| CPC H04L 63/1416 (2013.01) [H04L 63/02 (2013.01); H04L 63/0823 (2013.01)] | 19 Claims |
|
1. A system, comprising:
a processor configured to:
detect an event associated with accessing a discovered application from recorded events;
determine target information associated with the event;
identify the discovered application from the target information, wherein to identify the discovered application from the target information comprises to:
determine a target IP address from the target information;
connect to the target IP address using transport layer security (TLS) at a predetermined port;
obtain a TLS certificate from a web server associated with the target IP address; and
parse the TLS certificate to determine identity information associated with the discovered application corresponding to the target IP address;
compare the identity information associated with the discovered application to an organization-specific registry, wherein the organization-specific registry comprises identifying information associated with one or more known applications relative to an organization and respective one or more dates at which one or more known applications were previously identified from previously determined target information for the organization;
in response to a determination that the identity information associated with the discovered application does not match any entries in the organization-specific registry, determine that the discovered application is an unknown application relative to the organization; and
in response to the determination that the discovered application is the unknown application:
apply a security measure to the discovered application; and
insert a new entry into the organization-specific registry with identifying information associated with the discovered application and a date at which the
discovered application was identified from the target information; and
a memory coupled to the processor and configured to provide the processor with instructions.
|