particular manner. Policies may be created, deployed and managed, for example, through the threat management facility 168, which may update and monitor network devices, users, and assets accordingly.
The threat of malware or other compromise may be present at various points within a network 170 such as laptops, desktops, servers, gateways, communication ports, handheld or mobile devices, IoT devices, and firewalls. In addition to controlling or stopping malicious code, a threat management facility 168 may provide policy management to control devices, applications, or users that might otherwise undermine productivity and network performance within the network 170.
The threat management facility 168 may provide protection to network 170 from computer-based malware, including viruses, spyware, adware, trojans, intrusion, spam, policy abuse, advanced persistent threats, uncontrolled access, and the like. In general, the network 170 may be any networked computer-based infrastructure or the like managed by the threat management facility 168, such as an organization, association, institution, or the like, or a cloud-based facility that is available for subscription by individuals. For example, the network 170 may be a corporate, commercial, educational, governmental, or other network 170, and may include multiple networks, computing resources, and other facilities, may be distributed among more than one geographical location, and may include an administration facility 108, a firewall 110, an appliance 144, a server 136, network devices 132-B, and clients 114-D, such as IoT devices or other devices. It will be understood that any reference herein to a client or client facilities may include the clients 114-D shown in Figure 1 and vice versa. Further, the recitation of an element number ending with a letter should be understood to refer to a particular instance of the element, and the recitation of an element number without a letter should be understood to refer to any one or more instances of the element. Thus, for example, the recitation of the client 114 should be understood to refer only to the specific instance of the client labeled 114 in Figure 1, while the recitation of the clients 144 should be understood to refer to any one or more instances of the client labeled 114, 116, 118, 128, 126, 130, 120 in Figure 1, unless otherwise specified or made clear from the context.
The threat management facility 168 may include computers, software, or other computing facilities supporting a plurality of functions, such as one or more of a security management facility 102, a policy management facility 146, an update facility 150, a definitions management facility 156, a network access rules facility 106, a remedial action facility 152, a detection techniques facility 148, a testing facility 164, a threat research facility 104, and the like. In embodiments, the threat protection provided by the threat management facility 400 may extend beyond the network boundaries of the network 170 to include clients 128 (or client facilities) that have moved into network connectivity not directly associated with or controlled by the network 170. Threats to client facilities may come from a variety of sources, such as from network threats 154, physical proximity threats 158, a secondary location threat network 162, and the like. Clients 114-D may be protected from threats even when the client 114-D is not directly connected to or in association with the network 170, such as when a client 126-F moves in and out of the network 170, for example when interfacing with an unprotected server 138 through the internet 160, when a client 130 is moving into the secondary location threat network 162 such as interfacing with components that are not protected (e.g., the appliance 166, the server 142, the network devices 122, 124, and the like).
The threat management facility 168 may use or may be included in an integrated system approach to provide the network 170 with protection from a plurality of threats to device resources in a plurality of locations and network configurations. The threat management facility 168 may also or instead be deployed as a stand-alone solution. For example, some or all of the threat management facility 168 components may be integrated into a server or servers at a remote location, for example in a cloud computing facility. As another example, some or all of the threat management facility 168 components may be integrated into a firewall, gateway, or access point within or at the border of the network 170. In some embodiments, the threat management facility 168 may be integrated into a product, such as a third-party product (e.g., through an application programming interface), which may be deployed on endpoints, on remote servers, on internal servers or gateways for a network, or some combination of these.
The security management facility 102 may include a plurality of elements that provide protection from malware to device resources of the network 170 in a variety of ways, including endpoint security and control, email security and control, web security and control, reputation-based filtering, control of unauthorized users, control of guest and non-compliant computers, and the like. The security management facility 102 may include a local software application that provides protection to one or more device resources of the network 402. The security management facility 102 may have the ability to scan client facility files for malicious code, remove or quarantine certain applications and files, prevent certain actions, perform remedial actions and perform other security measures. This may include scanning some or all of the files stored on the client facility or accessed by the client facility on a periodic basis, scanning an application when the application is executed, scanning data (e.g., files or other communication) in transit to or from a device, etc. The scanning of applications and files may be performed to detect known or unknown malicious code or unwanted applications.
The security management facility 102 may provide email security and control. The security management facility 102 may also or instead provide for web security and control, such as by helping to detect or block viruses, spyware, malware, unwanted applications, and the like, or by helping to control web browsing activity originating from client devices. In certain embodiments, the security management facility 102 may provide for network access control, which may provide control over network connections. In addition, network access control may control access to virtual private networks (VPN) that provide communications networks tunneled through other networks. The security management facility 102 may provide host intrusion prevention through behavior-based analysis of code, which may guard against known or unknown threats by analyzing behavior before or while code executes. Further, or instead, the security management facility 102 may provide reputation filtering, which may target or identify sources of code.
In embodiments, the security management facility 102 may use wireless characteristics to identify a device on the network 170. For example, the security management facility 102 may determine a reliability index value of any one or more devices (e.g., the servers 142, the clients 144, and combinations thereof) connected via a wireless link to the network 170, for example, an IoT device. Through one or more access points (e.g., the firewall 110) or other sensor (e.g., the appliance 144) in the network 170, the security management facility 102 may monitor RF characteristics of the IoT device to obtain current RF characteristics. The security management facility 102 may compare the current RF characteristics to baseline RF characteristics; when the comparison yields a match between the current RF characteristics and the baseline RF characteristics, it may adjust the reliability index value to indicate greater reliability, and when the comparison yields no match, it may adjust the reliability index value to indicate lesser reliability. When the reliability index value exceeds a threshold value, the security management facility 102 may perform an action to reduce a potential threat of the IoT device to the network. This aspect of the security management facility 102 may also take place on the firewall 110 (e.g., an access point) or appliance 144.
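The reliability index described above, as an added example that is not code from the original document: a baseline of RF characteristics (from the definitions management facility) is compared to each observation within a per-characteristic tolerance, a match lowers the index and a mismatch raises it, and when the index exceeds the policy threshold a remedial action name is returned. The characteristic names, tolerances, step sizes and sample observations are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed: RF characteristics an access point or sensor might report.
RF_FIELDS = ("rssi_dbm", "freq_offset_ppm", "channel", "tx_rate_mbps")

# Constructed: an observation matches when every characteristic lies within
# baseline +/- tolerance. Channel and rate must match exactly.
TOLERANCE = {"rssi_dbm": 6.0, "freq_offset_ppm": 2.0, "channel": 0, "tx_rate_mbps": 0.0}


@dataclass
class DevicePolicy:
    """Assumed shape of a per-device policy from the policy management facility."""
    threshold: int            # index above which action is taken
    step_up: int = 2          # increase on mismatch (lesser reliability)
    step_down: int = 1        # decrease on match (greater reliability)
    action: str = "isolate"   # remedial action name when threshold exceeded


@dataclass
class DeviceState:
    """Per-device state kept by the security management facility (assumed)."""
    baseline: Dict[str, float]          # baseline RF characteristics
    reliability_index: int = 0          # 0 means most reliable
    history: List[str] = field(default_factory=list)


def rf_match(baseline: Dict[str, float], current: Dict[str, float]) -> bool:
    """True when every RF characteristic is within tolerance of its baseline.

    A missing characteristic is treated as a mismatch so that a sensor that
    stops reporting a value cannot silently keep the index low.
    """
    for name in RF_FIELDS:
        if name not in current:
            return False
        if abs(current[name] - baseline[name]) > TOLERANCE[name]:
            return False
    return True


def observe(state: DeviceState, current: Dict[str, float],
            policy: DevicePolicy) -> Optional[str]:
    """Apply one RF observation to the device's reliability index.

    Returns the remedial action name when the index exceeds the policy
    threshold, otherwise None. The index never drops below zero.
    """
    if rf_match(state.baseline, current):
        state.reliability_index = max(0, state.reliability_index - policy.step_down)
        state.history.append("match")
    else:
        state.reliability_index += policy.step_up
        state.history.append("mismatch")
    if state.reliability_index > policy.threshold:
        return policy.action
    return None


def run_scenario() -> Tuple[int, List[Optional[str]]]:
    """Constructed scenario: one matching observation, then three that drift."""
    state = DeviceState(baseline={"rssi_dbm": -55.0, "freq_offset_ppm": 0.5,
                                  "channel": 6, "tx_rate_mbps": 54.0})
    policy = DevicePolicy(threshold=5)
    observations = [
        {"rssi_dbm": -58.0, "freq_offset_ppm": 1.0, "channel": 6, "tx_rate_mbps": 54.0},
        {"rssi_dbm": -80.0, "freq_offset_ppm": 0.5, "channel": 6, "tx_rate_mbps": 54.0},
        {"rssi_dbm": -55.0, "freq_offset_ppm": 9.0, "channel": 6, "tx_rate_mbps": 54.0},
        {"rssi_dbm": -55.0, "freq_offset_ppm": 0.5, "tx_rate_mbps": 54.0},  # channel missing
    ]
    actions = [observe(state, obs, policy) for obs in observations]
    return state.reliability_index, actions


if __name__ == "__main__":
    print(run_scenario())
```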
In general, the security management facility 102 may support overall security of the network 170 using the various techniques described above, optionally as supplemented by updates of malicious code information and so forth for distribution across the network 170.
The administration facility 108 may provide control over the security management facility 102 when updates are performed. Information from the security management facility 102 may also be sent from the enterprise back to a third party, a vendor, or the like, which may lead to improved performance of the threat management facility 168.
The policy management facility 146 of the threat management facility 168 may be configured to take actions, such as to block applications, users, communications, devices, and so on based on determinations made. The policy management facility 146 may employ a set of rules or policies that determine network 170 access permissions for one or more of the clients 144. In some embodiments, a policy database may include a block list, a black list, an allowed list, a white list, or the like, or combinations of the foregoing, that may provide a list of resources internal or external to the network 170 that may or may not be accessed by the clients 144. The policy management facility 146 may also or instead include rule-based filtering of access requests or resource requests, or other suitable techniques for controlling access to resources consistent with a corresponding policy.
In embodiments, the policy management facility 146 may include reliability index thresholds for devices, such as IoT devices. The policy management facility 146 may include policies to permit or deny access, to take remedial action, to issue alerts, and so on based on particular reliability index determinations.
The policy management facility 146 may also or instead provide configuration policies to be used to compare and control the configuration of applications, operating systems, hardware, devices, and the like associated with the network 170. An evolving threat environment may dictate timely updates, and thus the update management facility 150 may also be provided by the threat management facility 168. In addition, the policy management facility 146 may require update management (e.g., as provided by the update facility 150 herein described). In embodiments, the update management facility 150 may provide for patch management or other software updating, version control, and so forth.
The security facility 102 and policy management facility 146 may push information to the network 170 and/or to a given one or more of the clients 144. The network 170 and/or one or more of the clients 114-F may also or instead request information from the security facility 102 and/or from the policy management facility 146, the servers 136-C, or there may be a combination of pushing and pulling of information. In some embodiments, the update modules of the policy management facility 146 and the security facility 102 may work in concert to provide information to the network 170 and/or to one or more of the clients 114 for control of applications, devices, users, and so on.
As threats are identified and characterized, the threat management facility 168 may create updates that may be used to allow the threat management facility 168 to detect and remediate malicious software, unwanted applications, configuration and policy changes, and the like. The definitions management facility 156 may contain threat identification updates, also referred to as definition files. A definition file may be a virus identity file that may include definitions of known or potential malicious code. The virus identity definition files may provide information that may identify malicious code within files, applications, or the like. The definition files may be accessed by the security management facility 102 when scanning files or applications within the client facility for the determination of malicious code that may be within the file or application. The definitions management facility 156 may include a definition for a neural network or other recognition engine. The definitions management facility 156 may provide timely updates of definition file information to the network, client facilities, and the like.
In embodiments, the definitions management facility 156 may include default values or baseline values for RF characteristics of devices, such as IoT devices. For example, the definitions management facility 156 may include a baseline value for particular RF characteristics of a particular IoT device.
The security management facility 102 may be used to scan an outgoing file and verify that the outgoing file is permitted to be transmitted per rules and policies of the network 170. By checking outgoing files, the security management facility 102 may be able to discover malicious code infected files that were not detected as incoming files.
The threat management facility 168 may provide controlled access to the network 170. For example, the network access rules facility 106 may be responsible for determining if an application running on a given one or more of the clients 144 should be granted access to a requested network resource. In some embodiments, the network access rules facility 106 may verify access rights for one or more of the client facilities to or from the network 170 or may verify access rights of computer facilities to or from external networks. When network access for a client facility is denied, the network access rules facility 106 may send an information file to the client facility (e.g., a command or command file that the remedial action facility 428 may access and take action upon). The network access rules facility 106 may include one or more databases including one or more of a block list, a black list, an allowed list, a white list, a reputation list, an unacceptable network resource database, an acceptable network resource database, a network resource reputation database, or the like. The network access rules facility 106 may incorporate rule evaluation. Rule evaluation may, for example, parse network access requests and apply the parsed information to network access rules. The network access rule facility 106 may also or instead provide updated rules and policies to the network 170.
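Rule evaluation in the network access rules facility, as an added example that is not code from the original document: a request is parsed, then checked against a block list, an allowed list and a resource reputation database in that order, and a denial carries a command string for the remedial action facility. The request format, list contents, reputation scores and command names are constructed assumptions.

```python
from typing import Dict, NamedTuple, Optional


class AccessRequest(NamedTuple):
    client: str   # client identifier, e.g. "114"
    app: str      # application requesting access
    host: str     # requested network resource (lower-cased)
    port: int


class Decision(NamedTuple):
    allow: bool
    reason: str
    command: Optional[str]   # command for the remedial action facility, if denied


def parse_request(text: str) -> AccessRequest:
    """Parse a constructed request format: "client=114 app=browser dst=host:443".

    Malformed tokens, a missing field or a bad port raise ValueError so that an
    unparseable request never falls through to an allow decision.
    """
    fields: Dict[str, str] = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed token: {token!r}")
        fields[key] = value
    for required in ("client", "app", "dst"):
        if required not in fields:
            raise ValueError(f"missing field: {required}")
    host, sep, port = fields["dst"].rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError("dst must be host:port")
    return AccessRequest(fields["client"], fields["app"], host.lower(), int(port))


class NetworkAccessRules:
    """Assumed evaluator over the databases the text lists (block/allowed/reputation)."""

    def __init__(self, block_list, allowed_list, reputation: Dict[str, int],
                 min_reputation: int):
        self.block_list = {h.lower() for h in block_list}
        self.allowed_list = {h.lower() for h in allowed_list}
        self.reputation = {h.lower(): s for h, s in reputation.items()}
        self.min_reputation = min_reputation

    def evaluate(self, req: AccessRequest) -> Decision:
        # 1. A block-listed resource is denied regardless of any other list.
        if req.host in self.block_list:
            return Decision(False, "block list",
                            f"block {req.client} {req.app} {req.host}:{req.port}")
        # 2. An explicitly allowed resource skips the reputation check.
        if req.host in self.allowed_list:
            return Decision(True, "allowed list", None)
        # 3. Otherwise consult reputation; an unknown resource scores 0 (untrusted).
        score = self.reputation.get(req.host, 0)
        if score < self.min_reputation:
            return Decision(False, f"reputation {score} below {self.min_reputation}",
                            f"scan {req.client} {req.app}")
        return Decision(True, f"reputation {score}", None)


# Constructed sample databases.
EXAMPLE_RULES = NetworkAccessRules(
    block_list=["bad.example"],
    allowed_list=["intranet.example"],
    reputation={"news.example": 80, "shady.example": 10},
    min_reputation=50,
)


def decide(rules: NetworkAccessRules, text: str) -> Decision:
    """Parse and evaluate one request."""
    return rules.evaluate(parse_request(text))


if __name__ == "__main__":
    for line in ("client=114 app=browser dst=Bad.example:80",
                 "client=114 app=mail dst=intranet.example:993",
                 "client=116 app=browser dst=shady.example:443",
                 "client=116 app=browser dst=unknown.example:443"):
        print(line, "->", decide(EXAMPLE_RULES, line))
```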
When a threat or policy violation is detected by the threat management facility 168, the threat management facility 168 may perform or initiate remedial action through the remedial action facility 152. Remedial action may take a variety of forms, such as terminating or modifying an ongoing process or interaction, issuing an alert, sending a warning (e.g., to a client or to the administration facility 108) of an ongoing process or interaction, executing a program or application to remediate against a threat or violation, recording interactions for subsequent evaluation, and so forth. The remedial action may include one or more of blocking some or all requests to a network location or resource, performing a malicious code scan on a device or application, performing a malicious code scan on one or more of the clients 144, quarantining a related application (or files, processes or the like), terminating the application or device, isolating the application or device, moving a process or application code to a sandbox for evaluation, isolating one or more of the clients 144 to a location or status within the network that restricts network access, blocking a network access port from one or more of the clients 144, reporting the application to the administration facility 108, or the like, as well as any combination of the foregoing.
In embodiments, remedial action may be taken based on a reliability index determination based on RF characteristics of a wireless device.
Remedial action may be provided as a result of a detection of a threat or violation. The detection techniques facility 148 may include tools for monitoring the network 170 or managed devices within the network 170. The detection techniques facility 148 may provide functions such as monitoring activity and stored files on computing facilities. Detection techniques, such as scanning a computer’s stored files, may provide the capability of checking files for stored threats, either in the active or passive state. Detection techniques such as streaming file management may be used to check files received at the network 170, a gateway facility, a client facility, and the like.
Verifying that the threat management facility 168 detects threats and violations to established policy, may require the ability to test the system, either at the system level or for a particular computing component. The testing facility 164 may allow the administration facility 108 to coordinate the testing of the security configurations of computing facilities of the clients 144 on the network 170. For example, the administration facility 108 may be able to send test files to a set of computing facilities of the clients 144 to test the ability of a given client facility to determine acceptability of the test file. After the test file has been transmitted, a recording facility may record the actions taken by one or more of the clients 144 in reaction to the test file. The recording facility may aggregate the testing information from the clients 144 and report the testing information to the administration facility 108. The administration facility 108 may be able to determine the level of preparedness of the respective clients 144 based on the reported information. Remedial action may be taken for any of the clients 144 as determined by the administration facility 108.
The threat management facility 168 may provide threat protection across the network 170 to devices such as the clients 144, the servers 142, the administration facility 108, the firewall 138, a gateway, one or more of the network devices 148 (e.g., hubs and routers), one or more of the appliances 140 (e.g., a threat management appliance), any number of desktop or mobile users, and the like. As used herein, the term endpoint may refer to any compute instance running on a device that can source data, receive data, evaluate data, buffer data, process data or the like (such as a user’s desktop computer, laptop, IoT device, server, etc.). This may, for example, include any client devices as well as other network devices and the like within the network 170, such as a firewall or gateway (as a data evaluation endpoint computer system), a laptop (as a mobile endpoint computer), a tablet (as a hand-held endpoint computer), a mobile phone, or the like. The term endpoint may also or instead refer to any final or intermediate source or destination for data within a network 170. An endpoint computer security facility 112 may be an application locally loaded onto any corresponding computer platform or computer support component, either for local security functions or for management by the threat management facility 168 or other remote resource, or any combination of these.
The network 170 may include a plurality of client facility computing platforms (e.g., the clients 144) on which the endpoint computer security facility 112 is installed. A client facility computing platform may be a computer system that is able to access a service on another computer, such as one or more of the servers 142, via a network. The endpoint computer security facility 112 may, in corresponding fashion, provide security in any suitable context such as among a plurality of networked applications, for a client facility connecting to an application server facility, for a web browser client facility connecting to a web server facility, for an e-mail client facility retrieving e-mail from an internet 160 service provider’s mail storage servers or web site, and the like, as well as any variations or combinations of the foregoing. As used herein, any one or more of the application server facility, the web server facility, and the mail storage servers should be understood to include one or more of the servers 142.
The network 170 may include one or more of the servers 142, such as application servers, communications servers, file servers, database servers, proxy servers, mail servers, fax servers, game servers, web servers, and the like. The servers 142, which may also be referred to as server facilities 142, server facility 142 applications, server facility 142 operating systems, server facility 142 computers, or the like, may be any device(s), application program(s), operating system(s), or combination of the foregoing that accepts client facility connections to service requests from the clients 144. In embodiments, the threat management facility 168 may provide threat protection to server facilities 142 within the network 170 as load conditions and application changes are made.
The server facilities 142 may include an appliance facility 140, where the appliance facility 140 provides specific services to other devices on the network 170. The server facilities may also include simple appliances utilized across the network 170 infrastructure, such as switches, routers, hubs, gateways, print servers, modems, and the like. These appliances may provide interconnection services within the network 170, and therefore may advance the spread of a threat if not properly protected.
The clients 144 may be protected from threats from within the network 170 using a local or personal firewall, which may be a hardware firewall, software firewall, or a combination thereof, that controls network traffic to and from a client. The local firewall may permit or deny communications based on a security policy. The endpoint computer security facility 112 may additionally protect the firewall 110, which may include hardware or software, in a standalone device or integrated with another network component, that may be configured to permit, deny, or proxy data through the network 170.
The interface between the threat management facility 168 and the network 170, and through the appliance 140 to embedded endpoint computer security facilities, may include a set of tools that may be the same or different for various implementations, and may allow each network administrator to implement custom controls. In embodiments, these controls may include both automatic actions and managed actions. The administration facility 108 may configure policy rules that determine interactions. The administration facility 108 may also establish license management, which in turn may further determine interactions associated with licensed applications. In embodiments, interactions between the threat management facility 168 and the network 170 may provide threat protection to the network 170 by managing the flow of network data into and out of the network 170 through automatic actions that may be configured by the threat management facility 168 for example by action or configuration of the administration facility 108.
The clients 144 within the network 170 may be connected to the network 170 by way of the network devices 132-B, which may be wired devices or wireless facilities. The clients 144 may be mobile wireless facilities and, because of their ability to connect to a wireless network access point, may connect to the internet 160 outside the physical boundary of the network 170, and therefore outside the threat-protected environment of the network 170. Such mobile wireless facilities, if not for the presence of a locally-installed endpoint computer security facility 112, may be exposed to a malware attack or perform actions counter to policies of the network 170. Thus, the endpoint computer security facility 112 may provide local protection against various threats and policy violations. The threat management facility 168 may also or instead be configured to protect the out-of-enterprise facility mobile client facility (e.g., the clients 144) through interactions over the internet 160 (or other network) with the locally-installed endpoint computer security facility 112. Thus, mobile client facilities that are components of the network 170 but temporarily outside connectivity with the network 170 may be provided with the same or similar threat protection and policy control provided to the clients 144 inside the network 170. In addition, mobile client facilities (e.g., the clients 444) may receive the same interactions to and from the threat management facility 168 as client facilities 144 inside the enterprise facility 102, such as by receiving the same or equivalent services via an embedded endpoint computer security facility 112.
Interactions between the threat management facility 168 and the components of the network 170, including mobile client facility extensions of the network 170, may ultimately be connected through the internet 160 or any other network or combination of networks. Security-related or policy-related downloads and upgrades to the network 170 may be passed from the threat management facility 168 through to components of the network 170 equipped with the endpoint computer security facility 112. In turn, the endpoint computer security facilities 112 of the enterprise facility 102 may upload policy and access requests back across the internet 160 and through to the threat management facility 168. The internet 160, however, is also the path through which threats may be transmitted from their source, and one or more of the endpoint computer security facilities 112 may be configured to protect a device outside the network 170 through locally-deployed protective measures and through suitable interactions with the threat management facility 168.
Thus, if the mobile client facility were to attempt to connect into an unprotected connection point, such as at the secondary location threat network 162 that is not a part of the network 170, the mobile client facility, such as one or more of the clients 144, may be required to request network interactions through the threat management facility 168, where contacting the threat management facility 168 may be performed prior to any other network action. In embodiments, the endpoint computer security facility 112 of the client 144 may manage actions in unprotected network environments such as when the client facility (e.g., the client 130) is in a secondary location 162, where the endpoint computer security facility 112 may dictate which applications, actions, resources, users, etc. are allowed, blocked, modified, or the like.
The secondary location threat network 162 may have no endpoint computer security facilities 112 as a part of its components, such as the firewall 140, the server 142, the client 120, the network devices 448C-D (e.g., hubs and routers), and the like. As a result, the components of the secondary location threat network 162 may be open to threat attacks, and may become potential sources of threats, as well as any mobile enterprise facility clients (e.g., the clients 116-F) that may be connected to the secondary location threat network 162. In such instances, these components may now unknowingly spread a threat to other devices connected to the network 170.
Some threats do not come directly from the internet 160. For example, one or more physical proximity threats 158 may be deployed on a client device while that device is connected to an unprotected network connection outside the network 170 and, when the client device is subsequently connected to one or more of the clients 144 on the network 402, the device can deploy malware or otherwise pose a threat. In embodiments, the endpoint computer security facility 112 may protect the network 170 against these types of physical proximity threats 158, for instance, through scanning any device prior to allowing data transfers, through security validation certificates, through establishing a safe zone within the network 170 to receive data for evaluation, and the like.
Figure 2 illustrates a computer system 200 in accordance with one embodiment.
Figure 2 illustrates a computer system. In general, the computer system 200 may include a computing device 206 connected to a network 202, for example, through an external device 204. The computing device 206 may be or may include any type of network endpoint or endpoints as described herein such as, for example, the network endpoints described above with reference to Figure 1. For example, the computing device 206 may include a desktop computer workstation. The computing device 206 may also or instead be any suitable device that has processes and communicates over the network 202 including, without limitation, a laptop computer, a desktop computer, a personal digital assistant, a tablet, a mobile phone, a television, a set top box, a wearable computer (e.g., watch, jewelry, or clothing), a home device (e.g., a thermostat or a home appliance controller), just as some examples. The computing device 206 may also or instead include a server, or it may be disposed on a server.
The computing device 206 may be used for any of the entities described in the threat management environment described above with reference to Figure 1. For example, the computing device 206 may be a server, a client, an enterprise facility, a threat management facility, or any of the other facilities or computing devices described therein. In certain aspects, the computing device 206 may be implemented using hardware (e.g., in a desktop computer), software (e.g., in a virtual machine or the like), or a combination of software and hardware, and the computing device 206 may be a standalone device, a device integrated into another entity or device, a platform distributed across multiple entities, or a virtualized device executing in a virtualization environment.
The network 202 may include any network described above, e.g., data network(s) or internetwork(s) suitable for communicating data and control information among participants in the computer system 200. This may include public networks such as the internet, private networks, and telecommunications networks such as the Public Switched Telephone Network or cellular networks using third generation cellular technology (e.g., 3G or IMT-2000), fourth generation cellular technology (e.g., 4G, LTE, IMT-Advanced, E-UTRA, etc.) or WiMax-Advanced (IEEE 802.16m) and/or other technologies, as well as any of a variety of corporate area, metropolitan area, campus or other local area networks or enterprise networks, along with any switches, routers, hubs, gateways, and the like that might be used to carry data among participants in the computer system 200. The network 202 may also include a combination of data networks, and need not be limited to a strictly public or private network.
The external device 204 may be any computer or other remote resource that connects to the computing device 206 through the network 202. This may include threat management resources such as any of those contemplated above, gateways or other network devices, remote servers or the like containing content requested by the computing device 206, a network storage device or resource, a device hosting malicious content, or any other resource or device that might connect to the computing device 206 through the network 202.
The computing device 206 may include a processor 208, a memory 210, a network interface 212, a data store 214, and one or more input/output interfaces 216. The computing device 206 may further include or be in communication with peripherals 218 and other external input/output devices.
The processor 208 may be any as described herein, and in general may be capable of processing instructions for execution within the computing device 206 or computer system 200. The processor 208 may include a single-threaded processor or a multi-threaded processor. The processor 208 may be capable of processing instructions stored in the memory 210 or on the data store 214.
The memory 210 may store information within the computing device 206 or computer system 200. The memory 210 may include any volatile or non-volatile memory or other computer-readable medium, including without limitation a Random-Access Memory (RAM), a flash memory, a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable PROM (EPROM), registers, and so forth. The memory 210 may store program instructions, program data, executables, and other software and data useful for controlling operation of the computing device 200 and configuring the computing device 200 to perform functions for a user. The memory 210 may include a number of different stages and types for different aspects of operation of the computing device 206. For example, a processor (e.g., the processor 208) may include on-board memory and/or cache for faster access to certain data or instructions, and a separate, main memory or the like may be included to expand memory capacity as desired.
The memory 210 may, in general, include a non-volatile computer-readable medium containing computer code that, when executed by the computing device 200, creates an execution environment for a computer program in question (e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system, or a combination of the foregoing, and/or code that performs some or all of the steps set forth in the various flow charts and other algorithmic descriptions set forth herein). While the memory 210 is depicted as a single memory, it will be understood that any number of memories may be usefully incorporated into the computing device 206. For example, a first memory may provide non-volatile storage such as a disk drive for permanent or long-term storage of files and code even when the computing device 206 is powered down. A second memory such as a Random-Access Memory may provide volatile (but higher speed) memory for storing instructions and data for executing processes. A third memory may be used to improve performance by providing even higher speed memory physically adjacent to the processor 208 for registers, caching and so forth.
The network interface 212 may include any hardware and/or software for connecting the computing device 206 in a communicating relationship with other resources through the network 202. This may include remote resources accessible through the internet, as well as local resources available using short range communications protocols using, e.g., physical connections (e.g., ethernet), radio frequency communications (e.g., WiFi), optical communications (e.g., fiber optics, infrared, or the like), ultrasonic communications, or any combination of these or other media that might be used to carry data between the computing device 206 and other devices. The network interface 212 may, for example, include a router, a modem, a network card, an infrared transceiver, a radio frequency (RF) transceiver, a near field communications interface, a radio-frequency identification (RFID) tag reader, or any other data reading or writing resource or the like.
More generally, the network interface 212 may include any combination of hardware and software suitable for coupling the components of the computing device 206 to other computing or communications resources and, thus, may typically include one or more communication channels 222 and be connected to one or more networks (e.g., the network 202). By way of example and not limitation, this may include electronics for wired or wireless transmission of information over the network 202, through a physical connection or wirelessly, depending on the needs of a specific implementation. As an example, the communication may be via an ethernet connection operating according to the IEEE 802.11 standard (or any variation thereof), or any other short or long range wireless networking components or the like. This may include hardware for short range data communications such as Bluetooth or an infrared transceiver, which may be used to couple to other local devices, or to connect to a local area network or the like that is in turn coupled to a data network 202 such as the internet. This may also or instead include hardware/software for a WiMax connection or a cellular network connection (using, e.g., CDMA, GSM, LTE, or any other suitable protocol or combination of protocols). The network interface 212 may be included as part of the input/output interface 216 or vice-versa.
The data store 214 may be any internal memory store providing a computer-readable medium such as a disk drive, an optical drive, a magnetic drive, a flash drive, or other device capable of providing mass storage for the computing device 206. The data store 214 may store computer-readable instructions, data structures, program modules, and other data for the computing device 206 or computer system 200 in a non-volatile form for subsequent retrieval and use. For example, the data store 214 may store without limitation one or more of the operating system, application programs, program data, databases, files, and other program modules or other software objects and the like.
The input/output interface 216 may support input from and output to other devices that might couple to the computing device 206. This may, for example, include serial ports (e.g., RS-232 ports), universal serial bus (USB) ports, optical ports, ethernet ports, telephone ports, audio jacks, component audio/video inputs, HDMI ports, and so forth, any of which might be used to form wired connections to other local devices. This may also or instead include an infrared interface, RF interface, magnetic card reader, or other input/output system for coupling in a communicating relationship with other local devices. It will be understood that, while the network interface 212 for network communications is described separately from the input/output interface 216 for local device communications, these two interfaces may be the same, or may share functionality, such as where a USB port is used to attach to a WiFi accessory, or where an ethernet connection is used to couple to a local network-attached storage.
A peripheral 218 may include any device used to provide information to or receive information from the computing device 200. This may include human input/output (I/O) devices such as a keyboard, a mouse, a mouse pad, a track ball, a joystick, a microphone, a foot pedal, a camera, a touch screen, a scanner, or other device that might be employed by the user 224 to provide input to the computing device 206. This may also or instead include a display, a speaker, a printer, a projector, a headset or any other audiovisual device for presenting information to a user. The peripheral 218 may also or instead include a digital signal processing device, an actuator, or other device to support control or communication to other devices or components. Other I/O devices suitable for use as a peripheral 218 include haptic devices, three-dimensional rendering systems, augmented-reality displays, magnetic card readers, and so forth. In one aspect, the peripheral 218 may serve as the network interface 212, such as with a USB device configured to provide communications via short range (e.g., Bluetooth, WiFi, infrared, RF, or the like) or long range (e.g., cellular data or WiMax) communications protocols. In another aspect, the peripheral 218 may provide a device to augment operation of the computing device 206, such as a global positioning system (GPS) device, a security dongle, or the like. In another aspect, the peripheral may be a storage device such as a flash card, USB drive, or other solid-state device, or an optical drive, a magnetic drive, a disk drive, or other device or combination of devices suitable for bulk storage. More generally, any device or combination of devices suitable for use with the computing device 200 may be used as the peripheral 218 as contemplated herein.
Other hardware 220 may be incorporated into the computing device 200. Examples of the other hardware 220 include a co-processor, a digital signal processing system, a math co-processor, a graphics engine, a video driver, and so forth. The other hardware 220 may also or instead include expanded input/output ports, extra memory, additional drives (e.g., a DVD drive or other accessory), and so forth.
A bus 226 or combination of busses may serve as an electromechanical platform for interconnecting components of the computing device 200, such as the processor 208, the memory 210, the network interface 212, the other hardware 220, the data store 214, and the input/output interface 216. As shown in the figure, each of the components of the computing device 206 may be interconnected using the bus 226 or other communication mechanism for communicating information.
Methods and systems described herein can be realized using the processor 208 of the computer system 200 to execute one or more sequences of instructions contained in the memory 210 to perform predetermined tasks. In embodiments, the computing device 200 may be deployed as a number of parallel processors synchronized to execute code together for improved performance, or the computing device 200 may be realized in a virtualized environment where software on a hypervisor or other virtualization management facility emulates components of the computing device 200 as appropriate to reproduce some or all of the functions of a hardware instantiation of the computing device 200.
Figure 3 illustrates a threat management system 300 in accordance with one embodiment.
Figure 3 illustrates an exemplary threat management system 300 as contemplated herein. In general, the threat management system may include an endpoint 302 (for example, a laptop, or a device such as an IoT device), an access point 304, a server 306, and a threat management facility 308 in communication with one another directly or indirectly through a data network 316, for example, as generally described above. Each of the entities depicted in Figure 3 may, for example, be implemented on one or more computing devices such as the computing device described above with reference to Figure 2.
A number of systems may be distributed across these various components to support threat management, for example, including a coloring system 310, a key management system 312 and a heartbeat system 314, each of which may include software components executing on any of the foregoing system components, and each of which may communicate with the threat management facility 308 or an endpoint threat protection agent 318 executing on an endpoint 302, on an access point or a firewall 304, or on a server 306 to support improved threat detection and remediation.
The coloring system 310 may be used to label or "color" software objects for improved tracking and detection of potentially harmful activity. The coloring system 310 may, for example, label files, executables, processes, network communications, data sources and so forth with any suitable label. A variety of techniques may be used to select static and/or dynamic labels for any of these various objects, and to manage the mechanics of applying and propagating coloring information as appropriate. For example, a process may inherit a color from an application that launches the process. Similarly, a file may inherit a color from a device when it is created or opened by a device, and/or a process may inherit a color from a file that the process has opened. More generally, any type of labeling, as well as rules for propagating, inheriting, changing, or otherwise manipulating such labels, may be used by the coloring system 310 as contemplated herein. A color may be or may be based on one or more reliability index values, the meeting of one or more reliability index thresholds, the rate of change of one or more reliability index values, etc. A color of a device may be used in a security policy. A color of a process, a file, a network request, and so on may be based on a color of a device, and that color may be used in a security policy.
The key management system 312 may support management of keys for the endpoint 302 in order to selectively permit or prevent access to content on the endpoint 302 on a file-specific basis, a process-specific basis, an application-specific basis, a user-specific basis, or any other suitable basis in order to prevent data leakage, and in order to support more fine-grained and immediate control over access to content on the endpoint 302 when a security compromise is detected. Thus, for example, if a particular process executing on the endpoint is compromised, or potentially compromised or otherwise under suspicion, keys to that process may be revoked in order to prevent, for example, data leakage or other malicious activity. In embodiments, keys on a device may be revoked based on one or more reliability index values, the meeting of one or more reliability index thresholds, the rate of change of one or more reliability index values, etc.
The heartbeat system 314 may be used to provide periodic or aperiodic information from an endpoint about system health, security, status, etc. A heartbeat may be encrypted or plaintext, or some combination of these, and may be communicated unidirectionally (e.g., from the endpoint 302 to the threat management facility 308) or bidirectionally (e.g., between the endpoint 302 and the server 306, or any other pair of system components) on a useful schedule.
In implementations, the access point or firewall 304 may use the heartbeat system 314 to report a potential or actual compromise of a device based, for example, on a color of the device, or based on one or more reliability index values, the meeting of one or more reliability index thresholds, the rate of change of one or more reliability index values, etc. The heartbeat from the access point 304 may be communicated to the server 306 (for example, an administrative server), or directly or indirectly to a threat management facility 308. If the endpoint device 302 has an endpoint threat protection facility 318, the endpoint threat protection facility 318 may be used to investigate the status further, or to take remedial measures, again by communication using the secure heartbeat.
In general, these various monitoring and management systems may cooperate to provide improved threat detection and response. For example, the coloring system 310 may be used to evaluate when a particular device is potentially compromised, and a potential threat may be confirmed based on an interrupted heartbeat from the heartbeat system 314 or by information communicated in a heartbeat. The key management system 312 may then be used to revoke keys to a process so that no further files can be opened, deleted or otherwise modified. More generally, the cooperation of these systems enables a wide variety of reactive measures that can improve detection and remediation of potential threats to an endpoint.
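The following is an added example, not code from the patent or from any product it describes, that simulates how the coloring system, heartbeat system and key management system described above could cooperate: colors derived from reliability index thresholds propagate from device to process and from file to process, an interrupted heartbeat confirms a suspect device, and the keys of every process on that device are then revoked. All class and function names, the reliability index scale, the thresholds, the heartbeat timeout and the sample scenario are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set

# Constructed reliability index scale: 0.0 = no confidence, 1.0 = fully reliable.
SUSPECT_THRESHOLD = 0.6
COMPROMISED_THRESHOLD = 0.3
HEARTBEAT_TIMEOUT_S = 30.0  # assumed schedule: no beat for 30 s counts as interrupted


class Color(Enum):
    TRUSTED = 0
    SUSPECT = 1
    COMPROMISED = 2


def color_from_index(index: float) -> Color:
    """Map a reliability index value onto a color via the assumed thresholds."""
    if index < COMPROMISED_THRESHOLD:
        return Color.COMPROMISED
    if index < SUSPECT_THRESHOLD:
        return Color.SUSPECT
    return Color.TRUSTED


def worse(a: Color, b: Color) -> Color:
    """Inheritance rule assumed here: an object never becomes more trusted than its source."""
    return a if a.value >= b.value else b


@dataclass
class ColoringSystem:
    """Labels devices, processes and files and propagates colors between them."""
    device_color: Dict[str, Color] = field(default_factory=dict)
    process_color: Dict[int, Color] = field(default_factory=dict)
    process_device: Dict[int, str] = field(default_factory=dict)
    file_color: Dict[str, Color] = field(default_factory=dict)

    def set_device_index(self, device: str, index: float) -> Color:
        self.device_color[device] = color_from_index(index)
        for pid, dev in self.process_device.items():  # processes follow their device
            if dev == device:
                self.process_color[pid] = worse(self.process_color[pid], self.device_color[device])
        return self.device_color[device]

    def launch(self, pid: int, device: str, launcher_color: Color) -> Color:
        """A process inherits a color from the application that launches it and from its device."""
        self.process_device[pid] = device
        self.process_color[pid] = worse(launcher_color, self.device_color[device])
        return self.process_color[pid]

    def create_file(self, path: str, device: str) -> Color:
        """A file created on a device inherits the device's color."""
        self.file_color[path] = self.device_color[device]
        return self.file_color[path]

    def open_file(self, pid: int, path: str) -> Color:
        """A process inherits the color of a file it has opened."""
        self.process_color[pid] = worse(self.process_color[pid], self.file_color[path])
        return self.process_color[pid]


@dataclass
class KeyManagementSystem:
    """Holds per-process content keys; revocation blocks any further file access."""
    keys: Dict[int, Set[str]] = field(default_factory=dict)
    revoked: Set[int] = field(default_factory=set)

    def grant(self, pid: int, path: str) -> bool:
        if pid in self.revoked:
            return False
        self.keys.setdefault(pid, set()).add(path)
        return True

    def revoke(self, pid: int) -> Set[str]:
        self.revoked.add(pid)
        return self.keys.pop(pid, set())

    def can_access(self, pid: int, path: str) -> bool:
        return path in self.keys.get(pid, set())


@dataclass
class HeartbeatSystem:
    """Records the last heartbeat per device and the status it reported."""
    last_seen: Dict[str, float] = field(default_factory=dict)
    reported: Dict[str, Color] = field(default_factory=dict)

    def beat(self, device: str, now: float, reported: Color = Color.TRUSTED) -> None:
        self.last_seen[device] = now
        self.reported[device] = reported

    def interrupted(self, device: str, now: float) -> bool:
        return now - self.last_seen.get(device, float("-inf")) > HEARTBEAT_TIMEOUT_S


def respond(device: str, coloring: ColoringSystem, heartbeat: HeartbeatSystem,
            keys: KeyManagementSystem, now: float) -> List[str]:
    """A non-trusted color flags the device; an interrupted heartbeat (or one reporting
    compromise) confirms it; then keys are revoked for every process on the device."""
    color = coloring.device_color.get(device, Color.TRUSTED)
    if color is Color.TRUSTED:
        return []
    confirmed = heartbeat.interrupted(device, now) or heartbeat.reported.get(device) is Color.COMPROMISED
    if not confirmed:
        return [f"{device}: {color.name.lower()}, awaiting heartbeat confirmation"]
    actions = []
    for pid, dev in coloring.process_device.items():
        if dev == device:
            lost = keys.revoke(pid)
            actions.append(f"{device}: revoked keys for pid {pid} ({len(lost)} files)")
    return actions


def demo() -> dict:
    """Constructed scenario: laptop-1 runs pid 100, its reliability index drops, its heartbeat stops."""
    coloring, keys, heartbeat = ColoringSystem(), KeyManagementSystem(), HeartbeatSystem()
    coloring.set_device_index("laptop-1", 0.9)
    heartbeat.beat("laptop-1", now=0.0)
    coloring.launch(100, "laptop-1", Color.TRUSTED)
    coloring.create_file("/home/u/report.docx", "laptop-1")
    coloring.open_file(100, "/home/u/report.docx")
    keys.grant(100, "/home/u/report.docx")
    first = respond("laptop-1", coloring, heartbeat, keys, now=10.0)   # trusted: nothing to do
    coloring.set_device_index("laptop-1", 0.5)                          # now suspect
    second = respond("laptop-1", coloring, heartbeat, keys, now=20.0)  # heartbeat still fresh
    third = respond("laptop-1", coloring, heartbeat, keys, now=45.0)   # heartbeat interrupted
    return {"process_color": coloring.process_color[100].name.lower(), "first": first,
            "second": second, "third": third,
            "access_after": keys.can_access(100, "/home/u/report.docx")}


if __name__ == "__main__":
    print(demo())
```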
Parts List
102  security management facility
104  threat research facility
106  network access rules facility
108  administration facility
110  firewall
112  security facility
114  clients
116  clients
118  clients
120  clients
122  network devices
124  network devices
126  clients
128  clients
130  clients
132  network devices
134  network devices
136  server
138  server
140  firewall
142  server
144  appliance
146  policy management
148  detection techniques
150  updates
152  remedial actions
154  network threats
156  definitions
158  physical proximity threats
160  internet
162  secondary location threat network
164  testing
166  appliance
168  threat management facility
170  network
200  computer system
202  network
204  external device
206  computing device
208  processor
210  memory
212  network interface
214  data store
216  input/output interface
218  peripherals
220  other hardware
222  communication channels
224  user
226  bus
300  threat management system
302  endpoint
304  access point or firewall
306  server
308  threat management facility
310  coloring system
312  key management system
314  heartbeat system
316  data network
318  endpoint threat protection facility