Threat Management System

Figure 1 illustrates an environment for threat management. Specifically, Figure 1 depicts a block diagram of a threat management facility 168 providing protection to one or more enterprises, networks, locations, users, businesses, etc. against a variety of threats–a context in which the techniques disclosed herein may usefully be deployed. The threat management facility 168 may be used to protect devices and assets (e.g., IoT devices or other devices) from computer-generated and human-generated threats. For example, a corporation, school, web site, homeowner, network administrator, or other entity may institute and enforce one or more policies that control or prevents certain network users (e.g. employees, residents, users, guests, etc.) from accessing certain types of applications, devices, resources generally or in a particular manner. Policies may be created, deployed and managed, for example, through the threat management facility 168, which may update and monitor network devices, users, and assets accordingly. 

The threat of malware or other compromise may be present at various points within a network 170 such as laptops, desktops, servers, gateways, communication ports, handheld or mobile devices, IoT devices, firewalls. In addition to controlling or stopping malicious code, a threat management facility 168 may provide policy management to controldevices, applications, or users that might otherwise undermine productivity and network performance within the network 170. 

The threat management facility 168 may provide protection to network 170 from computer-based malware, including viruses, spyware, adware, trojans, intrusion, spam, policy abuse, advanced persistent threats, uncontrolled access, and the like. In general, the network 170 may be any networked computer-based infrastructure or the like managed by the threat management facility 168, such as an organization, association, institution, or the like, or a cloud-based facility that is available for subscription by individuals. For example, the network 170 may be a corporate, commercial, educational, governmental, or other network 170, and may include multiple networks, computing resources, and other facilities, may be distributed among more than one geographical locations, and may include an administration facility 108, a firewall 110, an appliance 144, a server 136, network devices 132-B, clients 114-D, such as IoT devices or other devices. It will be understood that any reference herein to a client or client facilities may include the clients 114-D shown in Figure 1 and vice-versa. Further, the recitation of an element number ending with a letter should be understood to refer to a particular instance of the element, and the recitation of an element number without a letter should be understood to refer to any one or more instances of the element. Thus, for example, the recitation of the client 114 should be understood to refer only to the specific instance of the client labeled 114 in Figure 1, while the recitation of the clients 144 should be understood to refer to any one or more instances of the client labeled 114, 116, 118, 128, 126, 130, 120 in Figure 1, unless otherwise specified or made clear from the context.

The threat management facility 168 may include computers, software, or other computing facilities supporting a plurality of functions, such as one or more of a security management facility 102, a policy management facility 146, an update facility 150, a definitions management facility 156, a network access rules facility 106, a remedial action facility 152, a detection techniques facility 148, a testing facility 164, a threat research facility 104, and the like. In embodiments, the threat protection provided by the threat management facility 400 may extend beyond the network boundaries of the network 170 to include clients 128 (or client facilities) that have moved into network connectivity not directly associated with or controlled by the network 170. Threats to client facilities may come from a variety of sources, such as from network threats 154, physical proximity threats 158, a secondary location threat network 162, and the like. Clients 114-D may be protected from threats even when the client 114-D is not directly connected to or in association with the network 170, such as when a client 126-F moves in and out of the network 170, for example when interfacing with an unprotected server 138 through the internet 160, when a client 130 is moving into the secondary location threat network 162 such as interfacing with components that are not protected (e.g., the appliance 166, the server 142, the network devices 122, 124, and the like). 

The threat management facility 168 may use or may be included in an integrated system approach to provide the network 170 with protection from a plurality of threats to device resources in a plurality of locations and network configurations. The threat management facility 168 may also or instead be deployed as a stand-alone solution. For example, some or all of the threat management facility 168components may be integrated into a server or servers at a remote location, for example in a cloud computing facility. For example, some or all of the threat management facility 168components may be integrated into a firewall, gateway, or access point within or at the border of the network 170. In some embodiments, the threat management facility 168 may be integrated into a product, such as a third-party product (e.g., through an application programming interface), which may be deployed on endpoints, on remote servers, on internal servers or gateways for a network, or some combination of these. 

The security management facility 102 may include a plurality of elements that provide protection from malware to device resources of the network 170 in a variety of ways, including endpoint security and control, email security and control, web security and control, reputation-based filtering, control of unauthorized users, control of guest and non-compliant computers, and the like. The security management facility 102 may include a local software application that provides protection to one or more device resources of the network 402. The security management facility 102 may have the ability to scan client facility files for malicious code, remove or quarantine certain applications and files, prevent certain actions, perform remedial actions and perform other security measures. This may include scanning some or all of the files stored on the client facility or accessed by the client facility on a periodic basis, scanning an application when the application is executed, scanning data (e.g., files or other communication) in transit to or from a device, etc. The scanning of applications and files may be performed to detect known or unknown malicious code or unwanted applications. 

The security management facility 102 may provide email security and control. The security management facility 102 may also or instead provide for web security and control, such as by helping to detect or block viruses, spyware, malware, unwanted applications, and the like, or by helping to controlweb browsing activity originating from client devices. In certain embodiments, the security management facility 102 may provide for network access control, which may provide control over network connections. In addition, network access control may controlaccess to virtual private networks (VPN) that provide communications networks tunneled through other networks. The security management facility 102 may provide host intrusion prevention through behavioral based analysis of code, which may guard against known or unknown threats by analyzing behavior before or while code executes. Further, or instead, the security management facility 102 may provide reputation filtering, which may target or identify sources of code. 

In embodiments, the security management facility 102 may use wireless characteristics to identify a device on the network 170. For example, the security management facility 102 may determine a reliability index value of any one or more devices (e.g., the servers 142, the clients 144, and combinations thereof) connected via a wireless link to the network 170, for example, an IoT device. Through one or more access points (e.g., the firewall 110) or other sensor (e.g., the appliance 144) in the network 170, the security management facility 102 may monitor RF characteristics of the IoT device to obtain current RF characteristics. The security management facility 102 may compare the current RF characteristics to baseline RF characteristics, and when there is a match between the current RF characteristics and the baseline RF characteristics based on the comparison, adjust the reliability index value to indicate greater reliability, and when there is not a match between the current RF characteristics and the baseline RF characteristics based on the comparison, adjusting the reliability index value to indicate lesser reliability, and when the reliability index value exceeds a threshold value, performing an action to reduce a potential threat of the IoT device to the network. This aspect of the security management facility 102 may also take place on the firewall 110 (e.g., an access point) or appliance 144. 

In general, the security management facility 102 may support overall security of the network 170 using the various techniques described above, optionally as supplemented by updates of malicious code information and so forth for distribution across the network 170. 

The administration facility 108 may provide control over the security management facility 102 when updates are performed. Information from the security management facility 102 may also be sent from the enterprise back to a third party, a vendor, or the like, which may lead to improved performance of the threat management facility 168. 

The policy management facility 146 of the threat management facility 168 may be configured to take actions, such as to block applications, users, communications, devices, and so on based on determinations made. The policy management facility 146 may employ a set of rules or policies that determine network 170access permissions for one or more of the clients 144. In some embodiments, a policy database may include a block list, a black list, an allowed list, a white list, or the like, or combinations of the foregoing, that may provide a list of resources internal or external to the network 170 that may or may not be accessed by the clients 144. The policy management facility 146 may also or instead include rule-based filtering of access requests or resource requests, or other suitable techniques for controlling access to resources consistent with a corresponding policy. 

In embodiments, the policy management facility 146 may include reliability index thresholds for devices, such as IoT devices. The policy management facility 146 may include policies to permit or deny access, to take remedial action, to issue alerts, and so on based on particular reliability index determinations. 

The policy management facility 146 may also or instead provide configuration policies to be used to compare and control the configuration of applications, operating systems, hardware, devices, and the like associated with the network 170. An evolving threat environment may dictate timely updates, and thus the update management facility 150 may also be provided by the threat management facility 168. In addition, the policy management facility 146 may require update management (e.g., as provided by the update facility 150 herein described). In embodiments, the update management facility 150 may provide for patch management or other software updating, version control, and so forth. 

The security facility 102 and policy management facility 146 may push information to the network 170 and/or to a given one or more of the clients 144. The network 170 and/or one or more of the clients 114-F may also or instead request information from the security facility 102 and/or from the policy management facility 146, the servers 136-C, or there may be a combination of pushing and pulling of information. In some embodiments, the policy management facility 146 and the security facility 102 management update modules may work in concert to provide information to the network 170 and/or to one or more of the clients 114 facility for control of applications, devices, users, and so on. 

As threats are identified and characterized, the threat management facility 168 may create updates that may be used to allow the threat management facility 168 to detect and remediate malicious software, unwanted applications, configuration and policy changes, and the like. The definitions management facility 156 may contain threat identification updates, also referred to as definition files. A definition file may be a virus identity file that may include definitions of known or potential malicious code. The virus identity definition files may provide information that may identify malicious code within files, applications, or the like. The definition files may be accessed by the security management facility 102 when scanningfiles or applications within the client facility for the determination of malicious code that may be within the file or application. The definitions management facility 156 may include a definition for a neural network or other recognition engine. The definitions management facility 156 may provide timely updates of definition files information to the network, client facilities, and the like. 

In embodiments, the definitions management facility 156 may include default values or baseline values for RF characteristics of devices, such as IoT devices. For example, the definitions management facility 156 may include a baseline value for particular RF characteristics of a particular IoT device. 

The security management facility 102 may be used to scan an outgoing file and verify that the outgoing file is permitted to be transmitted per rules and policies of the network 170. By checking outgoing files, the security management facility 102 may be able to discover malicious code infected files that were not detected as incoming files. 

The threat management facility 168 may provide controlled access to the network 170. For example, the network access rules facility 106 may be responsible for determining if an application running on a given one or more of the clients 144 should be granted access to a requested network resource. In some embodiments, the network access rules facility 106 may verify access rights for one or more of the client facilities to or from the network 170 or may verify access rights of computer facilities to or from external networks. When network access for a client facility is denied, the network access rules facility 106 may send an information file to the client facility (e.g., a command or command file that the remedial action facility 428 may access and take action upon). The network access rules facility 106 may include one or more databases including one or more of a block list, a black list, an allowed list, a white list, a reputation list, an unacceptable network resource database, an acceptable network resource database, a network resource reputation database, or the like. The network access rules facility 106 may incorporate rule evaluation. Rule evaluation may, for example, parse network access requests and apply the parsed information to network accessrules. The network access rule facility 106 may also or instead provide updated rules and policies to the network 170. 

When a threat or policy violation is detected by the threat management facility 168, the threat management facility 168 may perform or initiate remedial action through the remedial action facility 152. Remedial action may take a variety of forms, such as terminating or modifying an ongoing process or interaction, issuing an alert, sending a warning (e.g., to a client or to the administration facility 108) of an ongoing process or interaction, executing a program or application to remediate against a threat or violation, record interactions for subsequent evaluation, and so forth. The remedial action may include one or more of blocking some or all requests to a network location or resource, performing a malicious code scan on a device or application, performing a malicious code scan on one or more of the clients 144, quarantining a related application (or files, processes or the like), terminating the application or device, isolating the application or device, moving a process or application code to a sandbox for evaluation, isolating one or more of the clients 144 to a location or status within the network that restricts network access, blocking a network access port from one or more of the clients 144, reporting the application to the administration facility 108, or the like, as well as any combination of the foregoing. 

In embodiments, remedial action may be taken based on a reliability index determination based on RF characteristics of a wireless device. 

Remedial action may be provided as a result of a detection of a threat or violation. The detection techniques facility 148 may include tools for monitoring the network 170 or managed devices within the network 170. The detection techniques facility 148 may provide functions such as monitoring activity and stored files on computing facilities. Detection techniques, such as scanning a computer’sstored files, may provide the capability of checking files for stored threats, either in the active or passive state. Detection techniques such as streaming file management may be used to check files received at the network 170, a gateway facility, a client facility, and the like. 

Verifying that the threat management facility 168 detects threats and violations to established policy, may require the ability to test the system, either at the system level or for a particular computing component. The testing facility 164 may allow the administration facility 108 to coordinate the testing of the security configurations of computing facilities of the clients 144 on the network 170. For example, the administration facility 108 may be able to send test files to a set of computing facilities of the clients 144 to test the ability of a given client facility to determine acceptability of the test file. After the test file has been transmitted, a recording facility may record the actions taken by one or more of the clients 144 in reaction to the test file. The recording facility may aggregate the testing information from the clients 144 and report the testing information to the administration facility 108. The administration facility 108 may be able to determine the level of preparedness of the respective clients 144 based on the reported information. Remedial action may be taken for any of the clients 144 as determined by the administration facility 108. 

The threat management facility 168 may provide threat protection across the network 170 to devices such as the clients 144, the servers 142, the administration facility 108, the firewall 138, a gateway, one or more of the network devices 148 (e.g., hubs and routers), one or more of the appliances 140 (e.g., a threat management appliance), any number of desktop or mobile users, and the like. As used herein, the term endpoint may refer to any compute instance running on a device that can source data, receive data, evaluate data, buffer data, process data or the like (such as a user’sdesktop computer, laptop, IoT device, server, etc.). This may, for example, include any client devices as well as other network devices and the like within the network 170, such as a firewall or gateway (as a data evaluation endpoint computer system), a laptop (as a mobile endpoint computer), a tablet (as a hand-held endpoint computer), a mobile phone, or the like. The term endpoint may also or instead refer to any final or intermediate source or destination for data within a network 170. An endpoint computer security facility 112 may be an application locally loaded onto any corresponding computer platform or computer support component, either for local security functions or for management by the threat management facility 168 or other remote resource, or any combination of these. 

The network 170 may include a plurality of client facility computing platforms (e.g., the clients 144) on which the endpoint computer security facility 112 is installed. A client facility computing platform may be a computer system that is able to access a service on another computer, such as one or more of the servers 142, via a network. The endpoint computer security facility 112 may, in corresponding fashion, provide security in any suitable context such as among a plurality of networked applications, for a client facility connecting to an application server facility, for a web browser client facility connecting to a web server facility, for an e-mail client facility retrieving e-mail from an internet 160service provider’smail storage servers or web site, and the like, as well as any variations or combinations of the foregoing. As used herein, any one or more of the application server facility, the web server facility, and the mail storage servers should be understood to include one or more of the servers 142. 

The network 170 may include one or more of the servers 142, such as application servers, communications servers, file servers, database servers, proxy servers, mail servers, fax servers, game servers, web servers, and the like. The servers 142, which may also be referred to as server facilities 142, server facility 142 applications, server facility 142 operating systems, server facility 142 computers, or the like, may be any device(s), application program(s), operating system(s), or combination of the foregoing that accepts client facility connections to service requests from the clients 144. In embodiments, the threat management facility 168 may provide threat protection to server facilities 142 within the network 170 as load conditions and application changes are made. 

The server facilities 142 may include an appliance facility 140, where the appliance facility 140 provides specific services to other devices on the network 170. The server facilities may also include simple appliances utilized across the network 170infrastructure, such as switches, routers, hubs, gateways, print servers, modems, and the like. These appliances may provide interconnection services within the network 170, and therefore may advance the spread of a threat if not properly protected. 

The clients 144 may be protected from threats from within the network 170 using a local or personal firewall, which may be a hardware firewall, software firewall, or a combination thereof, that controlsnetwork traffic to and from a client. The local firewall may permit or deny communications based on a security policy. The endpoint computer security facility 112 may additionally protect the firewall 110, which may include hardware or software, in a standalone device or integrated with another network component, that may be configured to permit, deny, or proxy data through the network 170. 

The interface between the threat management facility 168 and the network 170, and through the appliance 140 to embedded endpoint computer security facilities, may include a set of tools that may be the same or different for various implementations, and may allow each network administrator to implement custom controls. In embodiments, these controls may include both automatic actions and managed actions. The administration facility 108 may configure policy rules that determine interactions. The administration facility 108 may also establish license management, which in turn may further determine interactions associated with licensed applications. In embodiments, interactions between the threat management facility 168 and the network 170 may provide threat protection to the network 170 by managing the flow of network data into and out of the network 170 through automatic actions that may be configured by the threat management facility 168 for example by action or configuration of the administration facility 108. 

The clients 144 within the network 170 may be connected to the network 170 by way of the network devices 132-B, which may be wired devices or wireless facilities. The clients 144 may be mobile wireless facilities and, because of their ability to connect to a wireless network access point, may connect to the internet 160 outside the physical boundary of the network 170, and therefore outside the threat-protected environment of the network 170. Such mobile wireless facilities, if not for the presence of a locally-installed endpoint computer security facility 112, may be exposed to a malware attack or perform actions counter to policies of the network 170. Thus, the endpoint computer security facility 112 may provide local protection against various threats and policy violations. The threat management facility 168 may also or instead be configured to protect the out-of-enterprise facility mobile client facility (e.g., the clients 144) through interactions over the internet 160 (or other network) with the locally-installed endpoint computer security facility 112. Thus, mobile client facilities that are components of the network 170 but temporarily outside connectivity with the network 170 may be provided with the same or similar threat protection and policy control provided to the clients 144 inside the network 170. In addition, mobile client facilities (e.g., the clients 444) may receive the same interactions to and from the threat management facility 168 as client facilities 144 inside the enterprise facility 102, such as by receiving the same or equivalent services via an embedded endpoint computer security facility 112. 

Interactions between the threat management facility 168 and the components of the network 170, including mobile client facility extensions of the network 170, may ultimately be connected through the internet 160 or any other network or combination of networks. Security-related or policy-related downloads and upgrades to the network 170 may be passed from the threat management facility 168 through to components of the network 170 equipped with the endpoint computer security facility 112. In turn, the endpoint computer security facilities 112 of the enterprise facility 102 may upload policy and access requests back across the internet 160 and through to the threat management facility 168. The internet 160, however, is also the path through which threats may be transmitted from their source, and one or more of the endpoint computer security facilities 112 may be configured to protect a device outside the network 170 through locally-deployed protective measures and through suitable interactions with the threat management facility 168. 

Thus, if the mobile client facility were to attempt to connect into an unprotected connection point, such as at the secondary location threat network 162 that is not a part of the network 170, the mobile client facility, such as one or more of the clients 144, may be required to request network interactions through the threat management facility 168, where contacting the threat management facility 168 may be performed prior to any other network action. In embodiments, the endpoint computer security facility 112 of the client 144 may manage actions in unprotected network environments such as when the client facility (e.g., the client 130) is in a secondary location 162, where the endpoint computer security facility 112 may dictate which applications, actions, resources, users, etc. are allowed, blocked, modified, or the like. 

The secondary location threat network 162 may have no endpoint computer security facilities 112 as a part of its components, such as the firewall 140, the server 142, the client 120, the network devices 448C-D (e.g., hubs and routers), and the like. As a result, the components of the secondary location threat network 162 may be open to threat attacks, and may become potential sources of threats, as well as any mobile enterprise facility clients (e.g., the clients 116-F) that may be connected to the secondary location threat network 162. In such instances, these components may now unknowingly spread a threat to other devices connected to the network 170. 

Some threats do not come directly from the internet 160. For example, one or more physical proximity threats 158 may be deployed on a client device while that device is connected to an unprotected network connection outside the network 170 and, when the client device is subsequently connected to one or more of the clients 144 on the network 402, the device can deploy malware or otherwise pose a threat. In embodiments, the endpoint computer security facility 112 may protect the network 170 against these types of physical proximity threats 158, for instance, through scanning any device prior to allowing data transfers, through security validation certificates, through establishing a safe zone within the network 170 to receive data for evaluation, and the like. 

Figure 2 illustrates a computer system. In general, the computer system 200 may include a computing device 206 connected to a network 202, for example, through an external device 204. The computing device 206 may be or may include any type of network endpoint or endpoints as described herein such as, for example, the network endpoints described above with reference to Figure 1. For example, the computing device 206 may include a desktop computer workstation. The computing device 206 may also or instead be any suitable device that has processes and communicates over the network 202 including, without limitation, a laptop computer, a desktop computer, a personal digital assistant, a tablet, a mobile phone, a television, a set top box, a wearable computer (e.g., watch, jewelry, or clothing), a home device (e.g., a thermostat or a home appliance controller), just as some examples. The computing device 206 may also or instead include a server, or it may be disposed on a server. 

The computing device 206 may be used for any of the entities described in the threat management environment described above with reference to Figure 1. For example, the computing device 206 may be a server, a client an enterprise facility, a threat management facility, or any of the other facilities or computing devices described therein. In certain aspects, the computing device 206 may be implemented using hardware (e.g., in a desktop computer), software (e.g., in a virtual machine or the like), or a combination of software and hardware, and the computing device 206 may be a standalone device, a device integrated into another entity or device, a platform distributed across multiple entities, or a virtualized device executing in a virtualization environment. 

The network 202 may include any network described above, e.g., data network(s) or internetwork(s) suitable for communicating data and control information among participants in the computer system 200. This may include public networks such as the internet, private networks, and telecommunications networks such as the Public Switched Telephone Network or cellular networks using third generation cellular technology (e.g., 3G or IMT-2000), fourth generation cellular technology (e.g., 4G, LTE. MT-Advanced, E-UTRA, etc.) or WiMax-Advanced (IEEE 802.16m)) and/or other technologies, as well as any of a variety of corporate area, metropolitan area, campus or other local area networks or enterprise networks, along with any switches, routers, hubs, gateways, and the like that might be used to carry data among participants in the computer system 200. The network 202 may also include a combination of data networks, and need not be limited to a strictly public or private network. 

The external device 204 may be any computer or other remote resource that connects to the computing device 206 through the network 202. This may include threat management resources such as any of those contemplated above, gateways or other network devices, remote servers or the like containing content requested by the computing device 206, a network storage device or resource, a device hostingmalicious content, or any other resource or device that might connect to the computing device 206 through the network 202. 

The computing device 206 may include a processor 208, a memory 210, a network interface 212, a data store 214, and one or more input/output interface 216. The computing device 206 may further include or be in communication with peripherals 218 and other external input/output interface 216. 

The processor 208 may be any as described herein, and in general may be capable of processing instructions for execution within the computing device 206or computer systemcomputer system 200. The processor 208 may include a single-threaded processor or a multi-threaded processor. The processor 208 may be capable of processing instructions stored in the memory 210 or on the data store 214. 

The memory 210 may store information within the computing device 206or computer systemcomputer system 200. The memory 210 may include any volatile or non-volatile memory or other computer-readable medium, including without limitation a Random-Access Memory (RAM), a flash memory, a read Only memory (ROM), a Programmable Read-only Memory (PROM), an Erasable PROM (EPROM), registers, and so forth. The memory 210 may store program instructions, program data, executables, and other software and data useful for controlling operation of the computing device 200 and configuring the computing device 200 to perform functions for a user. The memory 210 may include a number of different stages and types for different aspects of operation of the computing device 206. For example, a processor (e.g., the processor 208) may include on-board memory and/or cache for faster access to certain data or instructions, and a separate, main memory or the like may be included to expand memory capacity as desired. 

The memory 210 may, in general, include a non-volatile computer readable medium containing computer code that, when executed by the computing device 200 creates an execution environment for a computer program in question (e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system, or a combination of the foregoing, and/or code that performs some or all of the steps set forth in the various flow charts and other algorithmic descriptions set forth herein). While the memory 210 is depicted as a single memory, it will be understood that any number of memories may be usefully incorporated into the computing device 206. For example, a first memory may provide non-volatile storage such as a disk drive for permanent or long-term storage of files and code even when the computing device 206 is powered down. A second memory such as a Random-Access Memory may provide volatile (but higher speed) memory for storing instructions and data for executing processes. A third memory may be used to improve performance by providing even higher speed memory physically adjacent to the processor 208 for registers, caching and so forth. 

The network interface 212 may include any hardware and/or software for connecting the computing device 206 in a communicating relationship with other resources through the network 202. This may include remote resources accessible through the internet, as well as local resources available using short range communicationsprotocols using, e.g., physical connections (e.g., ethernet), radio frequency communications (e.g., WiFi), optical communications, (e.g., fiber optics, infrared, or the like), ultrasonic communications, or any combination of these or other media that might be used to carry data between the computing device 206 and other devices. The network interface 212 may, for example, include a router, a modem, a network card, an infrared transceiver, a radio frequency (RF) transceiver, a near field communications interface, a radio-frequency identification (RFID) tag reader, or any other data reading or writing resource or the like. 

More generally, the network interface 212 may include any combination of hardware and software suitable for coupling the components of the computing device 206 to other computing or communications resources and, thus, may typically include one or more communication channels 222 and be connected to one or more networks (e.g., the network 202). By way of example and not limitation, this may include electronics for wired or wireless transmission of information over the network 202 either wirelessly or through a physical connection, depending on the needs of a specific implementation. As an example, the communication may be via an ethernet connection operating according to the IEEE 802.11 standard (or any variation thereof), or any other short or long range wireless networking components or the like. This may include hardware for short range data communications such as bluetooth or an infrared transceiver, which may be used to couple to other local devices, or to connect to a local area network or the like that is in turn coupled to a data network 202 such as the internet. This may also or instead include hardware/software for a WiMax connection or a cellular network connection (using, e.g., CDMA, GSM, LTE, or any other suitable protocol or combination of protocols). The network interface 212 may be included as part of the input/output interface 216 or vice-versa. 

The data store 214 may be any internal memory store providing a computer-readable medium such as a disk drive, an optical drive, a magnetic drive, a flash drive, or other device capable of providing mass storage for the computing device 206. The data store 214 may store computer readable instructions, data structures, program modules, and other data for the computing device 206or computer systemcomputer system 200 in a non-volatile form for subsequent retrieval and use. For example, the data store 214 may store without limitation one or more of the operating system, application programs, program data, databases, files, and other program modules or other software objects and the like. 

The input/output interface 216 may support input from and output to other devices that might couple to the computing device 206. This may, for example, include serial ports (e.g., RS-226 ports), universal serial bus (USB) ports, optical ports, ethernet ports, telephone ports, audio jacks, component audio/video inputs, HDMI ports, and so forth, any of which might be used to form wired connections to other local devices. This may also or instead include an infrared interface, RF interface, magnetic card reader, or other input/output system for coupling in a communicating relationship with other local devices. It will be understood that, while the network interface 212 for network communications is described separately from the input/output interface 216 for local device communications, these two interfaces may be the same, or may share functionality, such as where a USB port is used to attach to a WiFi accessory, or where an ethernet connection is used to couple to a local network attached storage. 

A peripheral 218 may include any device used to provide information to or receive information from the computing device 200. This may include human input/output (I/O) devices such as a keyboard, a mouse, a mouse pad, a track ball, a joystick, a microphone, a foot pedal, a camera, a touch screen, a scanner, or other device that might be employed by the user 224 to provide input to the computing device 206. This may also or instead include a display, a speaker, a printer, a projector, a headset or any other audiovisual device for presenting information to a user. The peripheral 218 may also or instead include a digital signal processing device, an actuator, or other device to support control or communication to other devices or components. Other I/O devices suitable for use as a peripheral 218 include haptic devices, three-dimensional rendering systems, augmented-reality displays, magnetic card readers, and so forth. In one aspect, the peripheral 218 may serve as the network interface 212, such as with a USB device configured to provide communications via short range (e.g., bluetooth, WiFi, infrared, RF, or the like) or long range (e.g., cellular data or WiMax) communicationsprotocols. In another aspect, the peripheral 218 may provide a device to augment operation of the computing device 206, such as a global positioning system (GPS) device, a security dongle, or the like. In another aspect, the peripheral may be a storage device such as a flash card, USB drive, or other solid-state device, or an optical drive, a magnetic drive, a disk drive, or other device or combination of devices suitable for bulk storage. More generally, any device or combination of devices suitable for use with the computing device 200 may be used as the peripheral 218 as contemplated herein. 

Other hardware 220 may be incorporated into the computing device 200. Examples of the other hardware 220 include a co-processor, a digital signal processing system, a math co-processor, a graphics engine, a video driver, and so forth. The other hardware 220 may also or instead include expanded input/output ports, extra memory, additional drives (e.g., a DVD drive or other accessory), and so forth. 

A bus 226 or combination of busses may serve as an electromechanical platform for interconnecting components of the computing device 200, such as the processor 208, the memory 210, the network interface 212, the other hardware 220, the data store 214, and an input/output interface. As shown in the figure, each of the components of the computing device 206 may be interconnected using the bus 226 or other communication mechanism for communicating information. 

Methods and systems described herein can be realized using the processor 208 of the computer system 200 to execute one or more sequences of instructions contained in the memory 210 to perform predetermined tasks. In embodiments, the computing device 200 may be deployed as a number of parallel processors synchronized to execute code together for improved performance, or the computing device 200 may be realized in a virtualized environment where software on a hypervisor or other virtualization management facility emulates components of the computing device 200 as appropriate to reproduce some or all of the functions of a hardware instantiation of the computing device 200. 

Figure 3 illustrates an exemplary threat management system 300 as contemplated herein. In general, the threat management system may include an endpoint 302 for example, a laptop, or a device such as an IoT device, an access point 304, a server 306 and a threat management facility 308 in communication with one another directly or indirectly through a data network 316, for example, as generally described above. Each of the entities depicted in Figure 3, may, for example, be implemented on one or more computing devices such as the computing device described above with reference to Figure 2. 

A number of systems may be distributed across these various components to support threat management, for example, including a coloring system 310, a key management system 312 and a heartbeat system 314, each of which may include software components executing on any of the foregoing system components, and each of which may communicate with the threat management facility 308 or an endpoint threat protection agent 318 executing on an endpoint 302, on an access point or a firewall 304, or on a server 306 to support improved threat detection and remediation. 

The coloring system 310 may be used to label or `color` software objects for improved tracking and detection of potentially harmful activity. The coloring system 310 may, for example, label files, executables, processes, network communications, data sources and so forth with any suitable label. A variety of techniques may be used to select static and/or dynamic labels for any of these various objects, and to manage the mechanics of applying and propagatingcoloring information as appropriate. For example, a process may inherit a color from an application that launches the process. Similarly, a file may inherit a color from a device when it is created or opened by a device, and/or a process may inherit a color from a file that the process has opened. More generally, any type of labeling, as well as rules for propagating, inheriting, changing, or otherwise manipulating such labels, may be used by the coloring system 310 as contemplated herein. A color may be or may be based on one or more reliability index values, the meeting of one or more reliability index thresholds, the rate of change of one or more reliability index values, etc. A color of a device may be used in a security policy. A color of a process, a file, a network request, and so on may be based on a color of a device, and that color may be used in a security policy. 

The key management system 312 may support management of keys for the endpoint 302 in order to selectively permit or prevent access to content on the endpoint 302 on a file-specific basis, a process-specific basis, an application-specific basis, a user-specific basis, or any other suitable basis in order to prevent data leakage, and in order to support more fine-grained and immediate control over access to content on the endpoint 302 when a security compromise is detected. Thus, for example, if a particular process executing on the endpoint is compromised, or potentially compromised or otherwise under suspicion, keys to that process may be revoked in order to prevent, for example, data leakage or other malicious activity. In embodiments, keys on device may be revoked based on one or more reliability index values, the meeting of one or more reliability index thresholds, the rate of change of one or more reliability index values, etc. 

The heartbeat system 314 may be used to provide periodic or aperiodic information from an endpoint about system health, security, status, etc. A heartbeat may be encrypted or plaintext, or some combination of these, and may be communicated unidirectionally (e.g., from the endpoint 302 to the threat management facility 308) or bidirectionally (e.g., between the endpoint 302 and the server 306, or any other pair of system components) on a useful schedule. 

In implementations, the access point or firewall 304 may use the heartbeat 314 to report a potential or actual compromise of a device based, for example, on a color of the device, or based on one or more reliability index values, the meeting of one or more reliability index thresholds, the rate of change of one or more reliability index values, etc. The heartbeat 314 from the access point 304 may be communicated to the server 306, for example, and administrative server or directly or indirectly to a threat management facility 308. If the endpoint device 302 has an endpoint threat protection facility 318, the endpoint threat protection facility 318 may be used to investigate further the status, or to take remedial measures, again by communication using the secure heartbeat 314. 

In general, these various monitoring and management systems may cooperate to provide improved threat detection and response. For example, the coloring system 310 may be used to evaluate when a particular device is potentially compromised, and a potential threat may be confirmed based on an interrupted heartbeat from the heartbeat system 314 or by information communicated in a heartbeat. The key management system 312 may then be used to revoke keys to a process so that no further files can be opened, deleted or otherwise modified. More generally, the cooperation of these systems enables a wide variety of reactive measures that can improve detection and remediation of potential threats to an endpoint.