Figure 1 illustrates an environment for threat management. Specifically, Figure 1 depicts a block diagram of a threat management facility 168 providing protection to one or more enterprises, networks, locations, users, businesses, etc. against a variety of threats, a context in which the techniques disclosed herein may usefully be deployed. The threat management facility 168 may be used to protect devices and assets (e.g., IoT devices or other devices) from computer-generated and human-generated threats. For example, a corporation, school, web site, homeowner, network administrator, or other entity may institute and enforce one or more policies that control or prevent certain network users (e.g., employees, residents, users, guests, etc.) from accessing certain types of applications, devices, or resources generally or in a particular manner. Policies may be created, deployed and managed, for example, through the threat management facility 168, which may update and monitor network devices, users, and assets accordingly.
The threat of malware or other compromise may be present at various points within a network 170 such as laptops, desktops, servers, gateways, communication ports, handheld or mobile devices, IoT devices, and firewalls. In addition to controlling or stopping malicious code, a threat management facility 168 may provide policy management to control devices, applications, or users that might otherwise undermine productivity and network performance within the network 170.
The threat management facility 168 may provide protection to network 170 from computer-based malware, including viruses, spyware, adware, trojans, intrusion, spam, policy abuse, advanced persistent threats, uncontrolled access, and the like. In general, the network 170 may be any networked computer-based infrastructure or the like managed by the threat management facility 168, such as an organization, association, institution, or the like, or a cloud-based facility that is available for subscription by individuals. For example, the network 170 may be a corporate, commercial, educational, governmental, or other network 170, and may include multiple networks, computing resources, and other facilities, may be distributed among more than one geographical location, and may include an administration facility 108, a firewall 110, an appliance 144, a server 136, network devices 132-B, and clients 114-D, such as IoT devices or other devices. It will be understood that any reference herein to a client or client facilities may include the clients 114-D shown in Figure 1 and vice-versa. Further, the recitation of an element number ending with a letter should be understood to refer to a particular instance of the element, and the recitation of an element number without a letter should be understood to refer to any one or more instances of the element. Thus, for example, the recitation of the client 114 should be understood to refer only to the specific instance of the client labeled 114 in Figure 1, while the recitation of the clients 144 should be understood to refer to any one or more instances of the client labeled 114, 116, 118, 128, 126, 130, 120 in Figure 1, unless otherwise specified or made clear from the context.
The threat management facility 168 may include computers, software, or other computing facilities supporting a plurality of functions, such as one or more of a security management facility 102, a policy management facility 146, an update facility 150, a definitions management facility 156, a network access rules facility 106, a remedial action facility 152, a detection techniques facility 148, a testing facility 164, a threat research facility 104, and the like. In embodiments, the threat protection provided by the threat management facility 400 may extend beyond the network boundaries of the network 170 to include clients 128 (or client facilities) that have moved into network connectivity not directly associated with or controlled by the network 170. Threats to client facilities may come from a variety of sources, such as from network threats 154, physical proximity threats 158, a secondary location threat network 162, and the like. Clients 114-D may be protected from threats even when the client 114-D is not directly connected to or in association with the network 170, such as when a client 126-F moves in and out of the network 170, for example when interfacing with an unprotected server 138 through the internet 160, or when a client 130 moves into the secondary location threat network 162 and interfaces with components that are not protected (e.g., the appliance 166, the server 142, the network devices 122, 124, and the like).
The threat management facility 168 may use or may be included in an integrated system approach to provide the network 170 with protection from a plurality of threats to device resources in a plurality of locations and network configurations. The threat management facility 168 may also or instead be deployed as a stand-alone solution. For example, some or all of the threat management facility 168 components may be integrated into a server or servers at a remote location, for example in a cloud computing facility. As another example, some or all of the threat management facility 168 components may be integrated into a firewall, gateway, or access point within or at the border of the network 170. In some embodiments, the threat management facility 168 may be integrated into a product, such as a third-party product (e.g., through an application programming interface), which may be deployed on endpoints, on remote servers, on internal servers or gateways for a network, or some combination of these.
The security management facility 102 may include a plurality of elements that provide protection from malware to device resources of the network 170 in a variety of ways, including endpoint security and control, email security and control, web security and control, reputation-based filtering, control of unauthorized users, control of guest and non-compliant computers, and the like. The security management facility 102 may include a local software application that provides protection to one or more device resources of the network 402. The security management facility 102 may have the ability to scan client facility files for malicious code, remove or quarantine certain applications and files, prevent certain actions, perform remedial actions and perform other security measures. This may include scanning some or all of the files stored on the client facility or accessed by the client facility on a periodic basis, scanning an application when the application is executed, scanning data (e.g., files or other communication) in transit to or from a device, etc. The scanning of applications and files may be performed to detect known or unknown malicious code or unwanted applications.
The security management facility 102 may provide email security and control. The security management facility 102 may also or instead provide for web security and control, such as by helping to detect or block viruses, spyware, malware, unwanted applications, and the like, or by helping to control web browsing activity originating from client devices. In certain embodiments, the security management facility 102 may provide for network access control, which may provide control over network connections. In addition, network access control may control access to virtual private networks (VPN) that provide communications networks tunneled through other networks. The security management facility 102 may provide host intrusion prevention through behavior-based analysis of code, which may guard against known or unknown threats by analyzing behavior before or while code executes. Further, or instead, the security management facility 102 may provide reputation filtering, which may target or identify sources of code.
In embodiments, the security management facility 102 may use wireless characteristics to identify a device on the network 170. For example, the security management facility 102 may determine a reliability index value of any one or more devices (e.g., the servers 142, the clients 144, and combinations thereof) connected via a wireless link to the network 170, for example, an IoT device. Through one or more access points (e.g., the firewall 110) or other sensor (e.g., the appliance 144) in the network 170, the security management facility 102 may monitor RF characteristics of the IoT device to obtain current RF characteristics. The security management facility 102 may compare the current RF characteristics to baseline RF characteristics; when the comparison finds a match between the current RF characteristics and the baseline RF characteristics, adjust the reliability index value to indicate greater reliability; when the comparison does not find a match, adjust the reliability index value to indicate lesser reliability; and when the reliability index value exceeds a threshold value, perform an action to reduce a potential threat of the IoT device to the network. This aspect of the security management facility 102 may also take place on the firewall 110 (e.g., an access point) or appliance 144.
In general, the security management facility 102 may support overall security of the network 170 using the various techniques described above, optionally as supplemented by updates of malicious code information and so forth for distribution across the network 170.
The administration facility 108 may provide control over the security management facility 102 when updates are performed. Information from the security management facility 102 may also be sent from the enterprise back to a third party, a vendor, or the like, which may lead to improved performance of the threat management facility 168.
The policy management facility 146 of the threat management facility 168 may be configured to take actions, such as to block applications, users, communications, devices, and so on based on determinations made. The policy management facility 146 may employ a set of rules or policies that determine network 170 access permissions for one or more of the clients 144. In some embodiments, a policy database may include a block list, a black list, an allowed list, a white list, or the like, or combinations of the foregoing, that may provide a list of resources internal or external to the network 170 that may or may not be accessed by the clients 144. The policy management facility 146 may also or instead include rule-based filtering of access requests or resource requests, or other suitable techniques for controlling access to resources consistent with a corresponding policy.
In embodiments, the policy management facility 146 may include reliability index thresholds for devices, such as IoT devices. The policy management facility 146 may include policies to permit or deny access, to take remedial action, to issue alerts, and so on based on particular reliability index determinations.
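The reliability index loop described for the security management facility 102 above (compare current RF characteristics to a baseline, adjust the index on match or mismatch, act when it exceeds a threshold) together with the threshold policies just mentioned for the policy management facility 146, worked through as an added example. This is illustrative code written for this page, not code from the patent or any product it describes. It assumes things the text does not specify: that RF characteristics are a set of named numeric measurements with a per-measurement tolerance, that the index starts at zero and grows as mismatches accumulate (so that "exceeds a threshold" means the device has become unreliable), and that the policy holds two tiers, an alert threshold and a higher remediation threshold. The baseline, policy values, and observations are constructed sample data.

```python
"""Reliability index for a wireless (e.g. IoT) device driven by RF characteristics.

Added illustration; not code from the patent. Assumptions (not stated by the text):
  * RF characteristics are a mapping of named numeric measurements; a "match" means
    every baseline characteristic is present and within its tolerance.
  * The index starts at 0.0 (fully reliable) and GROWS as mismatches accumulate,
    so "index exceeds a threshold" means the device looks unreliable.
  * Two policy thresholds: an alert tier and a higher remediation tier.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class RfBaseline:
    """Baseline RF characteristics for one device (as a definitions facility would hold)."""
    characteristics: dict[str, float]
    tolerances: dict[str, float]  # allowed absolute deviation per characteristic


@dataclass
class ReliabilityPolicy:
    """Index thresholds and step sizes (as a policy facility would hold)."""
    alert_threshold: float
    remediate_threshold: float
    match_step: float = 1.0      # how much one matching observation improves the index
    mismatch_step: float = 3.0   # how much one mismatching observation degrades it


@dataclass
class DeviceState:
    device_id: str
    index: float = 0.0
    history: list = field(default_factory=list)  # (matched, index, action) per observation


def rf_matches(current: dict[str, float], baseline: RfBaseline) -> bool:
    """True only if every baseline characteristic is present and within tolerance."""
    for name, expected in baseline.characteristics.items():
        if name not in current:
            return False
        if abs(current[name] - expected) > baseline.tolerances.get(name, 0.0):
            return False
    return True


def update_index(state: DeviceState, current: dict[str, float],
                 baseline: RfBaseline, policy: ReliabilityPolicy) -> bool:
    """Adjust the index toward reliable on a match, away from it on a mismatch."""
    matched = rf_matches(current, baseline)
    if matched:
        state.index = max(0.0, state.index - policy.match_step)
    else:
        state.index += policy.mismatch_step
    return matched


def decide_action(state: DeviceState, policy: ReliabilityPolicy) -> str:
    """Map the index to a policy outcome; action names are placeholders."""
    if state.index > policy.remediate_threshold:
        return "isolate_device"   # e.g. restrict the device's network access
    if state.index > policy.alert_threshold:
        return "alert_admin"
    return "permit"


def process_observations(device_id: str, observations: list[dict[str, float]],
                         baseline: RfBaseline, policy: ReliabilityPolicy) -> DeviceState:
    state = DeviceState(device_id)
    for current in observations:
        matched = update_index(state, current, baseline, policy)
        state.history.append((matched, state.index, decide_action(state, policy)))
    return state


# Constructed sample data: a baseline for one IoT sensor, a policy, and five readings
# taken by an access point. The last three readings drift away from the baseline.
SAMPLE_BASELINE = RfBaseline(
    characteristics={"rssi_dbm": -55.0, "channel": 6.0, "freq_offset_ppm": 2.0},
    tolerances={"rssi_dbm": 6.0, "channel": 0.0, "freq_offset_ppm": 1.0},
)
SAMPLE_POLICY = ReliabilityPolicy(alert_threshold=4.0, remediate_threshold=8.0)
SAMPLE_OBSERVATIONS = [
    {"rssi_dbm": -54.0, "channel": 6.0, "freq_offset_ppm": 2.2},   # match
    {"rssi_dbm": -57.0, "channel": 6.0, "freq_offset_ppm": 1.5},   # match
    {"rssi_dbm": -30.0, "channel": 6.0, "freq_offset_ppm": 2.0},   # RSSI far too strong
    {"rssi_dbm": -31.0, "channel": 11.0, "freq_offset_ppm": 2.1},  # wrong channel too
    {"rssi_dbm": -30.0, "channel": 11.0, "freq_offset_ppm": 5.0},  # everything off
]


def run_example() -> DeviceState:
    return process_observations("iot-sensor-01", SAMPLE_OBSERVATIONS,
                                SAMPLE_BASELINE, SAMPLE_POLICY)


if __name__ == "__main__":
    for matched, index, action in run_example().history:
        print(f"match={matched!s:5} index={index:4.1f} action={action}")
```

Because matches only step the index down by one while mismatches step it up by three, a device that briefly looks wrong is forgiven quickly, whereas a sustained change in its RF profile crosses the alert tier and then the remediation tier. The tolerances are what decide "match"; a channel tolerance of zero treats any channel change as a mismatch, while the RSSI tolerance absorbs ordinary signal variation.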
The policy management facility 146 may also or instead provide configuration policies to be used to compare and control the configuration of applications, operating systems, hardware, devices, and the like associated with the network 170. An evolving threat environment may dictate timely updates, and thus the update management facility 150 may also be provided by the threat management facility 168. In addition, the policy management facility 146 may require update management (e.g., as provided by the update facility 150 herein described). In embodiments, the update management facility 150 may provide for patch management or other software updating, version control, and so forth.
The security management facility 102 and the policy management facility 146 may push information to the network 170 and/or to a given one or more of the clients 144. The network 170 and/or one or more of the clients 114-F may also or instead request information from the security management facility 102, from the policy management facility 146, or from the servers 136-C, or there may be a combination of pushing and pulling of information. In some embodiments, the update modules of the policy management facility 146 and the security management facility 102 may work in concert to provide information to the network 170 and/or to one or more of the clients 114 for control of applications, devices, users, and so on.
As threats are identified and characterized, the threat management facility 168 may create updates that may be used to allow the threat management facility 168 to detect and remediate malicious software, unwanted applications, configuration and policy changes, and the like. The definitions management facility 156 may contain threat identification updates, also referred to as definition files. A definition file may be a virus identity file that may include definitions of known or potential malicious code. The virus identity definition files may provide information that may identify malicious code within files, applications, or the like. The definition files may be accessed by the security management facility 102 when scanning files or applications within the client facility for the determination of malicious code that may be within the file or application. The definitions management facility 156 may include a definition for a neural network or other recognition engine. The definitions management facility 156 may provide timely updates of definition files information to the network, client facilities, and the like.
In embodiments, the definitions management facility 156 may include default values or baseline values for RF characteristics of devices, such as IoT devices. For example, the definitions management facility 156 may include a baseline value for particular RF characteristics of a particular IoT device.
The security management facility 102 may be used to scan an outgoing file and verify that the outgoing file is permitted to be transmitted per rules and policies of the network 170. By checking outgoing files, the security management facility 102 may be able to discover malicious code infected files that were not detected as incoming files.
The threat management facility 168 may provide controlled access to the network 170. For example, the network access rules facility 106 may be responsible for determining if an application running on a given one or more of the clients 144 should be granted access to a requested network resource. In some embodiments, the network access rules facility 106 may verify access rights for one or more of the client facilities to or from the network 170 or may verify access rights of computer facilities to or from external networks. When network access for a client facility is denied, the network access rules facility 106 may send an information file to the client facility (e.g., a command or command file that the remedial action facility 428 may access and take action upon). The network access rules facility 106 may include one or more databases including one or more of a block list, a black list, an allowed list, a white list, a reputation list, an unacceptable network resource database, an acceptable network resource database, a network resource reputation database, or the like. The network access rules facility 106 may incorporate rule evaluation. Rule evaluation may, for example, parse network access requests and apply the parsed information to network access rules. The network access rules facility 106 may also or instead provide updated rules and policies to the network 170.
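The rule evaluation just described (parse a network access request, apply it to a block list, an allowed list and a reputation list, and on denial hand the client a command the remedial action facility can act on), as an added example. This is illustrative code written for this page, not code from the patent or any product. It assumes a request format the text does not define (a one-line record `client=<id> app=<name> dst=<host>:<port>`), a fixed precedence of block list before allowed list before reputation before a default, and a reputation score from 0 to 100; the rules and request lines are constructed sample data using reserved `.example` names.

```python
"""Rule evaluation for network access requests (network access rules facility).

Added illustration, not the patent's code. Assumptions (not stated by the text):
  * A request arrives as one text line "client=<id> app=<name> dst=<host>:<port>".
  * Precedence: block list, then allowed list, then reputation list, then the default.
  * List entries are exact hosts, or ".parent.example" to cover a whole domain.
  * A denial yields a small command record for a remedial action facility to act on.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    client: str
    app: str
    host: str
    port: int


class RequestParseError(ValueError):
    """Raised for malformed request lines; a malformed request is never allowed."""


def parse_request(line: str) -> AccessRequest:
    fields: dict[str, str] = {}
    for token in line.split():
        if "=" not in token:
            raise RequestParseError(f"bad token: {token!r}")
        key, value = token.split("=", 1)
        fields[key] = value
    missing = {"client", "app", "dst"} - set(fields)
    if missing:
        raise RequestParseError(f"missing fields: {sorted(missing)}")
    host, _, port = fields["dst"].rpartition(":")
    if not host or not port.isdigit():
        raise RequestParseError(f"bad dst: {fields['dst']!r}")
    return AccessRequest(fields["client"], fields["app"], host.lower(), int(port))


@dataclass
class AccessRules:
    block_list: set[str]
    allowed_list: set[str]
    reputation: dict[str, int]   # host -> score 0..100 (constructed scale)
    min_reputation: int = 50
    default_allow: bool = False  # deny anything no rule knows about


def host_in(host: str, entries: set[str]) -> bool:
    """Match an exact host, or a parent-domain entry such as '.vendor.example'."""
    for entry in entries:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def evaluate(req: AccessRequest, rules: AccessRules) -> tuple[str, str]:
    """Return (decision, reason); the block list always wins over the allowed list."""
    if host_in(req.host, rules.block_list):
        return "deny", "block_list"
    if host_in(req.host, rules.allowed_list):
        return "allow", "allowed_list"
    score = rules.reputation.get(req.host)
    if score is not None:
        return ("allow" if score >= rules.min_reputation else "deny"), f"reputation={score}"
    return ("allow" if rules.default_allow else "deny"), "default"


def denial_command(req: AccessRequest, reason: str) -> dict[str, str]:
    """The 'information file' sent to the client on denial (constructed shape)."""
    return {"command": "block_network_access", "client": req.client, "app": req.app,
            "target": f"{req.host}:{req.port}", "reason": reason}


def handle(line: str, rules: AccessRules):
    req = parse_request(line)
    decision, reason = evaluate(req, rules)
    return decision, reason, (denial_command(req, reason) if decision == "deny" else None)


# Constructed sample rules and request lines.
SAMPLE_RULES = AccessRules(
    block_list={".bad-downloads.example"},
    allowed_list={"updates.example"},
    reputation={"files.example": 20, "news.example": 80},
)
SAMPLE_REQUESTS = [
    "client=114 app=browser dst=updates.example:443",
    "client=116 app=updater dst=cdn.bad-downloads.example:80",
    "client=118 app=browser dst=files.example:443",
    "client=118 app=browser dst=news.example:443",
    "client=120 app=unknown dst=random.example:8080",
]


def run_example() -> list:
    return [handle(line, SAMPLE_RULES) for line in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for line, (decision, reason, cmd) in zip(SAMPLE_REQUESTS, run_example()):
        print(f"{decision:5} ({reason}) <- {line}" + (f"  cmd={cmd}" if cmd else ""))
```

Two design points matter for a defender: the block list is checked before the allowed list, so a compromised host cannot be rescued by a broad allow entry, and a request that fails to parse raises rather than falling through to the default, so a malformed record cannot be used to slip past the rules.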
When a threat or policy violation is detected by the threat management facility 168, the threat management facility 168 may perform or initiate remedial action through the remedial action facility 152. Remedial action may take a variety of forms, such as terminating or modifying an ongoing process or interaction, issuing an alert, sending a warning (e.g., to a client or to the administration facility 108) of an ongoing process or interaction, executing a program or application to remediate against a threat or violation, recording interactions for subsequent evaluation, and so forth. The remedial action may include one or more of blocking some or all requests to a network location or resource, performing a malicious code scan on a device or application, performing a malicious code scan on one or more of the clients 144, quarantining a related application (or files, processes or the like), terminating the application or device, isolating the application or device, moving a process or application code to a sandbox for evaluation, isolating one or more of the clients 144 to a location or status within the network that restricts network access, blocking a network access port from one or more of the clients 144, reporting the application to the administration facility 108, or the like, as well as any combination of the foregoing.
In embodiments, remedial action may be taken based on a reliability index determination based on RF characteristics of a wireless device.
Remedial action may be provided as a result of a detection of a threat or violation. The detection techniques facility 148 may include tools for monitoring the network 170 or managed devices within the network 170. The detection techniques facility 148 may provide functions such as monitoring activity and stored files on computing facilities. Detection techniques, such as scanning a computer's stored files, may provide the capability of checking files for stored threats, either in the active or passive state. Detection techniques such as streaming file management may be used to check files received at the network 170, a gateway facility, a client facility, and the like.
Verifying that the threat management facility 168 detects threats and violations of established policy may require the ability to test the system, either at the system level or for a particular computing component. The testing facility 164 may allow the administration facility 108 to coordinate the testing of the security configurations of computing facilities of the clients 144 on the network 170. For example, the administration facility 108 may be able to send test files to a set of computing facilities of the clients 144 to test the ability of a given client facility to determine acceptability of the test file. After the test file has been transmitted, a recording facility may record the actions taken by one or more of the clients 144 in reaction to the test file. The recording facility may aggregate the testing information from the clients 144 and report the testing information to the administration facility 108. The administration facility 108 may be able to determine the level of preparedness of the respective clients 144 based on the reported information. Remedial action may be taken for any of the clients 144 as determined by the administration facility 108.
The threat management facility 168 may provide threat protection across the network 170 to devices such as the clients 144, the servers 142, the administration facility 108, the firewall 138, a gateway, one or more of the network devices 148 (e.g., hubs and routers), one or more of the appliances 140 (e.g., a threat management appliance), any number of desktop or mobile users, and the like. As used herein, the term endpoint may refer to any compute instance running on a device that can source data, receive data, evaluate data, buffer data, process data or the like (such as a user's desktop computer, laptop, IoT device, server, etc.). This may, for example, include any client devices as well as other network devices and the like within the network 170, such as a firewall or gateway (as a data evaluation endpoint computer system), a laptop (as a mobile endpoint computer), a tablet (as a hand-held endpoint computer), a mobile phone, or the like. The term endpoint may also or instead refer to any final or intermediate source or destination for data within a network 170. An endpoint computer security facility 112 may be an application locally loaded onto any corresponding computer platform or computer support component, either for local security functions or for management by the threat management facility 168 or other remote resource, or any combination of these.
The network 170 may include a plurality of client facility computing platforms (e.g., the clients 144) on which the endpoint computer security facility 112 is installed. A client facility computing platform may be a computer system that is able to access a service on another computer, such as one or more of the servers 142, via a network. The endpoint computer security facility 112 may, in corresponding fashion, provide security in any suitable context such as among a plurality of networked applications, for a client facility connecting to an application server facility, for a web browser client facility connecting to a web server facility, for an e-mail client facility retrieving e-mail from an internet 160 service provider's mail storage servers or web site, and the like, as well as any variations or combinations of the foregoing. As used herein, any one or more of the application server facility, the web server facility, and the mail storage servers should be understood to include one or more of the servers 142.
The network 170 may include one or more of the servers 142, such as application servers, communications servers, file servers, database servers, proxy servers, mail servers, fax servers, game servers, web servers, and the like. The servers 142, which may also be referred to as server facilities 142, server facility 142 applications, server facility 142 operating systems, server facility 142 computers, or the like, may be any device(s), application program(s), operating system(s), or combination of the foregoing that accepts client facility connections to service requests from the clients 144. In embodiments, the threat management facility 168 may provide threat protection to server facilities 142 within the network 170 as load conditions and application changes are made.
The server facilities 142 may include an appliance facility 140, where the appliance facility 140 provides specific services to other devices on the network 170. The server facilities may also include simple appliances utilized across the network 170 infrastructure, such as switches, routers, hubs, gateways, print servers, modems, and the like. These appliances may provide interconnection services within the network 170, and therefore may advance the spread of a threat if not properly protected.
The clients 144 may be protected from threats from within the network 170 using a local or personal firewall, which may be a hardware firewall, software firewall, or a combination thereof, that controls network traffic to and from a client. The local firewall may permit or deny communications based on a security policy. The endpoint computer security facility 112 may additionally protect the firewall 110, which may include hardware or software, in a standalone device or integrated with another network component, that may be configured to permit, deny, or proxy data through the network 170.
The interface between the threat management facility 168 and the network 170, and through the appliance 140 to embedded endpoint computer security facilities, may include a set of tools that may be the same or different for various implementations, and may allow each network administrator to implement custom controls. In embodiments, these controls may include both automatic actions and managed actions. The administration facility 108 may configure policy rules that determine interactions. The administration facility 108 may also establish license management, which in turn may further determine interactions associated with licensed applications. In embodiments, interactions between the threat management facility 168 and the network 170 may provide threat protection to the network 170 by managing the flow of network data into and out of the network 170 through automatic actions that may be configured by the threat management facility 168 for example by action or configuration of the administration facility 108.
The clients 144 within the network 170 may be connected to the network 170 by way of the network devices 132-B, which may be wired devices or wireless facilities. The clients 144 may be mobile wireless facilities and, because of their ability to connect to a wireless network access point, may connect to the internet 160 outside the physical boundary of the network 170, and therefore outside the threat-protected environment of the network 170. Such mobile wireless facilities, if not for the presence of a locally-installed endpoint computer security facility 112, may be exposed to a malware attack or perform actions counter to policies of the network 170. Thus, the endpoint computer security facility 112 may provide local protection against various threats and policy violations. The threat management facility 168 may also or instead be configured to protect the out-of-enterprise facility mobile client facility (e.g., the clients 144) through interactions over the internet 160 (or other network) with the locally-installed endpoint computer security facility 112. Thus, mobile client facilities that are components of the network 170 but temporarily outside connectivity with the network 170 may be provided with the same or similar threat protection and policy control provided to the clients 144 inside the network 170. In addition, mobile client facilities (e.g., the clients 444) may receive the same interactions to and from the threat management facility 168 as client facilities 144 inside the enterprise facility 102, such as by receiving the same or equivalent services via an embedded endpoint computer security facility 112.
Interactions between the threat management facility 168 and the components of the network 170, including mobile client facility extensions of the network 170, may ultimately be connected through the internet 160 or any other network or combination of networks. Security-related or policy-related downloads and upgrades to the network 170 may be passed from the threat management facility 168 through to components of the network 170 equipped with the endpoint computer security facility 112. In turn, the endpoint computer security facilities 112 of the enterprise facility 102 may upload policy and access requests back across the internet 160 and through to the threat management facility 168. The internet 160, however, is also the path through which threats may be transmitted from their source, and one or more of the endpoint computer security facilities 112 may be configured to protect a device outside the network 170 through locally-deployed protective measures and through suitable interactions with the threat management facility 168.
Thus, if the mobile client facility were to attempt to connect into an unprotected connection point, such as at the secondary location threat network 162 that is not a part of the network 170, the mobile client facility, such as one or more of the clients 144, may be required to request network interactions through the threat management facility 168, where contacting the threat management facility 168 may be performed prior to any other network action. In embodiments, the endpoint computer security facility 112 of the client 144 may manage actions in unprotected network environments such as when the client facility (e.g., the client 130) is in a secondary location 162, where the endpoint computer security facility 112 may dictate which applications, actions, resources, users, etc. are allowed, blocked, modified, or the like.
The secondary location threat network 162 may have no endpoint computer security facilities 112 as a part of its components, such as the firewall 140, the server 142, the client 120, the network devices 448C-D (e.g., hubs and routers), and the like. As a result, the components of the secondary location threat network 162 may be open to threat attacks, and may become potential sources of threats, as well as any mobile enterprise facility clients (e.g., the clients 116-F) that may be connected to the secondary location threat network 162. In such instances, these components may now unknowingly spread a threat to other devices connected to the network 170.
Some threats do not come directly from the internet 160. For example, one or more physical proximity threats 158 may be deployed on a client device while that device is connected to an unprotected network connection outside the network 170 and, when the client device is subsequently connected to one or more of the clients 144 on the network 402, the device can deploy malware or otherwise pose a threat. In embodiments, the endpoint computer security facility 112 may protect the network 170 against these types of physical proximity threats 158, for instance, through scanning any device prior to allowing data transfers, through security validation certificates, through establishing a safe zone within the network 170 to receive data for evaluation, and the like.