Internet-facing device identification
Abstract
Technology described herein determines whether a device is Internet facing. An Internet facing device is a device where traffic coming from the Internet is routable to the device. The technology described herein may comprise two components that work together to identify Internet-facing devices. The first component is a monitoring agent installed on organizational devices. The second component is an Internet-facing management service, which may be cloud based. The monitoring agent communicates connection-event notices to the Internet-facing management service. The source IP address in the connection-event notice is compared to a list of organizational IP addresses. If the source IP address is not on the list, then the computing device associated with the notice is added to a list of Internet-facing devices because the connection originated from the Internet. Software listed in the connection-event notice may be added to a list of internet-facing software instances.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . One or more computer storage media having computer-executable instructions embodied thereon that, when executed, by one or more processors, causes the one or more processors to perform a method of identifying Internet facing computing devices in an organization, the method comprising:
receiving, over a network, an IP address for a computing device from a monitoring agent running on the computing device; adding the IP address to a store of organization IP addresses; receiving, over the network, a connection-event notice from the monitoring agent describing a connection between the computing device and a second computing device, the connection-event notice comprising identification information for the computing device and connection information comprising a source IP address associated with the second computing device; determining the computing device is Internet facing by determining the source IP address is not in the store of organization IP addresses; and adding an indication for the computing device described in the identification information to a store of Internet-facing computing devices.
2 . The media of claim 1 , wherein the connection information comprises identification of a software application that participated in the connection.
3 . The media of claim 2 , wherein the method further comprises adding an instance of the software application running on the computing device to a store of Internet-facing instances of the software application.
4 . The media of claim 3 , wherein the method further comprises:
receiving a security patch for the software application; identifying instances of the software application within the organization that are Internet facing by analyzing the store of Internet-facing instances of the software application; and installing the security patch on instances of the software application within the organization that are Internet facing before installing the security patch on instances of the software application that are not Internet facing.
5 . The media of claim 1 , wherein the identification information comprises a Globally Unique Identifier (“GUID”) or Universally Unique Identifier (“UUID”).
6 . The media of claim 1 , wherein the connection information comprises a port on the computing device through which the connection was made.
7 . The media of claim 1 , wherein the one or more IP addresses associated with the computing device on which the monitoring agent is running comprises a subnet address.
8 . The media of claim 1 , wherein the identification information comprises a MAC address for the computing device.
9 . The media of claim 1 , wherein the connection information comprises identification of a command line that is listening on the connection.
10 . The media of claim 1 , wherein the connection information also comprises a subnet address.
11 . A method of identifying Internet facing computing devices in an organization, the method comprising:
receiving, over a network, an IP address for a computing device from a monitoring agent running on the computing device; adding the IP address to a store of organization IP addresses; receiving, over the network, a connection-event notice from the monitoring agent describing a connection between the computing device and a second computing device, the connection-event notice comprising connection information comprising a source IP address associated with the second computing device; determining the computing device is Internet facing by determining the source IP address is not in the store of organization IP addresses; and adding an indication for the computing device described in the identification information to a store of Internet-facing computing devices.
12 . The method of claim 1 , wherein the connection information comprises identification of a software application that participated in the connection.
13 . The method of claim 2 , wherein the method further comprises adding an instance of the software application running on the computing device to a store of Internet-facing instances of the software application.
14 . The method of claim 3 , wherein the method further comprises:
receiving a security patch for the software application; identifying instances of the software application within the organization that are Internet facing by analyzing the store of Internet-facing instances of the software application; and installing the security patch on instances of the software application within the organization that are Internet facing before installing the security patch on instances of the software application that are not Internet facing.
15 . The method of claim 1 , wherein the identification information comprises a Globally Unique Identifier (“GUID”) or Universally Unique Identifier (“UUID”).
16 . One or more computer storage media having computer-executable instructions embodied thereon that, when executed, by one or more processors, causes the one or more processors to perform a method of identifying Internet facing computing devices in an organization, the method comprising:
receiving, over the network, a connection-event notice from the monitoring agent describing a connection between the computing device and a second computing device, the connection-event notice comprising connection information comprising a source IP address associated with the second computing device; determining the computing device is Internet facing by determining the source IP address is not in a store of organization IP addresses; and adding an indication for the computing device described in the identification information to a store of Internet-facing computing devices.
17 . The media of claim 16 , wherein the connection information comprises identification of a software application that participated in the connection.
18 . The media of claim 17 , wherein the method further comprises adding an instance of the software application running on the computing device to a store of Internet-facing instances of the software application.
19 . The media of claim 18 , wherein the method further comprises:
receiving a security patch for the software application; identifying instances of the software application within the organization that are Internet facing by analyzing the store of Internet-facing instances of the software application; and installing the security patch on instances of the software application within the organization that are Internet facing before installing the security patch on instances of the software application that are not Internet facing.
20 . The media of claim 16 , wherein the connection information comprises identification of a command line that is listening on the connection.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.