US-12621334-B2 - Cybersecurity risk assessment and measurement
Abstract
A cross domain monitoring service is described herein. The cross domain monitoring service may receive a request of a requestor to associate a set of attributes to an access control set for a predetermined set of users with respect to a computing resource of a domain, in which the set of attributes includes at least one of a read access privilege, a write access privilege, or an execute access privilege for the computing resource. In response to a determination that the requestor has a privilege to perform an association of the set of attributes to the access control set for the predetermined set of users, the cross domain monitoring service may update the access control set with the association to the set of attributes, in which updating the access control set causes one or more cryptographic keys associated with the access control set to receive the set of attributes.
Inventors
- John-Philip Galinski
- Gordon Richard WINSTON
Assignees
- QSecGrid, Inc.
Dates
- Publication Date: 2026-05-05
- Application Date: 2023-06-27
Claims (20)
- 1. One or more non-transitory computer-readable media storing computer-executable instructions that upon execution cause one or more processors to perform acts comprising: receiving a request of a requestor to associate a set of attributes to an access control set for a predetermined set of users with respect to a computing resource of a domain, the set of attributes including at least one of a read access privilege, a write access privilege, or an execute access privilege for the computing resource; and in response to a determination that the requestor has a privilege to perform an association of the set of attributes to the access control set for the predetermined set of users, updating the access control set with the association to the set of attributes, wherein the updating the access control set causes one or more cryptographic keys associated with the access control set to receive the set of attributes; aggregating data across a plurality of domains, including the domain; and determining from the aggregated data whether a malicious event has occurred in one or more of the plurality of domains.
- 2. The one or more non-transitory computer-readable media of claim 1, wherein the acts further comprise propagating the association of the set of attributes to one or more child access control sets of the access control set such that the one or more child access control sets inherit the set of attributes.
- 3. The one or more non-transitory computer-readable media of claim 2, wherein a child access control set of the one or more child access control sets further includes an additional set of attributes that is independent from the set of attributes.
- 4. The one or more non-transitory computer-readable media of claim 1, wherein the access control set includes one or more child access control sets that are associated with the one or more cryptographic keys, and wherein the updating the access control set automatically propagates the set of attributes to the one or more child access control sets of the access control set.
- 5. The one or more non-transitory computer-readable media of claim 1, wherein the one or more cryptographic keys include a key for accessing the computing resource.
- 6. The one or more non-transitory computer-readable media of claim 5, wherein the key is a one-use key for accessing the computing resource.
- 7. The one or more non-transitory computer-readable media of claim 1, wherein the computing resource is a data file, and wherein the one or more cryptographic keys include a cryptographic key for accessing the data file.
- 8. The one or more non-transitory computer-readable media of claim 1, wherein the one or more cryptographic keys include a quantum cryptographic key generated using a quantum seed generator.
- 9. The one or more non-transitory computer-readable media of claim 1, wherein the acts further comprise sending a notification to an analytics engine of one or more events that include the association of the set of attributes to the access control set for the predetermined set of users.
- 10. The one or more non-transitory computer-readable media of claim 9, wherein the sending of the notification of the one or more events to the analytics engine causes the analytics engine to interpret the one or more events.
- 11. The one or more non-transitory computer-readable media of claim 9, wherein the sending of the notification of the one or more events to the analytics engine causes the analytics engine to interpret the one or more events and trigger a remediation action based on an interpretation of the one or more events.
- 12. The one or more non-transitory computer-readable media of claim 9, wherein the sending of the one or more events to the analytics engine causes the analytics engine to add associations of the set of attributes, the access control set, and the one or more cryptographic keys to an event data store.
- 13. The one or more non-transitory computer-readable media of claim 1, wherein the acts further comprise: receiving an additional request to associate an additional set of attributes to the access control set for the predetermined set of users; and updating the access control set with an additional association with the additional set of attributes.
- 14. The one or more non-transitory computer-readable media of claim 1, wherein the computing resource is further associated with an additional access control set for an additional predetermined set of users.
- 15. The one or more non-transitory computer-readable media of claim 14, wherein the additional access control set is associated with an additional set of attributes and one or more additional cryptographic keys.
- 16. The one or more non-transitory computer-readable media of claim 1, wherein the acts further comprise tracking application program interface (API) events from a set of APIs associated with the domain that at least include cloud APIs of cloud computing resources.
- 17. The one or more non-transitory computer-readable media of claim 16, wherein the acts further comprise: analyzing the API events to detect at least one of a set of one or more adverse events and a set of one or more potentially adverse events; and generating one or more statistical risk measurements based on the set of one or more adverse events and the set of one or more potentially adverse events.
- 18. The one or more non-transitory computer-readable media of claim 17, wherein the acts further comprise creating an actuarial table for calculating insurable risk based on the one or more statistical risk measurements.
- 19. A system, comprising: one or more processors; a global quantum key manager including a plurality of computer-executable components that are executable by the one or more processors to perform a plurality of actions, the plurality of actions comprising: receiving a request of a requestor to associate a set of attributes to an access control set for a predetermined set of users with respect to a computing resource of a domain, the set of attributes including at least one of a read access privilege, a write access privilege, or an execute access privilege for the computing resource; and in response to a determination that the requestor has a privilege to perform an association of the set of attributes to the access control set for the predetermined set of users, updating the access control set with the association to the set of attributes, wherein the updating the access control set causes one or more cryptographic keys associated with the access control set to receive the set of attributes; a monitor including a plurality of computer-executable components that are executable by the one or more processors to perform a plurality of actions, the plurality of actions comprising aggregating data across a plurality of domains, including the domain; and an analytics engine including a plurality of computer-executable components that are executable by the one or more processors to perform a plurality of actions, the plurality of actions comprising determining from the aggregated data whether a malicious event has occurred in one or more of the plurality of domains.
- 20. A computer-implemented method, comprising: receiving, at a monitoring service, a request of a requestor to associate a set of attributes to an access control set for a predetermined set of users with respect to a computing resource of a domain, the set of attributes including at least one of a read access privilege, a write access privilege, or an execute access privilege for the computing resource; in response to a determination that the requestor has a privilege to perform an association of the set of attributes to the access control set for the predetermined set of users, updating, via the monitoring service, the access control set with the association to the set of attributes, wherein the updating the access control set causes one or more cryptographic keys associated with the access control set to receive the set of attributes; aggregating data across a plurality of domains, including the domain; and determining from the aggregated data whether a malicious event has occurred in one or more of the plurality of domains.
Description
CROSS-REFERENCE TO RELATED PATENT APPLICATION
This application claims priority to U.S. Provisional Patent Application No. 63/356,448, filed on Jun. 28, 2022, entitled “Cybersecurity Risk Assessment and Measurement,” which is hereby incorporated by reference in its entirety.
BACKGROUND
Enterprises and other establishments typically have computer infrastructure connected to networks, including the Internet, which exposes that infrastructure to cybersecurity attacks. Cybersecurity attackers range from pranksters to petty criminals, to organized crime, and even in some cases to national governments seeking to misappropriate data or cause harm. According to NortonLifeLock™, in 2021 more than 2,200 cybersecurity attacks occurred every day, an average of one every 39 seconds. The more prominent the enterprise or establishment, the more likely the attack. Accordingly, enterprises and establishments have sought to insure against the harm of cybersecurity attacks. Determining insurance coverage amounts can be performed via techniques to assess the cost of a successful cybersecurity attack, ranging from repair and recovery of web pages to the cost of a data breach response. However, the ability to determine insurance premiums is predicated on an insurance provider's ability to create accurate actuarial tables and statistics to measure the risk of attack. One of the difficulties in calculating statistics of cybersecurity risk is that presently there are no deterministic ways to quantify the number of cybersecurity attacks, and of successful cybersecurity attacks, that an enterprise or establishment receives. Specifically, an enterprise may receive a cybersecurity attack that is not detected for months or even years. Furthermore, some unsuccessful cybersecurity attacks may go undetected as well. Accordingly, it is possible for an enterprise to believe that it has had zero successful attacks out of five, when in fact it has suffered two successful attacks out of nineteen.
To a certain extent, enterprises and establishments, insurance companies, and other related parties are put in the position of “proving a negative,” that is, proving that no successful cybersecurity attacks have occurred. For these and similar reasons, there is a need to be able to deterministically assess and measure cybersecurity attack frequency and success.
BRIEF DESCRIPTION OF THE DRAWINGS
The detailed description is set forth with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items or features.
FIG. 1 is a diagram of an exemplary platform for cybersecurity risk assessment and measurement.
FIG. 2 is a diagram of an exemplary hardware, software, and communications computing environment for cybersecurity risk assessment and measurement.
FIG. 3 is a diagram of an exemplary hierarchical quantum key management system for cybersecurity risk assessment and measurement.
FIG. 4 is a flow chart of an exemplary operation of a hierarchical quantum key management system for cybersecurity risk assessment and measurement.
DETAILED DESCRIPTION
Context of Cybersecurity Risk Assessment and Measurement
Measurement is predicated on defining what is to be measured, that is, defining the object of measurement. In the case of assessing and measuring cyberattacks, this may mean identifying anything from theft of data, to damaging or denying service to computing resources, or simply a breach of security where an unauthorized user, malicious or otherwise, gains access to computing resources. Prior art services suffered from various deficiencies. First, there was no comprehensive survey of activity on all computing resources. In some instances, prior art parties might monitor activity on data files and applications.
Other prior art parties might monitor activity on some, but not all, computing resources, such as registry keys on the Microsoft Windows™ operating system. However, without monitoring all activity on all computing resources, there was always the possibility that an event would occur where an unauthorized and potentially malicious party might access a computing resource. If that computing resource was not monitored, then any access, authorized or not, was not detected and therefore not measured. To address this deficiency, the present disclosure describes a cross domain monitoring service called a Quantum Security Service (“QSS”) that monitors access to all resources, not just data files and applications. Specifically, if there is a computing resource that could be accessed by an application programming interface (API), then that API activity and the access of the resource is monitored. Computing resources include without limitation not only data files and applications, but also memory accesses, communications channels, process/thread creation facilities, and any other