Sophos Limited

Dynatrace Corporation

Andreas Berger

Kenneth D Ray

Harald Schütz

Anthony John Merry

Andrew James Thomas

Russell Humphries

John Edward Tyrone Shaw

Christian Schwarzbauer

Mark David Harris

Gordon Sullivan

Stefan Ortner

Markus Hein

Gerald Wintersberger

Vincent Vanbiervliet

Norbert Gruber

Artur Wenzel

A technology to identify processing paths of untrusted input data received by applications that are vulnerable to attacks and to further detect and prevent actual attacks that try to exploit those vulnerabilities is disclosed. Application code is augmented at run-time with sensor code which detects the entry of input-data into the application and further traces the propagation, manipulation and, sanitization of this input-data until its usage in a data sink. The so generated data-flow traces reveal data-flow paths that lack required sanitization measures to neutralize potentially harmful input-data. Such data-flow paths are reported as vulnerabilities. Further, input-data that reaches data-sink interfaces is scanned by data-sink sensors to identify harmful input data. On identification of harmful input data, an attack is reported, and countermeasures are applied to prevent the identified attack.

Method and system for data flow monitoring to identify application security vulnerabilities and to detect and prevent attacks

A technology is disclosed to perform real-time and online identification and prioritization of vulnerabilities of components of software applications. Agents are deployed to components of monitored applications that monitor and report application topology, communication, code execution and code loading activity. Reported code loading and execution activity data is used to detect the loading and execution of vulnerable code, topology and communication data is used to create a topology model of the application containing communication paths, trust boundaries and location of sensitive data. The analysis of code loading and execution data reveals the extend to which vulnerable code is used by monitored application components. The topology data combined with code execution data reveals the extent to which components executing vulnerable code are exposed to untrusted entities and/or accessing sensitive data. Execution data of vulnerable code, exposure and access data of components executing the vulnerable code are used to calculate priority scores for identified vulnerabilities.

Method and system for real time detection and prioritization of computing assets affected by publicly known vulnerabilities based on topological and transactional monitoring data

A honeypot file is cryptographically secured with a cryptographic key. The key, or related key material, is then placed on a central keystore and the file is placed on a data store within the enterprise network. Unauthorized access to the honeypot file can then be detecting by monitoring use of the associated key material, which usefully facilitates detection of file access at any time when, and from any location where, cryptographic access to the file is initiated.

Intrusion detection with honeypot keys

Rules are applied at a network perimeter to outbound network communications that contain file attachments. The rules may, in a variety of circumstances, require wrapping of an outbound file from the endpoint in a portable encrypted container. The network perimeter may be enforced locally at the endpoint, or at any network device between the endpoint and a recipient.

Perimeter enforcement of encryption rules

A portable encryption format wraps encrypted files in a self-executing container that facilitates transparent, identity-based decryption for properly authenticated users while also providing local password access to wrapped files when identity-based decryption is not available.

Portable encryption format

Securing an endpoint against exposure to unsafe content includes encrypting files to prevent unauthorized access, and monitoring an exposure state of a process to potentially unsafe content by applying behavioral rules to determine whether the exposure state is either exposed or secure, where (1) the process is initially identified as secure, (2) the process is identified as exposed when the process opens a network connection to a URL that is not internal to an enterprise network of the endpoint and that has a poor reputation, (3) the process is identified as exposed when it opens a file identified as exposed, and (4) the process is identified as exposed when another exposed process opens a handle to the process. Access to the files may be restricted when the process is exposed by controlling access through a file system filter that conditionally decrypts files for the process according to its exposure state.

Behavioral-based control of access to encrypted content by a process

An endpoint encrypts local files with a key to protect file contents. If the endpoint or processes on the endpoint becomes exposed to potentially harmful locations or resources, the key can be revoked to prevent access to encrypted files on the endpoint. In order to facilitate continued operation of the endpoint, files that are currently open can be encrypted with a second key so that the corresponding data is isolated from the other encrypted files while remaining accessible to current users.

Intermediate encryption for exposed content

Securing an endpoint against malicious activity includes encrypting a plurality of files on an endpoint to prevent unauthorized access to the plurality of files, receiving a request to access a file from a process executing on the endpoint, decrypting the file for the process, and monitoring a security state of the process. If the security state becomes a compromised state, a technique involves maintaining access to any open files (including the file decrypted for the process), prohibiting access to other files, and initiating a remediation of the process by facilitating a restart of the process. If the remediation is successful, access by the process to the plurality of files may be restored.

Process-level control of encrypted content

On an endpoint that encrypts local files to protect against data leakage and other harmful malware events, newly detected files are dynamically encrypted when they are detected as long as the endpoint is not compromised. If a compromised state is detected, the newly detected file will not be added to the encrypted files until the endpoint can be remediated and the compromised state resolved.

Growing community of inventors

Linz, Austria

Andreas Berger