US20180191781A1 - Data insights platform for a security and compliance environment - Google Patents

Data insights platform for a security and compliance environment Download PDF

Info

Publication number
US20180191781A1
US20180191781A1 US15/474,042 US201715474042A US2018191781A1 US 20180191781 A1 US20180191781 A1 US 20180191781A1 US 201715474042 A US201715474042 A US 201715474042A US 2018191781 A1 US2018191781 A1 US 2018191781A1
Authority
US
United States
Prior art keywords
signals
data
query
aggregation
collected
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US15/474,042
Other languages
English (en)
Inventor
Suresh C. Palani
Ben Appleby
Rui Chen
Binyan Chen
Puhazholi Vetrivel
Michael A. Wilde
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Microsoft Technology Licensing LLC
Original Assignee
Microsoft Technology Licensing LLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Microsoft Technology Licensing LLC filed Critical Microsoft Technology Licensing LLC
Priority to US15/474,042 priority Critical patent/US20180191781A1/en
Assigned to MICROSOFT TECHNOLOGY LICENSING, LLC reassignment MICROSOFT TECHNOLOGY LICENSING, LLC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: APPLEBY, BEN, PALANI, SURESH C., VETRIVEL, PUHAZHOLI, WILDE, MICHAEL A., CHEN, RUI, CHEN, Binyan
Publication of US20180191781A1 publication Critical patent/US20180191781A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • Hosted services provided by tenants of service providers to their users are an increasingly common software usage model.
  • Hosted services cover a wide range of software applications and systems from cloud storage to productivity, and collaboration to communication.
  • any number of users may utilize applications provided under a hosted service umbrella in generating, processing, storing, and collaborating on documents and other data.
  • Embodiments are directed to a data insights platform for a security and compliance environment.
  • a data insights platform associated with a hosted service may collect a plurality of signals from a plurality of resources within a tenant's hosted environment, where the collected plurality of signals are correlated at one or more levels based their content and context.
  • the data insights platform may receive a query associated with the collected plurality of signals and focus/filter the query on a portion of the collected and correlated signals based on a context of the query in relation to the collected and correlated signals.
  • the data insights platform may then reply to the query with a comprehensive analysis report.
  • FIGS. 1A through IC include display diagrams illustrating an example network environment where a system to provide a data insights platform for a security and compliance environment may be implemented;
  • FIGS. 2A and 2B include display diagrams illustrating components and interactions of a security and compliance service providing a data insights platform for a security and compliance environment;
  • FIG. 3 includes a display diagram illustrating conceptually inputs and outputs of a data insights platform in a security and compliance environment
  • FIG. 4 includes a display diagram illustrating a data explorer dashboard in conjunction with a data insights platform for a security and compliance environment
  • FIG. 5 includes a display diagram illustrating a threat intelligence dashboard in conjunction with a data insights platform for a security and compliance environment
  • FIG. 6 is a networked environment, where a system according to embodiments may be implemented
  • FIG. 7 is a block diagram of an example computing device, which may be used to provide a data insights platform for a security and compliance environment.
  • FIG. 8 illustrates a logic flow diagram of a method to provide a data insights platform for a security and compliance environment, arranged in accordance with at least some embodiments described herein.
  • a multi-purpose platform may collect different types of signals such as metadata, documents, activities, etc. and correlate in a multi-stage evaluation framework in order to allow simple queries from components and clients of a compliance and security environment to be converted into rich analyses on available data.
  • signals may be collected from tenant environment and correlated at multiple levels based on their content and context. Queries from components such as a threat intelligence manager, a data explorer module, or even clients of the system (tenant administrator, other hosted services) may be executed on the correlated data by focusing and/or filtering the queries based on the context, effectively converting a simple query to a comprehensive analysis.
  • the platform may have intelligence to decide which type of data to run a query on based on the request and allow data investigations performing a chain-linked investigation that can go multiple levels deep.
  • program modules include routines, programs, components, data structures, and other types of structures that perform particular tasks or implement particular abstract data types.
  • embodiments may be practiced with other computer system configurations, including hand-held devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, minicomputers, mainframe computers, and comparable computing devices.
  • Embodiments may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network.
  • program modules may be located in both local and remote memory storage devices.
  • Some embodiments may be implemented as a computer-implemented process (method), a computing system, or as an article of manufacture, such as a computer program product or computer readable media.
  • the computer program product may be a computer storage medium readable by a computer system and encoding a computer program that comprises instructions for causing a computer or computing system to perform example process(es).
  • the computer-readable storage medium is a computer-readable memory device.
  • the computer-readable storage medium can for example be implemented via one or more of a volatile computer memory, a non-volatile memory, a hard drive, a flash drive, a floppy disk, or a compact disk, and comparable hardware media.
  • platform may be a combination of software and hardware components for providing a data insights platform for a security and compliance environment. Examples of platforms include, but are not limited to, a hosted service executed over a plurality of servers, an application executed on a single computing device, and comparable systems.
  • server generally refers to a computing device executing one or more software programs typically in a networked environment. However, a server may also be implemented as a virtual server (software programs) executed on one or more computing devices viewed as a server on the network. More detail on these technologies and example operations is provided below.
  • FIGS. 1A through IC include display diagrams illustrating an example network environment where a system to provide a data insights platform for a security and compliance environment may be implemented.
  • an example system may include a datacenter 112 executing a hosted service 114 on at least one processing server 116 , which may provide productivity, communication, cloud storage, collaboration, and comparable services to users in conjunction with other servers 120 , for example.
  • the hosted service 114 may further include scheduling services, online conferencing services, and comparable ones.
  • the hosted service 114 may be configured to interoperate with a client application 106 through one or more client devices 102 over one or more networks, such as network 110 .
  • the client devices 102 may include a desktop computer, a laptop computer, a tablet computer, a vehicle-mount computer, a smart phone, or a wearable computing device, among other similar devices.
  • the hosted service 114 may allow users to access its services through the client application 106 executed on the client devices 102 .
  • the hosted service 114 may be provided to a tenant (e.g., a business, an organization, or similar entities), which may configure and manage the services for their users.
  • the processing server 116 may be operable to execute a security and compliance application 118 of the hosted service 114 , where the security and compliance application 118 may be integrated with the hosted service 114 to provide data management, security, threat management, data storage and processing compliance, and similar services.
  • the security and compliance application 118 may include a data insights platform 122 configured to collect different types of signals from the hosted service 114 environment such as metadata, documents, activities, etc. and correlate in a multi-stage evaluation framework in order to allow simple queries from components and clients of the compliance and security application 118 to be converted into rich analyses on available data.
  • the security and compliance module 118 may be executed at a client device 102 in conjunction with the client application 106 .
  • the data insights platform 122 may still be within the hosted service 114 receiving and aggregating data and activities throughout the hosted service 114 and providing the above-mentioned services.
  • a separate protection service 126 may be executed by one or more processing servers 124 and include components like a data explorer or threat intelligence module 128 to deal with various aspects of security and data compliance services.
  • the protection service 126 may be configured to serve the hosted service 114 and/or multiple applications associated with the hosted service 114 , such as the client application 106 . Furthermore, the protection service 126 may provide its services to multiple hosted services.
  • a data insights platform 122 may be executed by separate servers 120 and work in conjunction with both the protection service 126 and the hosted service 114 .
  • the data insights platform 122 may be a multi-purpose platform providing its data aggregation services with correlation and multi-stage evaluation to multiple hosted services/protection services.
  • the hosted service 114 , the security and compliance application 118 , the data insights platform 122 , and the protection service 126 may be implemented as software, hardware, or combinations thereof.
  • hosted services provided by tenants of service providers to their users are an increasingly common software usage model because it allows any number of users to utilize applications provided under the hosted service umbrella in generating, processing, storing, and collaborating on documents and other data.
  • the usage of hosted services may include processing and storage or large amounts of data, which may be subject to regulatory, legal, industry, and other rules, internal and external threats, etc.
  • system administrators to determine different categories of data, applicable policies and rules for the categories, configure systems, and implement the applicable policies and take remediation actions.
  • Implementation of a data insights platform for a security and compliance environment as described herein may allow tenants of a hosted service to understand their data, determine their security and compliance needs, configure their systems, implement new policies, and customize user interfaces in an efficient manner.
  • the actions/operations described herein are not a mere use of a computer, but address results of a system that is a direct consequence of software used as a service offered in conjunction with a large number of devices and users using hosted services.
  • FIGS. 2A and 2B include display diagrams illustrating components and interactions of a security and compliance service providing a data insights platform for a security and compliance environment.
  • Diagrams 200 A and 200 B show an example infrastructure for a comprehensive security and compliance service that may include among its components a data insights platform for aggregating data in a correlated and multi-stage evaluated manner.
  • data to be analyzed, categorized, protected, and handled according to policies may come from a variety of sources such as a communications data store 202 , a collaboration data store 204 , and cloud storage 206 .
  • On-premise data sources 208 may also contribute to the data to be processed.
  • the data insights platform (correlated, multi-stage data storage service) 210 may receive stored data, activities associated with the data, and metadata, and correlate the data at multiple levels based on the activities and metadata.
  • a policy defining sharing or retention schedules for all word processing documents or all marketing documents may be an overkill and consume unnecessary resources, result in false positives, etc.
  • the broader data types may be categorized based on specific aspects such as who is accessing the data, where the data is being accessed from, whether the document include sensitive information, etc. Policies and remediation actions may be determined according to these more granular categories allowing a more accurate and efficient handling and protection of the data.
  • the larger infrastructure may also include an alerts engine 212 to determine and issue alerts based on threats or unacceptable data usage, and a policy engine 214 to determine and implement retention, handling, and protection policies.
  • an alerts engine 212 to determine and issue alerts based on threats or unacceptable data usage
  • a policy engine 214 to determine and implement retention, handling, and protection policies.
  • the correlated, multi-stage data storage may be utilized by a multitude of modules such as a threat intelligence module 230 to manage internal and external threats and data explorer module 226 to identify categories of data and determine applicable policies and remediation actions for the identified data.
  • the data explorer module 226 may be configured to receive attribute information such as a label, a sensitive data type, a data type, an age, a storage location of the data, a location of a user accessing the data, an identity of a user or an entity accessing the data, and whether the data is shared internally or externally for data stored in a correlated and multi-stage evaluated storage structure of for the hosted service.
  • the attribute information may be generalized as classification, property, applied policy, and access.
  • the data explorer module 226 may present a dashboard with one or more actionable visualizations representing distinct attributes of the data and upon receiving selections of attribute filters for the data through the dashboard, analyze the filtered data based on the received attribute information.
  • the module may also determine a label, an applicable policy, and/or a remediation action for the data based on the analysis results. The determined label, applicable policy, and/or remediation action may be presented through the dashboard.
  • the data explorer module 226 may suggest a policy or remediation action to be implemented in some examples.
  • the suggestion may be to customize or update a currently implemented policy or configuration.
  • the suggestion may encompass regulatory, legal, industrial, internal compliance, external compliance, and other security and compliance rules or standards employed to protect the tenant, for example.
  • User experiences such as threat intelligence user interface 232 , alerts user interface 224 , and policy user interface 222 may be provided as part of a security and compliance center 220 to present actionable visualizations associated with various aspects of the service and receive user/administrator input to be provided to the various modules.
  • Various application programming interfaces (APIs) such as REST API may be used for exchange of communications among the different components of the system.
  • FIG. 3 includes a display diagram illustrating conceptually inputs and outputs of a data insights platform for a security and compliance environment.
  • a data insights platform 310 may include a reporting framework 312 , and aggregation store 314 , and data insights API 318 , where contextual searches 316 may be performed on the aggregated data (correlated and multi-stage evaluated) through the data insights API 318 .
  • the reporting framework may define and manage replies to queries.
  • a background job framework 320 may perform tasks associated with alert, policy, threat intelligence aggregation 322 .
  • Other aggregation tasks may include reporting aggregation 326 and user experience data aggregation 328 , which may manage customization insights 332 and tenant usage insights.
  • the background job framework 320 may also perform default and system policy tasks 324 .
  • Different types of signals such as metadata, documents, communications, activities, etc. may be collected from tenant environment and correlated in a multi-stage evaluation framework based on their content and context.
  • the correlation and aggregation may be performed according to a component of the security and compliance service such as alert, policy, threat management aggregation.
  • the system may allow simple queries from components and clients of the security and compliance service to be converted into rich analyses on available tenant data.
  • the aggregated reports may be provided to the system components for alert notifications, threat management policies, data explorer classifications, etc. ( 302 ).
  • the background job framework 320 may work with a security and compliance data store 308 , which may also be used by policy and threat intelligence management services 306 .
  • the services may create workloads 304 for the system.
  • the collected signals may also include relationships (organizational), configurations (data, system, permissions, etc.), and comparable ones.
  • pre-correlated signals such as those from a graph-based data correlation system may also be received and used.
  • New signals may be generated as signals are correlated at different levels.
  • the data insights platform may have the intelligence to decide which type of data to run a query on based on the request and how to augment a query based on context.
  • the data insights platform may allow data investigations in some examples.
  • a chain-linked investigation that can go multiple levels deep may be performed on various types of data.
  • a malware threat may be detected as an attachment to emails.
  • Some emails may have been delivered to recipients prior to detection.
  • Multi-stage investigation may determine who were the recipients; among the recipients, who opened their emails; among those who opened their emails, who opened the attachment, and correlate those levels with corresponding remediation actions.
  • the investigation may be made even more comprehensive by adding context of which recipients are considered higher risk for the organization, which documents/content may be affected, etc.
  • the data insights platform may be used for pattern detection through the multi-stage evaluation, as well as, anomaly detection (e.g., query for alerts may be set as “Tell me which activities are abnormal”).
  • anomaly detection e.g., query for alerts may be set as “Tell me which activities are abnormal”.
  • an insight may be derived, for example, for an applicable policy based on the pattern and the application policy presented as a suggested policy for the data based on the derived insight.
  • the platform may also provide, in addition to the query results, raw or filtered signals from among the collected signals and/or any signals generated by the platform during routine correlation.
  • FIG. 4 includes a display diagram illustrating a data explorer dashboard in conjunction with a data insights platform for a security and compliance environment.
  • Diagram 400 illustrates an example dashboard through which actionable visualizations may be presented, actions/policies implemented, and monitored.
  • a client application may provide an administrator, for example, access to a user interface, such as a dashboard 402 , associated with a data explorer module of a hosted service or a separate protection service.
  • the dashboard 402 may present summary and/or detailed information associated with data categories, threats, security and compliance configurations, analyses results, and configuration controls, for example.
  • the dashboard 402 may comprise a plurality of tabs 404 that each offer one or more security and compliance-based features that may be managed by the tenant, administrators, and/or users through the dashboard 402 .
  • Example tabs 404 may include a home dashboard view, and additional views associated with threat analysis, alerts, security policies, data management, investigation, reports, global trends, and local trends.
  • users may be enabled to search data under various labels through a search box 406 , and view/select actions 408 , filters 410 , etc.
  • Various visualizations may include data by policy 412 , data by label 414 , sensitive data by type 416 , access by location 418 , data by age 420 , and data sharing 422 , for example.
  • the visualizations may include graphic representations such as bar charts, pie charts, maps, and other representations employing a variety of highlighting, color, textual, graphic, and shading schemes.
  • Some or all of the visualizations may be actionable, that is, a user may drill down on data by clicking on elements of the visualization, see details, change filtering parameters, change visualization parameters, etc.
  • a default data by label visualization may display a top 5 or 10 labels. Users may reduce or increase the number, change the graphic representation, etc.
  • users may be enabled to combine visualizations. For example, access by location visualization may be combined with sensitive data type or policy visualization such that a new visualization providing an intersection of the selected attributes may be presented.
  • the underlying data for the visualizations and other information displayed on the dashboard may be received from a data insights platform through a series of queries to the platform, which may collect signals from a number of resources within the tenant's hosted environment. The collected signals may be correlated at one or more levels based their content and context.
  • the data insights platform may focus and/or filter the queries on a portion of the collected and correlated signals based on a context of the query in relation to the collected and correlated signals.
  • the data insights platform may then reply to the query with a comprehensive analysis report.
  • FIG. 5 includes a display diagram illustrating a threat intelligence dashboard in conjunction with a data insights platform for a security and compliance environment.
  • a threat intelligence dashboard may provide visual information associated with current threats, protection status, and investigations with actionable items allowing selection of more detailed views, drill-down operations, and remediation actions.
  • dashboard 502 may present a user experience with visual and actionable information on potential threats and detected threats (global, industry level, regional, type, and other categories) using charts, lists, and/or maps (map or origination, affected areas, etc.). Through various schemes (color, shading, graphic, textual, etc.) correlation between internal and external threats may be displayed along with detailed information available through drill-down (i.e., user can click on any displayed data point and be provided individual data).
  • the user experience may also indicate whether threats are directed to the organization (or a particular group/people within the organization) or are general. Automatic remediation actions and results may be displayed along with suggested actions.
  • the dashboard 502 may comprise a plurality of tabs 504 that each offer one or more security and compliance-based features that may be managed by the tenant, administrators, and/or users through the dashboard 502 .
  • Example tabs 504 may include a home dashboard view, and additional views associated with threat analysis, alerts, security policies, data management, data discovery, investigation, reports, global trends, and local trends.
  • threat detections 505 presents various categories of threat detections graphically (e.g., scanned items, topped threats, removed threats, etc.).
  • Detected threats 510 may present graphically and textually types of threats detected such as malware, viruses, phishing scams, etc.
  • An attack origins map 508 may display a geographical map of where the detected threats originate from.
  • a top targeted users list 514 may display a list of users who receive the most targeted threats. The displayed information may include the ability to drill down.
  • an administrator may be able to see details of threats received by that user, documents or communications affected by the threats, and even follow a chain of events, that is, see other users who may be affected by the selected user through exchanged communication, shared documents, etc.
  • the dashboard 502 may also display suggestions 512 providing policy or remediation action proposals in light of the threat analysis, and an investigations section 516 that may allow the administrator to perform searches on people, communications, documents, and other threat related topics. Audit trails may also be accessed through the investigations section 516 .
  • the underlying data for some of the visualizations and other information displayed on the dashboard may be received from a data insights platform through a series of queries to the platform, which may collect signals from a number of resources within the tenant's hosted environment. The collected signals may be correlated at one or more levels based their content and context.
  • the data insights platform may focus and/or filter the queries on a portion of the collected and correlated signals based on a context of the query in relation to the collected and correlated signals.
  • the data insights platform may then reply to the query with a comprehensive analysis report.
  • the dashboards 402 and 502 are not limited to the above described components and features. Various graphical, textual, coloring, shading, and visual effect schemes may be employed to provide a dashboard based on data from a data insights platform for a security and compliance environment.
  • FIGS. 1A through 5 are illustrated with specific systems, services, applications, modules, and displays. Embodiments are not limited to environments according to these examples.
  • a data insights platform for a security and compliance environment may be implemented in environments employing fewer or additional systems, services, applications, modules, and displays.
  • the example systems, services, applications, modules, and notifications shown in FIG. 1A through 5 may be implemented in a similar manner with other user interface or action flow sequences using the principles described herein.
  • FIG. 6 is a networked environment, where a system according to embodiments may be implemented.
  • a data insights platform as described herein may be employed in conjunction with hosted applications and services (for example, the client application 106 associated with the hosted service 114 , or the protection service 126 ) that may be implemented via software executed over one or more servers 606 or individual server 608 , as illustrated in diagram 600 .
  • a hosted service or application may communicate with client applications on individual computing devices such as a handheld computer 601 , a desktop computer 602 , a laptop computer 603 , a smart phone 604 , a tablet computer (or slate), 605 (‘client devices’) through network(s) 610 and control a user interface, such as a dashboard, presented to users.
  • Client devices 601 - 605 are used to access the functionality provided by the hosted service or client application.
  • One or more of the servers 606 or server 608 may be used to provide a variety of services as discussed above.
  • Relevant data may be stored in one or more data stores (e.g. data store 614 ), which may be managed by any one of the servers 606 or by database server 612 .
  • Network(s) 610 may comprise any topology of servers, clients, Internet service providers, and communication media.
  • a system according to embodiments may have a static or dynamic topology.
  • Network(s) 610 may include a secure network such as an enterprise network, an unsecure network such as a wireless open network, or the Internet.
  • Network(s) 610 may also coordinate communication over other networks such as PSTN or cellular networks.
  • Network(s) 610 provides communication between the nodes described herein.
  • network(s) 610 may include wireless media such as acoustic, RF, infrared and other wireless media.
  • FIG. 7 is a block diagram of an example computing device, which may be used to provide a data insights platform for a security and compliance environment.
  • computing device 700 may be used as a server, desktop computer, portable computer, smart phone, special purpose computer, or similar device.
  • the computing device 700 may include one or more processors 704 and a system memory 706 .
  • a memory bus 708 may be used for communicating between the processor 704 and the system memory 706 .
  • the basic configuration 702 is illustrated in FIG. 7 by those components within the inner dashed line.
  • the processor 704 may be of any type, including but not limited to a microprocessor ( ⁇ P), a microcontroller ( ⁇ C), a digital signal processor (DSP), or any combination thereof.
  • the processor 704 may include one more levels of caching, such as a level cache memory 712 , one or more processor cores 714 , and registers 716 .
  • the example processor cores 714 may (each) include an arithmetic logic unit (ALU), a floating point unit (FPU), a digital signal processing core (DSP Core), or any combination thereof.
  • An example memory controller 718 may also be used with the processor 704 , or in some implementations the memory controller 718 may be an internal part of the processor 704 .
  • the system memory 706 may be of any type including but not limited to volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.) or any combination thereof.
  • the system memory 706 may include an operating system 720 , a protection application or service 722 , and program data 724 .
  • the protection application or service 722 may include a data insights platform 726 , which may be an integrated module of the protection application or service 722 .
  • the data insights platform 726 may be configured to collect a plurality of signals from a plurality of resources within a tenant's hosted environment, where the collected plurality of signals are correlated at one or more levels based their content and context.
  • the data insights platform may receive a query associated with the collected plurality of signals and focus/filter the query on a portion of the collected and correlated signals based on a context of the query in relation to the collected and correlated signals.
  • the data insights platform may then reply to the query with a comprehensive analysis report.
  • the program data 724 may include, among other data, insights data 728 as described herein.
  • the computing device 700 may have additional features or functionality, and additional interfaces to facilitate communications between the basic configuration 702 and any desired devices and interfaces.
  • a bus/interface controller 730 may be used to facilitate communications between the basic configuration 702 and one or more data storage devices 732 via a storage interface bus 734 .
  • the data storage devices 732 may be one or more removable storage devices 736 , one or more non-removable storage devices 738 , or a combination thereof.
  • Examples of the removable storage and the non-removable storage devices include magnetic disk devices such as flexible disk drives and hard-disk drives (HDDs), optical disk drives such as compact disk (CD) drives or digital versatile disk (DVD) drives, solid state drives (SSD), and tape drives to name a few.
  • Example computer storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data.
  • the system memory 706 , the removable storage devices 736 and the non-removable storage devices 738 are examples of computer storage media.
  • Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVDs), solid state drives, or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which may be used to store the desired information and which may be accessed by the computing device 700 . Any such computer storage media may be part of the computing device 700 .
  • the computing device 700 may also include an interface bus 740 for facilitating communication from various interface devices (for example, one or more output devices 742 , one or more peripheral interfaces 744 , and one or more communication devices 746 ) to the basic configuration 702 via the bus/interface controller 730 .
  • interface devices for example, one or more output devices 742 , one or more peripheral interfaces 744 , and one or more communication devices 746 .
  • Some of the example output devices 742 include a graphics processing unit 748 and an audio processing unit 750 , which may be configured to communicate to various external devices such as a display or speakers via one or more A/V ports 752 .
  • One or more example peripheral interfaces 744 may include a serial interface controller 754 or a parallel interface controller 756 , which may be configured to communicate with external devices such as input devices (for example, keyboard, mouse, pen, voice input device, touch input device, etc.) or other peripheral devices (for example, printer, scanner, etc.) via one or more I/O ports 758 .
  • An example communication device 746 includes a network controller 760 , which may be arranged to facilitate communications with one or more other computing devices 762 over a network communication link via one or more communication ports 764 .
  • the one or more other computing devices 762 may include servers, computing devices, and comparable devices.
  • the network communication link may be one example of a communication media.
  • Communication media may typically be embodied by computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and may include any information delivery media.
  • a “modulated data signal” may be a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal.
  • communication media may include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency (RF), microwave, infrared (IR) and other wireless media.
  • RF radio frequency
  • IR infrared
  • the term computer readable media as used herein may include both storage media and communication media.
  • the computing device 700 may be implemented as a part of a specialized server, mainframe, or similar computer that includes any of the above functions.
  • the computing device 700 may also be implemented as a personal computer including both laptop computer and non-laptop computer configurations.
  • Example embodiments may also include methods to provide a data insights platform for a security and compliance environment. These methods can be implemented in any number of ways, including the structures described herein. One such way may be by machine operations, of devices of the type described in the present disclosure. Another optional way may be for one or more of the individual operations of the methods to be performed in conjunction with one or more human operators performing some of the operations while other operations may be performed by machines. These human operators need not be collocated with each other, but each can be only with a machine that performs a portion of the program. In other embodiments, the human interaction can be automated such as by pre-selected criteria that may be machine automated.
  • FIG. 8 illustrates a logic flow diagram of a method to provide a data insights platform for a security and compliance environment.
  • Process 800 may be implemented on a computing device, server, or other system.
  • An example server may comprise a communication interface to facilitate communication between one or more client devices and the server.
  • the example server may also comprise a memory to store instructions, and one or more processors coupled to the memory.
  • the processors, in conjunction with the instructions stored on the memory, may be configured to provide a data insights platform for a security and compliance environment.
  • Process 800 begins with operation 810 , where a plurality of signals such as documents, communication, metadata, and activities may be collected from a plurality of resources within a tenant's hosted environment.
  • the collected signals may be correlated at one or more levels based their content and context (e.g., documents based on metadata or activities associated with them).
  • a query associated with the collected plurality of signals may be received from a component or client of a security and compliance service such as a data explorer module or a threat intelligence module.
  • the query may be focused on a portion of the collected and correlated signals or filtered based on a context of the query in relation to the collected and correlated signals at operation 830 .
  • the query may be replied to by the data insights platform with a comprehensive analysis report based on the focused/filtered execution of the query on the contextual portion of the signals.
  • process 800 The operations included in process 800 are for illustration purposes.
  • a data insights platform for a security and compliance environment may be implemented by similar processes with fewer or additional steps, as well as in different order of operations using the principles described herein.
  • the operations described herein may be executed by one or more processors operated on one or more computing devices, one or more processor cores, specialized processing devices, and/or general purpose processors, among other examples.
  • the means may include a means for collecting a plurality of signals from a plurality of resources within a tenant's hosted environment, where the collected plurality of signals are correlated at one or more levels based their content and context; a means for receiving a query associated with the collected plurality of signals; a means for focusing and filtering the query on a portion of the collected plurality of signals based on a context of the query in relation to the collected plurality of signals; and a means for replying to the query with a comprehensive analysis report based on the focused and filtered execution of the query on the portion of the collected plurality of signals.
  • a method to provide a data insights platform for a security and compliance environment may include collecting a plurality of signals from a plurality of resources within a tenant's hosted environment, where the collected plurality of signals are correlated at one or more levels based their content and context; receiving a query associated with the collected plurality of signals; focusing and filtering the query on a portion of the collected plurality of signals based on a context of the query in relation to the collected plurality of signals; and replying to the query with a comprehensive analysis report based on the focused and filtered execution of the query on the portion of the collected plurality of signals.
  • the method may also include aggregating the plurality of signals in real time.
  • the method may further include receiving the query from and replying to one or more of a data explorer module configured to identify and categorize the aggregated plurality of signals and a threat intelligence module configured to manage threats to the tenant's hosted environment.
  • the method may also include providing one or more of raw signals, filtered signals at one or more correlation levels, and signals generated during the aggregation of the collected plurality of signals to one or more of the data explorer module and the threat intelligence module.
  • the method may yet include detecting a pattern associated with and a usage of the collected plurality of signals; deriving an insight based on the pattern; and presenting the derived insight.
  • the method may also include receiving pre-correlated signals from a graph-based data correlation service.
  • the collected plurality of signals may include one or more of documents, non-document content, communications, metadata, activities, organizational relationships, and configurations.
  • the method may further include determining which type of collected signals to execute a received query on based on a request for the query.
  • the method may also include determining how to augment the query based on a context of the request and/or aggregating query results based on a type requesting module of a security and compliance service.
  • the type of the requesting module may include one of a data classification module, a threat management module, a policy management module, and an alert management module.
  • a server configured to provide a data insights platform for a security and compliance environment.
  • the server may include a communication interface configured to facilitate communication between another server hosting a security and compliance service, one or more client devices, and the server; a memory configured to store instructions; and one or more processors coupled to the communication interface and the memory and configured to execute the data insights platform.
  • the data insights platform may be configured to collect a plurality of signals from a plurality of resources within a tenant's hosted environment, where the collected plurality of signals are correlated at one or more levels based their content and context; receive a query associated with the collected plurality of signals; focus and filter the query on a portion of the collected plurality of signals based on a context of the query in relation to the collected plurality of signals; reply to the query with a comprehensive analysis report based on the focused and filtered execution of the query on the portion of the collected plurality of signals; and provide one or more of raw signals, filtered signals at one or more correlation levels, and signals generated during an aggregation of the collected plurality of signals to one or more of a data explorer module, an alert management module, and a threat intelligence module within the security and compliance service.
  • the data insights platform may include a reporting framework to manage replies to queries, an aggregation store to store aggregated signals, and a data insights application programming interface (API) to communicate with the data explorer module, the alert management module, and the threat intelligence module.
  • the data insights platform may further include a background job framework configured to manage aggregation tasks associated with the data insights platform.
  • the aggregation tasks may include one or more of alert aggregation, policy aggregation, threat intelligence aggregation, default aggregation, system policy aggregation, reporting aggregation, and user experience data aggregation.
  • the user experience data aggregation may include customization insights and tenant usage insights.
  • the plurality of signals may include documents, non-document content, communications, and activities and metadata associated with the documents, the non-document content, and the communications.
  • the data insights platform may be configured to correlate and evaluate the documents, the non-document content, and the communications in context of corresponding activities and metadata associated with the documents, the non-document content, and the communications.
  • a computer-readable memory device with instructions stored thereon to provide a data insights platform for a security and compliance environment.
  • the instructions when executed, may be configured to cause one or more computing devices to perform actions that include collect a plurality of signals comprising documents, non-document content, communications, and activities and metadata associated with the documents, the non-document content, and the communications from a plurality of resources within a tenant's hosted environment, where the collected plurality of signals are correlated at one or more levels based their content and a context of corresponding activities and metadata associated with the documents, the non-document content, and the communications; receive a query associated with the collected plurality of signals; focus and filter the query on a portion of the collected plurality of signals based on a context of the query in relation to the collected plurality of signals; and reply to the query with a comprehensive analysis report based on the focused and filtered execution of the query on the portion of the collected plurality of signals.
  • the correlation may be based on one or more of a label of, a sensitive content within, a type of, an age of, a storage location of, a location of a user accessing, and an identity of a user or an entity accessing the documents, the non-document content, and the communications.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Information Transfer Between Computers (AREA)
US15/474,042 2016-12-30 2017-03-30 Data insights platform for a security and compliance environment Abandoned US20180191781A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US15/474,042 US20180191781A1 (en) 2016-12-30 2017-03-30 Data insights platform for a security and compliance environment

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201662440934P 2016-12-30 2016-12-30
US15/474,042 US20180191781A1 (en) 2016-12-30 2017-03-30 Data insights platform for a security and compliance environment

Publications (1)

Publication Number Publication Date
US20180191781A1 true US20180191781A1 (en) 2018-07-05

Family

ID=62708604

Family Applications (2)

Application Number Title Priority Date Filing Date
US15/474,042 Abandoned US20180191781A1 (en) 2016-12-30 2017-03-30 Data insights platform for a security and compliance environment
US15/473,998 Active 2037-07-25 US10701100B2 (en) 2016-12-30 2017-03-30 Threat intelligence management in security and compliance environment

Family Applications After (1)

Application Number Title Priority Date Filing Date
US15/473,998 Active 2037-07-25 US10701100B2 (en) 2016-12-30 2017-03-30 Threat intelligence management in security and compliance environment

Country Status (4)

Country Link
US (2) US20180191781A1 (fr)
EP (1) EP3563285A1 (fr)
CN (1) CN110140125B (fr)
WO (1) WO2018125854A1 (fr)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10579821B2 (en) 2016-12-30 2020-03-03 Microsoft Technology Licensing, Llc Intelligence and analysis driven security and compliance recommendations
US10701100B2 (en) 2016-12-30 2020-06-30 Microsoft Technology Licensing, Llc Threat intelligence management in security and compliance environment
US10848501B2 (en) 2016-12-30 2020-11-24 Microsoft Technology Licensing, Llc Real time pivoting on data to model governance properties
US11290479B2 (en) * 2018-08-11 2022-03-29 Rapid7, Inc. Determining insights in an electronic environment
US11356484B2 (en) * 2016-02-12 2022-06-07 Micro Focus Llc Strength of associations among data records in a security information sharing platform
US20220327226A1 (en) * 2021-04-07 2022-10-13 Salesforce.Com, Inc. Service for sharing data insights
US11539531B2 (en) * 2019-02-24 2022-12-27 Ondefend Holdings, Llc System and apparatus for providing authenticable electronic communication
US11546381B1 (en) * 2021-11-08 2023-01-03 Beijing Bytedance Network Technology Co., Ltd. Unified data security labeling framework
US11973784B1 (en) 2017-11-27 2024-04-30 Lacework, Inc. Natural language interface for an anomaly detection framework
US11991198B1 (en) 2017-11-27 2024-05-21 Lacework, Inc. User-specific data-driven network security

Families Citing this family (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9342661B2 (en) * 2010-03-02 2016-05-17 Time Warner Cable Enterprises Llc Apparatus and methods for rights-managed content and data delivery
US10565372B1 (en) * 2017-08-03 2020-02-18 Amazon Technologies, Inc. Subscription-based multi-tenant threat intelligence service
US10887333B1 (en) 2017-08-03 2021-01-05 Amazon Technologies, Inc. Multi-tenant threat intelligence service
US10397273B1 (en) 2017-08-03 2019-08-27 Amazon Technologies, Inc. Threat intelligence system
US10904272B2 (en) * 2017-11-02 2021-01-26 Allstate Insurance Company Consumer threat intelligence service
US11228614B1 (en) * 2018-07-24 2022-01-18 Amazon Technologies, Inc. Automated management of security operations centers
US11477226B2 (en) * 2019-04-24 2022-10-18 Saudi Arabian Oil Company Online system identification for data reliability enhancement
CN110460594B (zh) * 2019-07-31 2022-02-25 平安科技(深圳)有限公司 威胁情报数据采集处理方法、装置及存储介质
US11693961B2 (en) 2019-12-03 2023-07-04 Sonicwall Inc. Analysis of historical network traffic to identify network vulnerabilities
US11388176B2 (en) * 2019-12-03 2022-07-12 Sonicwall Inc. Visualization tool for real-time network risk assessment
US11663544B2 (en) * 2020-01-28 2023-05-30 Salesforce.Com, Inc. System and methods for risk assessment in a multi-tenant cloud environment
US11381591B2 (en) * 2020-01-29 2022-07-05 Bank Of America Corporation Information security system based on multidimensional disparate user data
US11914719B1 (en) 2020-04-15 2024-02-27 Wells Fargo Bank, N.A. Systems and methods for cyberthreat-risk education and awareness
US11777979B2 (en) 2020-05-11 2023-10-03 Firecompass Technologies Pvt Ltd System and method to perform automated red teaming in an organizational network
CN112039865A (zh) * 2020-08-26 2020-12-04 北京计算机技术及应用研究所 一种威胁驱动的网络攻击检测与响应方法
US20220109696A1 (en) * 2020-10-01 2022-04-07 Zscaler, Inc. Cloud access security broker user interface systems and methods
CN112596984B (zh) * 2020-12-30 2023-07-21 国家电网有限公司大数据中心 业务弱隔离环境下的数据安全态势感知系统
US11671457B2 (en) * 2021-04-30 2023-06-06 Splunk Inc. On-premises action execution agent for cloud-based information technology and security operations applications
US11528279B1 (en) 2021-11-12 2022-12-13 Netskope, Inc. Automatic user directory synchronization and troubleshooting
US11936678B2 (en) * 2022-01-06 2024-03-19 Oracle International Corporation System and techniques for inferring a threat model in a cloud-native environment

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020091940A1 (en) * 2001-01-05 2002-07-11 Welborn Christopher Michael E-mail user behavior modification system and mechanism for computer virus avoidance
US9100422B1 (en) * 2004-10-27 2015-08-04 Hewlett-Packard Development Company, L.P. Network zone identification in a network security system
US20150319185A1 (en) * 2013-12-13 2015-11-05 Palerra, Inc. Systems and Methods for Contextual and Cross Application Threat Detection and Prediction in Cloud Applications
US20160142433A1 (en) * 2014-11-13 2016-05-19 Masami Nasu Information assessment system, information assessment apparatus, and information assessment method
US20160306965A1 (en) * 2015-04-20 2016-10-20 Splunk Inc. User activity monitoring
US20170034196A1 (en) * 2015-08-01 2017-02-02 Splunk Inc. Selecting network security investigation timelines based on identifiers
US20170116426A1 (en) * 2015-10-24 2017-04-27 Oracle International Corporation Generation of dynamic contextual pivot grid analytics
US20170289178A1 (en) * 2016-03-30 2017-10-05 Symantec Corporation Systems and methods for detecting security threats
US10230749B1 (en) * 2016-02-29 2019-03-12 Palo Alto Networks, Inc. Automatically grouping malware based on artifacts

Family Cites Families (50)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7813947B2 (en) 2003-09-23 2010-10-12 Enterra Solutions, Llc Systems and methods for optimizing business processes, complying with regulations, and identifying threat and vulnerabilty risks for an enterprise
US8201257B1 (en) * 2004-03-31 2012-06-12 Mcafee, Inc. System and method of managing network security risks
US20090307755A1 (en) 2005-02-24 2009-12-10 Dvorak Carl D System and method for facilitating cross enterprises data sharing in a healthcare setting
US9069599B2 (en) 2008-06-19 2015-06-30 Servicemesh, Inc. System and method for a cloud computing abstraction layer with security zone facilities
US20100319004A1 (en) 2009-06-16 2010-12-16 Microsoft Corporation Policy Management for the Cloud
US8910278B2 (en) 2010-05-18 2014-12-09 Cloudnexa Managing services in a cloud computing environment
WO2012109633A2 (fr) 2011-02-11 2012-08-16 Achilles Guard, Inc. D/B/A Critical Watch Plateforme de gestion de contre-mesures de sécurité
US8464335B1 (en) 2011-03-18 2013-06-11 Zscaler, Inc. Distributed, multi-tenant virtual private network cloud systems and methods for mobile security and policy enforcement
US9369433B1 (en) 2011-03-18 2016-06-14 Zscaler, Inc. Cloud based social networking policy and compliance systems and methods
US8577823B1 (en) 2011-06-01 2013-11-05 Omar M. A. Gadir Taxonomy system for enterprise data management and analysis
US9509711B1 (en) 2012-02-01 2016-11-29 Tripwire, Inc. Comparing an organization's security data to aggregate security data
US20130346294A1 (en) 2012-03-21 2013-12-26 Patrick Faith Risk manager optimizer
CN103366116B (zh) * 2012-03-27 2016-12-14 百度在线网络技术(北京)有限公司 移动终端的应用程序潜在威胁的预判系统、方法及装置
US9912638B2 (en) 2012-04-30 2018-03-06 Zscaler, Inc. Systems and methods for integrating cloud services with information management systems
US8990948B2 (en) 2012-05-01 2015-03-24 Taasera, Inc. Systems and methods for orchestrating runtime operational integrity
US9117027B2 (en) 2012-09-03 2015-08-25 Tata Consultancy Services Limited Method and system for compliance testing in a cloud storage environment
US10169090B2 (en) 2012-09-12 2019-01-01 Salesforce.Com, Inc. Facilitating tiered service model-based fair allocation of resources for application servers in multi-tenant environments
US20140289793A1 (en) * 2012-12-20 2014-09-25 Bank Of America Corporation Granular risk expression
CN103886384B (zh) 2012-12-20 2018-10-19 伊姆西公司 用于数据保护的方法和系统
US9203723B2 (en) 2013-01-30 2015-12-01 Broadcom Corporation Network tracing for data centers
CN105009137B (zh) * 2013-01-31 2017-10-20 慧与发展有限责任合伙企业 定向安全警告
US9613322B2 (en) 2013-04-02 2017-04-04 Orbis Technologies, Inc. Data center analytics and dashboard
US9438648B2 (en) 2013-05-09 2016-09-06 Rockwell Automation Technologies, Inc. Industrial data analytics in a cloud platform
US20150067761A1 (en) 2013-08-29 2015-03-05 International Business Machines Corporation Managing security and compliance of volatile systems
US9467477B2 (en) 2013-11-06 2016-10-11 Intuit Inc. Method and system for automatically managing secrets in multiple data security jurisdiction zones
US9692789B2 (en) * 2013-12-13 2017-06-27 Oracle International Corporation Techniques for cloud security monitoring and threat intelligence
US9444819B2 (en) 2014-01-16 2016-09-13 International Business Machines Corporation Providing context-based visibility of cloud resources in a multi-tenant environment
WO2015134008A1 (fr) * 2014-03-05 2015-09-11 Foreground Security Système de détection et d'atténuation automatisées de menace internet et procédés associés
US9785795B2 (en) 2014-05-10 2017-10-10 Informatica, LLC Identifying and securing sensitive data at its source
US10585892B2 (en) 2014-07-10 2020-03-10 Oracle International Corporation Hierarchical dimension analysis in multi-dimensional pivot grids
US9386033B1 (en) 2014-09-10 2016-07-05 Amazon Technologies, Inc. Security recommendation engine
EP3200115B1 (fr) * 2014-10-14 2019-01-09 Nippon Telegraph and Telephone Corporation Dispositif de spécification, procédé de spécification et programme de spécification
US9521151B2 (en) 2014-10-22 2016-12-13 CloudHealth Technologies, Inc. Automated and policy driven optimization of cloud infrastructure through delegated actions
US20160127418A1 (en) 2014-11-03 2016-05-05 Hewlett Packard Enterprise Development Lp Policy-guided fulfillment of a cloud service
US9692778B1 (en) * 2014-11-11 2017-06-27 Symantec Corporation Method and system to prioritize vulnerabilities based on contextual correlation
US10855688B2 (en) 2014-12-16 2020-12-01 Netapp Inc. Multi-tenant security in the cloud
WO2016099569A1 (fr) 2014-12-19 2016-06-23 Nordholm Cameron Système de publication à locataires multiples
US9521160B2 (en) 2014-12-29 2016-12-13 Cyence Inc. Inferential analysis using feedback for extracting and combining cyber risk information
CN105991595B (zh) * 2015-02-15 2020-08-07 华为技术有限公司 网络安全防护方法及装置
CN107409126B (zh) 2015-02-24 2021-03-09 思科技术公司 用于保护企业计算环境安全的系统和方法
WO2016138566A1 (fr) 2015-03-04 2016-09-09 Lumanetix Pty Ltd Système et procédé destinés des analyses d'entreprises fédérées
US20170236131A1 (en) 2015-04-30 2017-08-17 NetSuite Inc. System and methods for leveraging customer and company data to generate recommendations and other forms of interactions with customers
US10033766B2 (en) 2015-06-05 2018-07-24 Cisco Technology, Inc. Policy-driven compliance
US10033604B2 (en) 2015-08-05 2018-07-24 Suse Llc Providing compliance/monitoring service based on content of a service controller
US9456000B1 (en) * 2015-08-06 2016-09-27 Palantir Technologies Inc. Systems, methods, user interfaces, and computer-readable media for investigating potential malicious communications
US10169608B2 (en) 2016-05-13 2019-01-01 Microsoft Technology Licensing, Llc Dynamic management of data with context-based processing
CN106060018B (zh) * 2016-05-19 2019-11-15 中国电子科技网络信息安全有限公司 一种网络威胁情报共享模型
US10579821B2 (en) 2016-12-30 2020-03-03 Microsoft Technology Licensing, Llc Intelligence and analysis driven security and compliance recommendations
US20180191781A1 (en) 2016-12-30 2018-07-05 Microsoft Technology Licensing, Llc Data insights platform for a security and compliance environment
US10848501B2 (en) 2016-12-30 2020-11-24 Microsoft Technology Licensing, Llc Real time pivoting on data to model governance properties

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020091940A1 (en) * 2001-01-05 2002-07-11 Welborn Christopher Michael E-mail user behavior modification system and mechanism for computer virus avoidance
US9100422B1 (en) * 2004-10-27 2015-08-04 Hewlett-Packard Development Company, L.P. Network zone identification in a network security system
US20150319185A1 (en) * 2013-12-13 2015-11-05 Palerra, Inc. Systems and Methods for Contextual and Cross Application Threat Detection and Prediction in Cloud Applications
US20160142433A1 (en) * 2014-11-13 2016-05-19 Masami Nasu Information assessment system, information assessment apparatus, and information assessment method
US20160306965A1 (en) * 2015-04-20 2016-10-20 Splunk Inc. User activity monitoring
US20170034196A1 (en) * 2015-08-01 2017-02-02 Splunk Inc. Selecting network security investigation timelines based on identifiers
US20170116426A1 (en) * 2015-10-24 2017-04-27 Oracle International Corporation Generation of dynamic contextual pivot grid analytics
US10230749B1 (en) * 2016-02-29 2019-03-12 Palo Alto Networks, Inc. Automatically grouping malware based on artifacts
US20170289178A1 (en) * 2016-03-30 2017-10-05 Symantec Corporation Systems and methods for detecting security threats

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11356484B2 (en) * 2016-02-12 2022-06-07 Micro Focus Llc Strength of associations among data records in a security information sharing platform
US10579821B2 (en) 2016-12-30 2020-03-03 Microsoft Technology Licensing, Llc Intelligence and analysis driven security and compliance recommendations
US10701100B2 (en) 2016-12-30 2020-06-30 Microsoft Technology Licensing, Llc Threat intelligence management in security and compliance environment
US10848501B2 (en) 2016-12-30 2020-11-24 Microsoft Technology Licensing, Llc Real time pivoting on data to model governance properties
US11973784B1 (en) 2017-11-27 2024-04-30 Lacework, Inc. Natural language interface for an anomaly detection framework
US11991198B1 (en) 2017-11-27 2024-05-21 Lacework, Inc. User-specific data-driven network security
US11290479B2 (en) * 2018-08-11 2022-03-29 Rapid7, Inc. Determining insights in an electronic environment
US11856017B2 (en) 2018-08-11 2023-12-26 Rapid7, Inc. Machine learning correlator to infer network properties
US11539531B2 (en) * 2019-02-24 2022-12-27 Ondefend Holdings, Llc System and apparatus for providing authenticable electronic communication
US20220327226A1 (en) * 2021-04-07 2022-10-13 Salesforce.Com, Inc. Service for sharing data insights
US11907387B2 (en) * 2021-04-07 2024-02-20 Salesforce, Inc. Service for sharing data insights
US11546381B1 (en) * 2021-11-08 2023-01-03 Beijing Bytedance Network Technology Co., Ltd. Unified data security labeling framework

Also Published As

Publication number Publication date
US10701100B2 (en) 2020-06-30
EP3563285A1 (fr) 2019-11-06
US20180191771A1 (en) 2018-07-05
WO2018125854A1 (fr) 2018-07-05
CN110140125A (zh) 2019-08-16
CN110140125B (zh) 2023-07-07

Similar Documents

Publication Publication Date Title
US20180191781A1 (en) Data insights platform for a security and compliance environment
US10848501B2 (en) Real time pivoting on data to model governance properties
US8677448B1 (en) Graphical user interface including usage trending for sensitive files
US11550921B2 (en) Threat response systems and methods
US7996374B1 (en) Method and apparatus for automatically correlating related incidents of policy violations
Choudhary et al. A survey on social network analysis for counter-terrorism
US20180255099A1 (en) Security and compliance alerts based on content, activities, and metadata in cloud
US10984112B2 (en) Systems and methods for automated threat modeling of an existing computing environment
US11314872B2 (en) Systems and methods for automated threat modeling when deploying infrastructure as a code
US20140324517A1 (en) Communication Data Analysis and Processing System and Method
US9172720B2 (en) Detecting malware using revision control logs
RU2696347C2 (ru) Визуальные инструменты для анализа отказов в распределенных системах
Stergiopoulos et al. Automatic analysis of attack graphs for risk mitigation and prioritization on large-scale and complex networks in Industry 4.0
US9141692B2 (en) Inferring sensitive information from tags
Hong et al. An analysis of security systems for electronic information for establishing secure internet of things environments: Focusing on research trends in the security field in South Korea
Faiz et al. Predicting likelihood of legitimate data loss in email DLP
Ayala et al. A Hybrid Recommender for Cybersecurity Based on Rating Approach
Kuehn et al. The Notion of Relevance in Cybersecurity: A Categorization of Security Tools and Deduction of Relevance Notions
Howes et al. Enabling trustworthy spaces via orchestrated analytical security
Aserkar et al. Impact of personal data protection (PDP) regulations on operations workflow
Securosis Understanding and selecting a data loss prevention solution
US20220292426A1 (en) Systems and methods for creating, training, and evaluating models, scenarios, lexicons, and policies
Feng et al. SHINE: a Collaborative System for Sharing Insights and Information of Economic Impacts of Cyberattacks
Garbis et al. Security Operations
Li et al. A privacy risk identification framework of open government data: A mixed-method study in China

Legal Events

Date Code Title Description
AS Assignment

Owner name: MICROSOFT TECHNOLOGY LICENSING, LLC, WASHINGTON

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:PALANI, SURESH C.;CHEN, RUI;APPLEBY, BEN;AND OTHERS;SIGNING DATES FROM 20170319 TO 20170329;REEL/FRAME:041797/0171

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION