Patents by Inventor Tal Joseph MAOR
Tal Joseph MAOR has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11818157
Abstract: The detection of a risky edge in a lateral movement path is detected by determining the weakest point in the configuration of the user accounts, groups, and devices having access to the resources of a tenant of the cloud service. A lateral movement graph having nodes of user accounts, devices, and groups and edges representing relationships between the nodes is used to compute a risk score for each edge in the graph. The risk score of an edge is used to identify a weak connection and potential target for a lateral movement attack.
Type: Grant
Filed: December 31, 2019
Date of Patent: November 14, 2023
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC.
Inventors: Tal Joseph Maor, Shahar Nussbaum, Or Tsemah, Dan Yaari
-
Patent number: 11550902
Abstract: Techniques are described herein that are capable of using security event correlation to describe an authentication process. Multiple events may describe a common (i.e., same) attempt to authenticate the user. For instance, a first event may include a first description of the attempt, a second event may include a second description of the attempt, and a third event may include a third description of the attempt. The first, second, and third events may be correlated based at least in part on the first, second, and third descriptions. The first, second, and third events may be aggregated to provide an aggregated event that includes an aggregation of the first, second, and third descriptions. An authentication report may be generated to include the aggregation of the first, second, and third descriptions to describe the authentication process.
Type: Grant
Filed: January 2, 2020
Date of Patent: January 10, 2023
Assignee: Microsoft Technology Licensing, LLC
Inventors: Tal Joseph Maor, Mor Rubin, Noa Goren, Yaron Kaner
-
Publication number: 20220417265
Abstract: Aspects of the technology described herein detect potential security breaches in delegate applications by monitoring communications received from a delegate application. Anomalies in the delegate application communications can indicate that the delegate application has been breached and is now being controlled by an entity other than an authorized entity. An anomaly may be a new or unusual attribute value within the delegate-application's communication. Initially, the anomaly detection system may build a baseline of attribute values for a single delegate application within a single tenant and separate baseline for the tenant. If the attribute value is anomalous to both the application-specific baseline and the tenant-specific baseline then the message may be designated as anomalous. Mitigation can then be undertaken.
Type: Application
Filed: June 29, 2021
Publication date: December 29, 2022
Inventors: Tal Joseph MAOR, Idan BRUSILOVSKY, Amir Ben AMI, Amos Avraham RIMON, Adi Rose LEFKOWITZ
-
Patent number: 11397805
Abstract: A lateral movement path detector is disclosed. Data is gathered via programmatic access to a management service director through a REST API endpoint. The data is grouped into a graph having nodes of users, groups, and devices. The nodes coupled together via edges. A visualization of the graph is provided to illustrate lateral paths of the management service directory.
Type: Grant
Filed: May 9, 2019
Date of Patent: July 26, 2022
Assignee: Microsoft Technology Licensing, LLC
Inventor: Tal Joseph Maor
-
Publication number: 20220150277
Abstract: A system to detonate malware received from a delegated access link provided to a user is disclosed. An application is received via a delegated access link provided to the user. A verdict is determined on the delegated access link. If the verdict on the delegated access link is unknown the application is opened in a laboratory user based on the user, and activities of the application are monitored. A verdict on the delegated access link is determined based on whether monitored activities include suspicious activities.
Type: Application
Filed: November 11, 2020
Publication date: May 12, 2022
Applicant: Microsoft Technology Licensing, LLC
Inventors: Tal Joseph Maor, Guy Pergal, Moshe Ben Nehemia
-
Patent number: 11108818
Abstract: Cybersecurity is enhanced to detect credential spray attacks. Accounts with access failure events are divided into buckets B1 . . . BN based on access failure count ranges R1 . . . RN. For instance, accounts with one logon failure may go in B1, accounts with two failures in B2, etc. Buckets will thus have account involvement extents E1 . . . EN, which are compared to thresholds T1 . . . TN. An intrusion detection tool generates an alert when some Ei hits its Ti. Detection may spot any credential sprays, not merely password sprays. False positives may be reduced by excluding items from consideration, such as logon attempts using old passwords. False positives and false negatives may be balanced by tuning threshold parameters. Breached accounts may be found. Detection may also permit other responses, such as attack disruption, harm mitigation, and attacker identification. Credential spray attack detection may be combined with other security mechanisms for defense in depth of cloud and other network accounts.
Type: Grant
Filed: February 17, 2019
Date of Patent: August 31, 2021
Assignee: Microsoft Technology Licensing, LLC
Inventors: Tal Joseph Maor, Gal Zeev Bruchim, Igal Gofman, Itai Grady Ashkenazy
-
Publication number: 20210209228
Abstract: Techniques are described herein that are capable of using security event correlation to describe an authentication process. Multiple events may describe a common (i.e., same) attempt to authenticate the user. For instance, a first event may include a first description of the attempt, a second event may include a second description of the attempt, and a third event may include a third description of the attempt. The first, second, and third events may be correlated based at least in part on the first, second, and third descriptions. The first, second, and third events may be aggregated to provide an aggregated event that includes an aggregation of the first, second, and third descriptions. An authentication report may be generated to include the aggregation of the first, second, and third descriptions to describe the authentication process.
Type: Application
Filed: January 2, 2020
Publication date: July 8, 2021
Inventors: Tal Joseph Maor, Mor Rubin, Noa Goren, Yaron Kaner
-
Publication number: 20210203684
Abstract: The detection of a risky edge in a lateral movement path is detected by determining the weakest point in the configuration of the user accounts, groups, and devices having access to the resources of a tenant of the cloud service. A lateral movement graph having nodes of user accounts, devices, and groups and edges representing relationships between the nodes is used to compute a risk score for each edge in the graph. The risk score of an edge is used to identify a weak connection and potential target for a lateral movement attack.
Type: Application
Filed: December 31, 2019
Publication date: July 1, 2021
Inventors: TAL JOSEPH MAOR, SHAHAR NUSSBAUM, OR TSEMAH, DAN YAARI
-
Patent number: 10915622
Abstract: Embodiments are directed to monitoring local users' activity without installing an agent on a monitored machine. Periodic scans of the local users' directory using the standard protocol messages and APIs of a remote admin interface provide access to local machine data. Using the remote admin interface, defenders gain visibility to local users' logons, group membership, password changes, and other parameters. Security applications enabled by this visibility include, but are not limited to, abnormal logons detection, abnormal group addition and removal detection, and abnormal password changes detection.
Type: Grant
Filed: June 20, 2017
Date of Patent: February 9, 2021
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Marina Simakov, Tal Be'ery, Itai Grady Ashkenazy, Chaim Menachem Hoch, Tal Joseph Maor
-
Publication number: 20200356664
Abstract: A lateral movement path detector is disclosed. Data is gathered via programmatic access to a management service director through a REST API endpoint. The data is grouped into a graph having nodes of users, groups, and devices. The nodes coupled together via edges. A visualization of the graph is provided to illustrate lateral paths of the management service directory.
Type: Application
Filed: May 9, 2019
Publication date: November 12, 2020
Applicant: Microsoft Technology Licensing, LLC
Inventor: Tal Joseph Maor
-
Publication number: 20200267178
Abstract: Cybersecurity is enhanced to detect credential spray attacks. Accounts with access failure events are divided into buckets B1 . . . BN based on access failure count ranges R1 . . . RN. For instance, accounts with one logon failure may go in B1, accounts with two failures in B2, etc. Buckets will thus have account involvement extents E1 . . . EN, which are compared to thresholds T1 . . . TN. An intrusion detection tool generates an alert when some Ei hits its Ti. Detection may spot any credential sprays, not merely password sprays. False positives may be reduced by excluding items from consideration, such as logon attempts using old passwords. False positives and false negatives may be balanced by tuning threshold parameters. Breached accounts may be found. Detection may also permit other responses, such as attack disruption, harm mitigation, and attacker identification. Credential spray attack detection may be combined with other security mechanisms for defense in depth of cloud and other network accounts.
Type: Application
Filed: February 17, 2019
Publication date: August 20, 2020
Inventors: Tal Joseph MAOR, Gal Zeev BRUCHIM, Igal GOFMAN, Itai GRADY ASHKENAZY
-
Patent number: 10587611
Abstract: The network logon protocol used in a pass-through authentication request embedded in an encrypted network packet is identified. A protocol detection engine correlates events and network requests received at a domain controller in order to use the data contained in a correlated pair to determine a size of a challenge response in the encrypted network packet. The size of the response is used to identify the network logon protocol used in the pass-through authentication request.
Type: Grant
Filed: August 29, 2017
Date of Patent: March 10, 2020
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC.
Inventors: Tal Joseph Maor, Itai Grady Ashkenazy, Michael Dubinsky, Marina Simakov
-
Publication number: 20190068573
Abstract: The network logon protocol used in a pass-through authentication request embedded in an encrypted network packet is identified. A protocol detection engine correlates events and network requests received at a domain controller in order to use the data contained in a correlated pair to determine a size of a challenge response in the encrypted network packet. The size of the response is used to identify the network logon protocol used in the pass-through authentication request.
Type: Application
Filed: August 29, 2017
Publication date: February 28, 2019
Inventors: TAL JOSEPH MAOR, ITAI GRADY ASHKENAZY, MICHAEL DUBINSKY, MARINA SIMAKOV
-
Publication number: 20180107820
Abstract: Embodiments are directed to monitoring local users' activity without installing an agent on a monitored machine. Periodic scans of the local users' directory using the standard protocol messages and APIs of a remote admin interface provide access to local machine data. Using the remote admin interface, defenders gain visibility to local users' logons, group membership, password changes, and other parameters. Security applications enabled by this visibility include, but are not limited to, abnormal logons detection, abnormal group addition and removal detection, and abnormal password changes detection.
Type: Application
Filed: June 20, 2017
Publication date: April 19, 2018
Inventors: Marina SIMAKOV, Tal BE'ERY, Itali Grady ASHKENAZY, Chaim Menachem HOCH, Tal Joseph MAOR