Patents by Inventor Yair SADE
Yair SADE has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 10567438Abstract: The disclosed embodiments include systems and methods for dynamically managing privileged access for non-privileged accounts. Operations may include receiving a request from a computer device associated with a network account to access a privileged resource, wherein the network account lacks any privileged account membership enabling the network account to access the privileged resource. Operations may include authenticating the network account, and assigning, based on the authentication, privileged on-demand membership for the network account, wherein the privileged on-demand membership enables the network account to access the privileged resource. Operations may also include identifying that the network account should no longer have access to the privileged resource, and removing, based on the identification, the privileged on-demand membership for the network account.Type: GrantFiled: February 25, 2019Date of Patent: February 18, 2020Assignee: CYBERARK SOFTWARE LTD.Inventors: Dima Barboi, Boris Spivak, Yair Sade
-
Publication number: 20190190957Abstract: The disclosed embodiments include systems and methods for dynamically managing privileged access for non-privileged accounts. Operations may include receiving a request from a computer device associated with a network account to access a privileged resource, wherein the network account lacks any privileged account membership enabling the network account to access the privileged resource. Operations may include authenticating the network account, and assigning, based on the authentication, privileged on-demand membership for the network account, wherein the privileged on-demand membership enables the network account to access the privileged resource. Operations may also include identifying that the network account should no longer have access to the privileged resource, and removing, based on the identification, the privileged on-demand membership for the network account.Type: ApplicationFiled: February 25, 2019Publication date: June 20, 2019Applicant: CyberArk Software Ltd.Inventors: Dima BARBOI, Boris SPIVAK, Yair SADE
-
Patent number: 10264026Abstract: The disclosed embodiments include systems and methods for dynamically managing privileged access for non-privileged accounts. Operations may include receiving a request from a computer device associated with a network account to access a privileged resource, wherein the network account lacks any privileged account membership enabling the network account to access the privileged resource. Operations may include authenticating the network account, and assigning, based on the authentication, privileged on-demand membership for the network account, wherein the privileged on-demand membership enables the network account to access the privileged resource. Operations may also include identifying that the network account should no longer have access to the privileged resource, and removing, based on the identification, the privileged on-demand membership for the network account.Type: GrantFiled: July 24, 2017Date of Patent: April 16, 2019Assignee: CyberArk Software Ltd.Inventors: Dima Barboi, Boris Spivak, Yair Sade
-
Patent number: 10250609Abstract: A method of providing a client with a privileged access ticket (PAT) to access a target service is performed at a credentials management service (CMS) in communication with a client and an authentication service. The CMS receives a privileged access ticket request from the client. The PAT request uses authentication credentials. The CMS retrieves privileged credentials using the authentication credentials, and sends a PAT request to the authentication service using the privileged credentials. When the PAT is received, the CMS forwards the PAT to the client. Optionally, in order to acquire a PAT the CMS sends a privileged provisioning ticket (PPT) request using the privileged credentials to the authentication service, and, after the PPT is received, requests the PAT from the authentication service using the PPT.Type: GrantFiled: September 26, 2018Date of Patent: April 2, 2019Assignee: CyberArk Software Ltd.Inventors: Yair Sade, Andrey Dulkin
-
Publication number: 20190028477Abstract: A method of providing a client with a privileged access ticket (PAT) to access a target service is performed at a credentials management service (CMS) in communication with a client and an authentication service. The CMS receives a privileged access ticket request from the client. The PAT request uses authentication credentials. The CMS retrieves privileged credentials using the authentication credentials, and sends a PAT request to the authentication service using the privileged credentials. When the PAT is received, the CMS forwards the PAT to the client. Optionally, in order to acquire a PAT the CMS sends a privileged provisioning ticket (PPT) request using the privileged credentials to the authentication service, and, after the PPT is received, requests the PAT from the authentication service using the PPT.Type: ApplicationFiled: September 26, 2018Publication date: January 24, 2019Inventors: Yair Sade, Andrey Dulkin
-
Publication number: 20190028514Abstract: The disclosed embodiments include systems and methods for dynamically managing privileged access for non-privileged accounts. Operations may include receiving a request from a computer device associated with a network account to access a privileged resource, wherein the network account lacks any privileged account membership enabling the network account to access the privileged resource. Operations may include authenticating the network account, and assigning, based on the authentication, privileged on-demand membership for the network account, wherein the privileged on-demand membership enables the network account to access the privileged resource. Operations may also include identifying that the network account should no longer have access to the privileged resource, and removing, based on the identification, the privileged on-demand membership for the network account.Type: ApplicationFiled: July 24, 2017Publication date: January 24, 2019Inventors: Dima BARBOI, Boris SPIVAK, Yair SADE
-
Patent number: 10116658Abstract: A method of providing a client with a privileged access ticket (PAT) to access a target service is performed at a credentials management service (CMS) in communication with a client and an authentication service. The CMS receives a privileged access ticket request from the client. The PAT request uses authentication credentials. The CMS retrieves privileged credentials using the authentication credentials, and sends a PAT request to the authentication service using the privileged credentials. When the PAT is received, the CMS forwards the PAT to the client. Optionally, in order to acquire a PAT the CMS sends a privileged provisioning ticket (PPT) request using the privileged credentials to the authentication service, and, after the PPT is received, requests the PAT from the authentication service using the PPT.Type: GrantFiled: April 29, 2015Date of Patent: October 30, 2018Assignee: CyberArk Software Ltd.Inventors: Yair Sade, Andrey Dulkin
-
Patent number: 9876804Abstract: Methods and systems are disclosed for detecting unauthorized actions associated with network resources, the actions including access to the resource and activity associated with the resource. The unauthorized actions are detected by analyzing action data of a client action associated with the network resource against credential retrieval data including records of authorized actions and/or procedures for performing an action associated with the network resource.Type: GrantFiled: October 20, 2013Date of Patent: January 23, 2018Assignee: Cyber-Ark Software Ltd.Inventors: Andrey Dulkin, Yair Sade, Roy Adar
-
Patent number: 9866567Abstract: Described herein are systems and methods for performing operations responsive to potentially malicious activity. Embodiments may include receiving an indication of the potentially malicious activity in a computer network; identifying, based on data included in the indication, at least one network account associated with the potentially malicious activity; determining, based on the identifying and further based on the data included in the indication and according to a defined policy, at least one responsive operation with respect to the at least one identified network account; and invoking, based on the determining, the at least one responsive operation, the at least one responsive operation being implemented to mitigate the potentially malicious activity in the computer network.Type: GrantFiled: May 23, 2017Date of Patent: January 9, 2018Assignee: CyberArk Software Ltd.Inventors: Andrey Dulkin, Yair Sade, Omer Benedict, Jessica Stanford, Lavi Lazarovitz
-
Patent number: 9860249Abstract: A system and method for secure authentication facilitates improving the security of authentication between a client and a target by using an innovative authentication module on a proxy. The client can connect to the proxy using a native protocol and provides client credentials to the proxy. The proxy uses an authentication module to authenticate the client and then to provide target access credentials for proxy-target authentication, thereby giving the client access to the target through the proxy. The invention facilitates connection between the client and the target without requiring the client to be in possession of the target access credentials. The proxy can optionally be connected to a privileged access management system which can provide and/or store target access credentials. Proxy-provided target access credentials facilitate preventing a client security breech from exposing target access credentials.Type: GrantFiled: June 24, 2016Date of Patent: January 2, 2018Assignee: CyberArk Software Ltd.Inventors: Andrey Dulkin, Yair Sade
-
Patent number: 9781096Abstract: Application-to-Application authentication features using a second communication channel for out-of-band authentication separate from a communication channel of a request from a client to a server. Authentication information is associated with a component of the system such as the request or the client application, while being collected independent of interaction with the client application initiating the request. Implementations provide improved security over existing solutions using in-band or other means of collecting authentication information.Type: GrantFiled: June 24, 2016Date of Patent: October 3, 2017Assignee: Cyber-Ark Software Ltd.Inventors: Yair Sade, Andrey Dulkin
-
Publication number: 20170257376Abstract: Described herein are systems and methods for performing operations responsive to potentially malicious activity. Embodiments may include receiving an indication of the potentially malicious activity in a computer network; identifying, based on data included in the indication, at least one network account associated with the potentially malicious activity; determining, based on the identifying and further based on the data included in the indication and according to a defined policy, at least one responsive operation with respect to the at least one identified network account; and invoking, based on the determining, the at least one responsive operation, the at least one responsive operation being implemented to mitigate the potentially malicious activity in the computer network.Type: ApplicationFiled: May 23, 2017Publication date: September 7, 2017Inventors: Andrey Dulkin, Yair Sade, Omer Benedict, Jessica Stanford, Lavi Lazarovitz
-
Patent number: 9712548Abstract: A computer-implemented method for determining whether a computer network is compromised by unauthorized activity on the computer network. The computer-implemented method comprises identifying a behavioral anomaly of an entity on the computer network, classifying the anomaly as a system event based on an assigned score for the anomaly being at least at a predetermined score threshold, updating an incident based on at least one common parameter between the system event and other system events which comprise the incident, each system event of the incident including an assigned score from when the event was an anomaly, updating a system status based on at least the incident, and assigning a system status score to the system status, and, determining whether the system status score is at least at a predetermined threshold system status score indicating that the computer network may be compromised.Type: GrantFiled: October 27, 2014Date of Patent: July 18, 2017Assignee: Cyber-Ark Software Ltd.Inventors: Aviram Shmueli, Andrey Dulkin, Yair Sade, Assaf Weiss
-
Patent number: 9712514Abstract: A method of establishing privileged communication sessions to target services unifies multiple sub-sessions into a single super-session. The user client requests access to target services. The request includes authentication credentials. Using the authentication credentials, privileged credentials are retrieved for target services requiring privileged access. Interactive sub-sessions are established between an intermediate element and respective target services. Required credentials are provided by the intermediate element to the target services. The interactive sub-sessions are unified into a single super-session on the intermediate element, and the super-session is established with the user client. The super-session provides the user client with interactive control of each of the interactive sub-sessions. Data communication between the user client and the target services is conducted via the intermediate element.Type: GrantFiled: February 8, 2015Date of Patent: July 18, 2017Assignee: Cyber-Ark Software Ltd.Inventors: Erez Breiman, Eran Pinhas, Ran Deri, Yair Sade, Yaron Mazor
-
Patent number: 9712563Abstract: A method of managing a connection-specific policy for accessing a target system includes receiving a request from a user client for a connection with a target system. A unique identifier is determined for the requested connection. Connection settings for connecting to the target system are provided to the user client. The connection settings include the unique connection identifier. A corresponding access policy for the connection identifier is provided to the target system. The target system applies the corresponding access policy on the connection established with the connection settings.Type: GrantFiled: July 7, 2015Date of Patent: July 18, 2017Assignee: Cyber-Ark Software Ltd.Inventors: Doron Shem Tov, Yair Sade, Shlomy Marom, Millie Richter
-
Patent number: 9699261Abstract: A method of monitoring a session on a target system includes receiving from a user client a user request to open a session with the target system. A session-specific transient agent for monitoring the session is installed onto the target system. The session is established between the user and the target system over a communication network. The transient agent monitors the session, collects data of events occurring on the target system during the session. The transient agent is terminated when the session ends.Type: GrantFiled: January 14, 2014Date of Patent: July 4, 2017Assignee: Cyber-Ark Software Ltd.Inventors: Yair Sade, Erez Breiman, Ran Stotsky, Andrey Dulkin
-
Patent number: 9680813Abstract: A method of credential provisioning on a target service utilizes three credential sets: authentication credentials, privileged credentials and provisioned credentials. An intermediate element receives a request from a user client to establish a session with a target service. The request includes authentication credentials. The intermediate element creates provisioned credentials using privileged credentials which are authorized for creating provisioned credentials for accessing the target service. Once provisioned credentials have been created, a dual session communication channel is established between the user client and the target service. The session between the user client and intermediate element is established using the authentication credentials and the session between the intermediate element and the target service is established using the provisioned credentials. Optionally, user authorization to establish a session with the target service is determined prior to creating the provisioned credentials.Type: GrantFiled: September 8, 2014Date of Patent: June 13, 2017Assignee: Cyber-Ark Software Ltd.Inventors: Yair Sade, Roy Adar, Yossi Dantes, Tzippi Yitzhack, Andrey Dulkin
-
Patent number: 9560067Abstract: Methods and systems are disclosed for identifying security risks, arising from credentials existing on machines in the networks that enable access to other machines on the networks. Account credentials indications are retrieved from machines in the network, which indicate that credentials for accounts are stored on those machines. Access rights for accounts are collected, describing the access and operation permissions of these accounts on machines in the networks. A correlation is then performed to identify machines that can be accessed by employing credentials of accounts retrieved from other machines in the network.Type: GrantFiled: June 9, 2016Date of Patent: January 31, 2017Assignee: Cyber-Ark Software Ltd.Inventors: Andrey Dulkin, Denis Kamanovsky, Yoel Eilat, Yair Sade
-
Publication number: 20160330221Abstract: Described herein are systems and methods for performing operations responsive to potentially malicious activity. Embodiments may include receiving an indication of the potentially malicious activity in a computer network; identifying, based on data included in the indication, at least one network account associated with the potentially malicious activity; determining, based on the identifying and further based on the data included in the indication and according to a defined policy, at least one responsive operation with respect to the at least one identified network account; and invoking, based on the determining, the at least one responsive operation, the at least one responsive operation being implemented to mitigate the potentially malicious activity in the computer network.Type: ApplicationFiled: May 5, 2016Publication date: November 10, 2016Inventors: Andrey Dulkin, Yair Sade, Omer Benedict, Jessica Stanford, Lavi Lazarovitz
-
Publication number: 20160323280Abstract: A method of providing a client with a privileged access ticket (PAT) to access a target service is performed at a credentials management service (CMS) in communication with a client and an authentication service. The CMS receives a privileged access ticket request from the client. The PAT request uses authentication credentials. The CMS retrieves privileged credentials using the authentication credentials, and sends a PAT request to the authentication service using the privileged credentials. When the PAT is received, the CMS forwards the PAT to the client. Optionally, in order to acquire a PAT the CMS sends a privileged provisioning ticket (PPT) request using the privileged credentials to the authentication service, and, after the PPT is received, requests the PAT from the authentication service using the PPT.Type: ApplicationFiled: April 29, 2015Publication date: November 3, 2016Inventors: Yair SADE, Andrey DULKIN