US 11,929,992 B2
Encrypted cache protection
Mark Willem Loman, Delden (NL); Lute Edwin Engels, Zuidwolde (NL); Ronny Henk Gert Tijink, Hengelo (NL); Victor Marinus Johann Simon van Hillo, Delden (NL); Alexander Vermaning, Enschede (NL); and Jeroen Harmsen, Hengelo (NL)
Assigned to Sophos Limited, Abingdon (GB)
Filed by Sophos Limited, Abingdon (GB)
Filed on Sep. 7, 2021, as Appl. No. 17/467,733.
Claims priority of provisional application 63/168,654, filed on Mar. 31, 2021.
Prior Publication US 2022/0321540 A1, Oct. 6, 2022
Int. Cl. H04L 29/06 (2006.01); H04L 9/40 (2022.01)
CPC H04L 63/0414 (2013.01) [H04L 63/0435 (2013.01); H04L 63/102 (2013.01); H04L 63/105 (2013.01); H04L 63/20 (2013.01)]
20 Claims
 
1. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
instrumenting a data protection application programming interface for an operating system on an endpoint to detect access to a decryption service used by the operating system to encrypt and decrypt data blobs using a master key derived from user credentials for the endpoint;
detecting a call from a process executing on the endpoint to the data protection application programming interface to unprotect a symmetric key used to cryptographically secure a web browser session cookie stored by a web browser application on the endpoint;
comparing first process information for the process to second process information for the web browser application that stored the web browser session cookie; and
in response to determining that the process is not associated with the web browser application, preventing the process from accessing the web browser session cookie with the symmetric key and initiating a remediation of the endpoint.
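
The comparison and response steps of claim 1, sketched as an added Python example; it is not code from the patent or from Sophos. The hook that would feed `on_unprotect`, the registry of protected key blobs, the choice of image path and signer as the "process information", and every name and sample value are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from ntpath import normcase, normpath  # Windows path rules on any host OS

@dataclass(frozen=True)
class ProcessInfo:
    pid: int
    image_path: str
    signer: str  # publisher from a verified code signature, "" if unsigned

@dataclass(frozen=True)
class Browser:
    name: str
    image_path: str
    signer: str

def _canon(path):
    return normcase(normpath(path))

class CookieKeyGuard:
    """Decision logic behind a hypothetical hook on the unprotect call."""
    def __init__(self):
        self._owners = {}       # sha256(protected key blob) -> owning Browser
        self.remediations = []  # (pid, image_path, browser name) to act on

    def register_key_blob(self, blob, browser):
        self._owners[hashlib.sha256(blob).hexdigest()] = browser

    def on_unprotect(self, caller, blob):
        owner = self._owners.get(hashlib.sha256(blob).hexdigest())
        if owner is None:
            return "allow"  # not a tracked browser cookie key
        same_image = _canon(caller.image_path) == _canon(owner.image_path)
        same_signer = bool(caller.signer) and caller.signer == owner.signer
        if same_image and same_signer:
            return "allow"
        self.remediations.append((caller.pid, caller.image_path, owner.name))
        return "block"

# Constructed sample data: no real product, path, signer or key material.
BROWSER = Browser("ExampleBrowser", r"C:\Program Files\ExampleBrowser\browser.exe", "Example Browser Ltd")
KEY_BLOB = b"constructed-protected-cookie-key-blob"
CALLERS = [
    ProcessInfo(100, r"c:\program files\examplebrowser\.\BROWSER.EXE", "Example Browser Ltd"),
    ProcessInfo(200, r"C:\Users\u\AppData\Local\Temp\unknown.exe", ""),
    ProcessInfo(300, r"C:\Program Files\ExampleBrowser\browser.exe", "Other Signer"),
]

def run_sample():
    guard = CookieKeyGuard()
    guard.register_key_blob(KEY_BLOB, BROWSER)
    return [guard.on_unprotect(p, KEY_BLOB) for p in CALLERS], guard
```

Paths are canonicalised before comparison so that case or `.` segments do not cause a false mismatch, and an image at the browser's path with a different signer is still blocked.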