1. Patent Search
  2. Details

METHOD OF IMPLEMENTING ENTERPRISE CYBER REPORTS

20220377092 · 2022-11-24

    Inventors

    Cpc classification

    International classification

    Abstract

    A method for generating enterprise cyber reports through linking IP access control logic with error handler and audits compartmentalized by web application for different user groups with multiple monitoring tools data. Business logic may be defined in access control tables for multiple user groups sharing multiple different application data and programmable access control logic applied to subfolders within the website subfolders based on functional user group role permissions. A common network event field name may be used to map multiple different monitoring tools data into common field alias. The field alias mapping allows multiple networking capture tools to be included within the same cyber report. Joining multiple network events field alias with an IP location allows for groups of different IP zone reports to be created within the enterprise being monitored by different monitoring tools.

    Claims

    1. A method for implementing enterprise cyber reports for a plurality of user groups sharing web applications, the method comprises: defining a set of rules indicative of a normal event for the plurality of user groups; and linking one or more network data sets with error and audit tables to each of the web applications, wherein each of the one or more network data sets are linked to error and audit tables that are compartmentalized by web application for each of the user groups with a plurality of monitoring tools data.

    2. The method of claim 1, wherein defining the set of rules is provided through an access control table for each of the plurality of user groups.

    3. The method of claim 2, wherein the set of rules comprises an application of programmable access control logic applied to subfolders or files within the respective web application.

    4. The method of claim 3, wherein the application of programmable access control logic is based on functional user group role permissions.

    5. The method of claim 4, further comprises mapping a network event field name of each data element of each of the plurality of monitoring tools data into a common field alias.

    6. The method of claim 5, further comprises joining network traffic and event data with an IP location linked to a user.

    7. The method of claim 6, further comprises generating a cyber report comprising a normal event baseline for the plurality of user groups based on said set of rules.

    8. The method of claim 7, wherein the cyber report comprises an abnormal event baseline for the plurality of user groups based on said set of rules.

    9. The method of claim 8, wherein the cyber report comprises a definition of one or more firewall alerts based on the normal and abnormal event baselines.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0020] FIG. 1 is an enterprise relationship diagram (ERD) illustrating defining the Server Environment, Apps, Roles and IP Zones to Restrict Folder and File Access, and Network Monitoring Tool Attribute Mapping to Error and Audit Table Fields for Cyber Reports. In this ERD example, with approved IP zones and zero trust lockdown to a user's workstation, views may be created to improve process performance. For instance, using a loose IP zone (FIPS IP, VPN, or Subnets) with IP ranges or a workstation zero trust model, enables clients to create different access controls per their security policies.

    [0021] FIG. 2 is a workflow diagram illustrating a new method to define IP zone roles, server & app setup, and day/time logic—AppRoleZones & AppFolderFileRoles.

    [0022] FIG. 3 is a workflow diagram illustrating a normal HR onboarding process with an app role(s) request.

    [0023] FIG. 4 is a workflow diagram illustrating new method employee request app access for each role zone.

    [0024] FIG. 5 is a workflow diagram illustrating the new method for login and page security checks—AppRoleZones & AppFolderFileRoles.

    DETAILED DESCRIPTION OF THE INVENTION

    [0025] The following detailed description is of the best currently contemplated modes of carrying out exemplary embodiments of the invention. The description is not to be taken in a limiting sense but is made merely to illustrate the general principles of the invention since the scope of the invention is best defined by the appended claims.

    [0026] By defining functional group logic (ex., Server, Admin, Power Users, Developers, and Testing teams) as opposed to the standard user's actions, one may be able to see the different IP/port endpoints, traffic patterns, and defined approved traffic for each user group.

    [0027] With the error and audit reports, normal and abnormal behavior can be defined for different user groups. Reports can be created to display different group usage or errors per application.

    [0028] Network monitoring tools may be configured to output to XML, JSON, or other file formats for other programs to import and read. Simple output logs and/or ELK may be used by the Cyber Teams to look for issues. Additionally, normal and abnormal actions need to be defined for the rules to work correctly.

    [0029] The development team can add new developers or users with special access needs to the Frameworks Users tables and assign group roles per their job duties. The cyber team can be emailed when the form is submitted to update the cyber team to allow access from a new workstation to any current firewall rules. The cyber team can also run reports to confirm that their firewall rules match the business logic within the framework embodied in the present invention. Also, more frequent compliance reports can be run for users with elevated privileges by checking business logic against IP Zone and allowed working time logic for each of the user groups.

    [0030] The inventive framework stores the business logic for each user group. Those reports can be viewed by both the cyber and development teams for compliance, and the reports create an audit trail for changes. This allows cyber teams to check their configuration rules of network resources for any compromise of information assurance and help identify network issues.

    [0031] The addition of the defining IP range information for user groups with approved program ports can clearly define the approved network traffic. Those reports can be used to define the business logic for network and firewall configuration and for business compliance and policy reviews by all parties involved in systems security.

    [0032] Each user group will have a defined set of actions and a subset of actions that indicate normal behavior. By linking Error Handling and Audits tables to those cyber rules for each user group, normal and abnormal events can be queried in reports.

    [0033] Again, too many times, people think Al will define and catch abnormal actions; the grouping of different user types and event actions within the model can assist with defining accepted traffic logic and creates a baseline for abnormal and normal usage. Those cyber event trends and reports can be reviewed and allow for defining firewall rules, and network alerts with user-group-defined baseline data to improve the firewall rules and alerts.

    [0034] Defining user types, IP zones, port protocols, and other variables for different web applications and user groups to limit access to functional folders and files creates business logic for admin pages, data modeler folders, etc., and defines access controls. This applies access controls using IP zones and VPN IP ranges or workstation lockdown for different groups, protecting sensitive folders and/or files by limiting access to approved IPs. For example, a developer's office workstation during normal working hours.

    [0035] ColdFusion™ allows one to lock the server admin pages by restricting them to specific IP addresses. This framework expands that and provides an extra check within the application scope of each of the application's functional folders and allows for an additional time check for working hours. This extra check can be added on the pages or folder scope to restrict access to approved roles and the approved IP bypassing the user information into queries on page load. The framework tables store the business logic used within the security tables in the framework and address different functional subfolders, approved users, and group access logic with approved IP/port information.

    [0036] The following is an example of restricting access to the same users, such as employees checking their own HR information from home. One may not want them to have access to the HR admin pages unless they are logged into the site using a VPN or at their desk. Another example may be having a rule that limits report developers to only work from a VPN group with a defined IP range or computers located at the office from their assigned desk. By linking the network events log files or a network event data repository to error and audits data, the framework can create reports for normal and abnormal usage.

    [0037] Those reports use the business logic defined in the access control tables for approved traffic per user group and application. The reports can filter on approved users and/or matched IP addresses versus out of range IP addresses and ports trying to access the web or database servers.

    [0038] In sum, by linking application logging to another network event data source, the framework can provide insight into issues across different environments, and network objects that the application relies on for the website to load successfully. This framework provides a more complete cyber event report by linking the data in the Error and Audit tables compartmentalized and grouped by application team. The cyber reports can help identify and pinpoint what happened, how it happened, and pinpoint any access control issues with applications with sensitive data used by multiple user groups with different network traffic logic.

    Forms and Tables

    [0039] Forms are used to capture and load tables that define the business logic for each different application's user group. Security files are programmatically created, setting variables used to query the security logics tables and control access to folders and files based on functional permission groups.

    [0040] Those tables allow for the creation of predefined reports that can be customized by each client creating reports linking network-cyber event data to the Error and Audit reports. Clients will be able to pick from multiple network event data sources for a flexible reporting solution.

    [0041] The core tables that define the business logic and access controls for the framework are described at a high level without primary and foreign keys, and the table name and fields, and data are examples to demonstrate the disclosure:

    TABLE-US-00001 Program Ports Table Program Name Port FTPS 22 HTTPS 443 HTTPS 8443 MSSQL 1433 mySQL 3306 Oracle 1521 Windows Remote Desktop 3389
    This table stores the approved programs and port numbers used by the enterprise. This is a custom table the Server Admin needs to enter per the approved software allowed on the network.

    TABLE-US-00002 Server Roles Table Server Role Program Name Port WebServer FTPS 22 WebServer HTTPS 443 WebServer HTTPS 8443 WebServer Windows Remote Desktop 3389 Database -MSSQL MSSQL 1433 Database -MSSQL Windows Remote Desktop 3389 Database -mySQL mySQL 3306 Database -mySQL Windows Remote Desktop 3389 Database -Oracle Oracle 1521 Database -Oracle Windows Remote Desktop 3389
    There is a form that updates this table that includes the approved programs. The Server Admin defines the roles and approved software allowed with a form based on the policy of the enterprise. This table stores the generic ports with the server's primary role. Examples can include web or database, or file server.

    TABLE-US-00003 Server Info Table IP Server Allowed Server Name Address Role Ports (Custom) Server01 10.XXX.XXX Web Server 22, 443, 3389 Server02 10.XXX.XXX Database - Oracle 1521, 3389
    A form updates this table data, which includes the server hostname, primary role, IP address, and custom ports. Server Admins can remove programs or ports once they select the server's primary role.

    TABLE-US-00004 IP FIPS FIPS (Country, IP State, City Code) Range US  .sub. 63.XXX.XXX to XXX.XXX.XXX FR 103.XXX.XXX to 104.XXX.XXX

    TABLE-US-00005 IP VPN Groups VPN Group Name IP Range US - Server Admins 68.10.XXX US - Developer 68.20.XXX FR - Developer 68.22.XXX FR - Managers 68.32.XXX US - Employees 68.30.XXX FR - Employees 68.33.XXX

    TABLE-US-00006 IP SubNets SubNet Name IP Range Tech Building 10.XXX.100-125 HR Building 10.XXX.130-140

    TABLE-US-00007 IP WorkStations WorkStation Name IP Range DBA WorkStation 10.XXX.111 Data Modeler WorkStation 10.XXX.112

    TABLE-US-00008 Server Apps Table App Allowed Ports Server Name Name (Custom) Server01 HR Time Tracking 22, 443, 3389 Server02 HR Time Tracking 1521, 3389
    There is a form that updates this table data, which includes the allowed ports on the server, but also lists each application with a custom port to further restrict access to each custom application with a custom port list.

    TABLE-US-00009 AppRoleZones Table IP Zones (FIPS Allowed Time Time Country/VPN IP Ports AppName AppRole WorkDays Start End Group Etc) Range (Custom) Time Server M, T, W, T, F 6 am 9 pm US - Tech 10.XXX.100-105 22, 443, 3389 Admin Building On-Site Time Server S, M, T, W, T, F, S 12 am 12 pm US Off 68.10.XXX 443, 3389 Admin Site Off-Site Time DBA M, T, W, T, F 6 am 9 pm US - Tech 10.XXX.111 1521, 3389  On- Building Site Time Data M, T, W, T, F 6 am 9 pm US - Tech 10.XXX.112 443 Modeler Building On-Site Time Developer M, T, W, T, F 6 am 9 pm US - Tech 10.XXX.120-125 443, 3389 On-Site Building Time Developer S, M, T, W, T, F, S 12 am 12 pm US - 68.20.XXX 443 Off-Site Developer Off Site Time Developer S, M, T, W, T, F, S 12 am 12 pm FR - 68.22.XXX 443 Off-Site Developer (FR) Off Site Time Power S, M, T, W, T, F, S 12 am 12 pm US - HR 10.XXX.130-140 443 User Building (Manager) Time Power S, M, T, W, T, F, S 12 am 12 pm FR - VPN 68.32.XXX 443 User Managers (Manager) (FR) Time Employee S, M, T, W, T, F, S 12 am 12 pm US - VPN 68.30.XXX 443 Employees Time Employee S, M, T, W, T, F, S 12 am 12 pm FR - VPN 68.33.XXX 443 (FR) Employees

    [0042] This expands the Server and Application Table with user groups and IP or IP ranges, allowing for custom IP and Port controls for different user groups. An example may be an On-Site or Off-Site role with work time checks for admin or developers.

    TABLE-US-00010 App Folder File Roles Table Root Sub AppName AppRoles Folder Folder Files HR Time Server Admin HR-Time HR-Time/ADMIN AddUser.cfm Tracking On-Site HR Time Server Admin HR-Time HR-Time/ADMIN ReviewUser.cfm Tracking Off-Site HR Time Data Modeler HR-Time HR-Time/DATAMODELS CreateModel.cfm Tracking On-Site HR Time Developer HR-Time HR-Time/DATAMODELS ReviewModel.cfm Tracking On-Site HR Time Developer HR-Time HR-Time/REPORTS CreateReport.cfm Tracking On-Site HR Time Developer HR-Time HR-Time/DASHBOARDS CreateDashboard.cfm Tracking On-Site HR Time Developer HR-Time HR-Time/REPORTS ViewReport.cfm Tracking Off-Site HR Time Developer HR-Time HR-Time/DASHBOARDS ViewDashboardLayout.cfm Tracking Off-Site HR Time Developer HR-Time HR-Time/DASHBOARDS EditDashboardLayout.cfm Tracking Off-Site (FR) HR Time Power User HR-Time HR-Time/DASHBOARDS ViewDashboard.cfm Tracking (Manager) HR Time Power User HR-Time HR-Time/DASHBOARDS ViewDashboard.cfm Tracking (Manager) (FR) HR Time Employee HR-Time HR-Time/DASHBOARDS ViewDashboard.cfm Tracking HR Time Employee (FR) HR-Time HR-Time/DASHBOARDS ViewDashboard.cfm Tracking
    A form updates this table data, which includes the application folders and allowed App Roles. This table is used to create the extra security logic and checks for IP zones or IP ranges, custom-allowed web ports, and allows for access checks for each folder. A security file is used to query the current remote host's IP and access method, along with checking day and time restrictions.

    TABLE-US-00011 UsersRoles Table Fields (High Level) Field Name Description USERID This field stores the custom defined userid assigned by the organization CERT_SUBJECT This field stores cert that is in the CGI CERT_SUBJECT VPN Group Name This field stores the VPN group the user should use SubNet Name This field Stores the SubNet location for the user's workstation WorkStation Name This field stores the workstation name, which is assigned to a SubNet AppRole This field stores the AppRole(s) name that is assigned to the user. AppRoleStartDate This field stores the AppRole Start Date that is assigned to the user. AppRoleEndDate This field stores the AppRole End Date that is assigned to the user.

    [0043] The connection method for each user is gathered during the approval process based on what connection permissions are assigned to each role. Some fields may be blank examples, VPN, or CERT_SUBJECT based on the role requirements defined by the organization.

    Network Event Attributes Mapping

    [0044]

    TABLE-US-00012 ColdFusion CGI Server - Source and Target DNS or IP Address and Port SERVER_NAME Server's hostname, DNS alias, or IP address as it appears in self-referencing URLs. SERVER_PORT Port number to which the request was sent. REMOTE_HOST Hostname making the request. If the server does not have this information, it sets REMOTE_ADDR and does not set REMOTE_HOST. REMOTE_ADDR IP address of the remote host making the request.
    CGI variables are used in the Error and Audit tables of the disclosure, and the variable and field names do not match for different monitoring tools. Each network monitoring tool has different names for some of the CGI variables used to capture network event data. Some common attributes are the source and target IP addresses and ports. Snort breaks the protocol for the ports into two different tables; other tools store this as a simple protocol column with the value of TCP or UDP.

    TABLE-US-00013 Snort-mySQL Table.Field sensor.hostname iphdr.ipsrc iphdr.ipdst tcphdr.tcp_sport tcphdr.tcp_dport udphdr.udp_sport udphdr.udp_dport
    Nmap uses a simple one line of data in a row, and the fields are as in the next figure.

    TABLE-US-00014 Nmap Destination Source Protocol

    [0045] By mapping the attributes into a table with a common field alias, multiple networking tools can be mapped to join to the ColdFusion variables. This example is just a high level of some of the data that ColdFusion can capture. While a few more variables can be used, but to explain this mapping, I will use the SERVER_NAME and REMOTE variables.

    [0046] In ColdFusion, the CGI variables put DNS and IP address in the same variable called CGI SERVER_NAME. This application uses a logic check to split and store this variable into different columns. The ERRORS and AUDITS tables will be modified to separate a valid DNS and valid IP with SERVER_NAME, catching what does not pass the valid DNS or IP checks. The ERRORS and AUDITS tables will then have the SERVER_DSN and SERVER_IP fields that the cyber reports can use for joining data to create reports using the mapping model. Those mapping joins will easily be grouped to create IP Zone views that can be filtered and grouped based on DSN names or IP ranges for both developers and cyber teams to support the web application.

    Logic Checks on Some CGI Variables Allows for Custom Mapping of Different Monitoring Tools

    [0047]

    TABLE-US-00015 CGI Variables Used Error and New Reporting Columns For Audit Table DSN or IP Zone Reporting Nmap Snort SERVER_NAME SERVER_NAME SERVER_DSN sensor.hostname SERVER_IP Destination iphdr.ipdst REMOTE_HOST REMOTE_ADDR Source iphdr.ipsrc

    [0048] This mapping table also allows multiple monitoring tools to be used in the same report without linking to the Error or Audit tables if the cyber team needs any custom reports.

    Cyber Event Data—File Version ETL

    [0049] The cyber team needs to grant access to logs or output data filtering by to the application network objects. Let's say we are still talking about an HR system with an HR Time application.

    [0050] Step 1

    [0051] The cyber team would start NMap, WireShark, or Snort filtering and monitoring on the Web Server and the HR Time application with the output flag set to a readable format by ColdFusion.

    [0052] The cyber team would start NMap, WireShark, or Snort filtering and monitoring the HR Time Server database and any other application resources with the output flag set to a readable format by ColdFusion

    [0053] *Note: if multiple applications use the same network resources, there is only a need to pull that data in once.

    [0054] Step 2

    [0055] The output files can be copied into a folder with permissions so the ColdFusion server can read, copy, or rename and move the files to an archive folder as it processes the log files.

    [0056] Step 3

    [0057] The application or cyber team would use the network file form within the framework to define the XML, JSON, or other readable files to map the data file field names to the standard field names used within the framework. Each tool may use a different field naming for common fields, so the framework field names need to be mapped for the reports to work correctly.

    [0058] Step 4

    [0059] A scheduled task can be created in ColdFusion to run the framework files that process the data and load the data stored in a database table. Views are created to join the Network events and Error and Audits with the business logic tables looking for trends between Errors and Audits issues and gathering information pinpointing issues with information assurance and troubleshooting network issues more proactively.

    Cyber Event Data—Database or API ETL

    [0060] Step 1

    [0061] The cyber team would grant access to the database, for example, Snort, or provide the API login information for ELK, Splunk, CrowdStrike, or other monitoring tools. The API can be filtered to provide limited output to only the network objects required for each application.

    [0062] Step 2

    [0063] The cyber team and developers for each application team need to confirm the output from the API or database queries to confirm the data pulled is limited to the network objects for each Application.

    [0064] *Note: if multiple applications use the same network object, there is only a need to pull that data in once.

    [0065] Step 3

    [0066] The cyber team and developers would use the network natabase or API form in the Framework to define the database fields, API, or JSON return field mapping the standard field names within the framework. Each tool may use a different field naming for common fields, so the framework fields need to be mapped for the reports to work correctly.

    [0067] Step 4

    [0068] A scheduled task can be created for a ColdFusion™ to run the framework files that process the data that can be stored in a database table within the Framework to look for trends between errors and audits. This allows for troubleshooting network issues in a more proactive manner.

    [0069] Website logs are limited and include error and audit events from the enterprise's endpoints monitoring tools. Those cyber reports can help define business logic used by both development and cyber teams to secure applications with sensitive data. Those reports can create a baseline report for normal (audits) and abnormal (error) reports when linked to the network/cyber event data. They also can assist with compliance audits and firewall rules and alerts for the cyber teams.

    [0070] By linking the cyber event time reports to the error handling and audits reports, one will see actions outside the scope of just the web server logs. The reports use defined, approved business logic for different group usage allowing the cyber team to create more detailed firewall alerts. The reports also create an abnormal and normal usage baseline for multiple user groups that share multiple applications on the same web server, database, or file servers.

    [0071] Business logic is defined in access control tables for multiple user groups sharing multiple different application data and programmable access control logic applied to subfolders within the website subfolders based on functional user group role permissions, with IP zones and logic checks and allows for web items access to be controlled. Examples can include menu items, dashboard panels, page sections but are not limited to those web page items but any object that can be inside a security container that checks tables for role access.

    [0072] The ordered combination of various ad hoc and automated tasks in the presently disclosed platform necessarily achieves technological improvements through the specific processes described in more detail below. In addition, the unconventional and unique aspects of these specific automation processes represent a sharp contrast to merely providing a well-known or routine environment for performing a manual or mental task.

    [0073] It should be understood, of course, that the foregoing relates to exemplary embodiments of the invention and that modifications may be made without departing from the spirit and scope of the invention as set forth in the following claims.