Patents by Inventor Yair SADE

Yair SADE has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10567438
    Abstract: The disclosed embodiments include systems and methods for dynamically managing privileged access for non-privileged accounts. Operations may include receiving a request from a computer device associated with a network account to access a privileged resource, wherein the network account lacks any privileged account membership enabling the network account to access the privileged resource. Operations may include authenticating the network account, and assigning, based on the authentication, privileged on-demand membership for the network account, wherein the privileged on-demand membership enables the network account to access the privileged resource. Operations may also include identifying that the network account should no longer have access to the privileged resource, and removing, based on the identification, the privileged on-demand membership for the network account.
    Type: Grant
    Filed: February 25, 2019
    Date of Patent: February 18, 2020
    Assignee: CYBERARK SOFTWARE LTD.
    Inventors: Dima Barboi, Boris Spivak, Yair Sade
  • Publication number: 20190190957
    Abstract: The disclosed embodiments include systems and methods for dynamically managing privileged access for non-privileged accounts. Operations may include receiving a request from a computer device associated with a network account to access a privileged resource, wherein the network account lacks any privileged account membership enabling the network account to access the privileged resource. Operations may include authenticating the network account, and assigning, based on the authentication, privileged on-demand membership for the network account, wherein the privileged on-demand membership enables the network account to access the privileged resource. Operations may also include identifying that the network account should no longer have access to the privileged resource, and removing, based on the identification, the privileged on-demand membership for the network account.
    Type: Application
    Filed: February 25, 2019
    Publication date: June 20, 2019
    Applicant: CyberArk Software Ltd.
    Inventors: Dima BARBOI, Boris SPIVAK, Yair SADE
  • Patent number: 10264026
    Abstract: The disclosed embodiments include systems and methods for dynamically managing privileged access for non-privileged accounts. Operations may include receiving a request from a computer device associated with a network account to access a privileged resource, wherein the network account lacks any privileged account membership enabling the network account to access the privileged resource. Operations may include authenticating the network account, and assigning, based on the authentication, privileged on-demand membership for the network account, wherein the privileged on-demand membership enables the network account to access the privileged resource. Operations may also include identifying that the network account should no longer have access to the privileged resource, and removing, based on the identification, the privileged on-demand membership for the network account.
    Type: Grant
    Filed: July 24, 2017
    Date of Patent: April 16, 2019
    Assignee: CyberArk Software Ltd.
    Inventors: Dima Barboi, Boris Spivak, Yair Sade
  • Patent number: 10250609
    Abstract: A method of providing a client with a privileged access ticket (PAT) to access a target service is performed at a credentials management service (CMS) in communication with a client and an authentication service. The CMS receives a privileged access ticket request from the client. The PAT request uses authentication credentials. The CMS retrieves privileged credentials using the authentication credentials, and sends a PAT request to the authentication service using the privileged credentials. When the PAT is received, the CMS forwards the PAT to the client. Optionally, in order to acquire a PAT the CMS sends a privileged provisioning ticket (PPT) request using the privileged credentials to the authentication service, and, after the PPT is received, requests the PAT from the authentication service using the PPT.
    Type: Grant
    Filed: September 26, 2018
    Date of Patent: April 2, 2019
    Assignee: CyberArk Software Ltd.
    Inventors: Yair Sade, Andrey Dulkin
  • Publication number: 20190028477
    Abstract: A method of providing a client with a privileged access ticket (PAT) to access a target service is performed at a credentials management service (CMS) in communication with a client and an authentication service. The CMS receives a privileged access ticket request from the client. The PAT request uses authentication credentials. The CMS retrieves privileged credentials using the authentication credentials, and sends a PAT request to the authentication service using the privileged credentials. When the PAT is received, the CMS forwards the PAT to the client. Optionally, in order to acquire a PAT the CMS sends a privileged provisioning ticket (PPT) request using the privileged credentials to the authentication service, and, after the PPT is received, requests the PAT from the authentication service using the PPT.
    Type: Application
    Filed: September 26, 2018
    Publication date: January 24, 2019
    Inventors: Yair Sade, Andrey Dulkin
  • Publication number: 20190028514
    Abstract: The disclosed embodiments include systems and methods for dynamically managing privileged access for non-privileged accounts. Operations may include receiving a request from a computer device associated with a network account to access a privileged resource, wherein the network account lacks any privileged account membership enabling the network account to access the privileged resource. Operations may include authenticating the network account, and assigning, based on the authentication, privileged on-demand membership for the network account, wherein the privileged on-demand membership enables the network account to access the privileged resource. Operations may also include identifying that the network account should no longer have access to the privileged resource, and removing, based on the identification, the privileged on-demand membership for the network account.
    Type: Application
    Filed: July 24, 2017
    Publication date: January 24, 2019
    Inventors: Dima BARBOI, Boris SPIVAK, Yair SADE
  • Patent number: 10116658
    Abstract: A method of providing a client with a privileged access ticket (PAT) to access a target service is performed at a credentials management service (CMS) in communication with a client and an authentication service. The CMS receives a privileged access ticket request from the client. The PAT request uses authentication credentials. The CMS retrieves privileged credentials using the authentication credentials, and sends a PAT request to the authentication service using the privileged credentials. When the PAT is received, the CMS forwards the PAT to the client. Optionally, in order to acquire a PAT the CMS sends a privileged provisioning ticket (PPT) request using the privileged credentials to the authentication service, and, after the PPT is received, requests the PAT from the authentication service using the PPT.
    Type: Grant
    Filed: April 29, 2015
    Date of Patent: October 30, 2018
    Assignee: CyberArk Software Ltd.
    Inventors: Yair Sade, Andrey Dulkin
  • Patent number: 9876804
    Abstract: Methods and systems are disclosed for detecting unauthorized actions associated with network resources, the actions including access to the resource and activity associated with the resource. The unauthorized actions are detected by analyzing action data of a client action associated with the network resource against credential retrieval data including records of authorized actions and/or procedures for performing an action associated with the network resource.
    Type: Grant
    Filed: October 20, 2013
    Date of Patent: January 23, 2018
    Assignee: Cyber-Ark Software Ltd.
    Inventors: Andrey Dulkin, Yair Sade, Roy Adar
  • Patent number: 9866567
    Abstract: Described herein are systems and methods for performing operations responsive to potentially malicious activity. Embodiments may include receiving an indication of the potentially malicious activity in a computer network; identifying, based on data included in the indication, at least one network account associated with the potentially malicious activity; determining, based on the identifying and further based on the data included in the indication and according to a defined policy, at least one responsive operation with respect to the at least one identified network account; and invoking, based on the determining, the at least one responsive operation, the at least one responsive operation being implemented to mitigate the potentially malicious activity in the computer network.
    Type: Grant
    Filed: May 23, 2017
    Date of Patent: January 9, 2018
    Assignee: CyberArk Software Ltd.
    Inventors: Andrey Dulkin, Yair Sade, Omer Benedict, Jessica Stanford, Lavi Lazarovitz
  • Patent number: 9860249
    Abstract: A system and method for secure authentication facilitates improving the security of authentication between a client and a target by using an innovative authentication module on a proxy. The client can connect to the proxy using a native protocol and provides client credentials to the proxy. The proxy uses an authentication module to authenticate the client and then to provide target access credentials for proxy-target authentication, thereby giving the client access to the target through the proxy. The invention facilitates connection between the client and the target without requiring the client to be in possession of the target access credentials. The proxy can optionally be connected to a privileged access management system which can provide and/or store target access credentials. Proxy-provided target access credentials facilitate preventing a client security breach from exposing target access credentials.
    Type: Grant
    Filed: June 24, 2016
    Date of Patent: January 2, 2018
    Assignee: CyberArk Software Ltd.
    Inventors: Andrey Dulkin, Yair Sade
  • Patent number: 9781096
    Abstract: Application-to-Application authentication features using a second communication channel for out-of-band authentication separate from a communication channel of a request from a client to a server. Authentication information is associated with a component of the system such as the request or the client application, while being collected independent of interaction with the client application initiating the request. Implementations provide improved security over existing solutions using in-band or other means of collecting authentication information.
    Type: Grant
    Filed: June 24, 2016
    Date of Patent: October 3, 2017
    Assignee: Cyber-Ark Software Ltd.
    Inventors: Yair Sade, Andrey Dulkin
  • Publication number: 20170257376
    Abstract: Described herein are systems and methods for performing operations responsive to potentially malicious activity. Embodiments may include receiving an indication of the potentially malicious activity in a computer network; identifying, based on data included in the indication, at least one network account associated with the potentially malicious activity; determining, based on the identifying and further based on the data included in the indication and according to a defined policy, at least one responsive operation with respect to the at least one identified network account; and invoking, based on the determining, the at least one responsive operation, the at least one responsive operation being implemented to mitigate the potentially malicious activity in the computer network.
    Type: Application
    Filed: May 23, 2017
    Publication date: September 7, 2017
    Inventors: Andrey Dulkin, Yair Sade, Omer Benedict, Jessica Stanford, Lavi Lazarovitz
  • Patent number: 9712548
    Abstract: A computer-implemented method for determining whether a computer network is compromised by unauthorized activity on the computer network. The computer-implemented method comprises identifying a behavioral anomaly of an entity on the computer network, classifying the anomaly as a system event based on an assigned score for the anomaly being at least at a predetermined score threshold, updating an incident based on at least one common parameter between the system event and other system events which comprise the incident, each system event of the incident including an assigned score from when the event was an anomaly, updating a system status based on at least the incident, and assigning a system status score to the system status, and, determining whether the system status score is at least at a predetermined threshold system status score indicating that the computer network may be compromised.
    Type: Grant
    Filed: October 27, 2014
    Date of Patent: July 18, 2017
    Assignee: Cyber-Ark Software Ltd.
    Inventors: Aviram Shmueli, Andrey Dulkin, Yair Sade, Assaf Weiss
  • Patent number: 9712514
    Abstract: A method of establishing privileged communication sessions to target services unifies multiple sub-sessions into a single super-session. The user client requests access to target services. The request includes authentication credentials. Using the authentication credentials, privileged credentials are retrieved for target services requiring privileged access. Interactive sub-sessions are established between an intermediate element and respective target services. Required credentials are provided by the intermediate element to the target services. The interactive sub-sessions are unified into a single super-session on the intermediate element, and the super-session is established with the user client. The super-session provides the user client with interactive control of each of the interactive sub-sessions. Data communication between the user client and the target services is conducted via the intermediate element.
    Type: Grant
    Filed: February 8, 2015
    Date of Patent: July 18, 2017
    Assignee: Cyber-Ark Software Ltd.
    Inventors: Erez Breiman, Eran Pinhas, Ran Deri, Yair Sade, Yaron Mazor
  • Patent number: 9712563
    Abstract: A method of managing a connection-specific policy for accessing a target system includes receiving a request from a user client for a connection with a target system. A unique identifier is determined for the requested connection. Connection settings for connecting to the target system are provided to the user client. The connection settings include the unique connection identifier. A corresponding access policy for the connection identifier is provided to the target system. The target system applies the corresponding access policy on the connection established with the connection settings.
    Type: Grant
    Filed: July 7, 2015
    Date of Patent: July 18, 2017
    Assignee: Cyber-Ark Software Ltd.
    Inventors: Doron Shem Tov, Yair Sade, Shlomy Marom, Millie Richter
  • Patent number: 9699261
    Abstract: A method of monitoring a session on a target system includes receiving from a user client a user request to open a session with the target system. A session-specific transient agent for monitoring the session is installed onto the target system. The session is established between the user and the target system over a communication network. The transient agent monitors the session, collects data of events occurring on the target system during the session. The transient agent is terminated when the session ends.
    Type: Grant
    Filed: January 14, 2014
    Date of Patent: July 4, 2017
    Assignee: Cyber-Ark Software Ltd.
    Inventors: Yair Sade, Erez Breiman, Ran Stotsky, Andrey Dulkin
  • Patent number: 9680813
    Abstract: A method of credential provisioning on a target service utilizes three credential sets: authentication credentials, privileged credentials and provisioned credentials. An intermediate element receives a request from a user client to establish a session with a target service. The request includes authentication credentials. The intermediate element creates provisioned credentials using privileged credentials which are authorized for creating provisioned credentials for accessing the target service. Once provisioned credentials have been created, a dual session communication channel is established between the user client and the target service. The session between the user client and intermediate element is established using the authentication credentials and the session between the intermediate element and the target service is established using the provisioned credentials. Optionally, user authorization to establish a session with the target service is determined prior to creating the provisioned credentials.
    Type: Grant
    Filed: September 8, 2014
    Date of Patent: June 13, 2017
    Assignee: Cyber-Ark Software Ltd.
    Inventors: Yair Sade, Roy Adar, Yossi Dantes, Tzippi Yitzhack, Andrey Dulkin
  • Patent number: 9560067
    Abstract: Methods and systems are disclosed for identifying security risks, arising from credentials existing on machines in the networks that enable access to other machines on the networks. Account credentials indications are retrieved from machines in the network, which indicate that credentials for accounts are stored on those machines. Access rights for accounts are collected, describing the access and operation permissions of these accounts on machines in the networks. A correlation is then performed to identify machines that can be accessed by employing credentials of accounts retrieved from other machines in the network.
    Type: Grant
    Filed: June 9, 2016
    Date of Patent: January 31, 2017
    Assignee: Cyber-Ark Software Ltd.
    Inventors: Andrey Dulkin, Denis Kamanovsky, Yoel Eilat, Yair Sade
  • Publication number: 20160330221
    Abstract: Described herein are systems and methods for performing operations responsive to potentially malicious activity. Embodiments may include receiving an indication of the potentially malicious activity in a computer network; identifying, based on data included in the indication, at least one network account associated with the potentially malicious activity; determining, based on the identifying and further based on the data included in the indication and according to a defined policy, at least one responsive operation with respect to the at least one identified network account; and invoking, based on the determining, the at least one responsive operation, the at least one responsive operation being implemented to mitigate the potentially malicious activity in the computer network.
    Type: Application
    Filed: May 5, 2016
    Publication date: November 10, 2016
    Inventors: Andrey Dulkin, Yair Sade, Omer Benedict, Jessica Stanford, Lavi Lazarovitz
  • Publication number: 20160323280
    Abstract: A method of providing a client with a privileged access ticket (PAT) to access a target service is performed at a credentials management service (CMS) in communication with a client and an authentication service. The CMS receives a privileged access ticket request from the client. The PAT request uses authentication credentials. The CMS retrieves privileged credentials using the authentication credentials, and sends a PAT request to the authentication service using the privileged credentials. When the PAT is received, the CMS forwards the PAT to the client. Optionally, in order to acquire a PAT the CMS sends a privileged provisioning ticket (PPT) request using the privileged credentials to the authentication service, and, after the PPT is received, requests the PAT from the authentication service using the PPT.
    Type: Application
    Filed: April 29, 2015
    Publication date: November 3, 2016
    Inventors: Yair SADE, Andrey DULKIN