This disclosure relates to security provisioning.
The prevalence and accessibility of computer networks requires security measures to protect valuable information and to ensure that users of the computer networks are using network resources in accordance with one or more security and usage policies. An enterprise, for example, can implement such security measures by use of a layered security system. Such a layered security system can be implemented at the network edge of the enterprise, e.g., firewalls, gateway security agents, etc. Additionally, a layered security system can also include security processes and agents that are implemented throughout the enterprise, e.g., virus scanning software on each computer device within the enterprise, content filtering software, content monitoring software, etc.
Such layered security systems are prone to processing inefficiencies and can require many resources within the enterprise to maintain the systems. For example, many layered security systems do not implement a distribution infrastructure to communicate and share content intelligence. This results in repeated processing of both good and bad content. Many layered security systems also cannot readily maintain a central data store of threat data that classifies content items such as files, uniform resource locators (URLs), and e-mails according to security classifications (e.g., virus, malware, spam mail, etc.).
Additionally, generating a consolidated security view of the enterprise is a difficult process, as this requires collecting data from different locations and user groups and arranging the data in a common time order before abstracting and generating reports. Due to the disparity in security products across locations, it is difficult to capture the information in a common format.
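The normalization step described above, as an added example that is not part of the original disclosure: records from three hypothetical sources at different sites (a firewall syslog line, a web gateway JSON record, an endpoint anti-virus CSV row) are parsed into one common schema, their local timestamps converted to UTC using assumed per-site offsets, and the result ordered into a single timeline. All sample records, host names, site offsets and the assumed year are constructed for this example.

```python
"""Normalize security records from heterogeneous sources into a common schema
and arrange them in one UTC time order (added example; all data is constructed)."""
from datetime import datetime, timezone, timedelta
import csv
import io
import json
import re

# Assumed local UTC offsets for sources that log in site-local time (constructed).
SITE_UTC_OFFSET = {"nyc": timedelta(hours=-5), "sfo": timedelta(hours=-8)}
ASSUMED_YEAR = 2024  # syslog lines carry no year; assumption for this sample

# Constructed sample records from three hypothetical sources.
FIREWALL_SYSLOG = [
    "Mar 03 14:05:09 fw-nyc kernel: DROP src=10.1.2.3 dst=203.0.113.7 proto=TCP dpt=443",
    "Mar 03 14:07:41 fw-nyc kernel: ACCEPT src=10.1.2.9 dst=198.51.100.4 proto=TCP dpt=80",
]
GATEWAY_JSON = [
    '{"ts":"2024-03-03T19:06:15Z","user":"alice","url":"http://example.test/a","verdict":"clean"}',
    '{"ts":"2024-03-03T19:04:58Z","user":"bob","url":"http://bad.example/x","verdict":"malware"}',
]
ENDPOINT_CSV = (
    "time,host,file,classification\n"
    "2024-03-03 11:06:30,lt-sfo-17,C:\\Users\\bob\\setup.exe,virus\n"
)

FIREWALL_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
)


def to_utc(local_dt, offset):
    """Convert a naive site-local datetime to an aware UTC datetime."""
    return (local_dt - offset).replace(tzinfo=timezone.utc)


def parse_firewall(line, site):
    """Syslog-style firewall line -> common event (site-local time, no year)."""
    m = FIREWALL_RE.match(line)
    if not m:
        raise ValueError("unrecognised firewall line: " + line)
    local = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    action_map = {"DROP": "blocked", "ACCEPT": "allowed"}
    return {
        "time": to_utc(local, SITE_UTC_OFFSET[site]),
        "site": site, "source": "firewall",
        "subject": m["src"], "object": m["dst"],
        "classification": action_map.get(m["action"], "unknown"),
    }


def parse_gateway(line, site):
    """Gateway JSON record -> common event (already in UTC)."""
    rec = json.loads(line)
    t = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": t, "site": site, "source": "gateway",
            "subject": rec["user"], "object": rec["url"],
            "classification": rec["verdict"]}


def parse_endpoint(csv_text, site):
    """Endpoint AV CSV export -> list of common events (site-local time)."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        local = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        events.append({"time": to_utc(local, SITE_UTC_OFFSET[site]), "site": site,
                       "source": "endpoint", "subject": row["host"],
                       "object": row["file"], "classification": row["classification"]})
    return events


def consolidated_timeline():
    """All sources merged into one list, ordered by UTC time."""
    events = [parse_firewall(l, "nyc") for l in FIREWALL_SYSLOG]
    events += [parse_gateway(l, "hq") for l in GATEWAY_JSON]
    events += parse_endpoint(ENDPOINT_CSV, "sfo")
    return sorted(events, key=lambda e: e["time"])


def summarize(events):
    """Count events per security classification for a consolidated report."""
    counts = {}
    for e in events:
        counts[e["classification"]] = counts.get(e["classification"], 0) + 1
    return counts


if __name__ == "__main__":
    for e in consolidated_timeline():
        print(e["time"].isoformat(), e["site"], e["source"], e["classification"], e["object"])
    print(summarize(consolidated_timeline()))
```

The ordering only becomes correct once every source's timestamp is converted to a common zone; the firewall entry logged at 14:05 local actually precedes the gateway entry logged at 19:06 UTC, which the raw strings alone would not reveal.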
Finally, many of the existing security solutions have limited real-time or data mining capabilities. In particular, many of the existing security solutions have limited capabilities for detecting potentially surreptitious activities of users. For example, an entity, such as an enterprise, may define a list of prohibited resource locations, e.g., a list of prohibited URLs. However, users can attempt to access the prohibited resource locations by use of anonymous proxy servers. Such proxy servers service the requests of their clients by forwarding requests to other servers, such as the servers that are prohibited by the enterprise. Thus, by using a proxy server, a user can access prohibited web sites.
Some security systems can access a list of known proxy servers, e.g., a list of IP addresses associated with proxy servers, or the URLs of the proxy servers, and block HTTP requests and responses for the proxy servers, i.e., communication to or from the proxy servers. Traffic from these servers can be blocked by the security system. However, new proxy servers may appear or an address associated with an existing proxy server can change, and thus maintaining a list of all proxy servers for blocking capabilities is time consuming and expensive, and often not possible.
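The list-based policy described in the two paragraphs above, and the gap it leaves, as an added example that is not part of the original disclosure: a request is blocked if its destination is on the prohibited-host list or if its host name or resolved address is on the known-proxy list, while a request to a proxy that is not yet on the list is allowed by the lists alone. The `audit` function adds a review flag, not described in the text, for allowed requests whose URL embeds a prohibited host; the policy entries, host names, addresses and the stand-in DNS table are all constructed for this example.

```python
"""List-based blocking of prohibited destinations and known proxies, plus a
review flag for requests the stale proxy list lets through (added example;
all policy data and the DNS stand-in are constructed)."""
from urllib.parse import urlparse, parse_qsl
import ipaddress

# Constructed policy data for this example (not from the original text).
PROHIBITED_HOSTS = {"gambling.example", "leaks.example"}
KNOWN_PROXY_HOSTS = {"proxy-a.example"}
KNOWN_PROXY_IPS = {ipaddress.ip_address("198.51.100.10")}

# Constructed stand-in for DNS resolution so the example runs offline.
FAKE_DNS = {
    "gambling.example": "203.0.113.5",
    "www.gambling.example": "203.0.113.5",
    "proxy-a.example": "198.51.100.10",
    "proxy-new.example": "198.51.100.77",   # a proxy not yet on any list
    "intranet.example": "10.0.0.8",
}


def host_matches(host, names):
    """True if host equals, or is a subdomain of, any name in names."""
    return any(host == n or host.endswith("." + n) for n in names)


def evaluate(url, resolve=FAKE_DNS.get):
    """Apply the prohibited-host and known-proxy lists to one request URL."""
    host = (urlparse(url).hostname or "").lower()
    if host_matches(host, PROHIBITED_HOSTS):
        return "block", "prohibited-destination"
    ip = resolve(host)
    if host_matches(host, KNOWN_PROXY_HOSTS) or (
            ip and ipaddress.ip_address(ip) in KNOWN_PROXY_IPS):
        return "block", "known-proxy"
    return "allow", "no-list-match"


def embedded_prohibited_hosts(url):
    """Prohibited hosts that appear as URLs inside the path or query string."""
    parsed = urlparse(url)
    candidates = [parsed.path] + [v for _, v in parse_qsl(parsed.query)]
    found = set()
    for c in candidates:
        inner = urlparse(c).hostname
        if inner and host_matches(inner.lower(), PROHIBITED_HOSTS):
            found.add(inner.lower())
    return found


def audit(urls):
    """Decide each request by the lists; flag allowed ones that carry a
    prohibited host, which is where an unlisted proxy would show up."""
    report = []
    for u in urls:
        decision, reason = evaluate(u)
        flagged = decision == "allow" and bool(embedded_prohibited_hosts(u))
        report.append({"url": u, "decision": decision,
                       "reason": reason, "review": flagged})
    return report


# Constructed sample requests as a gateway would see them.
SAMPLE_REQUESTS = [
    "http://intranet.example/portal",
    "http://www.gambling.example/bet",
    "http://proxy-a.example/browse.php?u=http://gambling.example/",
    "http://proxy-new.example/browse.php?u=http://gambling.example/",
]

if __name__ == "__main__":
    for row in audit(SAMPLE_REQUESTS):
        print(row)
```

The fourth sample request is the case the text describes: the destination is a proxy that is on no list, so `evaluate` allows it, and only the review flag records that the lists are incomplete. That flag is a triage aid for whoever maintains the list, not a replacement for it.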