Patents by Inventor Yair SADE
Yair SADE has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20160308868Abstract: A system and method for secure authentication facilitates improving the security of authentication between a client and a target by using an innovative authentication module on a proxy. The client can connect to the proxy using a native protocol and provides client credentials to the proxy. The proxy uses an authentication module to authenticate the client and then to provide target access credentials for proxy-target authentication, thereby giving the client access to the target through the proxy. The invention facilitates connection between the client and the target without requiring the client to be in possession of the target access credentials. The proxy can optionally be connected to a privileged access management system which can provide and/or store target access credentials. Proxy-provided target access credentials facilitate preventing a client security breech from exposing target access credentials.Type: ApplicationFiled: June 24, 2016Publication date: October 20, 2016Inventors: Andrey Dulkin, Yair SADE
-
Publication number: 20160308849Abstract: Application-to-Application authentication features using a second communication channel for out-of-band authentication separate from a communication channel of a request from a client to a server. Authentication information is associated with a component of the system such as the request or the client application, while being collected independent of interaction with the client application initiating the request. Implementations provide improved security over existing solutions using in-band or other means of collecting authentication information.Type: ApplicationFiled: June 24, 2016Publication date: October 20, 2016Inventors: Yair Sade, Andrey Dulkin
-
Publication number: 20160294863Abstract: Methods and systems are disclosed for identifying security risks, arising from credentials existing on machines in the networks that enable access to other machines on the networks. Account credentials indications are retrieved from machines in the network, which indicate that credentials for accounts are stored on those machines. Access rights for accounts are collected, describing the access and operation permissions of these accounts on machines in the networks. A correlation is then performed to identify machines that can be accessed by employing credentials of accounts retrieved from other machines in the network.Type: ApplicationFiled: June 9, 2016Publication date: October 6, 2016Applicant: Cyber-Ark Software Ltd.Inventors: Andrey DULKIN, Denis KAMANOVSKY, Yoel EILAT, Yair SADE
-
Publication number: 20160234198Abstract: A method of establishing privileged communication sessions to target services unifies multiple sub-sessions into a single super-session. The user client requests access to target services. The request includes authentication credentials. Using the authentication credentials, privileged credentials are retrieved for target services requiring privileged access. Interactive sub-sessions are established between an intermediate element and respective target services. Required credentials are provided by the intermediate element to the target services. The interactive sub-sessions are unified into a single super-session on the intermediate element, and the super-session is established with the user client. The super-session provides the user client with interactive control of each of the interactive sub-sessions. Data communication between the user client and the target services is conducted via the intermediate element.Type: ApplicationFiled: February 8, 2015Publication date: August 11, 2016Inventors: Erez BREIMAN, Eran PINHAS, Ran DERI, Yair SADE, Yaron Mazor
-
Patent number: 9386044Abstract: Methods and systems are disclosed for identifying security risks, arising from credentials existing on machines in the networks that enable access to other machines on the networks. Account credentials indications are retrieved from machines in the network, which indicate that credentials for accounts are stored on those machines. Access rights for accounts are collected, describing the access and operation permissions of these accounts on machines in the networks. A correlation is then performed to identify machines that can be accessed by employing credentials of accounts retrieved from other machines in the network.Type: GrantFiled: August 13, 2015Date of Patent: July 5, 2016Assignee: Cyber-Ark Software Ltd.Inventors: Andrey Dulkin, Denis Kamanovsky, Yoel Eilat, Yair Sade
-
Publication number: 20160006765Abstract: A method of managing a connection-specific policy for accessing a target system includes receiving a request from a user client for a connection with a target system. A unique identifier is determined for the requested connection. Connection settings for connecting to the target system are provided to the user client. The connection settings include the unique connection identifier. A corresponding access policy for the connection identifier is provided to the target system. The target system applies the corresponding access policy on the connection established with the connection settings.Type: ApplicationFiled: July 7, 2015Publication date: January 7, 2016Inventors: Doron SHEM TOV, Yair SADE, Shlomy MAROM, Millie RICHTER
-
Publication number: 20160006712Abstract: A method of credential provisioning on a target service utilizes three credential sets: authentication credentials, privileged credentials and provisioned credentials. An intermediate element receives a request from a user client to establish a session with a target service. The request includes authentication credentials. The intermediate element creates provisioned credentials using privileged credentials which are authorized for creating provisioned credentials for accessing the target service. Once provisioned credentials have been created, a dual session communication channel is established between the user client and the target service. The session between the user client and intermediate element is established using the authentication credentials and the session between the intermediate element and the target service is established using the provisioned credentials. Optionally, user authorization to establish a session with the target service is determined prior to creating the provisioned credentials.Type: ApplicationFiled: September 8, 2014Publication date: January 7, 2016Inventors: Yair SADE, Roy ADAR, Yossi DANTES, Tzippi YITZHACK, Andrey DULKIN
-
Publication number: 20150350238Abstract: Methods and systems are disclosed for identifying security risks, arising from credentials existing on machines in the networks that enable access to other machines on the networks. Account credentials indications are retrieved from machines in the network, which indicate that credentials for accounts are stored on those machines. Access rights for accounts are collected, describing the access and operation permissions of these accounts on machines in the networks. A correlation is then performed to identify machines that can be accessed by employing credentials of accounts retrieved from other machines in the network.Type: ApplicationFiled: August 13, 2015Publication date: December 3, 2015Applicant: Cyber-Ark Software LtdInventors: Andrey DULKIN, Denis Kamanovsky, Yoel Eilat, Yair Sade
-
Patent number: 9185136Abstract: Methods and systems are disclosed for identifying security risks, arising from credentials existing on machines in the networks that enable access to other machines on the networks. Account credentials indications are retrieved from machines in the network, which indicate that credentials for accounts are stored on those machines. Access rights for accounts are collected, describing the access and operation permissions of these accounts on machines in the networks. A correlation is then performed to identify machines that can be accessed by employing credentials of accounts retrieved from other machines in the network.Type: GrantFiled: November 28, 2013Date of Patent: November 10, 2015Assignee: Cyber-Ark Software Ltd.Inventors: Andrey Dulkin, Denis Kamanovsky, Yoel Eilat, Yair Sade
-
Publication number: 20150304292Abstract: A system and method for secure authentication facilitates improving the security of authentication between a client and a target by using an innovative authentication module on a proxy. The client can connect to the proxy using a native protocol and provides client credentials to the proxy. The proxy uses an authentication module to authenticate the client and then to provide target access credentials for proxy-target authentication, thereby giving the client access to the target through the proxy. The invention facilitates connection between the client and the target without requiring the client to be in possession of the target access credentials. The proxy can optionally be connected to a privileged, access management system which can provide and/or store target access credentials. Proxy-provided target access credentials facilitate preventing a client security breech from exposing target access credentials.Type: ApplicationFiled: October 22, 2013Publication date: October 22, 2015Applicant: CYBER-ARK SOFTWARE LTD.Inventors: Andrey DULKIN, Yair SADE
-
Publication number: 20150271162Abstract: A method and system is provided for controlling a remote target application, including sensitive and privileged applications, via a remote application connection. The target application is executed with a set of credentials, different than those credentials submitted by the user to access the target application. The user, via a local client terminal, accesses the target application over the remote application connection, such that the user experience of interaction with the target application is similar to that of the target application running locally, while the target application is actually being run remotely. The execution is protected by the second set of credentials unknown to the user, thus preventing credential hijacking and various other threats to the sensitive application.Type: ApplicationFiled: March 18, 2014Publication date: September 24, 2015Applicant: Cyber-Ark Software Ltd.Inventors: Andrey Dulkin, Erez Breiman, Yair Sade
-
Publication number: 20150222639Abstract: A system and method for maintaining continuous operational access augmented with user authentication and action attribution in shared environments. Multiple users use the same machine/platform to perform their actions. The system includes an access control application and enforcement module that limit users' actions based on authentication and authority level, enabling each user to perform the user's role in the shared environment. In addition, the user's activities can be monitored, logged, and interfered with (such as terminating the session), enabling a key requirement of action attribution.Type: ApplicationFiled: October 1, 2013Publication date: August 6, 2015Applicant: Cyber-Ark Software Ltd.Inventors: Andrey Dulkin, Yair Sade
-
Publication number: 20150200821Abstract: A method of monitoring a session on a target system includes receiving from a user client a user request to open a session with the target system. A session-specific transient agent for monitoring the session is installed onto the target system. The session is established between the user and the target system over a communication network. The transient agent monitors the session, collects data of events occurring on the target system during the session. The transient agent is terminated when the session ends.Type: ApplicationFiled: January 14, 2014Publication date: July 16, 2015Applicant: Cyber-Ark Software Ltd.Inventors: Yair SADE, Erez BREIMAN, Ran STOTSKY, Andrey DULKIN
-
Publication number: 20150150125Abstract: Methods and systems are disclosed for identifying security risks, arising from credentials existing on machines in the networks that enable access to other machines on the networks. Account credentials indications are retrieved from machines in the network, which indicate that credentials for accounts are stored on those machines. Access rights for accounts are collected, describing the access and operation permissions of these accounts on machines in the networks. A correlation is then performed to identify machines that can be accessed by employing credentials of accounts retrieved from other machines in the network.Type: ApplicationFiled: November 28, 2013Publication date: May 28, 2015Applicant: Cyber-Ark Software Ltd.Inventors: Andrey DULKIN, Denis Kamanovsky, Yoel Eilat, Yair Sade
-
Publication number: 20150121518Abstract: A computer-implemented method for determining whether a computer network is compromised by unauthorized activity on the computer network. The computer-implemented method comprises identifying a behavioral anomaly of an entity on the computer network, classifying the anomaly as a system event based on an assigned score for the anomaly being at least at a predetermined score threshold, updating an incident based on at least one common parameter between the system event and other system events which comprise the incident, each system event of the incident including an assigned score from when the event was an anomaly, updating a system status based on at least the incident, and assigning a system status score to the system status, and, determining whether the system status score is at least at a predetermined threshold system status score indicating that the computer network may be compromised.Type: ApplicationFiled: October 27, 2014Publication date: April 30, 2015Inventors: Aviram SHMUELI, Andrey DULKIN, Yair SADE, Assaf WEISS
-
Publication number: 20150121461Abstract: Methods and systems are disclosed for detecting improper, and otherwise unauthorized actions, associated with network resources, the actions including access to the resource and activity associated with the resource. The unauthorized actions are detected by analyzing action data of user actions employing accounts managed by a privileged access management system and associated with a network resource against profiles and rules to discover anomalies and/or deviations from rules associated with the network resource or accounts.Type: ApplicationFiled: October 24, 2013Publication date: April 30, 2015Applicant: Cyber-Ark Software Ltd.Inventors: Andrey DULKIN, Yair Sade, Roy Adar, Aviram Shmueli
-
Publication number: 20150113600Abstract: Methods and systems are disclosed for detecting unauthorized actions associated with network resources, the actions including access to the resource and activity associated with the resource. The unauthorized actions are detected by analyzing action data of a client action associated with the network resource against credential retrieval data including records of authorized actions and/or procedures for performing an action associated with the network resource.Type: ApplicationFiled: October 20, 2013Publication date: April 23, 2015Applicant: Cyber-Ark Software Ltd.Inventors: Andrey DULKIN, Yair SADE, Roy ADAR
-
Publication number: 20140013390Abstract: Application-to-Application authentication features using a second communication channel for out-of-band authentication separate from a communication channel of a request from a client to a server. Authentication information is associated with a component of the system such as the request or the client application, while being collected independent of interaction with the client application initiating the request. Implementations provide improved security over existing solutions using in-band or other means of collecting authentication information.Type: ApplicationFiled: June 6, 2013Publication date: January 9, 2014Inventors: Yair Sade, Andrey Dulkin
-
Patent number: 8468594Abstract: The present invention discloses methods, media, and systems for handling hard-coded credentials, the system including: an interception module configured for: intercepting credential usage upon receiving an application request for application credentials in order to provide access to a host application; a configuration/settings module configured for reading system configurations and settings for handling the application credentials; a credential-mapping module configured for: applying appropriate credential-mapping logic based on the system configurations and settings; and upon determining that the application credentials need to be replaced, obtaining appropriate credentials from a secured storage.Type: GrantFiled: February 12, 2008Date of Patent: June 18, 2013Assignee: Cyber-Ark Software LtdInventors: Yair Sade, Roy Adar
-
Publication number: 20080196101Abstract: The present invention discloses methods, media, and systems for handling hard-coded credentials, the system including: an interception module configured for: intercepting credential usage upon receiving an application request for application credentials in order to provide access to a host application; a configuration/settings module configured for reading system configurations and settings for handling the application credentials; a credential-mapping module configured for: applying appropriate credential-mapping logic based on the system configurations and settings; and upon determining that the application credentials need to be replaced, obtaining appropriate credentials from a secured storage.Type: ApplicationFiled: February 12, 2008Publication date: August 14, 2008Applicant: Cyber-Ark Software Ltd.Inventors: Yair SADE, Roy ADAR