EP-3982259-B1 - POLICY-DRIVEN COMPLIANCE

Inventors

  • GUPTA, SUNIL KUMAR
  • YADAV, NAVINDRA
  • WATTS, Michael Standish
  • PARANDEHGHEIBI, ALI
  • GANDHAM, SHASHIDHAR
  • KULSHRESHTHA, ASHUTOSH
  • DEEN, Khawar

Dates

Publication Date: 2026-05-13
Application Date: 2016-06-01

Claims (12)

  1. A computer-implemented method comprising: receiving, at a collector (106) of a network, network traffic data and corresponding data associated with a first flow; making the network traffic data and corresponding data available to an analytics engine (110); analyzing, by the analytics engine (110), the network traffic data and corresponding data to identify a malicious traffic pattern by using machine learning algorithms to identify anomalies in the network traffic data and corresponding data based on a model of network behavior; updating, using machine learning algorithms, the model used to identify anomalies in the network traffic data and corresponding data; and applying a network policy to at least partially deny access to the network for one or more endpoints associated with the first flow based on the identification of the malicious traffic pattern, wherein the endpoint is assigned a security score that changes over time based on a security state of the endpoint and wherein the network policy to at least partially deny access to the network is based on the security score.
  2. The method of claim 1, wherein at least partially denying access to the network comprises denying general access to the network and allowing access to image update, patch management, and other remediation endpoints.
  3. The method of claim 1, wherein the applicable policy fulfills a protection from malicious software requirement.
  4. The method of claim 1, wherein the applicable policy fulfills a response and reporting requirement.
  5. The method of claim 1, wherein the applicable policy fulfills a requirement to mitigate the effect of an attack.
  6. The method of any preceding claim, wherein the network traffic data includes information regarding at least one of a source or destination MAC address, a source or destination IP address, a protocol, a port number, a number of packets, a number of bytes, a number of flows, bandwidth usage, response time, latency, packet loss, and/or jitter.
  7. The method of any preceding claim, further comprising receiving, at a first sensor (104), network traffic corresponding to the first flow; capturing, at the sensor, network traffic data and corresponding data associated with a first flow; and sending the network traffic data and corresponding data to the collector.
  8. The method of claim 7, wherein sensors are associated with at least one of a network switch, router, appliance, or network device (124).
  9. The method of claim 7, wherein sensors are associated with at least one of a VM, container, or other virtual partition (120).
  10. The method of any preceding claim, wherein the first flow is one of a plurality of flows, and wherein the collector receives network traffic data and corresponding data associated with a plurality of flows.
  11. A system (100) comprising: a processor; and memory including instructions that, upon being executed by the processor, cause the system to perform a method according to any of claims 1 to 10.
  12. A computer-readable medium having computer readable instructions that, upon being executed by a processor of a network traffic monitoring system (100), cause the network traffic monitoring system to perform a method according to any of claims 1 to 10.
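The claims above describe a pipeline: a collector receives flow records from sensors, an analytics engine compares each flow against a learned model of normal behaviour and keeps updating that model, each endpoint carries a security score that moves over time with its security state, and a policy denies general network access below a score threshold while still allowing traffic to patch and image-update endpoints (claim 2). The following Python is an added illustration of that chain and is not code from the patent or its assignee; the addresses, flow sizes, timestamps, thresholds, penalty and recovery rates are all constructed or assumed parameters, and the "model of network behavior" is a deliberately simple per-source running mean/variance of bytes per flow standing in for whatever learning method a real deployment would use.

```python
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List, Tuple

# Constructed addresses. The remediation set is the claim-2 carve-out: hosts an
# endpoint may still reach while its general network access is denied.
REMEDIATION_ENDPOINTS = {"10.0.0.50", "10.0.0.51"}   # patch / image servers (assumed)

MIN_SAMPLES = 5          # flows of history needed before anomalies are judged
Z_THRESHOLD = 3.0        # standard deviations from baseline that count as anomalous
SCORE_PENALTY = 60.0     # score lost per anomalous flow (assumed policy parameter)
RECOVERY_PER_SEC = 0.5   # score regained per second of clean behaviour (assumed)
QUARANTINE_BELOW = 50.0  # score under which general access is denied (assumed)


@dataclass
class Flow:
    """One flow record as a sensor would hand it to the collector."""
    t: int        # seconds since start (constructed timestamps)
    src: str
    dst: str
    nbytes: int


@dataclass
class BehaviorModel:
    """Per-source baseline of bytes per flow as a running mean/variance
    (Welford's algorithm); stands in for the 'model of network behavior'."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def is_anomalous(self, value: float) -> bool:
        if self.n < MIN_SAMPLES:
            return False                   # not enough history to judge
        std = sqrt(self.m2 / (self.n - 1))
        if std == 0.0:
            return value != self.mean      # constant baseline: any change is new
        return abs(value - self.mean) / std > Z_THRESHOLD

    def update(self, value: float) -> None:
        self.n += 1
        delta = value - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (value - self.mean)


@dataclass
class EndpointState:
    """Security score that drops on anomalies and recovers with clean time."""
    score: float = 100.0
    last_seen: int = 0


def update_score(state: EndpointState, t: int, anomalous: bool) -> float:
    elapsed = max(0, t - state.last_seen)
    state.score = min(100.0, state.score + elapsed * RECOVERY_PER_SEC)
    if anomalous:
        state.score = max(0.0, state.score - SCORE_PENALTY)
    state.last_seen = t
    return state.score


def policy_decision(score: float, dst: str) -> str:
    """Claims 1 and 2: below the threshold, deny general access but keep
    remediation endpoints reachable so the host can be patched or re-imaged."""
    if score >= QUARANTINE_BELOW:
        return "allow"
    if dst in REMEDIATION_ENDPOINTS:
        return "allow-remediation"
    return "deny"


class AnalyticsEngine:
    """Collector-side analytics: learns a baseline per source, scores endpoints,
    and emits a policy decision for every flow as it arrives."""

    def __init__(self) -> None:
        self.models: Dict[str, BehaviorModel] = {}
        self.endpoints: Dict[str, EndpointState] = {}

    def ingest(self, flow: Flow) -> str:
        model = self.models.setdefault(flow.src, BehaviorModel())
        state = self.endpoints.setdefault(flow.src, EndpointState(last_seen=flow.t))
        anomalous = model.is_anomalous(flow.nbytes)
        score = update_score(state, flow.t, anomalous)
        if not anomalous:
            model.update(flow.nbytes)   # only clean flows refine the baseline
        return policy_decision(score, flow.dst)


def run_demo() -> List[Tuple[int, str, str, str]]:
    """Constructed traffic: a quiet baseline, one outsized transfer, then the
    quarantined host reaching a patch server and finally recovering."""
    host, server, patch = "10.0.1.7", "10.0.2.20", "10.0.0.50"
    flows = [Flow(t, host, server, b) for t, b in
             zip(range(0, 60, 10), [1000, 1100, 1050, 1200, 980, 1020])]
    flows += [
        Flow(60, host, server, 50_000_000),   # anomalous bulk transfer
        Flow(61, host, server, 1000),         # normal flow, but host is quarantined
        Flow(62, host, patch, 1000),          # remediation traffic stays allowed
        Flow(200, host, server, 1000),        # score has recovered with clean time
    ]
    engine = AnalyticsEngine()
    return [(f.t, f.src, f.dst, engine.ingest(f)) for f in flows]


if __name__ == "__main__":
    for t, src, dst, decision in run_demo():
        print(f"t={t:3d} {src} -> {dst}: {decision}")
```

Two design points worth noting. The baseline is refined only with flows judged normal, so an endpoint that starts misbehaving cannot gradually teach the model that its new traffic profile is acceptable. And the decision is made on the flow that triggered the anomaly, not on a later one, which is the "real time or substantially real time" property the background section says conventional, reactive approaches lack.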

Description

CROSS-REFERENCE TO RELATED APPLICATION

This application claims priority to U.S. Provisional Application 62/171,899, titled System for Monitoring and Managing Datacenters and filed on June 5, 2015.

TECHNICAL FIELD

The present technology pertains to compliance and, more specifically, to effecting compliance via network policies.

BACKGROUND

Network attacks are becoming increasingly sophisticated and malicious, and the risk of data breaches and their consequences grows. Failure to thwart attacks can damage a business's reputation and result in loss of revenue. In addition, governments and other authoritative bodies are taking on a more active role in protecting individuals' sensitive electronic information. For example, in the United States and abroad, statutes and standards such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), and the Payment Card Industry Data Security Standard (PCI DSS) have been put in place so that enterprises take appropriate steps to ensure the proper use and protection of both corporate and personal communications and information. These regulations and standards are often backed by financial penalties for public or private organizations that fail to comply or where personal data is actually breached. Compliance can be a state of comporting with governmental regulations, industry standards, and similar guidelines, or the process toward this state.

Conventional approaches for compliance may be inadequate to the challenges facing networks today. Many solutions tend to focus on the network edge (i.e., north-south traffic). Thus, networks using these solutions may be especially vulnerable to attacks occurring within the network (i.e., east-west traffic) and are likely to be non-compliant. Conventional techniques are also typically reactive and cannot resolve security breaches in real time or substantially real time. In addition, conventional networks often fail to gather all relevant information for preventing, diagnosing, and remedying malicious network activity.

US 2013/0298244 A1 describes, according to its abstract, instrumented networks and platforms having target subjects (devices, transactions, services, users, organizations). A security orchestration service generates runtime operational integrity profiles representing and identifying a level of threat or contextual trustworthiness, at near real time, of subjects and applications on the instrumented target platform. Systems and methods for threat identification and remediation for computing platforms based upon reconnaissance-based intelligence correlation and network/application monitoring are disclosed. In an embodiment, a method provides runtime operational integrity of a system by receiving: a dynamic context including endpoint events; and network endpoint assessments. The method generates temporal events based on the network endpoint assessments and correlates the endpoint events and temporal events before generating an integrity profile for the system. In another embodiment, flow-level remediation is provided to isolate infected or compromised systems from a computing network fabric using a network trust agent, an endpoint trust agent, and a trust orchestrator.

BRIEF DESCRIPTION OF THE FIGURES

In order to describe the manner in which the above-recited and other advantages and features of the disclosure can be obtained, a more particular description of the principles briefly described above will be rendered by reference to specific embodiments that are illustrated in the appended drawings. Understanding that these drawings depict only example embodiments of the disclosure and are not therefore to be considered to be limiting of its scope, the principles herein are described and explained with additional specificity and detail through the use of the accompanying drawings, in which:

  • FIG. 1 illustrates a network traffic monitoring system in accordance with an example embodiment;
  • FIG. 2 illustrates a policy engine in accordance with an example embodiment;
  • FIGS. 3A-3C illustrate a compliance mapping in accordance with an example embodiment;
  • FIG. 4 illustrates a network environment in accordance with an example embodiment;
  • FIG. 5 shows an example process for providing compliance via network policies in accordance with an example embodiment; and
  • FIGS. 6A and 6B show systems in accordance with some example embodiments.

DESCRIPTION OF EXAMPLE EMBODIMENTS

The detailed description set forth below is intended as a description of various configurations of example embodiments and is not intended to represent the only configurations in which the subject matter of this disclosure can be practiced. The appended drawings are incorporated herein and constitute a part of the detailed description. The detailed description includes specific details for the purpose of providing a more thorough understanding of the subject matter of this disclosure. However, it will be clear and apparent that the subject matter