Networks of computers that support business activities are often composed of a multitude of infrastructure devices (e.g., computational, storage, and network resources). These infrastructure devices may provide, for example, a cohesive system of coordinated computing devices that support many automated functions for a corporate enterprise. In some cases, these computing devices are connected to a network for communication with each other. Wireless and wired networks may be connected to each other, for example, using a device referred to as an access point (AP). Some devices connected to a network as infrastructure devices may perform network monitoring and security checks on network activities. These infrastructure devices may include, but are not limited to, firewalls, network data analyzers (sniffers), network analytics servers, network performance monitors, and access control servers. These and other types of network infrastructure devices may provide data or event information to security or performance monitoring network components.
Client devices (both wired and wireless) may perform network operations in their normal course of operation. Different types of network operations may pose different types of security and performance constraints on a system. For example, a user may inadvertently initiate a global search across a large amount of storage during a peak working hour. This unintended performance impact on one or more servers may represent an undesired condition for a corporate enterprise. In addition to inadvertent actions, some actions may be initiated that may pose an actual (or perceived) security risk to an organization.
The present disclosure may be better understood from the following detailed description when read with the accompanying Figures. It is emphasized that, in accordance with standard practice in the industry, various features are not drawn to scale. In fact, the dimensions or locations of functional attributes may be relocated or combined based on design, security, performance, or other factors known in the art of computer systems. Further, order of processing may be altered for some functions, both internally and with respect to each other. That is, some functions may not perform serial processing and therefore those functions may be performed in an order different than shown or possibly in parallel with each other. For a detailed description of various examples, reference will now be made to the accompanying drawings, in which:
Illustrative examples of the subject matter claimed below will now be disclosed. In the interest of clarity, not all features of an actual implementation are described for every example implementation in this disclosure. It will be appreciated that in the development of any such actual example, numerous implementation-specific decisions may be made to achieve the developer's specific goals, such as compliance with system-related and business-related constraints, which will vary from one implementation to another. Moreover, it will be appreciated that such a development effort, even if complex and time-consuming, would be a routine undertaking for those of ordinary skill in the art having the benefit of this disclosure.
Various network analytics servers exist and, at a high-level, may be thought of as providing intelligence and data analysis (static repository analysis and network traffic analysis) to add context and derive historical attributes about network data to assess risks (among other things). Variations of network access control (NAC) devices (NAC as mentioned above) exist and are provided by various vendors. In general, NAC systems provide challenge response authentication to identify users with respect to logging in, gaining access to data, or performing functions (with proper privileges) on a computer system.
Determining the potential security risk may rely on analysis performed by a network analytics engine. In some cases, a network analytics engine may factor in several different types of parameters when determining whether or not to let the action commence (or proceed if already started). The different types of parameters may include who the authenticated user initiating the action is (e.g., vice president versus janitor), the amount of risk associated with the action (e.g., level of security vulnerability based on type of access performed, or expected to be performed, by the action), and/or a type of authentication used by the user (e.g., two factor versus simple password). Based on analysis of these parameters, different determinations may be made by an analytics engine as to a degree of risk associated with the action.
In one or more implementations of this disclosure, decision making and enforcement are integrated: a network analytics engine and an authentication engine work together to analyze and allow execution of user-initiated actions. In one example, a network analytics server and a NAC may exchange information about each user and identify any anomalous activity. Once identified, it may be further determined to control data access or actions allowed on a dynamic basis, for example, prior to execution of the user-initiated action or based on a run-time determination while the user-initiated action is executing. Further, post execution (or post attempted user-initiation of actions) metrics may be collected pertaining to the user-initiated action. These metrics may be provided to a network analytics server for use when making a future determination about a repeat request for this same user-initiated action or other user-initiated actions that may be similar to the action originating the metric collection. Using disclosed techniques, manual intervention by network administrators (e.g., security administrators) may be elided and automated response events and actions may be provided by an enhanced network security system.
Disclosed techniques enhance overall network security by integrating and sharing information between two normally independent systems within an enterprise. For example, it is common for a customer network to have independent systems that independently provide a NAC and network analytics. NAC systems are more common as small enterprises will typically have a NAC, but network analytics may be more prevalent in larger enterprises with larger networks. In any case, these two systems, if present, are typically configured to provide each of their respective functions independently from each other.
In one example implementation, a NAC may extend its capability set (e.g., with respect to detecting malicious or abnormal activity), in part, by utilizing data provided by a network analytics engine. In some disclosed implementations, this data is proactively provided by the network analytics engine (executing on a network analytics server) to the NAC as opposed to analytical data passively being available upon request. Further, disclosed NAC implementations may proactively provide data regarding actions to a network analytics engine to enhance network analysis capabilities (e.g., real-time awareness of actions taken). The NAC may provide this information as part of performing actions to dynamically isolate any device or user. The data may be provided as events, alerts, messages, or other types of mechanisms. In one example, hypertext transfer protocol (HTTP) messages may be used (e.g., provided via a representational state transfer (REST) interface).
In general, disclosed implementations include a NAC as the entry point for users and devices into the computer network. That is, the NAC performs its standard function of authentication to “connect” a user (or guest) to obtain network access and therefore has the initial information about devices such as device category, hostname, device posture, and user's information including username, email address, role, login time, location, etc. Additionally, disclosed implementations include a network analytics engine that provides a user and entity behavioral analytics solution that may be used to detect small changes in behavior of the users. Accordingly, behavioral analytics, as provided by the network analytics engine, may be used to predict attacks, identify compromised devices, identify negligent users, etc. Thus, the combination of these two capabilities, as provided in disclosed implementations, may reduce (or eliminate in some instances) manual intervention by an IT administrator, in part, because the network analytics/NAC combination may automatically act to isolate/quarantine any detected malicious (or abnormal) user or device. In a simple example, if a user moved to an office or location where that user is not authorized to be, network analytics would provide this information (about relocation) to a NAC that may create an alert or take other action.
Having an understanding of the above overview, this disclosure now explains a non-limiting example implementation (and possible variants thereof). Examples are explained with reference to the figures that include: a functional block diagram representing an example of data and event control flow between a network security server, a network analytics server, and a network controller communicatively coupled to a client device (
As mentioned above, disclosed systems may reduce manual intervention involvement in network security enforcement using automated techniques based, in part, on machine learning and deep data analysis. Accordingly, disclosed systems and techniques represent an improvement to the art of computer system administration. For example, actions initiated on client computer systems may represent fully authenticated requests initially. Based on monitoring and analysis prior to execution or while an action is executing, further determinations may be made with respect to the actions initiated on a given device (and associated with an authenticated user). These further determinations may cause termination of the executing action, quarantine/isolation of one or more client computers, event and alert generation, and/or generation of metadata that may be used for future analysis with respect to future actions by either the device or the user associated with the device and the action. Any dynamically isolated device or user may be tracked and used for reporting purposes. For example, a timeline of events may illustrate actions taken for use in post mortem analysis of a system failure (or performance degradation).
Referring now to
Continuing with
Another mechanism for network analytics server 108 to affect network controller 106 is illustrated by security actions 114 whereby network analytics server 108 may send an event (e.g., a high priority message) to NAC 107 informing NAC 107 to instruct network controller 106 (e.g., via security actions 115) to not allow further network communication from client device 105. Thus, data affecting client device 105 may not flow directly to network controller 106 from a device determining an action. In some cases, the action/information may be provided via an indirect connection and performed by an intermediary (in this example NAC 107 acts as an intermediary for network analytics server 108 based on the event follow up 116).
Completing the discussion of network segment 100, data flows 125, 126, and 127 illustrate that each of network analytics server 108, network controller 106, and NAC 107 may intermittently share information amongst each other, while direct connections to client device 105 may be from network controller 106. In an alternative not shown, direct connections from other devices in network segment 100 to client device 105 may be possible. Event follow up 116 represents a data flow whereby messages may be sent from NAC 107 to network analytics server 108 to maintain information regarding actions taken (e.g., actions directed toward client device 105) within network analytics server 108. As mentioned above, maintaining of historical actions with respect to a device and/or user may allow a network analytics engine executing on network analytics server 108 to perform future analysis with knowledge of past actions. Note that event traffic illustrated as bold dashed arrows may actually flow through either data flow 125 or 126 as appropriate and is not intended to indicate a separate network connection path exists, although multiple network connections may exist for any of the data or event flows illustrated.
Referring now to
Active directory 215 may represent information about users, data, and devices of a corporate network. DNS 225 represents a computer infrastructure component that assists in resolving domain names into network internet protocol (IP) addresses. Tap to switch/router 220 represents information obtained from a network infrastructure device such as a switch or a router and may be obtained by “sniffing” the network. Sniffing the network refers to monitoring data packets passively as they traverse the network and analyzing addressing information (and possibly content) of those data packets. Content analysis of data packets is sometimes referred to as deep packet analysis. Employee information 235 may represent password files from an operating system (possibly also available from active directory 215) or human resource database information about employees, as an example. Firewall information 240 may include whitelist information about devices, addresses, or web sites and may also include rules about permitted and blocked traffic within a corporate network. Corporate records may include information maintained by a corporation with respect to corporate policies, guidelines, etc. and may be used as an input to analytics functions performed by NAE 210. Shared security sources information 255 represents other information, potentially from other security-based infrastructure devices, that may include rankings of potential security risk for certain actions or data sources within the corporate enterprise (e.g., a human resources database may have different credential requirements than a scheduling database). These types of sources are examples only to illustrate the types of data that may be used by an NAE to perform disclosed functions. Other sources of data and analysis techniques may be available as indicated within the block for functional modules 245.
Referring now to
Connection 304 indicates that network analytics server 108 may monitor and receive information about the action both at initiation of the action and while said action is being performed on behalf of the user/device pair that initiated the action. In this manner, network analytics server may monitor for anomalous (or malicious) behavior within the network that may be associated with the action and user/device pair that initiated the action. Connection 305 indicates that results of analysis may be provided from network analytics server 108 to NAC 107. This information may be provided periodically while said action is executing and/or may be provided at the completion of the action. In either event, network analytics server 108 provides information that is current to NAC 107 so that NAC 107 may perform any required actions.
For example, a suspect activity may be identified and associated with the action; however, at this point there is only suspected activity. If additional suspect activity rises to a level of concern (e.g., crosses a potential threat threshold), NAC 107 may attempt to quarantine/isolate client device 105 from performing further activities associated with the action or may prevent client device 105 (via network controller 106 and connection 306) from performing any further network activities. Connection 307 indicates that, if NAC 107 requests network controller 106 to perform any security related event with respect to client device 105, network analytics server 108 maintains correct historical information about these security related events and may associate them with the user/device pair for use in future analysis. Connection 307 may also be used to inform network analytics server 108 that no security related events were required and any associated risk level with respect to the action or user/device pair may be removed (or reduced). In this manner, constant feedback may be collected and provided across integrated systems to perform elements of the disclosed network analytics for network security enforcement system.
To summarize, a device/user (e.g., client device 105) associates with a network (e.g., via a network controller 106). NAC 107 authenticates the client device 105 (and a currently associated user). NAC 107 passes information about client device 105 (and a currently associated user) to network analytics server 108. Network analytics server 108 initiates collection of data from NAC 107 and monitors a login session. Sources of data for monitoring include network controller 106, DNS 225, active directory 215, SEIM 230, tap to switch/router 220, and other sources. Based on user alerts and risk score, network analytics server 108 generates events (using system log messages or REST application program interfaces (APIs)) that are passed to NAC 107. NAC 107 acts on events as necessary and dynamically isolates/quarantines the client device 105 (or user associated with client device 105) via network controller 106. Note that a user associated with client device 105 may also be quarantined on other devices based on a security action caused by client device 105. NAC 107, periodically or based on an event, notifies network analytics server 108 about potential future remediation action for client device 105 (or associated user) with respect to future connection attempts (e.g., login attempts, or user-initiated actions). All available information may be used by network analytics server 108 for tracking and reporting purposes.
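The event exchange summarized above, worked through as an added example that is not code from this disclosure: a NAC receives risk events from a network analytics server over the two transports the text names (system log messages and a REST API), normalizes them into one structure, maps the risk score to an enforcement request for the network controller, and builds the follow-up message it sends back so the server keeps a correct history. It also handles the case, noted later in the description, where the device has already disconnected and the action must be deferred. The syslog line layout, the JSON field names, the score bands, the network-controller call and the sample inputs are all constructed assumptions; the page defines none of them.

```python
"""NAC-side ingestion of analytics-server events (constructed example)."""
import json
import re
from typing import List, Optional, Set, Tuple

# Assumed syslog-style event layout: "<pri>Mon DD HH:MM:SS host nae: TYPE key=value ..."
SYSLOG_RE = re.compile(r"^<\d+>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) nae: "
                       r"(?P<type>\w+) (?P<kv>.*)$")
REQUIRED = ("type", "user", "device", "score")
REAUTH_SCORE, QUARANTINE_SCORE = 50, 80   # assumed risk-score bands


def _validate(event: dict) -> Optional[dict]:
    """Drop events missing a required field or carrying a non-integer score."""
    if any(k not in event for k in REQUIRED):
        return None
    try:
        event["score"] = int(event["score"])
    except (TypeError, ValueError):
        return None
    return event


def parse_syslog_event(line: str) -> Optional[dict]:
    """Normalize a syslog-transported event into the common event dict."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    kv = dict(item.split("=", 1) for item in m.group("kv").split() if "=" in item)
    return _validate({"type": m.group("type"), "source": m.group("host"), **kv})


def parse_rest_event(body: str) -> Optional[dict]:
    """Normalize a REST-transported (JSON body) event into the common event dict."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    return _validate(data) if isinstance(data, dict) else None


class NacEventHandler:
    def __init__(self, connected_devices: Set[str]) -> None:
        self.connected = connected_devices
        self.controller_calls: List[dict] = []   # requests that would go to the network controller
        self.deferred: List[dict] = []           # held until the device reconnects

    def handle(self, event: dict) -> dict:
        """Map the score to an enforcement action, apply or defer it, and return
        the follow-up message the NAC would send back to the analytics server."""
        if event["score"] >= QUARANTINE_SCORE:
            action = "quarantine"
        elif event["score"] >= REAUTH_SCORE:
            action = "reauth"
        else:
            action = "none"
        deferred = action != "none" and event["device"] not in self.connected
        if action != "none":
            call = {"action": action, "user": event["user"], "device": event["device"]}
            (self.deferred if deferred else self.controller_calls).append(call)
        return {"type": "event_follow_up", "user": event["user"], "device": event["device"],
                "in_response_to": event["type"], "action": action, "deferred": deferred}


def run_demo() -> Tuple[NacEventHandler, List[dict]]:
    # Constructed inputs: two syslog lines, one REST body, and one malformed line.
    inputs = [
        ("syslog", "<134>Mar  3 10:15:02 nae-1 nae: risk user=alice device=laptop-1 score=42 action=global_search"),
        ("syslog", "<132>Mar  3 10:16:40 nae-1 nae: risk user=alice device=laptop-1 score=85 action=export_hr_db"),
        ("rest", '{"type": "risk", "user": "bob", "device": "tablet-7", "score": 60}'),
        ("syslog", "garbage line without the expected layout"),
    ]
    handler = NacEventHandler(connected_devices={"laptop-1"})   # tablet-7 is offline
    follow_ups = []
    for transport, raw in inputs:
        event = parse_syslog_event(raw) if transport == "syslog" else parse_rest_event(raw)
        if event is None:
            continue   # malformed input is dropped, never acted on
        follow_ups.append(handler.handle(event))
    return handler, follow_ups


if __name__ == "__main__":
    _, ups = run_demo()
    for up in ups:
        print(up)
```

Running the demo yields three follow-ups: no action for the score-42 event, an immediate quarantine for the score-85 event on the connected laptop, and a re-authentication request for the offline tablet that is parked in the deferred list and reported back with `deferred` set, which is what lets the analytics server record the decision even though the controller has not yet applied it.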
In general, a login session associated with a user and device may be monitored by the combination of NAC 107, network analytics server 108, and network controller 106. As each user-initiated action of the login session is processed, an associated risk value for the individual action may be determined. A cumulative risk value for the login session may be maintained, for example, on NAC 107. Upon crossing a risk action threshold (e.g., as determined by NAC 107 based on cumulative scoring for user-initiated actions of the login session), NAC 107 may initiate an event (e.g., to network controller 106) to perform a security action on client device 105. The security action may include forcing a re-authentication prior to proceeding with further network communications or may include an indication to network controller 106 to quarantine/isolate client device 105. Note that, upon actual isolation of client device 105, NAC 107 may inform network analytics server 108 of the action taken. In turn, network analytics server 108 may alter further risk analysis determinations for other devices that may also be associated with the user of client device 105 (e.g., the user that caused the security action). In this manner, if a user is determined to be conducting anomalous (or malicious) behavior on one device, that user may be quickly terminated on other devices prior to causing a potentially greater security breach. For example, if a user's password is compromised, a malicious actor may attempt to perform user-initiated actions that each have a marginal risk value across a number of client devices concurrently (e.g., in an effort to obscure their network intrusion). By having a cumulative score and cross-device awareness, the disclosed system may reduce impact of this situation.
As part of dynamic isolation of client device 105 (or associated user), NAC 107 may have the ability to do the following example enforcement actions:
In one example of functionality that may be associated with different device authentication methods, a user-initiated action may be allowed from a device (e.g., client device 105 in the above example) where a user has supplied two-factor authentication and denied on that same device if that user has only authenticated using simple authentication (e.g., single sign on or single-factor authentication such as a password alone). Thus, the higher degree of authentication may allow additional capabilities across a computer network as opposed to standard authentication. In some implementations, the specific type of authentication provided by a user may be at the discretion of that user upon login to a computer network. As a result, if that user wishes to execute more highly sensitive actions, the user may opt (ahead of time) to login using more secure authentication methods. Otherwise, some actions may not be available to that user based on their current authentication status. In some cases, rather than being terminated outright for an insufficient authentication level, an action may prompt the user for additional authentication.
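The per-action risk factors listed earlier (who the authenticated user is, how risky the action is, and how the user authenticated), the cumulative per-session score with re-authentication and quarantine thresholds, the cross-device isolation of a user, and the authentication-level gating just described, combined into one worked example. This is added code, not the disclosure's own; every weight, threshold, role table, action name and the step-up behaviour (a session returning from re-authentication keeps half its score) are constructed assumptions chosen to make the mechanics visible.

```python
"""Session risk accounting at a NAC, with cross-device quarantine (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed per-action base risk, as a network analytics engine might supply it.
ACTION_RISK = {"read_mail": 1, "global_search": 4, "export_hr_db": 8, "change_acl": 6}
DEFAULT_RISK = 3
# Assumed actions that require two-factor authentication regardless of score.
MFA_REQUIRED = {"export_hr_db", "change_acl"}
# Assumed actions each role is expected to perform; anything else counts double.
ROLE_EXPECTED = {"vp": {"read_mail", "global_search", "export_hr_db"},
                 "janitor": {"read_mail"}}
# Assumed weighting of the authentication method used at login.
AUTH_FACTOR = {"mfa": 0.5, "password": 1.0}
REAUTH_THRESHOLD = 10.0      # cumulative score at which re-authentication is forced
QUARANTINE_THRESHOLD = 16.0  # cumulative score at which the user is isolated


@dataclass
class Session:
    user: str
    device: str
    role: str
    auth: str                 # "mfa" or "password"
    score: float = 0.0
    state: str = "active"     # active | reauth_required | quarantined
    history: List[str] = field(default_factory=list)


def action_risk(session: Session, action: str) -> float:
    """Per-action risk from the three factors: user role, action risk, authentication type."""
    base = ACTION_RISK.get(action, DEFAULT_RISK)
    role_factor = 1.0 if action in ROLE_EXPECTED.get(session.role, set()) else 2.0
    return base * role_factor * AUTH_FACTOR[session.auth]


class Nac:
    """Keeps per-session cumulative scores and records the events a NAC would send
    to the network controller and back to the analytics server."""

    def __init__(self) -> None:
        self.sessions: Dict[Tuple[str, str], Session] = {}
        self.events: List[dict] = []

    def login(self, user: str, device: str, role: str, auth: str) -> Session:
        session = Session(user, device, role, auth)
        self.sessions[(user, device)] = session
        return session

    def request_action(self, user: str, device: str, action: str) -> str:
        session = self.sessions[(user, device)]
        if session.state != "active":
            return "denied"
        if action in MFA_REQUIRED and session.auth != "mfa":
            return "step_up_required"   # ask for stronger authentication, not outright denial
        session.score += action_risk(session, action)
        session.history.append(action)
        if session.score >= QUARANTINE_THRESHOLD:
            self._quarantine_user(user, f"cumulative risk {session.score:g} on {device}")
            return "quarantined"
        if session.score >= REAUTH_THRESHOLD:
            session.state = "reauth_required"
            self.events.append({"type": "reauth", "user": user, "device": device})
            return "reauth_required"
        return "allowed"

    def reauthenticate(self, user: str, device: str, auth: str) -> None:
        """Re-authentication reopens the session; the score is halved, not cleared (assumption)."""
        session = self.sessions[(user, device)]
        if session.state == "reauth_required":
            session.auth, session.state, session.score = auth, "active", session.score / 2

    def _quarantine_user(self, user: str, reason: str) -> None:
        # Cross-device awareness: every session of the same user is isolated.
        for (u, device), session in self.sessions.items():
            if u == user and session.state != "quarantined":
                session.state = "quarantined"
                self.events.append({"type": "quarantine", "user": u, "device": device, "reason": reason})


def run_demo() -> Tuple[Nac, List[str]]:
    nac = Nac()
    nac.login("alice", "laptop-1", "janitor", "password")
    nac.login("alice", "desktop-2", "janitor", "password")
    nac.login("bob", "laptop-3", "vp", "mfa")
    results = [
        nac.request_action("alice", "laptop-1", "read_mail"),       # 1.0, allowed
        nac.request_action("alice", "laptop-1", "global_search"),   # 9.0, allowed (out of role)
        nac.request_action("alice", "laptop-1", "export_hr_db"),    # needs MFA: step-up
        nac.request_action("alice", "laptop-1", "global_search"),   # 17.0: quarantined
        nac.request_action("alice", "desktop-2", "read_mail"),      # other device also isolated
        nac.request_action("bob", "laptop-3", "global_search"),     # 2.0, allowed
        nac.request_action("bob", "laptop-3", "export_hr_db"),      # 6.0, allowed
        nac.request_action("bob", "laptop-3", "change_acl"),        # 12.0: re-authenticate
    ]
    nac.reauthenticate("bob", "laptop-3", "mfa")                     # score back to 6.0
    results.append(nac.request_action("bob", "laptop-3", "read_mail"))  # 6.5, allowed
    return nac, results
```

The janitor's out-of-role searches accumulate quickly under single-factor login and trip the quarantine, which then closes her second session as well; the vice president under two-factor login accrues risk at half the rate, is only asked to re-authenticate after an out-of-role ACL change, and continues afterwards with the reduced score.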
Referring now to
Block 425 indicates that, at the initiation of the session and throughout the session, a network analytics server (such as network analytics server 108) may collect data from an access control device (e.g., NAC 107) to monitor the session (e.g., login session). Other data source feeds (e.g., as described for
Block 440 indicates that a NAC (e.g., NAC 107) may provide feedback to a network analytics server regarding security actions taken. These actions may be taken immediately or deferred for future application (e.g., if the device has disconnected at the time of action determination). Block 445 indicates that a network analytics server (e.g., network analytics server 108) may maintain a history of actions and event determinations that may be used for further tracking, reporting, or future use (e.g., next time a device or user attempts to authenticate to the network).
A machine-readable storage medium, such as 502 of
Referring now to
Each of these networks may contain wired or wireless programmable devices and operate using any number of network protocols (e.g., TCP/IP) and connection technologies (e.g., WiFi® networks, or Bluetooth®). In another example, customer network 602 represents an enterprise network that could include or be communicatively coupled to one or more local area networks (LANs), virtual networks, data centers (see
As shown in
Network infrastructure 600 may also include other types of devices generally referred to as Internet of Things (IoT) (e.g., edge IoT device 605) that may be configured to send and receive information via a network to access cloud computing services or interact with a remote web browser application (e.g., to receive just-in-time authentication information).
Network infrastructure 600 also includes cellular network 603 for use with mobile communication devices. Mobile cellular networks support mobile phones and many other types of mobile devices such as laptops, etc. Mobile devices in network infrastructure 600 are illustrated as mobile phone 604D, laptop computer 604E, and tablet computer 604C. A mobile device such as mobile phone 604D may interact with one or more mobile provider networks as the mobile device moves, typically interacting with a plurality of mobile network towers 620, 630, and 640 for connecting to the cellular network 603.
In
As also shown in
Computing device 700 may also include communications interfaces 725, such as a network communication unit that could include a wired communication component and/or a wireless communications component, which may be communicatively coupled to processor 705. The network communication unit may utilize any of a variety of proprietary or standardized network protocols, such as Ethernet, TCP/IP, to name a few of many protocols, to effect communications between devices. Network communication units may also comprise one or more transceiver(s) that utilize the Ethernet, power line communication (PLC), WiFi, cellular, and/or other communication methods.
As illustrated in
Persons of ordinary skill in the art are aware that software programs may be developed, encoded, and compiled in a variety of computing languages for a variety of software platforms and/or operating systems and subsequently loaded and executed by processor 705. In one implementation, the compiling process of the software program may transform program code written in a programming language to another computer language such that the processor 705 is able to execute the programming code. For example, the compiling process of the software program may generate an executable program that provides encoded instructions (e.g., machine code instructions) for processor 705 to accomplish specific, non-generic, particular computing functions.
After the compiling process, the encoded instructions may then be loaded as computer executable instructions or process steps to processor 705 from storage device 720, from memory 710, and/or embedded within processor 705 (e.g., via a cache or on-board ROM). Processor 705 may be configured to execute the stored instructions or process steps in order to perform instructions or process steps to transform the computing device into a non-generic, particular, specially programmed machine or apparatus. Stored data, e.g., data stored by a storage device 720, may be accessed by processor 705 during the execution of computer executable instructions or process steps to instruct one or more components within the computing device 700.
A user interface (e.g., output devices 715 and input devices 730) can include a display, positional input device (such as a mouse, touchpad, touchscreen, or the like), keyboard, or other forms of user input and output devices. The user interface components may be communicatively coupled to processor 705. When the output device is or includes a display, the display can be implemented in various ways, including by a liquid crystal display (LCD) or a cathode-ray tube (CRT) or light emitting diode (LED) display, such as an organic light emitting diode (OLED) display. Persons of ordinary skill in the art are aware that the computing device 700 may comprise other components well known in the art, such as sensors, power sources, and/or analog-to-digital converters, not explicitly shown in
Certain terms have been used throughout this description and claims to refer to particular system components. As one skilled in the art will appreciate, different parties may refer to a component by different names. This document does not intend to distinguish between components that differ in name but not function. In this disclosure and claims, the terms “including” and “comprising” are used in an open-ended fashion, and thus should be interpreted to mean “including, but not limited to . . . .” Also, the term “couple” or “couples” is intended to mean either an indirect or direct wired or wireless connection. Thus, if a first device couples to a second device, that connection may be through a direct connection or through an indirect connection via other devices and connections. The recitation “based on” is intended to mean “based at least in part on.” Therefore, if X is based on Y, X may be a function of Y and any number of other factors.
The above discussion is meant to be illustrative of the principles and various implementations of the present disclosure. Numerous variations and modifications will become apparent to those skilled in the art once the above disclosure is fully appreciated. It is intended that the following claims be interpreted to embrace all such variations and modifications.