U.S. patent application number 17/482999 was filed with the patent office on 2022-01-13 for methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking.
The applicant listed for this patent is SENTINEL LABS ISRAEL LTD.. Invention is credited to Almog Cohen, Tomer Weingarten.
Application Number | 20220014539 17/482999 |
Document ID | / |
Family ID | |
Filed Date | 2022-01-13 |
United States Patent
Application |
20220014539 |
Kind Code |
A1 |
Weingarten; Tomer ; et
al. |
January 13, 2022 |
METHODS, SYSTEMS, AND DEVICES FOR DYNAMICALLY MODELING AND GROUPING
ENDPOINTS FOR EDGE NETWORKING
Abstract
Various embodiments described herein disclose an endpoint
modeling and grouping management system that can collect data from
endpoint computer devices in a network. In some embodiments, agents
installed on the endpoints can collect real-time information at the
kernel level providing the system with deep visibility. In some
embodiments, the endpoint modeling and grouping management system
can identify similarities in behavior in response to assessing the
data collected by the agents. In some embodiments, the endpoint
modeling and grouping management system can dynamically model
groups such as logical groups, and cluster endpoints based on the
similarities and/or differences in behavior of the endpoints. In
some embodiments, the endpoint modeling and grouping management
system transmits the behavioral models to the agents to allow the
agents to identify anomalies and/or security threats
autonomously.
Inventors: |
Weingarten; Tomer; (Mountain
View, CA) ; Cohen; Almog; (Tel Aviv, IL) |
|
Applicant: |
Name |
City |
State |
Country |
Type |
SENTINEL LABS ISRAEL LTD. |
Tel Aviv |
|
IL |
|
|
Appl. No.: |
17/482999 |
Filed: |
September 23, 2021 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
17069415 |
Oct 13, 2020 |
|
|
|
17482999 |
|
|
|
|
16525415 |
Jul 29, 2019 |
10841325 |
|
|
17069415 |
|
|
|
|
16058810 |
Aug 8, 2018 |
10462171 |
|
|
16525415 |
|
|
|
|
62542288 |
Aug 8, 2017 |
|
|
|
62545917 |
Aug 15, 2017 |
|
|
|
62550439 |
Aug 25, 2017 |
|
|
|
International
Class: |
H04L 29/06 20060101
H04L029/06; H04L 12/24 20060101 H04L012/24; G06F 9/445 20060101
G06F009/445; G06F 8/61 20060101 G06F008/61; H04L 29/08 20060101
H04L029/08 |
Claims
1. A computer-implemented method securing an elastic computer
network, the method comprising: monitoring, by one or more
autonomous software agents of a plurality of autonomous software
agents operating on one or more endpoint devices of a plurality of
endpoint devices forming the elastic computer network, one or more
processes or network communications of a corresponding endpoint
device to obtain endpoint data; transmitting, by the one or more
autonomous software agents, the endpoint data to a central server;
identifying, by a first autonomous software agent of the one or
more autonomous software agents, one or more anomalous indicators
on a corresponding endpoint device based at least in part on the
endpoint data, wherein identifying the one or more anomalous
indicators comprises comparing activity on the corresponding
endpoint device to a baseline usage pattern unique to the
corresponding endpoint device; and responding, by the first
autonomous software agent, to the one or more anomalous indicators
on an endpoint-level, wherein each autonomous software agent is
capable of identifying and responding to the one or more anomalous
indicators of the corresponding endpoint device on which the
autonomous software agent is operating independently of the central
server.
2. The computer-implemented method of claim 1, wherein responding
to the one or more anomalous indicators comprises the first
autonomous software agent limiting one or more operating system
processes or network communications of the corresponding endpoint
device.
3. The computer-implemented method of claim 2, wherein the
responding by the first autonomous software agent is performed
without receiving a command instruction from the central
server.
4. The computer-implemented method of claim 1, wherein monitoring
the one or more processes or the network communications of the
corresponding endpoint device comprises continuously verifying and
authenticating the corresponding endpoint device activities.
5. The computer-implemented method of claim 1, wherein the
plurality of endpoint devices comprise one or more cellphones,
servers, virtual machines, laptops, tablets, desktop computers,
Internet of Things (IoT) devices, landline phones, wearable
devices, or smart home devices.
6. The computer-implemented method of claim 1, wherein at least one
endpoint device of the plurality of endpoint devices is located
outside of a computer network firewall.
7. The computer-implemented method of claim 1, wherein the
plurality of endpoint devices are grouped into endpoint clusters,
and wherein one or more endpoint devices of each endpoint cluster
comprise one or more similar processing or network access
patterns.
8. The computer-implemented method of claim 1, wherein each of the
plurality of autonomous software agents is further configured to
perform a point-in-time validation of the corresponding endpoint
device, wherein the point-in-time validation comprises a
verification that no anomalous indicators are present on the
corresponding endpoint device.
9. The computer-implemented method of claim 1, wherein each of the
plurality of autonomous software agents is further configured to
scan the elastic network to identify devices in or in proximity to
the elastic network.
10. The computer-implemented method of claim 9, wherein the scan
comprises utilizing discovery protocols to identify the devices in
or in proximity to the network and obtain data therefrom.
11. An edge networking system, the system comprising: a plurality
of autonomous agents, wherein each of the plurality of autonomous
agents is operating on a corresponding endpoint device of a
plurality of endpoint devices forming an elastic computer network,
and wherein one or more of the plurality of autonomous agents is
configured to: monitor one or more processes or network
communications of the corresponding endpoint device to obtain
endpoint data; transmit the endpoint data to a central server;
identify one or more anomalous indicators on the corresponding
endpoint device based at least in part on the endpoint data,
wherein identifying the one or more anomalous indicators comprises
comparing activity on the corresponding endpoint device to a
baseline usage pattern unique to the corresponding endpoint device;
and respond to the one or more anomalous indicators on an
endpoint-level, wherein each of the plurality of autonomous
software agents is capable of identifying and responding to the one
or more anomalous indicators of the corresponding endpoint device
independently of the central server.
12. The edge networking system of claim 11, wherein responding to
the one or more anomalous indicators comprises the autonomous
software agent limiting one or more operating system processes or
network communications of the corresponding endpoint device.
13. The edge networking system of claim 12, wherein the responding
is performed without receiving a command instruction from the
central server.
14. The edge networking system of claim 11, wherein monitoring the
one or more processes or the network communications of the
corresponding endpoint device comprises continuously verifying and
authenticating the corresponding endpoint device activities.
15. The edge networking system of claim 11, wherein the plurality
of endpoint devices comprise one or more cellphones, servers,
virtual machines, laptops, tablets, desktop computers, Internet of
Things (IoT) devices, landline phones, wearable devices, or smart
home devices.
16. The edge networking system of claim 11, wherein at least one
endpoint device of the plurality of endpoint devices is located
outside of a computer network firewall.
17. The edge networking system of claim 11, wherein the plurality
of endpoint devices are grouped into endpoint clusters, and wherein
one or more endpoint devices of each endpoint cluster comprise one
or more similar processing or network access patterns.
18. The edge networking system of claim 11, wherein each of the
plurality of autonomous software agents is further configured to
perform a point-in-time validation of the corresponding endpoint
device, wherein the point-in-time validation comprises a
verification that no anomalous indicators are present on the
corresponding endpoint device.
19. The edge networking system of claim 11, wherein each of the
plurality of autonomous software agents is further configured to
scan the elastic network to identify devices in or in proximity to
the elastic network.
20. The edge networking system of claim 19, wherein the scan
comprises utilizing discovery protocols to identify the devices in
or in proximity to the network and obtain data therefrom.
Description
CROSS REFERENCE TO RELATED APPLICATIONS
[0001] The present application is a continuation of U.S. patent
application Ser. No. 17/069,415, filed Oct. 13, 2020, which is a
continuation of U.S. patent application Ser. No. 16/525,415, filed
Jul. 29, 2019, and now U.S. Pat. No. 10,841,325, issued Nov. 17,
2020, which is a continuation of U.S. patent application Ser. No.
16/058,810, filed Aug. 8, 2018, and now U.S. Pat. No. 10,462,171,
issued Oct. 29, 2019, which claims the benefit under 35 U.S.C.
.sctn. 119(c) of U.S. Provisional Application No. 62/542,288, filed
Aug. 8, 2017, U.S. Provisional Application No. 62/545,917, filed
Aug. 15, 2017, and U.S. Provisional Application No. 62/550,439,
filed Aug. 25, 2017, each of which is hereby incorporated herein by
reference in its entirety under 37 C.F.R. .sctn. 1.57. Any and all
applications for which a foreign or domestic priority claim is
identified in the Application Data Sheet as filed with the present
application are hereby incorporated by reference under 37 C.F.R.
.sctn. 1.57.
BACKGROUND
Field
[0002] The embodiments disclosed herein generally relate to systems
and methods for dynamically modeling and grouping endpoints for
edge networking, in particular, modeling and grouping endpoints
based on technical behavioral analysis enabled by deep visibility
into the computer processes of and electronic communications in and
to the endpoints.
Description
[0003] The detection of viruses, malware, ransomware, and the like
on computer endpoints connected to an enterprise network is a
large-scale problem for information technologists who are charged
with maintaining and protecting the confidential information and
software programs stored on these systems. The foregoing challenge
is made more complicated by today's complex enterprise networks
that are no longer just confined to hardware positioned behind or
within a firewall and/or data access management system. With the
development of cloud computing storage facilities and software as a
service (SaaS) capabilities, and the proliferation of mobile
devices, such as smart phones, laptops, tablets and other devices,
all of which generally sit outside the enterprise firewall, the
enterprise network is not just contained by hardware that is behind
or within a firewall and/or data access management system.
[0004] Rather, the enterprise network, broadly speaking, is now an
elastic network as opposed to a fixed boundary network. Thus, new
systems and methods for security, management, control, access, and
supervision of computer networks that are more suitable to modern
networks are needed.
SUMMARY
[0005] For purposes of this summary, certain aspects, advantages,
and novel features of the invention are described herein. It is to
be understood that not all such advantages necessarily may be
achieved in accordance with any particular embodiment of the
invention. Thus, for example, those skilled in the art will
recognize that the invention may be embodied or carried out in a
manner that achieves one advantage or group of advantages as taught
herein without necessarily achieving other advantages as may be
taught or suggested herein.
[0006] In some embodiments, described herein is a dynamic
endpoint-based edge networking system for protecting security and
integrity of an elastic computer network, the system comprising: a
plurality of agents, wherein each of the plurality of agents is
installed on a target endpoint device, the target endpoint device
being one of a plurality of endpoint devices forming an elastic
computer network, and wherein each of the plurality of agents is
configured to: access an operating system of the target endpoint
device on which the agent is installed to obtain visibility of
operating system processes and network communications of the target
endpoint device; monitor the operating system processes and the
network communications of the target endpoint device to obtain
target endpoint data, the target endpoint data comprising
information regarding at least one of the system processes or
network processes of the target endpoint device; transmit the
target endpoint data to a central server system; identify, using a
local security protocol, one or more local anomalous indicators on
the target endpoint device based at least in part on the target
endpoint data; and respond to the one or more local anomalous
indicators on an endpoint-level based at least in part on the local
security protocol, wherein the local security protocol comprises
one or more rule sets, policies, or access rights designed to
ensure local security of each of the plurality of endpoint devices;
and a central server system comprising: one or more computer
readable storage devices configured to store a plurality of
computer executable instructions; and one or more hardware computer
processors in communication with the one or more computer readable
storage devices and configured to execute the plurality of computer
executable instructions in order to cause the central server system
to: receive the target endpoint data from each of the plurality of
agents installed on a target endpoint device; analyze the target
endpoint data received from each of the plurality of agents to
identify network-wide activity patterns; identify, using a
network-wide security protocol, one or more network-wide anomalous
indicators on a network level across the plurality of endpoint
devices based at least in part on the identified network-wide
activity patterns; and respond to the one or more network-wide
anomalous indicators on the network level across the plurality of
endpoint devices based at least in part on the network-wide
security protocol.
[0007] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein monitoring the
operating system processes and the network communications of the
target endpoint device comprises continuously verifying and
authenticating target endpoint activities.
[0008] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein the plurality of
endpoint devices comprise one or more cellphones, servers, virtual
machines, laptops, tablets, desktop computers, Internet of Things
(IoT) devices, landline phones, wearable devices, or smart home
devices.
[0009] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein the local anomalous
indicator comprises activities of malicious software on the target
endpoint device.
[0010] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein the malicious
software comprises a virus, malware, ransomware, adware, spyware,
Trojan horse, worm, rootkit, scareware, rogueware, active content
software, or logic bomb.
[0011] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein the malicious
software comprises zero-day software.
[0012] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein responding to the
one or more local anomalous indicators based on the local security
protocol comprises controlling one or more operating system
processes or network communications of the target device.
[0013] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein responding to the
one or more local anomalous indicators based on the local security
protocol comprises limiting one or more operating system processes
or network communications of the target device.
[0014] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein limiting one or more
operating system processes or the network communications of the
target device effectively isolates malicious software located on
the target endpoint.
[0015] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein at least one
endpoint device of the plurality of endpoint devices is located
outside of a computer network firewall.
[0016] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein one or more of the
central server system or plurality of agents is further configured
to analyze the target endpoint data to determine typical network
access behavior and typical processor behavior of the target
endpoint.
[0017] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein the determined
typical network access behavior and typical processor behavior of
the target endpoint is used to update the local security
protocol.
[0018] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein one or more
artificial intelligence (AI) techniques are employed by one or more
of the central server system or plurality of agents to analyze the
target endpoint data to determine typical network access behavior
and typical processor behavior of the target endpoint.
[0019] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein the central server
system is further caused to group and one or more endpoints of the
plurality of endpoints into an endpoint cluster, wherein the one or
more endpoints of the endpoint cluster comprise one or more similar
processing or network access patterns.
[0020] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein the central server
system is further caused to generate and assign a common local
security protocol to each of the one or more endpoints of the
endpoint cluster.
[0021] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein each of the
plurality of agents is further configured to perform a
point-in-time validation of the target endpoint device, wherein the
point-in-time validation comprises a verification that no local
anomalous indicators are present on the target endpoint device.
[0022] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein the local anomalous
indicator is a pattern of local anomalous activity on the target
endpoint device.
[0023] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein one or more of the
local security protocol or the network-wide security protocol is
manually configured by a network administrator.
[0024] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein one or more of the
local security protocol or the network-wide security protocol is
based on a pre-configured rule set.
[0025] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein one or more of the
local security protocol or the network-wide security protocol is
automatically generated and assigned by one or more of the central
server system or plurality of agents.
[0026] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein a unique local
security protocol is generated for each of the plurality of
endpoint devices.
[0027] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein the local security
protocol is dynamically updated by one or more of the central
server or plurality of agents based on one or more operating system
processes or network communications of the target endpoint
device.
[0028] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein the local security
protocol comprises one or more policies for restricting or allowing
access between the target endpoint device and another endpoint
device of the plurality of endpoint devices, between the target
endpoint device and an outside service or system, or between the
target endpoint device and an internal service or system.
[0029] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein the plurality of
agents are further configured to scan a visible network to identify
devices in or in proximity to a network.
[0030] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein the scan comprises
utilizing discovery protocols to identify the devices in or in
proximity to the network and obtain data therefrom.
[0031] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein the data obtained
from the devices in or in proximity to the network comprises one or
more of an operating system type, device type, IP address, or MAC
address.
[0032] In some embodiments, provided herein is the dynamic
endpoint-based edge networking system, wherein responding to the
one or more local anomalous indicators based on the local security
protocol comprises one or more of altering data access rights of
the target endpoint device, excluding access to the target endpoint
device by a user, or locking the target endpoint device.
[0033] In some embodiments, provided herein is a
computer-implemented method for protecting security and integrity
of an elastic computer network, the method comprising: installing a
software agent on each of a plurality of endpoint devices forming
an elastic computer network; accessing, by each software agent, an
operating system of an endpoint device on which the software agent
is installed to obtain visibility of operating system processes and
network communications of the endpoint device; monitoring, by each
software agent, the operating system processes and the network
communications of the endpoint device to obtain endpoint data, the
endpoint data comprising information regarding at least one of the
system processes or network processes of the endpoint device;
transmitting, by each software agent, the endpoint data to a
central server system; identifying, by the software agent using a
local security protocol, one or more local anomalous indicators on
the endpoint device based at least in part on the endpoint data;
responding, by each software agent, to the one or more local
anomalous indicators on an endpoint-level based at least in part on
the local security protocol, wherein the local security protocol
comprises one or more rule sets, policies, or access rights
designed to ensure local security of each of the plurality of
endpoint devices; receiving, by the central server system, the
endpoint data from each software agent on each of the plurality of
endpoint devices; analyzing, by the central server system, the
endpoint data received from each software agent on each of the
plurality of endpoint devices to identify network-wide activity
patterns; identifying, by the central server system using a
network-wide security protocol, one or more network-wide anomalous
indicators on a network level across the plurality of endpoint
devices based at least in part on the identified network-wide
activity patterns; and responding, by the central server system, to
the one or more network-wide anomalous indicators on the network
level across the plurality of endpoint devices based at least in
part on the network-wide security protocol, wherein the central
server system comprises a computer processor and an electronic
storage medium.
[0034] In some embodiments, provided herein is the
computer-implemented method, wherein at least one endpoint device
of the plurality of endpoint devices is located outside of a
computer network firewall.
[0035] In some embodiments, provided herein is the
computer-implemented method, wherein a common local security
protocol is generated for a portion of the plurality of endpoint
devices and a unique local security protocol is generated for
another portion of the plurality of endpoint devices.
BRIEF DESCRIPTION OF THE DRAWINGS
[0036] A better understanding of the devices and methods described
herein will be appreciated upon reference to the following
description in conjunction with the accompanying drawings,
wherein:
[0037] FIG. 1A is a block diagram illustrating a traditional
enterprise network perimeter based on a firewall and/or data access
management systems;
[0038] FIG. 1B is a block diagram illustrating a traditional
enterprise network perimeter based on a firewall and/or data access
management systems with external devices and cloud services;
[0039] FIG. 1C is a block diagram illustrating a network perimeter
using an endpoint modeling and grouping management system and
agents installed on endpoints according to some embodiments;
[0040] FIG. 1D is a block diagram illustrating a grouping of
endpoints with installed agents according to some embodiments;
[0041] FIG. 1E is a block diagram illustrating a grouping by an
endpoint modeling and grouping management system, which can be
configured to apply access restrictions to the grouping according
to some embodiments;
[0042] FIG. 1F is a block diagram according illustrating various
groupings according to some embodiments;
[0043] FIG. 1G is a block diagram illustrating various groupings of
in-perimeter and out-perimeter endpoints according to some
embodiments;
[0044] FIG. 1H is a block diagram illustrating various groupings
with differing access restrictions according to some
embodiments;
[0045] FIG. 1I is a block diagram illustrating identification of
abnormal behavior according to some embodiments;
[0046] FIG. 1J is a block diagram illustrating deployment of an
agent to an unmanaged endpoint according to some embodiments;
[0047] FIG. 2 is a diagram illustrating example edge networks using
artificial intelligence (AI) according to some embodiments;
[0048] FIG. 3 is a diagram illustrating edge networks in a fully
elastic edge grid according to some embodiments;
[0049] FIG. 4 is a schematic diagram illustrating an endpoint
modeling and grouping management system according to some
embodiments;
[0050] FIG. 5 is a block diagram illustrating a computer hardware
system configured to run software for implementing one or more
embodiments of an endpoint modeling and grouping management system
according to some embodiments;
[0051] FIG. 6 is a block diagram illustrating one or more agents
collecting data from an endpoint according to some embodiments;
[0052] FIG. 7 is a graphical user interface of the data the agent
can collect according to some embodiments;
[0053] FIG. 8 is a flow diagram illustrating transmission of one or
more models to one or more agents based on analysis of data
collected from the agents according to some embodiments of an
endpoint modeling and grouping management system;
[0054] FIG. 9 is a graphical user interface of a group view
according to some embodiments;
[0055] FIG. 10 is a graphical user interface of a dashboard listing
groups, data centers, and services according to some
embodiments;
[0056] FIG. 11 is a graphical user interface of a group and
associated violations according to some embodiments;
[0057] FIG. 12 is a graphical user interface of a group with access
controls to two servers and two services according to some
embodiments;
[0058] FIG. 13 is a graphical user interface of a group with access
controls to servers, two services, and a local database file
storage according to some embodiments; and
[0059] FIG. 14 is a graphical user interface of a listing of groups
and associated characteristics according to some embodiments.
DETAILED DESCRIPTION
[0060] Although several embodiments, examples and illustrations are
disclosed below, it will be understood by those of ordinary skill
in the art that the invention described herein extends beyond the
specifically disclosed embodiments, examples and illustrations and
includes other uses of the invention and obvious modifications and
equivalents thereof. Embodiments of the invention are described
with reference to the accompanying figures, wherein like numerals
refer to like elements throughout. The terminology used in the
description presented herein is not intended to be interpreted in
any limited or restrictive manner simply because it is being used
in conjunction with a detailed description of certain specific
embodiments of the invention. In addition, embodiments of the
invention can comprise several novel features and no single feature
is solely responsible for its desirable attributes or is essential
to practicing the inventions herein described.
[0061] The detection of viruses, spyware, Trojan horses,
ransomware, and like malicious software (collectively referred to
here as "malware") on computer endpoints connected to an enterprise
network is a large-scale problem for information technologists that
are charged with maintaining and protecting information and
software programs stored on these systems. The foregoing challenge
is made more complicated by today's complex enterprise networks
that are no longer just confined to hardware positioned behind or
within a firewall and/or data access management systems. With the
development of cloud computing storage facilities and software as a
service (SaaS) capabilities, and the proliferation of mobile
devices, such as smart phones, laptops, tablets and other devices,
all of which generally sit outside the enterprise firewall, the
enterprise network comprises multiple hardware devices which
communicate with the network from outside within a firewall and/or
data access management systems.
[0062] Rather, the enterprise network, broadly speaking, is now an
elastic network as opposed to a fixed boundary network. With an
elastic network, the challenge of protecting enterprise data and/or
enterprise software systems from malware is made more complicated
because IT administrators need not only be concerned with
protecting computing devices within the firewall and/or data access
management systems but also computing devices interacting with the
corporate network from outside the firewall perimeter and/or data
access management systems. For example, a mobile device that is
located outside the enterprise firewall and/or data access
management systems, and that is infected with a virus or like
malicious software can compromise enterprise data and/or the
systems within the enterprise firewall and/or data access
management systems, especially if the mobile device possesses
authorization to traverse the firewall and access systems and data
within the firewall or other cloud computing systems connected to
endpoints within the firewall.
[0063] Certain anti-virus systems merely focus on detecting known
viruses, malware, ransomware, and the like, and such systems
provide little protection from zero-day (meaning, previously
unknown) malware. Many of today's varieties of malware are
configured to continuously morph themselves so as to, for example,
create a new digital signature associated with their software file,
to allow them to avoid detection by traditional anti-virus systems
that rely on "black listed" digital signatures for detection of
such malware. Accordingly, there is a need for a system that is
configured to protect enterprise data and/or software system from
both known and unknown malware, especially in computing
environments where the enterprise network exists not just within a
firewall and/or data access management systems but also outside the
firewall and/or data access management systems in elastic edge
networks or grids.
[0064] To address the foregoing challenges, this disclosure
illustrates systems, methods, and devices for automatically and
dynamically controlling processes and/or network access of endpoint
devices, whether such devices are positioned inside or outside the
enterprise firewall and/or data access management systems. It can
be advantageous to control processes and/or network access of
endpoints because if an endpoint is infected, the systems disclosed
herein can be configured to prevent the endpoint, and therefore
also prevent the malware that is operating on the endpoint, from
accessing certain network connections and/or running certain
processes, all of which can control the malware and/or limit the
reach of the malware and/or prevent the malware from spreading to
other systems and/or manipulating enterprise data.
[0065] In other words, the systems disclosed herein can be
configured to create a safe protected environment for all endpoint
devices on an elastic network whether or not such endpoints reside
inside and outside the enterprise firewall and/or data access
management systems. In certain embodiments, the system can be
configured to create a safe protected environment for endpoints in
an elastic network based on analyzing behavioral characteristics of
all or some of the endpoints in the elastic network to determine
what data access and/or network access privileges an endpoint
should be granted. In many instances, malware causes endpoints to
perform processes and/or to access certain network paths that the
endpoint does not typically perform or access. Accordingly, by
preventing atypical performance processes and/or atypical network
accesses, the system can prevent a virus, malware, ransomware, and
the like from causing damage to the endpoint device and/or to the
enterprise systems and data.
[0066] In some embodiments, the systems, devices, and methods
disclosed herein can be designed around the concept of creating an
initial "zero-trust" security architecture that can continuously
collect endpoint data at various level of granularity within the
system to persistently verify and establish the credibility of
individual endpoints and the network as a whole. Existing security
models are based on point-in-time authentication, and thus are
unable to ensure the integrity of an endpoint device or a network
in between authentications. While the systems, devices, and methods
described herein can provide point-in-time authentication, in some
embodiments, a key aspect of the design is the continual nature of
the verification of the integrity of a network and its various
endpoint devices, as well as the verification of the users'
identity. In some embodiments, this verification is established
through artificial-intelligence (AI) driven analysis of individual
endpoint, group, and network-wide usage patterns. In some
embodiments, this analysis is centered on continuous monitoring and
collection of data from endpoint devices, and the determination of
a baseline usage of a user, endpoint device, group, subnetwork,
network segment, or the network as a whole. Once established,
baseline usage can be continuously updated and compared to current
usage in order to authenticate users and endpoint devices on a
persistent basis. In other words, the system described herein can
establish an expectation of usage for various levels of
granularity, from the network level all the way down to an
individual user and/or endpoint device, and then compare that
expectation to a current real usage to constantly perform
validation. In some embodiments, the system is capable of
separately validating the integrity of both an endpoint device and
a user utilizing the endpoint device.
[0067] In certain embodiments, the systems disclosed herein can be
configured to install agents on endpoints. In certain embodiments,
the agents can be configured to analyze processes and/or network
traffic occurring on an endpoint. In certain embodiments, the
agents can be configured to transmit such analysis data to a
central computing server system. In certain embodiments, the
central computing server system can be configured to analyze the
data to determine typical network access behavior and/or typical
processor behavior for the endpoint. In certain embodiments, the
agent is configured to analyze the data to determine typical
network access behavior and/or typical processor behavior for the
endpoint, and in certain embodiments, both the agent and the
central server are configured to perform such behavioral analysis
of the endpoint. In certain embodiments, artificial intelligence
(AI) techniques are employed by the agent and/or the central server
to perform such behavioral analysis. Based on such behavioral
analysis, the agent and/or the central server can be configured to
determine and/or model what are the typical processes and/or
network access patterns for the endpoint.
[0068] In certain embodiments, the system comprises a plurality of
agents operating on a plurality of endpoints within an elastic
network. In certain embodiments, the plurality of agents operating
on a plurality of endpoints is communicating with the central
server and/or is performing the same behavioral analysis disclosed
above. In certain embodiments, the systems disclosed herein are
configured to group and/or model a subset of the plurality of
endpoints as having the same and/or similar processing and/or
network access patterns. In certain embodiments, the systems
disclosed herein can be configured to automatically and/or
dynamically assign to the various determined groupings of the
plurality of endpoints one or more rules or sets of rules for
controlling certain processes and/or network accesses on the
various determined groupings of the plurality of endpoints. In some
embodiments, the system, through embedded agents and/or security
agents at endpoint devices, which can include, without limitation,
other systems, servers, computers, virtual machines, or the like,
has the ability to monitor the endpoint devices and apply policies
at the individual endpoint level. In some embodiments, the embedded
agents act as a continuous verification and authentication monitor,
rather than as a binary, point-in-time user authentication
tool.
[0069] In some embodiments, the system comprises a plurality of
agents installed on endpoint devices, wherein the agents are
designed to ensure security on the endpoint devices. In some
embodiments, ensuring security may involve accessing the device at
a base level, such that, for example, an agent can monitor
substantially all activity occurring on the device. In some
embodiments, uninterrupted access to endpoint activity may allow
the agent to validate, over time, that the endpoint device and/or
the user utilizing the endpoint device are operating within the
expectations of the system and/or within the expected typical use
or activity or processes for that endpoint and/or user. In some
embodiments, an agent may validate, at each point in time, that no
anomalous activity is occurring on an endpoint device. In some
embodiments, the system can continuously monitor substantially all
aspects of an endpoint device operating system, such that it can
recognize anomalies occurring at any point in time, and also
patterns of anomalous behavior, to determine whether an endpoint
has become compromised or unsecure. Furthermore, in some
embodiments, through monitoring, the system can determine whether
implemented security rules are violated, implement various controls
or limitations over the endpoint functions, or do any other action
defined by the system or a network administrator. In some
embodiments, these actions and controls are implemented at the
individual endpoint level. In some embodiments, these actions or
controls are implemented on a defined or undefined group of
endpoints or at the entire network level. In some embodiments, a
centralized system can collect data from all the agents installed
on a network to identify network-wide patterns of usage, such that
vulnerabilities and issues that may be difficult or impossible to
identify with the data from a single endpoint can be identified by
the central system. For example, a specific use or pattern of usage
on one or more endpoints may not be identified as anomalous alone
by the agents installed therein, but may, when combined with data
from some other endpoints or substantially all endpoints of the
network, nonetheless be identified as anomalous by the system. In
some embodiments, the agent-based system described herein can
provide a layered security solution that provides individual
endpoint security as well as network-wide security.
[0070] In some embodiments, the system described herein provides
low-level, cross-platform monitoring of endpoint activities. In
some embodiments, the system is configured to create, define,
and/or dynamically alter a set of rules that determine which
endpoint activities are identified as anomalous. In some
embodiments, the set of rules can be defined by machine learning
aspects, pre-determined rule sets, and/or administrator
management.
[0071] It can be advantageous for the system to perform such
behavioral analysis because the system can reduce the work for IT
administrators and/or the system can determine such behavioral
patterns better than human operators. It can be advantageous for
the system to automatically and/or dynamically assign one or more
rules or sets of rules to one or more endpoints because the system
can reduce the work for IT administrators and/or the system can
better develop and/or assign such rules to endpoints, especially in
situations where the enterprise network comprises, hundreds,
thousands and/or millions of endpoint devices connected to the
enterprise network.
[0072] In some embodiments, another central function of the system
may be the creation, generation, and implementation of access
policies, which can be based around determining a baseline usage or
expectation of usage. In some embodiments, the generated access
policies provide an outline for the endpoints, services, servers,
programs, and the like, that any given user on any given endpoint
can access at any given time. In some embodiments, the access
policies are synthesized through the data collected from the
continuous monitoring of endpoints through agents and the
determination of baseline usage of users and/or endpoint devices.
In some embodiments, the aggregate of the access policies applied
to each individual and/or endpoint device comprise a network access
policy as a whole. In some embodiments, the access policies can be
inferred or generated directly from the baseline usage of users
and/or endpoint devices, and then updated manually or automatically
through AI analysis. In some embodiments, because the network can
be managed by individual agents installed on endpoint devices and a
central server, the access policies can be implemented on any and
all levels of the network.
[0073] In certain embodiments, the agents are configured to assign
to the various determined groupings of the plurality of endpoints
one or more rules or sets of rules for controlling certain
processes and/or network accesses on the various determined
groupings of the plurality of endpoints. In certain embodiments,
the central server is configured to assign to the various
determined groupings of the plurality of endpoints one or more
rules or sets of rules for controlling certain processes and/or
network accesses on the various determined groupings of the
plurality of endpoints. In certain embodiments, the system is
configured to use both the agents and the central server to assign
to the various determined groupings of the plurality of endpoints
one or more rules or sets of rules for controlling certain
processes and/or network accesses on the various determined
groupings of the plurality of endpoints.
[0074] In certain embodiments, the agent operating on a particular
endpoint can be configured to apply the one or more rules or sets
of rules to determine whether to allow or reject a network access
path request coming from a program or instruction running on an
endpoint. In certain embodiments, the central server can be
configured to apply the one or more rules or sets of rules to
determine whether to allow or reject a network access path request
coming from a program or instruction running on an endpoint. In
certain embodiments, it can be advantageous for the agents to
determine whether to allow or reject a network access path request
coming from a program or instruction operating on a particular
endpoint because the system acts in a distributed manner as opposed
to the central server making all determinations and potentially
causing a bottleneck. Additionally, a distributed system reduces
network traffic over the network and the number of requests to the
central server. In some embodiments, the systems described herein
comprise a machine learning component for managing and restricting
access to a network. In other embodiments, AI management and
restriction of access to the network is supplemented or replaced by
human administrator management. In some embodiments, human
administrators may manually implement general or specific rules or
manage access on a system wide or endpoint-by-endpoint basis. In
some embodiments, the rules, policies, and access rights of the
system, regardless of how they are fashioned, can be designed to
ensure security of the endpoints and the network by, for example,
ensuring that no malware or other malicious software is introduced,
that the integrity of the certificates are not compromised, and
that there are no anomalies in usage, among others.
[0075] In some embodiments, an edge network according to various
embodiments herein may comprise, and be defined by, a collection of
connected endpoints. In some embodiments, the policies or rules for
managing or restricting access to the network may be devised and
effected manually by, for example, a network administrator. In some
embodiments, the edge networking system can perform other
functions, such as profiling inbound and outbound connections,
installing agents unto network endpoints, and/or managing and
regulating access to various systems within and outside the
network. In some embodiments, the systems, devices, methods herein
can identify and group one or more endpoints and manage policies
for restricting and/or allowing access between endpoints, between
an endpoint and outside services and systems, and between endpoint
and internal services or systems.
[0076] In some embodiments, the agent-based system described herein
may enable network management through enhanced data availability.
Network management may include altering endpoint data access
rights, user exclusion, and/or endpoint locking, among others. In
some embodiments, the system may restrict any or certain inbound
connections from one or more sources outside the network. In some
embodiments, the monitoring, rule setting, and/or network
management aspects of the system can be controlled at the
individual endpoint devices, as opposed to at the network level,
through installed agents.
[0077] In some embodiments, an agent as described herein can be
installed on an endpoint device to access and manage incoming and
outgoing traffic on the device. In some embodiments, the agent,
through its access to the device systems and traffic, can
continuously validate the identity and permissions of a user of the
device. In some embodiments, a network is defined by endpoint
devices with installed agents and the system gains visibility and
access to all devices of the network through the installed agents.
In some embodiments, when an agent is installed on an endpoint,
substantially all communications to and from an endpoint device can
be monitored and stored by the agent, such that any network
management rules (e.g. access rights) can be applied regardless of
the physical location of the endpoint. In some embodiments, the
agent-based system described herein can monitor and store all
internal communications and/or external communications. For
example, the system may be configured to monitor and store activity
occurring between two endpoints within the network. In some
embodiments, the system has visibility to these communications
through kernel-level monitoring of endpoints with installed agents.
In some embodiments, the system utilizes the data access and
network management policies, enforced at the individual endpoints,
to define a broad-level network across of a plurality of
endpoints.
[0078] Another difficulty faced by existing network security,
management, and control systems is the transient nature of the
network, particularly with regard to new endpoint devices accessing
the network and existing endpoint devices ceasing to exist on the
network. In some embodiments, the systems, devices, and methods
disclosed herein solve the difficulty of a constantly expanding
and/or retracting network by constructing a continuously updated
mapping, visualization, and/or representation of the network
construct, including various network segments and/or subnetworks.
In some embodiments, the system is configured to map a plurality of
endpoint devices in a software-based, distributed manner. That is,
the map or visualization can be assembled based on data received
from distributed software throughout the network. In some
embodiments, this distributed software comprises agents installed
on each endpoint device of a network. In some embodiments, the
system can provide a visualization or view of the network and/or
various sub-networks by aggregating data collected from the agents
installed on a plurality of endpoint devices. In some embodiments,
the network can comprise various subnetworks, each subnetwork
comprising one or more endpoint devices. In some embodiments, the
system can be configured to assemble a view of the network and/or
various subnetworks based on information received from agents. In
some embodiments, the map, view, or visualization of the network,
constructed using data from agents installed on endpoints, can
provide an overall and/or piece-by-piece view of the network and/or
various subnetworks.
[0079] A related issue to the elastic nature of modern networks
discussed above is the existence of non-traditional
network-connected devices. The system described herein deals with
this issue by gaining visibility of these devices through the
distributed agent-based endpoint network and then integrating the
control and network management functionalities to directly or
indirectly supervise these non-traditional devices. In some
embodiments, a network, network segments, and/or subnetworks can
comprise various endpoint devices, some of which may have an agent
installed and some of which may have no agent installed. However,
in some embodiments, by virtue of having an agent installed on one
or more endpoint devices of the network, the system may have
visibility, through scanning or discovery functionality, over all
endpoint devices on the network and/or subnetworks. By having
visibility over endpoint devices without agents installed, the
system can collect data from those devices, including, but not
limited to, the existence of the unmanaged devices (i.e. devices
with no agent installed therein), the network communications that
the unmanaged devices have sent or received to and from other
endpoint devices, and the existence or nonexistence of inbound or
outbound connections to the unmanaged devices. Based on this
collected data, the endpoint-based network system can dynamically
determine necessary actions to take regarding the preservation or
termination of communications and connections between the unmanaged
devices and the network as a whole, subnetworks, network segments,
logical groups, physical groups, or even individual endpoints. In
some embodiments, the system can be configured to include the
unmanaged devices in grouping themselves, and thus apply any
group-specific rules directly to the unmanaged device and its
communications with other endpoint devices in the network. In some
embodiments, the dynamic determination and groupings can be made
by, for example, an orchestration layer as described below.
[0080] In some embodiments, the system can be configured to counter
compromised vulnerable Internet of Things (IoT) devices. Some
malicious software uses IoT devices for use as proxies or
intermediaries for Internet requests to route malicious traffic for
cyber-attacks and computer network exploitation. IoT devices,
sometimes referred to as "smart" devices, are devices that
communicate with the Internet to send or receive data. Examples of
targeted IoT devices include: routers, wireless radios links, time
clocks, audio/video streaming devices, Raspberry Pis, IP cameras,
DVRs, satellite antenna equipment, smart garage door openers, and
network attached storage devices. IoT proxy servers may be
attractive to malicious cyber actors because they provide a layer
of anonymity by transmitting all Internet requests through the
victim device's IP address. In some embodiments, IoT devices may be
particularly attractive targets because they allow access to many
business websites that block traffic from suspicious or foreign IP
addresses. In some embodiments, malicious software can use the
compromised device's IP address to engage in intrusion activities,
making it difficult to filter regular traffic from malicious
traffic. In some embodiments, malicious software can use
compromised IoT devices as proxies to, for example, send spam
e-mails, maintain anonymity or avoid detection, obfuscate network
traffic, mask Internet browsing, generate click-fraud activities,
buy, sell, and trade illegal images and goods, conduct credential
stuffing attacks, and sell or lease IoT botnets to other cyber
actors for financial gain. In some embodiments, IoT devices may
have weak authentication, unpatched firmware or other software
vulnerabilities, or have easily defeated default usernames and
passwords. In some embodiments, the agent-based endpoint network
disclosed herein can combat attacks that occur through IoT devices
by detecting, monitoring, and controlling communications from these
devices into the endpoint devices.
[0081] In some embodiments, the agent-based system may provide
visibility into substantially all computerized devices, including
those without installed agents and/or in proximity with an endpoint
device with an installed agent. In some embodiments, the system can
identify and gain visibility of all devices in the same subnet,
visible, or accessible network in proximity to an endpoint device.
These devices may include any internet or network-connected
devices, such as physical devices, vehicles, home appliances, and
any other items embedded with electronics, software, sensors,
actuators, and connectivity which enable these things to connect
and exchange data In some embodiments, an installed agent may be
configured to scan a visible network, which may include any
sub-network, or the entire network. In some embodiments, the system
can utilize discovery protocols to ascertain the existence and
obtain data from all devices in or in proximity to a network. In
some embodiments, the system can obtain data from these devices,
including the operating system, the type of device, IP address, and
MAC address, among others. In some embodiments, the system may
protect the endpoint-based network from attacks that are directed
through these "unmanaged" (i.e. no agent installed) devices by
restricting network communications between unmanaged devices and
network endpoints.
[0082] In some embodiments, the system may also comprise an
orchestration functionality or layer, which may serve to coordinate
the collection and aggregation of data from the plurality of
agents. In some embodiments, this orchestration layer may increase
system efficiency by directing discovery protocols, network
scanning, data collection and aggregation, network visualization
construction, and various other system functionalities to reduce
excessive or nonessential functions. In some embodiments, the
orchestration functionality can amass the data from all of the
endpoints and agents of the network, network segments, and/or
subnetworks to create one or more cohesive views, visualizations,
asset inventories, lists, or the like, in order to provide a
mapping, grouping or representation of the network, network
segments, and/or subnetworks. In some embodiments, the data is
collected from agents installed in physical endpoints on the
network, data centers, cloud services, non-traditional devices
(e.g. IoT devices, printers, etc.) or any other part of the
network.
[0083] In some embodiments, the system can be configured to utilize
the continuously updated mapping, visualization, and/or
representation to update the network groupings, access rules,
network administration, and all other facets of the security and
network management functionalities. In this way, the system can
dynamically react to the expansion or retraction of the network
through the addition and/or departure of endpoint devices to and
from the network. The system may also include non-traditional
endpoint devices including IoT devices into groupings such that
group access rights and rules can be applied to those devices. In
the alternative, in some embodiments, non-traditional endpoint
devices on the network may not be grouped, and the system may
determine, based on data aggregated from the agents installed on
the endpoint devices, that one or more non-traditional endpoint
devices should be able to communicate with all, some, or none of
the other endpoint devices of the network. In some embodiments,
this determination can be based on a holistic behavioral analysis
of the network, the various network segments, subnetworks, and/or
individual endpoints. The level of granularity and specificity to
which the system can control groupings and therefore access rights
and network communications management of the endpoint devices of
the network, including non-traditional endpoint devices, is not
limited. Specifically, network groupings and rules can be applied
to the network as a whole, to particular subnetworks or network
segments, to groups of endpoints, to individual endpoints, to
non-traditional endpoints, to third-party services, enterprise
services, and the like, and to any and all communications between
any of the above (e.g. between an individual endpoint and its own
group or a separate group of endpoints). There are very few
limitations on the extent and specificity of control that the
system can have on grouping and controlling the endpoints of the
network and the network as a whole, or in parts. In some
embodiments, some devices on the network can be controlled and
managed, even without installing an agent therein, by limiting the
ability of those devices to communicate with other devices on the
network.
[0084] In some embodiments, the system described herein is not
limited by physical proximity to a network. Because agents can be
installed directly on endpoints, the physical location of the
endpoints does not determine whether the endpoint benefits from the
security features of the flexible network system described
herein.
[0085] In some embodiments, the system can be configured to access
a holistic amalgamation of network connection and system activity
data, including, for example, what software is being utilized at an
endpoint, what data is sent and received over a network connection,
the time and form of user authentication, and/or the time and form
of endpoint validation, among others. Thus, in some embodiments,
the security features of the system can function in connection with
a complete view of endpoint activity and network communications. In
some embodiments, the system can be configured to continuously
monitor endpoint activity and network communications, rather than
solely at the time a network connection is formed. In some
embodiments, the agent-based system may be configured to ensure the
integrity of a network connection, in addition to the data sent and
received over that connection.
[0086] In some embodiments, the system can authenticate the sender
and receiver of data over a network connection such that integrity
of the network connection is ensured. In some embodiments, the
system can restrict data transfer over a network connection if it
identifies an illegitimate sender or receiver. In some embodiments,
the system can perform this authentication and other integrity
checks, through an installed agent, by parsing requests and
responses sent and received by an endpoint, monitoring bandwidth
usage, and/or scrutinizing contextual data (e.g. time of access),
among others. In some embodiments, the agent-based system may
terminate illegitimate connections.
[0087] In some embodiments, the system described herein may
facilitate faster and more efficient network communications than,
for example, a virtual private network (VPN). In some embodiments,
the system may introduce no latency into network connections. In
some embodiments, the system may perform without latency regardless
of the underlying network infrastructure, because the system may
not perform routing of network connections and agents are installed
directly at endpoints. In some embodiments, the system is not bound
by any network infrastructure limitations or overhead caused by
routing network traffic.
[0088] Certain enterprise networks can use centralized servers to
identify anomalies, such as malware, and/or to determine access
restrictions. Identification and response to these anomalies can be
delayed based on the latency to and from the centralized servers.
Furthermore, these enterprise networks can be required to perform
anomaly detection for hundreds of thousands of endpoints connected
within its perimeters and/or connected cloud services and data
centers. In some embodiments, the endpoint modeling and grouping
management system disclosed herein addresses these shortcomings by
enabling agents installed on the endpoints to detect anomalies,
respond to security threats, enforce network policies, regulate
network access, and the like. In some embodiments, the agents can
regulate network access by employing AI techniques to generate
access policies for an endpoint, allowing or restricting connection
to, from, and/or of an endpoint and/or an asset, setting
authentication criteria for a connection, establishing roles for
endpoints, change and/or update policies at endpoints, and the
like. In some embodiments, the agents can enforce network policies,
such as shutting down and/or enabling network access, setting
and/or limiting network bandwidth, generating an alert based on
network bandwidth usage, locking an endpoint based on bandwidth
usage, setting bandwidth policies for specified connections to
particular endpoints and/or assets, controlling traffic during
certain time periods such as outside of normal business working
hours, deploying internet security for a particular connection
and/or endpoint, and the like. In some embodiments, the agents can
identify anomalies and perform actions autonomously by applying the
models generated by the endpoint modeling and grouping management
system.
[0089] To enable the foregoing, in certain embodiments, the
endpoint modeling and grouping management system can be configured
to collect data from endpoint computer devices in a network.
[0090] Enterprise networks can collect network traffic data.
However, often times the network traffic data is encrypted and may
not provide any visibility for activities occurring within an
endpoint, within an enterprise network perimeter, within a cloud
service, within a cloud data center, and the like. Furthermore,
endpoints on traditional enterprise networks can connect directly
with a cloud service while outside of the enterprise network
perimeter, and thus, traditional enterprise networks may not have
visibility on this type of traffic. In some embodiments, the
endpoint modeling and grouping management system addresses these
shortcomings of enterprise network technology by enabling an agent
to monitor activity at the kernel level. In some embodiments, the
agents can monitor data packets before encryption and/or after
decryption. In some embodiments, the agents can monitor activity
occurring within the endpoint. In some embodiments, the agents can
monitor activity when the endpoints are outside of a traditional
enterprise network perimeter. In some embodiments, the agents can
monitor data packets enclosed in a layer of protection, such as a
sandbox. Thus, the endpoint modeling and grouping management system
can provide deep visibility on the activities of endpoints
connected to the endpoint modeling and grouping management
system.
[0091] In some embodiments, agents installed on the endpoints can
collect real-time information on the kernel level providing the
system with deep visibility to a wide range of data types, such as
internal endpoint activity, encrypted data, and the like. In some
embodiments, the endpoint modeling and grouping management system
can identify similarities in behavior by employing an artificial
intelligence component on the data collected by the agents. In some
embodiments, the endpoint modeling and grouping management system
can dynamically model groups such as logical groups, and cluster
endpoints based on the behavioral similarities and/or differences
identified among the activities of the endpoints. In some
embodiments, the endpoint modeling and grouping management system
transmits the behavioral models to the agents to allow the agents
to identify anomalies and/or security threats.
[0092] In some embodiments, the endpoint grouping and modeling
systems herein can utilize various data to determine and model
endpoint groupings. In some embodiments, the system can be
configured to use an all-inclusive approach, wherein the system
examines the data from the various endpoints as a whole. For
instance, the system may survey, for example, every IP address
contacted, every service utilized, and every network communication,
inbound or outbound, to and from each endpoint in order to classify
and group endpoints with similar characteristics. In some
embodiments, the result of this classification and grouping
mechanism may be to assemble a group of endpoints having similar
baseline access and network communication patterns. In some
embodiments, the endpoint grouping may or may not coincide with
user's having similar access needs based on, for example, their job
responsibilities, their location, or any other user classification.
For example, software developers within an enterprise network may
utilize use-case specific services like GitHub, Visual Studio,
Python that may indicate to the system that this endpoint or user
should be grouped with other endpoints or users with similar usage
patterns (e.g. other software developers), and that the group
should have limited access or communication to services or
endpoints that do not match the established pattern of usage of the
group or do not pair with a system-determined purpose or intent of
the group's users or endpoints. In some embodiments, the grouping
modeling system's analysis extends beyond the identity of the
services, resources, or endpoints to which an endpoint is
accessing. In some embodiments, the system may also analyze, for
example, when the access occurs, how frequently access occurs, the
duration of each instance of access, the amount of data transferred
during each instance of access, the type of data transferred,
bandwidth usage, identity of the user accessing, current processes
running on the endpoint device before, and during, and after the
time of access. In some embodiments, all of the above and more may
be utilized to determine groupings, to establish a baseline of
usage for an endpoint device and/or a grouping, and to generate and
set access rights, security, and network communication
protocols.
[0093] In some embodiments, the system can be configured to
generate and provide multiple unique views or visualizations of the
network and its various groupings and subnetworks. For example, in
some embodiments, the network can be viewed as a whole or in part
based on, for instance, logical groupings, physical location of
endpoints, subnetworks, network segments, device types, managed
devices, unmanaged devices, similarities in inbound and outbound
connections, similarities in types of applications installed, time
of use of endpoint device, frequency of use, time of use of
applications, type of WiFi network used, access point utilized
temperature of devices, device memory usage, type of hardware, RPM
of hardware, number of CPU cycles on endpoint device, third-party
organizational groupings, and any other properties available to an
agent or the central server.
[0094] In some embodiments, the systems, devices, and methods
described herein can be configured to integrate with other existing
third-party services, deployment means, enterprise mobility
management (EMM) tools, authentication software, and security
protocols deployed alongside the endpoint-based network system. In
some embodiments, the data and information collected by the system
described herein can enable automation of third-party solutions
running alongside the system within a network. For example, the
system, through the discovery and grouping protocols described
herein, may scan and discover an unmanaged device within an
existing grouping. Having visibility of this unmanaged device may
allow the system to then use existing deployment tools or means,
such as, for example, Active Directory, to deploy an agent unto the
unmanaged device. The tools and solutions which may be integrated
with the endpoint-based network system herein is not limited, and
may include any other platform running within the network
environment. Specific examples include, for example, Active
Directory, Jamf, Tanium, IBM Bigfix, Kaspersky, Trend Micro,
Tripwire, Carbon Black, Symantec Endpoint Protection, Ivanti
Endpoint, SCCM, McAfee, CrowdStrike, Trend Micro Deep Security,
Avast, Shield, Norton, and the like. In some embodiments, the
system can be integrated into these third-party platforms such that
agents can be automatically deployed to endpoints by the existing
platforms, such that specific access or network management rules
developed by the system can be deployed through the third-party
platforms.
[0095] Traditional enterprise networks can define their network
topology and/or network perimeter based on hardware. FIG. 1A is a
block diagram illustrating a traditional enterprise network
perimeter based on hardware, a firewall and/or data access
management systems. FIG. 1B is a block diagram illustrating a
traditional enterprise network perimeter based on a firewall and/or
data access management systems with external devices and cloud
services. Endpoints (such as computing devices, data centers,
and/or servers) 104, 108, 112, 114 that connect to a network (such
as via a Wi-Fi connection) can be determined to be within an
enterprise network perimeter and that computer's network traffic
can be transmitted through a connection tunnel, for example, VPN,
between the endpoints 104, 108, 112, 114 and external computing
devices 115 and/or external networks 120 with their own endpoints
118 outside of the enterprise network perimeter via the enterprise
network firewall 102 and/or data access management systems. The
perimeter is often defined based on a firewall and/or data access
management systems 102 between endpoints (such as computing
devices/servers) 104, 108, 112, 114 and the external network.
Typically traditional enterprise networks can inspect and/or
monitor inbound and outbound network traffic of the connection
tunnel (such as by using intrusion detection and prevent systems
(IDS) which are a commonly used network security/threat prevention
procedure that examines network traffic flows). Traditional
enterprise networks can monitor and inspect network traffic to
detect and prevent vulnerability exploits coming from malicious
inputs to a target application or service. Attackers can input
malicious input to interrupt and/or gain control of an application
or computing device. For example, attackers can disable an
application, access all rights and permissions available to the
compromised application, and the like.
[0096] However, data available to traditional enterprise networks
can be limited to network traffic to and from the external
computing devices. Thus, these traditional enterprise networks can
monitor and/or inspect network traffic between endpoints 104, 108,
112, 114 that are within the traditional enterprise network
perimeter and computing devices external to the enterprise network
perimeter 115 and/or to other networks 118. Traditional enterprise
networks can also monitor and/or inspect network traffic between
endpoints 104, 108, 112, 114 that are within the traditional
enterprise network perimeter and cloud computing systems (such as
cloud services and/or cloud databases) 122. The traditional
enterprise network may not have access to network traffic internal
to the endpoints within the enterprise network perimeter 104, 108,
112, 114 nor traffic within an external cloud computing system.
This becomes problematic in today's world where a user can be
traveling from one destination to another. For example, an
individual can use his or her cellphone and/or a laptop from a
different location in the world than the location of their desktop.
Endpoints such as a desktop can be connected to a home or work
network for extended periods of time and thus, can stay within the
enterprise network perimeter. However, for endpoints that are
remote computing devices such as the cellphone and laptop, the
endpoints can connect and disconnect from the home or work network
periodically throughout the day. Thus, the endpoints can be outside
the enterprise network perimeter, and thus at certain times,
communicate directly with cloud data centers and/or cloud
applications. The communication channels and/or network traffic may
not be restricted with the same network restrictions an endpoint
may have when within the perimeters of the traditional enterprise
network. The endpoints may also not be protected by the same
network protections available on the enterprise network. As a
result, the direct communication channel to and from the endpoint
may not be monitored and inspected for security threats and/or may
not have any form of access provisioning applied because the
endpoint can bypass these mechanisms by being outside the
enterprise network perimeter.
[0097] In addition, a single user can own several endpoints, some
residing within the enterprise network perimeter (such as a work
desktop) and endpoints that may not be within the enterprise
network perimeter (such as a mobile phone or a laptop).
Furthermore, a user's endpoint can also be continually changing,
such as when a user purchases a new laptop or phone. Therefore, a
user can be connected to a plurality of different networks at once
and change continuously. Traditional enterprise networks can
address this by allowing new devices within the perimeter to have
protections and access rights. However, a shortcoming is that when
malicious code connects within the enterprise network perimeter,
the malicious code can have access to a large amount of data and/or
operations within the enterprise network perimeter.
[0098] Another issue with traditional enterprise networks is the
rise of encryption in network traffic. Network traffic can be
encrypted before transmission and decrypted upon receipt at the
destination computing device. Thus, a traditional enterprise
network that monitors the inbound and/or outbound network traffic
may not be able to view the content and/or other important
information available on the network data packet being transmitted
and/or received.
[0099] Furthermore, the data available to traditional enterprise
networks can often be limited to network traffic. Accordingly,
these enterprise networks can have limited and/or no visibility
into the operations and processes that are occurring within the
transmitting computing device and the receiving computing device.
For example, these enterprise networks can monitor the incoming and
outgoing network traffic of a computing device but may not be able
to monitor communication between applications (such as a browser on
the user's space) and the CPU. Given this limited visibility, the
traditional enterprise networks may not have the information
necessary to effectively assess security risks, understand and
assess behavior of the computing devices, and/or offer cyber
security solutions at the operational level of a computing
device.
[0100] Moreover, traditional enterprise networks may have limited
or no visibility to activities occurring external to its perimeter
(such as activity occurring on the cloud network). As mentioned
herein, traditional enterprise networks have not been able to
effectively regulate communication between corporate enterprise
networks and cloud data centers/services. Given the widespread
adoption of cloud network services by many corporations, users can
access data (for example, work email, sensitive documents) via
their mobile phones that can access cloud applications and/or cloud
data centers directly. This direct communication tunnel from the
endpoint to a cloud service may not involve the transmission of
network traffic through the enterprise network, and thus may not go
through the enterprise network firewall and/or data access
management systems for monitoring and access restrictions.
Accordingly, traditional enterprise networks may not be able to
monitor and/or regulate such communication. Furthermore, a growing
number of data leaks and security breaches include compromise of a
large number of sensitive documents. This is at least partially due
to the fact when there is a security leak into the enterprise
network perimeter, the security breach not only includes the files
that are stored within the enterprise network but can also include
the files that are stored in the cloud data centers and/or the
cloud services that are accessible by endpoints within the
enterprise network. Thus, the security breach can spread to
machines with the perimeter and machines within the cloud. This is
becoming a growing problem as enterprises are adding more devices
and more services to their corporate enterprise networks, growing
the enterprise network perimeter and linking the endpoints to
larger cloud data centers and more cloud services, thus providing
attackers with access to more information.
[0101] Some enterprise networks tried to solve this problem of
limited visibility by placing a secure socket layer (SSL)
terminator. An SSL connection can be used by applying a certificate
for authentication before sending encrypted data from an endpoint
to a web server. Then, the SSL terminator can intercept the
encrypted network traffic and decrypt the network traffic on a
separate computing device using the certificate in order to access
content within the network traffic. These types of solutions,
however, often raise privacy concerns. For example, users may not
want to make their certificates that are used to decrypt the
network traffic available to third parties.
[0102] Various embodiments described herein address one or more
shortcomings of traditional enterprise networks. In some
embodiments, the endpoint modeling and grouping management system
can achieve deep visibility of activity on the network and in the
endpoint, both encrypted and non-encrypted communications, via
agents installed at the endpoints. FIG. 1C is a block diagram
illustrating a network perimeter using an endpoint modeling and
grouping management system and agents installed on endpoints
according to some embodiments. In some embodiments, an enterprise
network perimeter can comprise one or more endpoints with applied
network configurations. An enterprise network perimeter can
comprise applying access restrictions to the one or more endpoints
within the network perimeter. An enterprise network perimeter can
comprise security assessment of inbound and outbound traffic to the
network perimeter. In some embodiments, the endpoint modeling and
grouping management system 140 can access and analyze the network
traffic and/or activity data generated by the agents 145A, 145B,
145C, 145D, 145E, 145F, 145I, 145J (collectively referred to herein
as agents 145). In some embodiments, the endpoint modeling and
grouping management system 140 can model and cluster groups such as
logical groups of endpoints based on the network traffic and/or
activity data. FIG. 1D is a block diagram illustrating a grouping
of endpoints with installed agents according to some embodiments.
The endpoint modeling and grouping management system can determine
a grouping such as a logical grouping 126 that encompasses
endpoints 104, 108, 112, 114, 115, and 118. The endpoint modeling
and grouping management system can assess other types of data, such
as active directory information to model and cluster groups such as
logical groups of endpoints. In some embodiments, the endpoint
modeling and grouping management system 140 can transmit the model
(or the artificial intelligence software) to end points and/or
agents 145 in a group such as logical group. The models can be used
to assess activity on the endpoints in order to identify anomalies.
In some embodiments, the endpoint modeling and grouping management
system 140 can determine enforcement and data control path policies
based on the modeling of groups. In some embodiments, the endpoint
modeling and grouping management system can employ artificial
intelligence to model and cluster groups such as logical groups
and/or determine enforcement and data control path policies. In
some embodiments, the endpoint modeling and grouping management
system 140 can be a cloud-based system. In some embodiments, the
endpoint modeling and grouping management system 140 can be a
system within and/or external to the enterprise network
perimeter.
[0103] In some embodiments, the endpoint modeling and grouping
management system can employ edge computing by optimizing cloud
computing systems to perform data processing at the edges of the
network, near the source of the data. In some embodiments, the
endpoint modeling and grouping management system can identify
similarities and/or differences among the data collected from
agents installed on various endpoint computer devices. In some
embodiments, based on the comparison of the data collected via the
agents, the endpoints can be grouped or clustered into groups such
as logical groups. The models for the groups such as logical groups
can be transmitted to the end points and/or the agents. In some
embodiments, the models can provide an indication of baseline
activity. Agents and/or endpoints can receive the models, identify
baseline activity, and autonomously assess endpoint activity and/or
network traffic for anomalies. Anomalies can be used to flag
behavior that can indicate a security breach, such as malware or a
computer virus. Thus, the agents can identify potential security
breaches and react faster than traditional enterprise networks,
where data can be transmitted to a cloud server for the cloud
server to identify anomalies.
[0104] In some embodiments, the endpoint modeling and grouping
management system can calculate similarities and/or differences
between endpoint devices. In some embodiments, the similarities can
be identified using a similarity measure and/or function (such as
the distance between devices, or certain data packet types
transmitted and received). In some embodiments, the similarities
can include perimeters and/or data points indicative of behaviors
of the endpoints. For example, similarities can be identified based
on an assessment of the inbound and outbound network traffic, the
network connections of the endpoints, the types of devices that the
endpoints are associated with, the amount of network traffic on a
certain network connection, and the like. The groups such as
logical groups can be dynamically and automatically created based
on behavioral activity in order to create network representations
of the groups such as logical groups. In some embodiments, the
endpoint modeling and grouping management system can continually
add and remove endpoints to the groups such as logical groups based
on behavioral activity analysis. The endpoint modeling and grouping
management system can continually change the membership of the
groups such as logical groups, making the groups such as logical
groups an elastic grid. In some embodiments, the endpoint modeling
and grouping management system can define an enterprise network
perimeter based on the grouping. Thus, the endpoint modeling and
grouping management system can create an elastic perimeter that can
virtually encompass endpoints. In some embodiments, the endpoint
modeling and grouping management system can define the enterprise
network perimeter by grouping endpoints with similar behaviors. In
some embodiments, the endpoint modeling and grouping management
system can create the enterprise network perimeter based on an
installed agent such that each endpoint with the installed agent
can be determined to be within the enterprise network perimeter
regardless of the current location of the endpoint. The groups such
as logical groups can be defined behaviorally, beyond the
boundaries of hardware, network, endpoint, cloud, physical, or
virtual datacenters. Thus, the endpoint modeling and grouping
management system can address one or more shortcomings of
traditional enterprise networks where the perimeters can be defined
by hardware connections. These traditional enterprise networks may
not provide protection, access restrictions, and the like to
endpoints that are outside of the enterprise network perimeter
whereas the endpoint modeling and grouping management system can
define its perimeter based on the installed agents, and thus can
provide access restrictions, protection, and the like regardless of
the location of the endpoints.
[0105] In some embodiments, the endpoint modeling and grouping
management system can set policies based on groupings such as
logical groupings. In some embodiments, the policies can regulate
network access of the endpoints. For example, for a particular
group such as logical group, the endpoint modeling and grouping
management system can apply certain policies to certain groups such
as logical groups. For example, a group such as logical group can
access certain datacenters, only access certain endpoints via
virtual private network (VPN), or allow access to cloud
application/servers. For example, the finance logical group can
have access to certain datacenters that the engineering logical
group may not have access to.
[0106] FIG. 1E is a block diagram illustrating a grouping by an
endpoint modeling and grouping management system, which can be
configured to apply access restrictions to the grouping. The agents
145 can be installed on endpoints 115, 104, 112, 108, 114, and 118
to create a grouping such as a logical grouping 126. The endpoint
modeling and grouping management system 140 and/or the agents 145
can employ access restrictions for the group 126, such as allowing
access to an endpoint 121 outside the logical group, allowing
access to cloud computing systems 122 and denying access to
different cloud computing system 124 (such as a cloud service or a
cloud database), and/or denying access to another external network
125 comprising one or more endpoints 123.
[0107] In some embodiments, the endpoint modeling and grouping
management system can be configured to allow a user to adjust a
threshold setting to control the resolution and/or granularity of
the logical groupings. In some embodiments, the threshold level can
be set to a higher level to encompass a smaller population of
endpoints for each group such as logical group.
[0108] FIG. 1F is a block diagram illustrating various groupings
according to some embodiments. If the threshold level is set low,
in other words to be more inclusive, the group can encompass
endpoints 104, 112, 108, 114 to form logical group 126. If the
threshold is set higher, in other words to be less inclusive
requiring endpoints to have more behavioral attributes in common,
the groupings can encompass a smaller number of endpoints, such as
a first grouping 128 with endpoints 104 and endpoints 108 and/or a
second grouping 130 with endpoints 112 and endpoints 114. If the
threshold is set even higher, in other words to be the most
restrictive requiring endpoints to have essentially the same
behavioral attributes, the groupings can encompass a smaller number
of endpoints, such as a first grouping 132 with endpoints 104, a
second grouping 134 with endpoints 108, a third grouping 136 with
endpoints 112, and/or a fourth grouping 138 with endpoints 114.
[0109] FIG. 1G is a block diagram illustrating various groupings of
in-perimeter (i.e. inside the corporate network firewall) and
out-perimeter endpoints according to some embodiments. Endpoints
104 and 112 can be within a traditional enterprise network
perimeter 102. The groupings such as logical groupings can include
one or more endpoints inside of the perimeter and one or more
endpoints outside of the perimeter. The endpoints 104, 112 within a
single perimeter can be grouped into separate groupings such as
logical groupings. A first logical grouping 128 can include
in-perimeter endpoints 104 and out-perimeter endpoints 108. A
second logical grouping 130 can include in-perimeter endpoints 112
and out-perimeter endpoints 114. For example, endpoints 104 can be
desktops within a firewall 102 and endpoints 108 can be laptops
outside the firewall 102. The desktop endpoints 104 and laptop
endpoints 108 can be associated with a logical group 128, and can
only access an email cloud service but be denied access to an
accounting database. As such, the logical grouping 128 can comprise
the desktop endpoints 104 that sit within the firewall 102 and
laptop endpoints 108 that sit outside the firewall 102.
[0110] FIG. 1H is a block diagram illustrating various groupings
with differing access restrictions according to some embodiments.
The endpoint modeling and grouping management system and/or the
agents 145 can restrict access of the endpoints 104, 108, 112, 114.
A first group 128 of endpoints 104, 108 can have access to certain
cloud computing systems 122 but may be denied access to other cloud
computing systems 124, whereas a second group 130 of endpoints 112,
114 can be denied access to both cloud computing systems 122 and
124.
[0111] In some embodiments, an agent installed on one or more
endpoint computer devices can be configured to collect data
associated with and/or from the endpoints. In some embodiments, the
agent can comprise software that collects data about activity
occurring at an endpoint or nearby the endpoint. For example, an
agent can collect data at an endpoint by intercepting and/or
analyzing executed processes on the endpoint and/or monitoring
network traffic to and from the endpoint. In some embodiments, the
agents can monitor inbound and outbound operations and events at
the kernel level. In some embodiments, the agents can monitor
encrypted and/or unencrypted data, as will be described in further
detail below. In some embodiments, the agents can analyze local,
system, and/or operating system activities within the endpoints.
The collection of data via an agent can be performed on a periodic
basis (for example, each microsecond, each millisecond, each
second, each minute, each hour, each day, each month, each year,
and/or the like), continuously, and/or can be performed in response
to an activity (for example, network traffic, operating system
activity, an application, and/or the like). The agents can be
installed on computing devices within the perimeters of an
enterprise network. In some embodiments, the agents can be
installed on cloud data servers and/or cloud services. In some
embodiments, the agents can be installed on computing devices
outside of the perimeter of a company enterprise network. In some
embodiments, the agents can be installed on remote computing
devices (such as a mobile phone or laptop) that can move in and out
of a company enterprise network perimeter. Thus, the network can be
an elastic grid of endpoints that can identify abnormal behavior
and/or provide access restrictions inside and outside a company
enterprise network perimeter.
[0112] FIG. 1I is a block diagram illustrating identification of
abnormal behavior according to some embodiments. In some
embodiments, the endpoint modeling and grouping management system
and/or agents can identify baseline behavior for the endpoint. An
agent 145 can determine that an endpoint 104 comprises baseline
behavior of obtaining a certain amount of data from a cloud
computing system 112. An abnormal behavior can be a large amount of
data and/or a small amount of data as compared to the baseline
amount of expected data. The agent 145B or 145C can determine that
endpoints 108 or 114 comprises baseline behavior of sending or
receiving certain data packets of a particular type, depicted as a
triangle, and/or not sending or receiving other data packets of
another type, depicted as a star. The agent 145D can determine that
an endpoint 112 comprises baseline behavior of performing certain
types of internal processes, depicted as a semi-circle, and/or to
not perform other types of internal processes, depicted as three
straight lines.
[0113] In some embodiments, the endpoint modeling and grouping
management system and/or the agents can map, determine, and/or
identify the network topology of the groups, such as logical
groups. The endpoint modeling and grouping management system and/or
the agents can use the mapping of the network topology to derive a
network map representing one or more endpoints/devices connected to
a network. In some embodiments, the endpoint modeling and grouping
management system can determine a model for the endpoints on the
network map. The models can be used to establish a baseline of
behavior for activity and/or access restrictions for one or more
groups. In some embodiments, the models can be used to identify
access restrictions for the groups. In some embodiments, the
endpoint modeling and grouping management system can transmit the
model to the endpoints and/or the agents. In some embodiments, the
endpoints and/or agents can assess future activity on the endpoint
autonomously to identify anomalies in activity based on the
baseline. In some embodiments, the endpoints can enforce the access
restrictions received from the endpoint modeling and grouping
management system.
[0114] In some embodiments, the mapping can comprise one or more
endpoint devices that may not have agents installed. In some
embodiments, the endpoint modeling and grouping management system
and/or the agents can determine a mapping of the network to
discover one or more endpoint devices. In some embodiments, the
endpoint modeling and grouping management system and/or agent can
identify endpoints that may or may not have agents installed as
part of the mapping. In some embodiments, an agent can be
configured to map the network around the agent to discover
endpoints and/or devices near the agents. In certain embodiments,
the agent can be configured to analyze the mapped network around
the agent to discover managed (an endpoint having at least one
agent installed on the endpoint) and/or unmanaged (an endpoint
having no agent installed on the endpoint) devices. FIG. 1J is a
block diagram illustrating deployment of an agent to an unmanaged
endpoint according to some embodiments. In some embodiments, the
endpoint modeling and grouping management system 140 and/or the
agents 145 can determine one or more endpoint devices 116 for
installing agents 145K on in order to collect data from the
endpoints 116 that do not have agents currently installed. The
endpoint modeling and grouping management system 140 and/or the
agents 145 can identify the network topology and/or the deployment
of agents in response to data collected from one or more agents
and/or the creation/updating of the groups, such as logical groups,
and vice versa. In some embodiments, the endpoint modeling and
grouping management system 140 and/or the agents 145 can determine,
based on the collected data, to augment unmanaged devices 116 that
are within the perimeter of the elastic network. In certain
embodiments, the endpoint modeling and grouping management system
140 can be configured to collect network data via a network device
to augment unmanaged in-perimeter devices 116. In certain
embodiments, network devices can comprise a switch, a router, a
hub, a modem a bridge, a repeater, and/or the like. The endpoint
modeling and grouping management system 140 and/or the agents 145
can expand the collection of data from endpoints within the
perimeter of the elastic network by installing agents 145k on
unmanaged devices 116. In some embodiments, the endpoint modeling
and grouping management system140 can generate and/or update the
model for the network perimeter based on the newly collected data
from the previously unmanaged devices 116 now having an agent 145K
installed on the devices 116 and/or block access for these devices
116 if the devices 116 do not have an agent 145K installed.
[0115] In some embodiments, the endpoint modeling and grouping
management system can continually assess similarities and/or
differences of one or more endpoints. In some embodiments, the
endpoint modeling and grouping management system can update the
network topology based on newly collected data from the recently
deployed agents onto the endpoints that previously did not have
agents installed. The endpoint modeling and grouping management
system can create an elastic edge grid that can continually and
automatically change.
[0116] In some embodiments, the endpoint modeling and grouping
management system can parse and/or index the collected data from
the agents. The endpoint modeling and grouping management system
can store the data into a searchable format. The data received from
the agents can be normalized.
[0117] In some embodiments, the endpoint modeling and grouping
management system can be configured to operate on one or more
endpoints, where one or more of the endpoints can perform certain
steps of the endpoint modeling and grouping management system.
[0118] The endpoint modeling and grouping management system can
create a group, such as logical group, of endpoints. In some
embodiments, the group can comprise one or more endpoints that are
located on different networks and protected by different firewalls.
The endpoints can comprise user computing devices such as a mobile
phone, a desktop computer, a tabloid, a laptop, and/or the like. In
some embodiments, the endpoints can comprise servers that connect
other devices, such as user computing devices. The endpoints can
comprise cloud storage and/or cloud applications. In some
embodiments, the endpoints can be used to perform certain steps,
such as data collection, which can provide the endpoint modeling
and grouping management system with deep visibility. For example,
the endpoints can collect data at the kernel level, instead of
relying on network inbound and outbound traffic. The endpoints can
detect security concerns such as malware injecting itself into a
program before going to the kernel. Because of endpoint processing,
the endpoint modeling and grouping management system can also
assess connection attempts. The endpoint modeling and grouping
management system can disallow connection attempts from a current
endpoint to another system and/or from another system to the
endpoint.
[0119] FIG. 2 is a diagram of edge networks using artificial
intelligence (AI) according to some embodiments. Artificial
intelligence can be used to identify security threats in real-time
or substantially real-time on a device. In some embodiments, the AI
component can identify groups, such as logical groups, of endpoints
based on similarities and/or differences identified from the
collected data from agents. The AI component can identify groups of
endpoints by running various forms of statistical analysis on
accumulated endpoint data (such as network traffic, endpoint
operating system events, kernel monitoring). In some embodiments,
the AI component can develop models for groups. The endpoint
grouping and management system can transmit the models to agents.
The agents can identify baseline behavior from the models generated
by the AI component to identify anomalies in activity and/or
behavior at the endpoint. For example, in some embodiments, the
agents can assess future activity at the endpoint to determine if
the activity is within the baseline behavior and/or if the activity
is a potential security threat. In some embodiments, the agents can
identify anomalies autonomously by assessing activity based on
baseline behavior of the model. In some embodiments, the agents can
assess activity in real-time or substantially real-time without
having to communicate with the cloud to identify security threats.
The AI component of the system can make prevention, detection,
and/or treatment of a security threat autonomous (or
semi-autonomous). In some embodiments, the AI component can
generate a model for the agent to restrict or allow access to and
from an endpoint, and/or prevent access to certain assets and/or
certain modules within an asset. In some embodiments, the AI
component can generate a model for the agent that can enforce
specific usage policies, such as setting and/or limiting network
bandwidth, generating an alert based on network bandwidth usage,
locking an endpoint based on bandwidth usage, setting bandwidth
policies for specified connections to particular endpoints and/or
assets, control traffic during certain time periods such as outside
of normal business working hours, deploying internet security for a
particular connection and/or endpoint, and/or the like. The
endpoint modeling and grouping management system can employ edge
computing by optimizing cloud computing systems to perform data
processing at the edges of the network, near the source of the
data. In some embodiments, edge computing is a method of optimizing
cloud computing systems by performing data processing at the edges
of the network, near the source of the data. In some embodiments,
the system can fuse multilayered protection into one AI driven core
to proactively protect from all vectors of attack. In some
embodiments the system can enable a distributed security approach
utilizing deep real-time visibility of the network endpoints.
[0120] FIG. 3 is a diagram of edge networks in a fully elastic edge
grid according to some embodiments. In some embodiments, the system
can be configured to map the network topology based on similarities
among endpoints, thereby making the network topology an elastic
edge grid. In some embodiments, the endpoint modeling and grouping
management system can add and remove endpoints based on continual,
dynamic, and/or periodic assessment of data from the agents. In
some embodiments, the system redefines the concept of a perimeter
by transforming the network as a fully elastic edge grid for every
asset, from every asset, from the endpoints to the cloud. In some
embodiments, the system and/or agents gain full visibility into
every data access operation including encrypted traffic, without
decrypting it. In some embodiments, the system comprises AI driven
data access control, based on real-time autonomous data paths
baselining and enforcement. In some embodiments, the system can
define any logical network beyond the boundaries of hardware,
network, endpoint, cloud, physical or virtual datacenters. In some
embodiments, the system can identify data access anomalies that
stem from abnormal data consumption, with monitoring every asset
(DLP 2.0).
[0121] In some embodiments, performing the mapping of the network
topology enables the system to gain visibility into unmanaged
devices that are connected to the network.
[0122] The endpoint modeling and grouping management system can
perform the steps described in this disclosure via artificial
intelligence, statistical analysis, and/or machine learning. The
endpoint modeling and grouping management system can identify
and/or determine similarities between one or more endpoint devices
using machine learning techniques, such as artificial intelligence,
statistical analysis, and/or trained modeling. For example, the
endpoint modeling and grouping management system can be configured
to use computational statistics to automatically or
semi-automatically create baseline behavioral profiles and find
meaningful anomalies. In some embodiments, such baselines can be
used to identify similarities between one or more endpoint devices
to include in a grouping such as a logical grouping. Anomalies can
be used to identify differences between endpoint devices to remove
the endpoint device in a grouping. In some embodiments, the machine
learning techniques can employ computational tasks that learn from
and make predictions based on the collected data. For example,
neural networks can be trained using pre-existing training data to
look for certain patterns and apply certain rules or patterns to a
new set of data to make a recommendation and/or create a grouping
such as a logical grouping. Data access abnormalities can be
assessed based on abnormal behavior from the baseline, such as
abnormal data consumption. The abnormalities can be identified by
monitoring one or more assets.
[0123] In some embodiments, groups such as logical groups can be
identified based on an assessment of the activities collected from
the agents. The groups can be determined based on behavior of the
activity on the endpoints. The groups can be defined behaviorally,
beyond the boundaries of hardware, network, endpoint, cloud,
physical, or virtual datacenters.
[0124] In some embodiments, the system completes a behavioral
assessment of endpoints using artificial intelligence. In some
embodiments, artificial intelligence can be used on preexisting
datasets of actual data collected from agents previously, whereby
the endpoints are known to be associated with one or more
particular characteristic indicative of a group such as logical
group. In some embodiments, the endpoint modeling and grouping
management system can train the AI component to identify these
characteristics to create groups based on new data collected from
the agents. The datasets can comprise generated data associated
with one or more characteristics and/or activities. In some
embodiments, the system AI runs at the core or central server
and/or at the agents, and delivers protection from malware,
exploits, file-less attacks, script based attacks and even live
attackers, all with one, fully autonomous low-footprint agent and a
simple deployment process. In some embodiments, the endpoint
software comprises a single, holistic agent for multi-vector
protection. In some embodiments, the system provides full coverage
or protection during pre-execution, execution, and/or
post-execution of endpoint processes. In some embodiments, the
system provides automatic remediation of security threats or
breaches. In some embodiments, the system may provide a rollback
feature, allowing the system to restore one or more endpoints to a
pre-infection condition. In some embodiments, the system is
configured to function on any platform, for example, MacOS,
Windows, VDI, and Linux. In some embodiments, the system provides
deep visibility into endpoints, including encrypted traffic.
[0125] In some embodiments, the groups can be used to determine the
type of protection required to protect from malware, exploits,
file-less attacks, script based attacks, live attacks, and/or the
like. In some embodiments, a single agent can be used for multiple
types of protection, such as multi-vector protection. The types of
protection can vary based on the groups, for example ranging from
prevention, detection, treatment measures, and/or the like. In some
embodiments, the agents can automatically remediate affected files
and/or endpoints. For example, the endpoint modeling and grouping
management system can be configured to roll back at least a portion
of the software, operating system, and the like to a previous
version and/or to a software version installed on another endpoint.
In some embodiments, the endpoint modeling and grouping management
system can be configured to disconnect the endpoint from the
network and solve the issue before reconnecting the endpoint to the
network.
Endpoint Modeling and Grouping Management System
[0126] FIG. 4 is a schematic diagram illustrating an endpoint
modeling and grouping management system according to some
embodiments. In some embodiments, a main server system 402 can be
comprised of an endpoint modeling and grouping management system
404, an agent management system 411, an artificial intelligence
system 413, a remediation system 419, an endpoint modeling and
grouping database 412, an artificial intelligence database 414, a
grouping database 416, an agent database 417, and/or an endpoint
database 418. The main server system can be connected to a network
420. The network can be configured to connect the main server to an
endpoint without installed agent 430 and and/or one or more agents
424.
[0127] In some embodiments, the endpoint modeling and grouping
management system 404 can be configured to identify groups, deploy
agents, and/or the like.
[0128] In some embodiments, the processes of the main server system
402 can be offloaded to the agents located at the endpoints. For
example, in some embodiments, one or more agents can determine
whether a particular endpoint can access a particular data path,
thereby eliminating the need and bottleneck of requesting
permission from the main sever system 402. In some embodiments, the
agent can be configured to store computations, results, and input
to the agents in addition to the main server system. In some
embodiments, offloading certain processing to agents can reduce
network traffic to the main server system and/or speed up
enforcement of topologies.
[0129] In some embodiments, the artificial intelligence database
414 can comprise a collection of various artificial intelligence
algorithms and/or systems. In some embodiments, the grouping
database 416 can comprise a collection of various groupings such as
logical groupings. In some embodiments, the endpoint modeling and
grouping management system 404 can use the artificial intelligence
system 413 to identify groups of endpoints.
[0130] In some embodiments, the agent management system 411 can be
configured to collect and analyze data generated and/or collected
by the agents 424.
[0131] In some embodiments, the agent database 417 can provide a
collection of data received by the agents installed on the
endpoints. In some embodiments, the agent database 417 can comprise
information on the agent, such as a version number of the agent
software. In some embodiments, the endpoint database 418 can
provide a collection of data related to the endpoints. For example,
the endpoint database 418 can include information on the type of
device, an IP address, and/or the like.
[0132] In some embodiments, the endpoint modeling and grouping
management system 404 can provide users with an administrator user
interface to access and/or communicate with the main server system,
and to utilize the functional aspects of the system. In some
embodiments, the endpoint modeling and grouping management system
404 can comprise a user interface 425 to display functions,
statistics, and/or other data to the user and to allow users to
enter commands. In some embodiments, the endpoint modeling and
grouping management system 404 can comprise user data 426 that can
be stored with the user profile.
[0133] In some embodiments, the endpoint modeling and grouping
management system 404 can communicate with endpoints without
installed agents 430. The endpoint modeling and grouping management
system 404 can deploy and/or install agents to the endpoints
without any agents.
Computer System
[0134] In some embodiments, the systems, processes, and methods
described herein are implemented using a computing system, such as
the one illustrated in FIG. 5. The example computer system 502 is
in communication with one or more computing systems 520 and/or one
or more data sources 522 via one or more networks 518. While FIG. 5
illustrates an embodiment of a computing system 502, it is
recognized that the functionality provided for in the components
and systems of computer system 502 can be combined into fewer
components and systems, or further separated into additional
components and systems.
Computing System Components
[0135] The computer system 502 can comprise endpoint modeling and
grouping management system 514 that carries out the functions,
methods, acts, and/or processes described herein. The computer
system 502 can comprise endpoint modeling and grouping management
system 514 is executed on the computer system 502 by a central
processing unit 506 discussed further below.
[0136] In general the word "system," as used herein, refers to
logic embodied in hardware or firmware or to a collection of
software instructions, having entry and exit points. Systems are
written in a program language, such as JAVA, C, or C++, or the
like. Software systems can be compiled or linked into an executable
program, installed in a dynamic link library, or can be written in
an interpreted language such as BASIC, PERL, LAU, PHP or Python and
any such languages. Software systems can be called from other
systems or from themselves, and/or can be invoked in response to
detected events or interruptions. Systems implemented in hardware
include connected logic units such as gates and flip-flops, and/or
can comprise programmable units, such as programmable gate arrays
or processors.
[0137] Generally, the systems described herein refer to logical
systems that can be combined with other systems or divided into
sub-systems despite their physical organization or storage. The
systems are executed by one or more computing systems, and can be
stored on or within any suitable computer readable medium, or
implemented in-whole or in-part within special designed hardware or
firmware. Not all calculations, analysis, and/or optimization
require the use of computer systems, though any of the
above-described methods, calculations, processes, or analyses can
be facilitated through the use of computers. Further, in some
embodiments, process blocks described herein can be altered,
rearranged, combined, and/or omitted.
[0138] The computer system 502 includes one or more processing
units (CPU) 506, which can comprise a microprocessor. The computer
system 502 further includes a physical memory 510, such as random
access memory (RAM) for temporary storage of information, a read
only memory (ROM) for permanent storage of information, and a mass
storage device 504, such as a backing store, hard drive, rotating
magnetic disks, solid state disks (SSD), flash memory, phase-change
memory (PCM), 3D XPoint memory, diskette, or optical media storage
device. Alternatively, the mass storage device can be implemented
in an array of servers. Typically, the components of the computer
system 502 are connected to the computer using a standards based
bus system. The bus system can be implemented using various
protocols, such as Peripheral Component Interconnect (PCI), Micro
Channel, SCSI, Industrial Standard Architecture (ISA) and Extended
ISA (EISA) architectures.
[0139] The computer system 502 includes one or more input/output
(I/O) devices and interfaces 512, such as a keyboard, mouse, touch
pad, and printer. The I/O devices and interfaces 512 can comprise
one or more display devices, such as a monitor, that allows the
visual presentation of data to a user. More particularly, a display
device provides for the presentation of GUIs as application
software data, and multi-media presentations, for example. The I/O
devices and interfaces 512 can also provide a communications
interface to various external devices. The computer system 502 can
comprise one or more multi-media devices 508, such as speakers,
video cards, graphics accelerators, and microphones, for
example.
Computing System Device/Operating System
[0140] FIG. 5 is a block diagram depicting an embodiment of a
computer hardware system configured to run software for
implementing one or more embodiments of an endpoint modeling and
grouping management system.
[0141] The computer system 502 can run on a variety of computing
devices, such as a server, a Windows server, a Structure Query
Language server, a Unix Server, a personal computer, a laptop
computer, and so forth. In other embodiments, the computer system
502 can run on a cluster computer system, a mainframe computer
system and/or other computing system suitable for controlling
and/or communicating with large databases, performing high volume
transaction processing, and generating reports from large
databases. The computing system 502 is generally controlled and
coordinated by operating system software, such as z/OS, Windows,
Linux, UNIX, BSD, PHP, SunOS, Solaris, MacOS, ICloud services or
other compatible operating systems, including proprietary operating
systems. Operating systems control and schedule computer processes
for execution, perform memory management, provide file system,
networking, and I/O services, and provide a user interface, such as
a graphical user interface (GUI), among other things.
Network
[0142] The computer system 502 illustrated in FIG. 5 is coupled to
a network 518, such as a LAN, WAN, or the Internet via a
communication link 516 (wired, wireless, or a combination thereof).
Network 518 communicates with various computing devices and/or
other electronic devices. Network 518 is communicating with one or
more computing systems 520 and one or more data sources 522. The
computer system 502 can comprise an endpoint modeling and grouping
management system 514 can access or can be accessed by computing
systems 520 and/or data sources 522 through a web-enabled user
access point. Connections can be a direct physical connection, a
virtual connection, and other connection type. The web-enabled user
access point can comprise a browser system that uses text,
graphics, audio, video, and other media to present data and to
allow interaction with data via the network 518.
[0143] The output system can be implemented as a combination of an
all-points addressable display such as a cathode ray tube (CRT), a
liquid crystal display (LCD), a plasma display, or other types
and/or combinations of displays. The output system can be
implemented to communicate with input devices and/or interfaces 512
and they also include software with the appropriate interfaces
which allow a user to access data through the use of stylized
screen elements, such as menus, windows, dialogue boxes, tool bars,
and controls (for example, radio buttons, check boxes, sliding
scales, and so forth). Furthermore, the output system can
communicate with a set of input and output devices to receive
signals from the user.
Other Systems
[0144] The computing system 502 can comprise one or more internal
and/or external data sources (for example, data sources 522). In
some embodiments, one or more of the data repositories and the data
sources described above can be implemented using a relational
database, such as DB2, Sybase, Oracle, CodeBase, and Microsoft.RTM.
SQL Server as well as other types of databases such as a flat-file
database, an entity relationship database, and object-oriented
database, and/or a record-based database.
[0145] The computer system 502 can also access one or more data
sources 522. The data sources 522 can be stored in a database or
data repository. The computer system 502 can access the one or more
data sources 522 through a network 518 or can directly access the
database or data repository through I/O devices and interfaces 512.
The data repository storing the one or more data sources 522 can
reside within the computer system 502.
Deep Visibility
[0146] In some embodiments, one or more agents can be installed on
one or more endpoints to collect data in real-time and/or
substantially real-time. The agents can be installed to collect
network activity, kernel-based monitoring of operations and
processes, and encrypted and non-encrypted data, thereby providing
the system with deep visibility into the endpoints. In some
embodiments, such deep visibility allows the endpoint modeling and
grouping management system to monitor and/or assess substantially
all, if not all, traffic data and provide functionality on this
data set (such as a full indicator of compromise (IOC), analyze all
or substantially all endpoints and network activities, provide a
richer data set for security threat and risk assessment, provide
the ability to perform containment actions on the endpoints,
establish baseline behavior based on a fuller dataset, and/or the
like).
[0147] In some embodiments, the agents can collect traffic without
the need to decrypt the network traffic. Thus, the certificates may
not be needed to identify encrypted network traffic. Furthermore,
the agents can collect data before being encrypted for transmission
to an external communication channel and/or collect data after
decryption from transmission from an external communication
channel. As such, the endpoint modeling and grouping management
system can address a shortcoming of traditional enterprise networks
that can be limited to monitoring encrypted network traffic at the
firewall.
[0148] FIG. 6 is a block diagram illustrating one or more agents
collecting data from an endpoint according to some embodiments. In
some embodiments, an agent 604 can be installed on the endpoint.
For example, the agent 604 can be installed using a driver that
monitors activity on the kernel 610. Thus, the endpoint modeling
and grouping management system can access not only network traffic,
but network traffic after the data packets are decrypted for
inbound transmission and/or before the data packets are encrypted
for outbound transmission. The endpoint modeling and grouping
management system can also access and/or monitor all activity on
the kernel level, such as activity internal to the endpoint,
further addressing another shortcoming of traditional enterprise
networks that may be limited to inbound or outbound network
traffic.
[0149] In some embodiments, the user space 602 can comprise one or
more programs 606 that are running on the endpoint, such as a
browser application. One or more data packets 608 can be
transmitted and/or received from the user space 602 to a kernel
610. In some embodiments, the kernel can translate the data packets
to be transmitted to the CPU 612 for processing. In some
embodiments, the data packets 608 can be sent directly from the
user space 602 to the kernel 610 for translation for the CPU 612.
In some embodiments, the data packets 609 can be transmitted and/or
requested via an API call 611, which can be transmitted to the
kernel 610 for translation for the CPU 612.
[0150] In some embodiments, one or more programs 606 can use their
own (and/or a third party) layer of protection 614 for transmitting
and/or receiving data packets 618, such as a sandbox to package the
data packet 618 to send directly to the kernel 610. The additional
layer of protection can prevent malicious injection of security
threats into data packets 618 as the data packet 618 is transmitted
to and from the user space 602 and the kernel 610. The endpoint
modeling and grouping management system can obtain visibility by
placing an agent component 616 onto the layer of protection 614,
such as via a plugin that is placed within the layer of protection
614 where the data packet 618 is also placed. The agent component
616 can identify and collect the data traffic once the program 606
removes the layer of protection 614 upon receipt from the kernel
610 and/or before adding the layer of protection 614 when
transmitting to the kernel 610.
[0151] In some embodiments, one or more programs 606 on the user
space 602 can be configured to communicate to the external network
624. One or more data packets can pass through data access
management system 620. In some embodiments, the data access
management system 620 and/or other device can encrypt the one or
more data packets 622 to be sent to the external network 624,
and/or can decrypt one or more encrypted data packets 622 received
from the external network 624. In some embodiments, in order to
send a data packet to the external network 624, a program 606 can
request data from a library 626 (for example, data to enable the
ability to send and receive port control protocol (PCP)). In some
embodiments, the traffic to this library 626 is passed to the
kernel 610 and to the CPU 612 before being transmitted to an
external computing device outside of the network perimeter. Thus,
the agent 604 can be configured to collect this data passing
through the library 626 before the data is transmitted to the
external computing device. In some embodiments, the agent 604 can
be installed on the library 626 and/or on a driver that collects
data from the library 626.
[0152] The agent 605 can be installed on a program 606 of the user
space 602 and/or can be a driver that collects data from a program
606 on the user space 602. In some embodiments, the endpoint
modeling and grouping management system can install an agent 605 on
the user space 602 and/or install an agent 604 on the kernel layer
610, which can enable detection of abnormal behavior when abnormal
activity occurs between the user space 606 and the kernel layer 610
(such as when malicious code is injected in a data packet traveling
between the user space 606 and a kernel layer 610). Accordingly,
the endpoint modeling and grouping management system can detect
abnormalities and/or security threats when a virus or malware is
injected before a data packet 608 is processed by the CPU 612
and/or affects the programs 606 on the user space 602.
[0153] In some embodiments, because one or more agents are
installed on one or more endpoints and can monitor and collect data
at the kernel level, the endpoint modeling and grouping management
system can obtain access to a wide range of data types that may not
be available in certain enterprise networks. FIG. 7 is a graphical
user interface illustrating some of the types of data the agent can
collect according to certain embodiments. As non-limiting examples,
the types of data that can be collected by one or more agents can
comprise: full disk file monitoring, including the filename, full
path, time created, time modified, SHA1, SHA256, MD5; live process
monitoring including process name, process ID, time created;
originating executable including filename, full path, time created,
time modified, SHA1, SHA256, MD5; process events including network
activity, file creation/modification, timestamp; and live network
monitoring including IP/TCPv4 connections (including attempts), DNS
queries, URLs (for HTTP and HTTPS connections), headers (for HTTP
and HTTPS connections), and timestamps.
[0154] In some embodiments, one or more agents can be configured to
collect data available at the PCP (for example, the uniform
resource locators (URLs)). In some embodiments, the agents and/or
the endpoint modeling and grouping management system can parse
and/or assess collected data. For example, the endpoint modeling
and grouping management system can parse the URL to identify the
host name of the URL and/or the https meta header. In some
embodiments, one or more agents can collect cookie information,
guest parameters, host parameters, and/or http parameters from
endpoint activity. In some embodiments, the endpoint modeling and
grouping management system can monitor browsing history of one or
more endpoints and determine behavioral patterns of the one or more
endpoints based on the browsing history.
[0155] In some embodiments, the endpoint modeling and grouping
management system can identify matches in certain types of
collected data to determine groups. In some embodiments, the
endpoint modeling and grouping management system can create
policies and/or enforcement data in accordance with the type of
data collected. In some embodiments, the endpoint modeling and
grouping management system can allow for a search on the collected
data generated by the agents installed at various endpoints within
the elastic network (for example, analyzing for a specific
indicator of compromise (IOC)). In some embodiments, the endpoint
modeling and grouping management system can analyze and/or match
files and/or header data. Further, in some embodiments, the
endpoint modeling and grouping management system can be configured
to match endpoints visiting a particular website at a particular
time and date, identify endpoints with activity in a certain
geographical region, and the like.
Elastic Grid and Autonomous Anomaly Identification
[0156] In some embodiments, the endpoint modeling and grouping
management system can define an enterprise network perimeter based
on one or more groupings. Thus, the endpoint modeling and grouping
management system can create an elastic perimeter that virtually
encompasses endpoints. In some embodiments, the endpoint modeling
and grouping management system can define the enterprise network
perimeter by grouping endpoints with similar behaviors. For
example, an AI component of the endpoint modeling and grouping
management system can identify similarities in behaviors of
endpoints. In some embodiments, the endpoint modeling and grouping
management system can identify each endpoint installed with an
agent as part of the enterprise network perimeter.
[0157] FIG. 8 is a flow diagram illustrating transmission of
behavioral models to one or more agents based on analysis of data
collected from the agents according to some embodiments of an
endpoint modeling and grouping management system transmitting.
[0158] At block 802, the endpoint modeling and grouping management
system can identify endpoints to which agents can be deployed. For
example, the system can determine that one or more agents need to
be deployed to a computer within an enterprise network perimeter, a
computer outside an enterprise network perimeter, an in-perimeter
datacenter, a datacenter outside of a perimeter, and/or a cloud
datacenter. In some embodiments, at block 804, the endpoint
modeling and grouping management system can deploy the agents to
one or more identified, detected, and/or determined endpoints.
[0159] At block 806, each of the endpoints that received agents can
be configured to install the received agent. In some embodiments,
each or some of the endpoints can comprise computing devices and/or
memory located on an enterprise network, on a cloud system, on a
remote computing device, and/or the like. For example, Endpoint 1
can be an endpoint on a computer within an enterprise network
perimeter. Endpoint 2 can be an endpoint on a computer outside of
an enterprise network perimeter. Endpoint 3 can be an endpoint on
an in-perimeter datacenter. Endpoint 4 can be an endpoint on a
datacenter outside of the perimeter, and endpoint 5 and endpoint 6
can be endpoints on cloud datacenters 1 and 2. In some embodiments,
one of the endpoints in FIG. 8 can be a cloud service, such as
Salesforce, Office 365, Dropbox, Box, GitHub, and/or the like,
wherein the system does not deploy an agent at the cloud service
endpoint, but rather regulates network access to and/or from the
cloud service endpoint.
[0160] At blocks 808, the agents can collect and transmit endpoint
data. For example, the agents can collect data at the kernel level,
identifying internal activities of the endpoints, encrypted and
non-encrypted data, inbound/outbound network traffic data, network
usage, application usage, processor usage, time period usage,
geographic location of the endpoints, corporate department, and/or
the like.
[0161] At block 810, the endpoint modeling and grouping management
system can identify one or more additional endpoints without an
agent installed and deploy an agent to those endpoints. In some
embodiments, the endpoint modeling and grouping management system
can identify an endpoint without an agent on the same computing
platform as another endpoint. For example, an endpoint can have an
agent installed, which can be used to identify another endpoint
without an agent installed that is part of the same cloud
datacenter, in-perimeter data center, out-perimeter datacenter,
in-perimeter computer, and/or out-perimeter computer.
[0162] At block 806, the endpoint can install the agent at
additional endpoints, and at block 808, the agent can collect
endpoint data from the endpoints and transmit the data to the
endpoint modeling and grouping management system. Accordingly, when
an endpoint is added to the network via the agent, the endpoint
modeling and grouping management system can gain visibility to
processing and/or activity of that endpoint by receiving data
collected by the agent installed on the endpoint. Thus, the network
enterprise perimeter can be defined based at least in part on the
data collected by the agents that are installed on the one or more
endpoints. This can improve shortcomings of certain enterprise
network regimes that are configured to provide software-defined or
pre-defined perimeters on a central server, a virtual router, a
cloud server, or the like. This can also further improve
inefficiency of some enterprise network regimes arising from having
to route all traffic to a central server and have the central
server respond with its assessment (for example, transmitting
access regulations for each data packet). Furthermore, some
enterprise network regimes can have limited visibility on encrypted
network packets traveling through the network, whereas certain
embodiments herein provide visibility to activity or processing at
one or more endpoints as described above.
[0163] At block 812, the endpoint modeling and grouping management
system assesses the data collected by the agents and identifies or
determines similarities in the received endpoint data across one or
more endpoints. For example, the system can determine that one or
more endpoints are similar based on network usage, application
usage, processor usage, time period usage, geographic location of
the endpoints, corporate department, and/or the like. Further, at
block 812, the endpoint modeling and grouping management system can
have visibility of activity within the endpoints that have agents
installed, such as network usage, application usage, processor
usage, time period usage, geographic location of the endpoints,
corporate department, and/or the like. For example, the endpoint
modeling and grouping management system can have visibility of
substantially all endpoints with agents installed therein.
[0164] At block 814, the endpoint modeling and grouping management
system can determine groups, such as logical groups, based on
identified similarities and/or differences. For example, the
identified or determined similarities and/or differences can be
based on similarities and/or differences in network usage,
application usage, processor usage, time period usage, geographic
location of the endpoints, corporate department, and/or the like.
Each of the groups can comprise one or more endpoints, one or more
computer systems, one or more data centers, one or more cloud
services, one or more cloud data centers, and/or the like.
[0165] At block 816, the endpoint modeling and grouping management
system can generate a model for each grouping. For example, the
model can be a baseline model that indicates a baseline behavior
for endpoints in the group. In some embodiments, the endpoint
modeling and grouping management system can identify matches in
certain types of collected data to determine groups. In some
embodiments, the endpoint modeling and grouping management system
can match files and/or header data. For example, the endpoint
modeling and grouping management system can match endpoints
visiting a particular website at a particular time and date,
identify activity in a certain common geographical region, and the
like.
[0166] In some embodiments, the endpoint modeling and grouping
management system can determine a model for groups based on one or
more characteristics. For example, the endpoint modeling and
grouping management system can create a model according to traffic
at the kernel, browsing history, all access data, inbound and
outbound connection in a communication protocol (including
encrypted traffic), operations on the operating system, device
type, processes that are running on the user space and/or other
systems of the computing device, network traffic, input from a
user, data storage activity, real-time processing, batch
processing, multitasking, interactive processing, multiprogramming,
transaction processing, multi-access operations, timesharing
operations, active directory, access control lists, packet
information, protocol information, port number information, packet
state information, application information, VPN information, data
usage, bandwidth usage, proxy usage, other types of information
translated by the kernel for processing in the CPU, a subset and/or
all characteristics, and the like.
[0167] In some embodiments, the endpoint modeling and grouping
management system can generate a model to establish network access
regulations. At block 818, the endpoint modeling and grouping
management system can determine network access rights for one or
more groups of endpoints. The endpoint modeling and grouping
management system can regulate the network access restrictions of
the endpoints within a particular group. For example, the endpoint
modeling and grouping management system can restrict and/or allow
network access to a particular cloud data center, a cloud service,
a part of the enterprise network, database server, network
application, or other devices or services. The endpoint modeling
and grouping management system can dynamically identify groups
and/or automatically set access restrictions for the groups.
Instead of traditional enterprise networks where IT staff are
required to identify access regulations for networks with hundreds,
thousands, and/or millions of endpoints connected to servers, data
centers, and cloud services, the endpoint modeling and grouping
management system can automatically identify logical networks and
generate access restrictions. The endpoint modeling and grouping
management system can identify access regulations based on
similarities among endpoints, for example, similarities in network
usage, application usage, processor usage, time period usage,
geographic location of the endpoints, corporate department, and/or
the like.
[0168] At block 820, the endpoints receive the models generated by
the endpoint modeling and grouping management system and, for
example, at blocks 822 and 824, identify baseline behavior based on
the models for each group. For example, some can be assigned to
logical group 1, and other can be assigned to logical group 2.
[0169] In some embodiments, certain endpoints in a group typically
access certain network resources, use a certain amount of
bandwidth, or the like at a particular time periods (for example, a
time of the day, week, month, year). In some embodiments, the
system can be configured to use this information to model a
baseline behavior. Based on the baseline behavior data, the system
can be configured to identify a sudden increase in network data
usage and/or odd time periods when network paths are being accessed
from an endpoint within the elastic network. For example, the
system can be configured to identify when an endpoint is utilizing
abnormal network data bandwidth in order to upload and/or download
data from a cloud service, wherein such usage represents a big
spike above the normal baseline use, and upon identification of
such abnormal network usage patterns, the system can be configured
to flag the endpoint to a user as a concern and/or automatically
and/or immediately restrict network usage for the endpoint acting
abnormally. The endpoint modeling and grouping management system
can perform such analysis to identify data leaks. Such an approach
overcomes the shortcomings of traditional data leak prevention
products that can be focused on identifying fixed strings on a
network and/or can be focused on device control (such as preventing
a device from accessing or copying a file). Focusing on fixed
strings and/or device control cannot effectively be applied to an
elastic enterprise network with connectivity to mobile devices and
to cloud services located outside the firewall.
[0170] In some embodiments, the baseline behavior for each group
such as logical group can be used to identify abnormal behavior.
For example, identifying abnormal behavior can include behavior at
a certain time period, types of data packets, an amount of data,
encryption techniques used, inbound/outbound network traffic,
connection attempts to and from certain external devices, and the
like. At block 826, the agents can collect endpoint data, and at
blocks 828 the agents can identify abnormal behavior from the
baseline identified in the models. Thus, the models that were sent
by the endpoint modeling and grouping management system can enable
the endpoints to act autonomously and identify abnormal behavior on
its own. In some embodiments, the agents can identify abnormal
behavior without having to send data to the endpoint modeling and
grouping management system and/or other central server, cloud
server, network server, or the like. Because the identification of
the abnormal behavior can occur on the endpoints via the agent, the
response can be quicker before the security attack can take further
action without having to send a notice to a central server and wait
for a response. Furthermore, performing the assessment and/or the
enforcement at the agent, the required communications back and
forth with the endpoint modeling and grouping management system
(and/or a central server) is reduced. This becomes important in
today's enterprise networks where over a million endpoints can be
connected to a cloud system with access controls for each endpoint.
Thus, the endpoint modeling and grouping management system in the
present disclosure can be scalable, whereas a centralized server
performing the identification of abnormal behavior may not be
scalable. Another benefit is that the enforcement policies can
occur in real-time as processes are sent and/or received at the
kernel level. Connection attempts from the endpoint to an external
device and/or connection attempts from an external device to the
endpoint can be detected before the connection is established.
Thus, the agents can restrict these connections in real-time before
security breaches occur.
[0171] Once abnormal behavior is identified, the agents can
autonomously take certain action, such as initiating forensics
analysis, mitigation and/or remediation techniques, containment
mechanisms, rolling back capabilities, file and machine quarantine,
external threat feed ingestion, restricting and/or terminating
network path access, and the like.
[0172] At block 830, the endpoint modeling and grouping management
system can receive the identified abnormal behavior and perform
further security risk assessment. At block 816, the endpoint
modeling and grouping management system can update the model based
on the identified abnormal behavior, and transmit the updated model
to endpoints of the group such as logical group.
[0173] In some embodiments, the endpoint modeling and grouping
management system can identify endpoints that appear to belong to a
particular group such as logical group, but can create exceptions
for the endpoint. In some embodiments, the endpoint modeling and
grouping management system can create customizations to groups that
are created, such as changing access restrictions. The
customizations can be applied to the entire group and/or to
individual endpoints. In some embodiments, the endpoint modeling
and grouping management system can create exceptions for
super-users to allow access to certain cloud data centers that
other end points in similar groups may not be able to access.
[0174] In some embodiments, the endpoint modeling and grouping
management system can allow for a search on the collected
information generated by the agents installed at various endpoints
within the elastic network (for example, analyzing for a specific
indicator of compromise (IOC)). In some embodiments, the collected
endpoint data can be parsed and indexed in a database. In some
embodiments, in response to a receiving a request to search the
endpoint data, the endpoint modeling and grouping management system
can perform a search on the indexed database and transmit matches
to keywords, threshold levels, and/or indicators of compromise in
the search inquiry. In some embodiments, the endpoint modeling and
grouping management system provides an indicator of comprise (IOC)
search on all endpoints within the elastic network and/or on
network activities occurring within the elastic network. The
collected information generated by the agents installed at various
endpoints can provide a rich database for threat hunting and data
mining for identifying network activity that could be indicative of
malware or other harmful software operating on an endpoint within
the elastic network. In an embodiment, the system comprises filters
and/or other mechanisms for identifying network behavior suggestive
of a malware attack, and in some embodiments, the system can be
configured to respond to such malware attacks by taking containment
actions and/or restricting network access for particular affected
endpoints in order to protect the rest of the elastic network.
[0175] The endpoint modeling and grouping management system can
adjust the granularity threshold for identifying groups. If the
granularity threshold is set high, there may be too many endpoints
in a group. In some embodiments, having too many endpoints in a
group may make it challenging to assign network access path
privileges. In some embodiments, the granularity of the threshold
can be adjusted for logical grouping and/or modeling. In some
embodiments, the endpoint modeling and grouping management system
can determine groups such as logical groups based on the updated
threshold and deploy updated model data to the agents. In some
embodiments, the endpoints can identify baseline behavior for the
associated groups such as logical groups based on the updated model
data. For example, in response to changing the granularity
threshold for the groups such as logical groups, some endpoints can
remain in group 1 but some endpoints can be regrouped into group 3,
and some endpoints can remain in group 2. The endpoint modeling and
grouping management system can update the models for the new
logical groupings that can be used to determine new baseline
behaviors for each of the new logical groupings. These models can
be deployed to the agents, such that the agents can identify
abnormal behavior for the updated baseline behavior associated with
the new logical groupings. In some embodiments, the agents can set
access policies to regulate inbound and outbound data to and from
the endpoints. These access policies can be determined based on the
models updated for each new group such as logical group.
[0176] In some embodiments, the endpoint modeling and grouping
management system can assess violations of a group. In some
embodiments, a violation can comprise when an endpoint attempts to
access a network path that is restricted based on the privileges
assigned to endpoint, and/or the group that the endpoint is a part
of, by the endpoint modeling and grouping management system. The
endpoint modeling and grouping management system can assess
violations to dynamically and/or automatically change the
granularity threshold for the groupings, in other words, change the
group in which the endpoint is a part of. In some embodiments, the
endpoint modeling and grouping management system can assess
violations to dynamically and/or automatically change the network
access path privileges assigned to the endpoint and/or the group in
which the endpoint is a part of. In some embodiments, violations
can be the identification of an incorrect access restriction. Users
can indicate an incorrect access restriction to the endpoint
modeling and grouping management system. In some embodiments, based
on a number and/or percentage of violations, the endpoint modeling
and grouping management system can increase and/or decrease the
granularity threshold. In some embodiments, the endpoint modeling
and grouping management system can adjust the granularity threshold
based on a number of groups.
[0177] In some embodiments, the endpoint modeling and grouping
management system comprises an antivirus system that is configured
to search for known viruses and can be combined with a system
configured to restrict network access control for endpoints.
[0178] FIG. 9 is a graphical user interface of a group view
according to some embodiments. In some embodiments, the endpoint
modeling and grouping management system can provide a dashboard of
a group such as logical group in a graphical user interface. In
some embodiments, the endpoint modeling and grouping management
system can be configured to generate data for causing the display
of a dashboard on a remote user's computer screen. In some
embodiments, the graphical user interface can display a group and
characteristics of the group. In some embodiments, the group can be
named "West Coast" indicating employees located on the West Coast
of the United States. The graphical user interface can indicate the
number of endpoints associated with the group, such as 2,083 end
points. The group, such as logical group, can include subgroups
within the group, such as one group having 73 subgroups. In some
embodiments, the graphical user interface can be configured to
display the number of violations for groups, such as 43% of
endpoints reporting violations for the "west coast" group. The
graphical user interface can display the access regulations to
other endpoints, such as local and/or remote applications,
protocols, cloud services, data centers, and the like. For example,
in some embodiments, the "West Coast" group can be connected to a
local application, a USB protocol and several data centers, while
being restricted access to a cloud application. In some
embodiments, the graphical user interface can display various
subgroups of the west coast and/or endpoints of the group such as
logical group. In some embodiments, the graphical user interface
can display a list of violations for particular endpoints. In some
embodiments, the graphical user interface can display the number
and/or percentage of violations over a period of time. In some
embodiments, the graphical user interface can display an amount of
data downloaded and/or uploaded to and from endpoints and/or a
group of endpoints. In some embodiments, the graphical user
interface can display an amount of data downloaded and/or uploaded
to and from endpoints and/or a group of endpoints, and compare such
data to historical data. In some embodiments, the system can be
configured to generate a flag and/or an alert and/or terminate or
reduce network access for an endpoint and/or group of endpoints if
the comparison of the amount of data downloaded and/or uploaded
with historical data exceeds a threshold level.
[0179] In some embodiments, the endpoint modeling and grouping
management system can provide a graphical user interface of
available groups, data centers, and/or services. In an embodiment,
the endpoint modeling and grouping management system can provide a
graphical display showing a mapping of endpoints in the elastic
network, wherein the endpoint modeling and grouping management
system can be configured for automatic, semi-automatic, manual,
and/or a combinational determination of access restrictions for the
endpoints. FIGS. 10 and 11 are illustrations of graphical user
interfaces according to some embodiments of a dashboard listing
groups as well as servers, storage devices, data centers,
cloud-based services and storage, and other network services that
endpoints in the elastic network may access. In the embodiments of
FIGS. 10 and 11, the endpoint modeling and grouping management
system can display a list of groups, such as logical groups, and/or
sub-groups. The endpoint modeling and grouping management system
can display available cloud data centers, cloud services, local
and/or remote servers, local and/or remote applications, local
and/or remote databases, protocols, and the like.
[0180] In some embodiments, the endpoint modeling and grouping
management system can display access of a particular group to cloud
data centers, cloud services and/or applications, local servers or
servers, local applications or applications, protocols, network
access privileges, and the like. FIGS. 12 and 13 are a graphical
user interfaces according to some embodiments. In the embodiment of
FIG. 12, the graphical user interface displays a group with access
to a server and two cloud-based services. In the embodiment of FIG.
12, a subgroup with a certain number of endpoints and subgroups is
selected and shown to have access to two cloud services and one
local data center, and/or access restrictions on a cloud service, a
local server, and two local data centers. In the embodiment of FIG.
13, the graphical user interface displays a group, such as logical
group, with access controls to a server, two cloud-based services,
and a local database file storage. In some embodiments, the
endpoint modeling and grouping management system can automatically
determine and/or display access restrictions on a graphical user
interface. In some embodiments, the endpoint modeling and grouping
management system can allow manual determination and/or
modification of access restrictions on a graphical user
interface.
[0181] In some embodiments, the endpoint modeling and grouping
management system can display a list of groups with associated
characteristics. FIG. 14 is a graphical user interface according to
some embodiments of a listing of groups such as logical groups and
associated characteristics. In some embodiments, the graphical user
interface can display the number of end points and/or sub-groups
for each group. In some embodiments, the graphical user interface
can display the number of access allowances and/or restrictions to
protocols, data centers, cloud applications and cloud resources,
local applications and/or data, and the like for each group. In
some embodiments, the graphical user interface can display the
number of violations for each group.
URLs and Cookies
[0182] In some embodiments, one or more features of the systems,
methods, and devices described herein can utilize a URL and/or
cookies, for example for storing and/or transmitting data or user
information. A Uniform Resource Locator (URL) can comprise a web
address and/or a reference to a web resource that is stored on a
database and/or a server. The URL can specify the location of the
resource on a computer and/or a computer network. The URL can
comprise a mechanism to retrieve the network resource. The source
of the network resource can receive a URL, identify the location of
the web resource, and transmit the web resource back to the
requestor. A URL can be converted to an IP address, and a Doman
Name System (DNS) can look up the URL and its corresponding IP
address. URLs can be references to web pages, file transfers,
emails, database accesses, and other applications. The URLs can
comprise a sequence of characters that identify a path, domain
name, a file extension, a host name, a query, a fragment, scheme, a
protocol identifier, a port number, a username, a password, a flag,
an object, a resource name and/or the like. The systems disclosed
herein can generate, receive, transmit, apply, parse, serialize,
render, and/or perform an action on a URL.
[0183] A cookie, also referred to as an HTTP cookie, a web cookie,
an internet cookie, and a browser cookie, can comprise data sent
from a website and/or stored on a user's computer. This data can be
stored by a user's web browser while the user is browsing. The
cookies can comprise useful information for websites to remember
prior browsing information, such as a shopping cart on an online
store, clicking of buttons, login information, and/or records of
web pages or network resources visited in the past. Cookies can
also comprise information that the user enters, such as names,
addresses, passwords, credit card information, etc. Cookies can
also perform computer functions. For example, authentication
cookies can be used by applications (for example, a web browser) to
identify whether the user is already logged in (for example, to a
web site). The cookie data can be encrypted to provide security for
the consumer. Tracking cookies can be used to compile historical
browsing histories of individuals. Systems disclosed herein can
generate and use cookies to access data of an individual. Systems
can also generate and use JSON web tokens to store authenticity
information, HTTP authentication as authentication protocols, IP
addresses to track session or identity information, URLs, and the
like.
Alternative Embodiments
[0184] Although this invention has been disclosed in the context of
certain embodiments and examples, it will be understood by those
skilled in the art that the invention extends beyond the
specifically disclosed embodiments to other alternative embodiments
and/or uses of the invention and obvious modifications and
equivalents thereof. In addition, while several variations of the
embodiments of the invention have been shown and described in
detail, other modifications, which are within the scope of this
invention, will be readily apparent to those of skill in the art
based upon this disclosure. It is also contemplated that various
combinations or sub-combinations of the specific features and
aspects of the embodiments can be made and still fall within the
scope of the invention. It should be understood that various
features and aspects of the disclosed embodiments can be combined
with, or substituted for, one another in order to form varying
modes of the embodiments of the disclosed invention. Any methods
disclosed herein need not be performed in the order recited. Thus,
it is intended that the scope of the invention herein disclosed
should not be limited by the particular embodiments described
above.
[0185] Conditional language, such as, among others, "can," "could,"
"might," or "may," unless specifically stated otherwise, or
otherwise understood within the context as used, is generally
intended to convey that certain embodiments include, while other
embodiments do not include, certain features, elements and/or
blocks. Thus, such conditional language is not generally intended
to imply that features, elements and/or blocks are in any way
required for one or more embodiments or that one or more
embodiments necessarily include logic for deciding, with or without
user input or prompting, whether these features, elements and/or
blocks are included or are to be performed in any particular
embodiment. The headings used herein are for the convenience of the
reader only and are not meant to limit the scope of the inventions
or claims.
[0186] Further, while the methods and devices described herein may
be susceptible to various modifications and alternative forms,
specific examples thereof have been shown in the drawings and are
herein described in detail. It should be understood, however, that
the invention is not to be limited to the particular forms or
methods disclosed, but, to the contrary, the invention is to cover
all modifications, equivalents, and alternatives falling within the
spirit and scope of the various implementations described and the
appended claims. Further, the disclosure herein of any particular
feature, aspect, method, property, characteristic, quality,
attribute, element, or the like in connection with an
implementation or embodiment can be used in all other
implementations or embodiments set forth herein. Any methods
disclosed herein need not be performed in the order recited. The
methods disclosed herein may include certain actions taken by a
practitioner; however, the methods can also include any third-party
instruction of those actions, either expressly or by implication.
The ranges disclosed herein also encompass any and all overlap,
sub-ranges, and combinations thereof. Language such as "up to," "at
least," "greater than," "less than," "between," and the like
includes the number recited. Numbers preceded by a term such as
"about" or "approximately" include the recited numbers and should
be interpreted based on the circumstances (for example, as accurate
as reasonably possible under the circumstances, for example .+-.5%,
.+-.10%, .+-.15%, etc.). For example, "about 3.5 seconds" includes
"3.5 seconds." Phrases preceded by a term such as "substantially"
include the recited phrase and should be interpreted based on the
circumstances (for example, as much as reasonably possible under
the circumstances). For example, "substantially constant" includes
"constant." Unless stated otherwise, all measurements are at
standard conditions including temperature and pressure.
* * * * *