Labeling objects on an endpoint for encryption management

US9965627B2 · US · B2

Patent metadata
Publication number: US-9965627-B2
Application number: US-201414485769-A
Country: US
Kind code: B2
Filing date: Sep 14, 2014
Priority date: Sep 14, 2014
Publication date: May 8, 2018
Grant date: May 8, 2018

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: labeling each of a plurality of processes on an endpoint with a labeling scheme in which a process is either in, wherein the process conforms to a compliance policy administered for the endpoint from a remote threat management facility, or the process is out, wherein the process does not conform to the compliance policy, thereby providing a plurality of in processes and a plurality of out processes; labeling each of a plurality of files on the endpoint as either in, wherein the file is encrypted using a remotely managed key ring, or the file is out, wherein the file is not encrypted using the remotely managed key ring, thereby providing a plurality of in files and a plurality of out files; providing access to the remotely managed key ring by the plurality of in processes, thereby facilitating access to the plurality of in files by the plurality of in processes; changing a label for one of the plurality of processes from in to out in response to an observed action that exposes the process to an object external to the endpoint, thereby providing a relabeled process; and revoking access by the relabeled process to the plurality of in files, thereby preventing the relabeled process from opening additional ones of the plurality of in files and preventing the relabeled process from creating a new in file.

2. The method of claim 1 wherein labeling the plurality of processes includes inferring a label for at least one of the plurality of processes based on a corresponding label of an associated executable.

3. The method of claim 1 further comprising monitoring at least one of the plurality of processes for compliance with the compliance policy.

4. The method of claim 3 wherein monitoring for compliance includes monitoring an action of the at least one of the plurality of processes.

5. The method of claim 4 wherein the action includes an interaction of the at least one of the plurality of processes with one or more other ones of the plurality of processes.

6. The method of claim 1 wherein labeling the plurality of files includes inferring a label for at least one of the plurality of files based on a corresponding label of a process that created the one of the plurality of files.

7. The method of claim 1 wherein labeling the plurality of files includes inferring a label for at least one of the plurality of files based on a corresponding label of a process that accessed the one of the plurality of files.

8. The method of claim 1 further comprising denying access to the remotely managed key ring by the plurality of out processes, thereby denying access to the plurality of in files by the plurality of out processes.

9. The method of claim 1 wherein the external object includes at least one of data, a URL, an external process, and an external file.

10. The method of claim 1 wherein the external object is known or suspected to be malicious.

11. The method of claim 1 wherein a security status of the external object is unknown.

12. The method of claim 1 wherein the observed action for the process includes exposure to an object labeled as out.

13. The method of claim 1 wherein the observed action for the process includes exposure to an object with a poor reputation.

14. The method of claim 1 further comprising changing a label for one of the plurality of files from in to out.

15. The method of claim 1 further comprising changing a label for one of the plurality of files from out to in.

16. The method of claim 1 wherein revoking access occurs when the observed action for the process deviates from an expected action.

17. The method of claim 1 further comprising managing use of the key ring to control access to the plurality of files with a file system for the endpoint.

18. The method of claim 1 further comprising coupling a data loss prevention system to an endpoint protection system for an endpoint in an enterprise by labeling files as in or out on the endpoint according to compliance with an endpoint policy.

19. A computer program product comprising non-transitory computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of: labeling each of a plurality of processes on an endpoint with a labeling scheme in which a process is either in, wherein the process conforms to a compliance policy administered for the endpoint from a remote threat management facility, or the process is out, wherein the process does not conform to the compliance policy, thereby providing a plurality of in processes and a plurality of out processes; labeling each of a plurality of files on the endpoint as either in, wherein the file is encrypted using a remotely managed key ring, or the file is out, wherein the file is not encrypted using the remotely managed key ring, thereby providing a plurality of in files and a plurality of out files; providing access to the remotely managed key ring by the plurality of in processes, thereby facilitating access to the plurality of in files by the plurality of in processes; changing a label for one of the plurality of processes from in to out in response to an observed action that exposes the process to an object external to the endpoint, thereby providing a relabeled process; and revoking access by the relabeled process to the plurality of in files, thereby preventing the relabeled process from opening additional ones of the plurality of in files and preventing the relabeled process from creating a new in file.
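
The labeling and revocation flow of claim 1, as an added Python model that is not part of the patent or of any Sophos product: the Endpoint class, the pids, paths and reputation values are constructed for illustration. It shows why revocation is cheap in this scheme: flipping one process label from in to out removes its key ring access, and with it every in file, without re-keying any file.

```python
from dataclasses import dataclass, field

IN, OUT = "in", "out"

@dataclass
class Endpoint:
    """In/out labels for processes and files on one endpoint (claim 1). Constructed model."""
    process_labels: dict = field(default_factory=dict)  # pid -> IN | OUT
    file_labels: dict = field(default_factory=dict)     # path -> IN | OUT
    log: list = field(default_factory=list)             # audit trail of relabeling

    def label_process(self, pid, compliant):
        # "in" only while the process conforms to the remotely administered policy
        self.process_labels[pid] = IN if compliant else OUT

    def label_file(self, path, key_ring_encrypted):
        # "in" only if the file is encrypted under the remotely managed key ring
        self.file_labels[path] = IN if key_ring_encrypted else OUT

    def has_key_ring_access(self, pid):
        return self.process_labels.get(pid) == IN  # claims 1 and 8: in processes only

    def can_open(self, pid, path):
        # out files need no key; in files are only readable with key ring access
        return self.file_labels.get(path) == OUT or self.has_key_ring_access(pid)

    def create_file(self, pid, path):
        # a new file inherits its creator's label (claim 6), so an out process
        # cannot create an in file
        self.file_labels[path] = self.process_labels.get(pid, OUT)
        return self.file_labels[path]

    def observe_exposure(self, pid, external_object, reputation):
        # exposure to an out, poor-reputation or unknown external object (claims 9-13)
        # flips an in process to out; has_key_ring_access then fails for every in file
        if self.process_labels.get(pid) == IN and reputation in {OUT, "poor", "unknown"}:
            self.process_labels[pid] = OUT
            self.log.append(f"pid {pid}: in -> out (exposed to {external_object})")
            return True
        return False

def run_scenario():
    """Constructed walk-through: a compliant editor opens an encrypted file, then touches an unknown URL."""
    ep = Endpoint()
    ep.label_process(100, compliant=True)    # e.g. a corporate spreadsheet tool
    ep.label_process(200, compliant=False)   # e.g. a private game
    ep.label_file("/data/q3-forecast.xlsx", key_ring_encrypted=True)
    ep.label_file("/tmp/readme.txt", key_ring_encrypted=False)
    before = (ep.can_open(100, "/data/q3-forecast.xlsx"), ep.can_open(200, "/data/q3-forecast.xlsx"))
    relabeled = ep.observe_exposure(100, "https://unknown.example/download", reputation="unknown")
    return {"before": before, "relabeled": relabeled,
            "after": ep.can_open(100, "/data/q3-forecast.xlsx"),
            "readme_still_open": ep.can_open(100, "/tmp/readme.txt"),
            "new_file_label": ep.create_file(100, "/data/notes.txt"), "log": ep.log}
```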

Assignees

Sophos Ltd

Inventors

Classifications

  • involving long-term monitoring or reporting · CPC title

  • File encryption · CPC title

  • for supporting key management in a packet data network (cryptographic mechanisms or cryptographic arrangements for key management H04L9/08) · CPC title

  • Inheriting rights or properties, e.g., propagation of permissions or restrictions within a hierarchy · CPC title

  • G06F21/554 (primary): involving event detection and direct action · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9965627B2 cover?
Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-…
Who is the assignee on this patent?
Sophos Ltd
What technology area does this patent fall under?
Primary CPC classification G06F21/554. Mapped technology areas include Physics.
When was this patent published?
Publication date May 8, 2018 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 11 related publications on this page (citations in our corpus or others sharing the same primary CPC).