Abstract: Provided herein are systems and methods of tracing data. A tracing engine may receive, via the user interface, a selection of a target file or an event involving the target file. The tracing engine may generate, responsive to receiving the selection, a trace of first data in the target file to a plurality of file instances in a network each having at least one version of the first data. Each of the plurality of file instances may be related to at least the target file or another of the plurality of file instances via at least one file operation or data operation. The tracing engine may render, via a user interface, the generated trace.

Abstract: The present disclosure pertains to methods and systems for protecting data or other resources from malware. A driver executing in kernel mode of an operating system on a computing device may monitor one or more processes allowed to execute on the computing device. The one or more processes may include a first executing process. The driver may detect an attempt by a first thread of execution of the first executing process to access a protected file. The driver, responsive to the detection may identify a file type of the protected file. The driver, responsive to the identification of the file type, may determine whether the process is in a list of processes allowed for the file type. The drive may, responsive to determination, determine whether to deny or allow the first thread to access the protected file while allowing another thread of the executing process to execute on the computing device.

Abstract: Provided herein are systems and methods for defining and securely sharing objects for use in preventing data breach or exfiltration. Memory may be configured to store a plurality of objects for use in preventing data breach or exfiltration. A validation engine can validate the objects, incorporate into each object an object identifier and a signature, and generate a subset of the objects for use by a first user. The validation engine can store, in the memory, the plurality of objects as a superset of objects corresponding to the generated subset. An evaluation engine may, responsive to identifying that one or more object identifiers and signatures in a received set of objects belong to the subset corresponding to the stored superset, verify whether any object in the received set has been tampered with.

Abstract: Provided herein are systems and methods for risk tracking. A tracker engine executable on servers may provide, in a user interface, a plurality of categories of locations for files in a networked environment. The tracker engine may identify in the user interface risk categories of the files in each of the categories of the locations. The tracker engine may provide, in the user interface, types of egress points for the files. The tracker engine may generate links between the categories of the locations of the files, the risk categories of the files and the types of egress points for the files. Details about each of the files may be navigable from the user interface via a corresponding category of a location of the file, a corresponding risk category of the file or a corresponding type of egress point for the file.

Abstract: Provided herein are systems and methods for multi-event correlation. Receiving a stream of events, each leaf rule engine may detect a plurality of events from the stream that matches a characteristic for the leaf rule engine. Each leaf rule engine may identify, from the plurality of events and within a time window, a group of events that satisfies a condition for the respective leaf rule engine. A root conditions engine may receive a stream of leaf events corresponding to the group of events identified by each leaf rule engine. The root conditions engine may identify, from the received stream of leaf events and within a root time window, a collection of events that satisfies a condition for the root conditions engine. A trigger may execute an action according to the collection of events identified within the root time window.

Abstract: Provided herein are systems and methods for protecting data from injected malware. In some embodiments, a virtual memory validator may execute in user mode memory space on a computing device. The virtual memory validator may monitor an execution stack of an executing thread of a process. The virtual memory validator may identify a memory address referenced in the execution stack, responsive to the process attempting to access a protected resource. The virtual memory validator may determine that the memory address refers to a memory region that is designated as executable. The virtual memory validator may determine that the memory address is outside memory regions identified in a memory range map. The virtual memory validator may, responsive to the determination, identify the process as a potential malware process.

Abstract: Provided herein are systems and methods for protecting data from injected malware. In some embodiments, a virtual memory validator may execute in user mode memory space on a computing device. The virtual memory validator may monitor an execution stack of an executing thread of a process. The virtual memory validator may identify a memory address referenced in the execution stack, responsive to the process attempting to access a protected resource. The virtual memory validator may determine that the memory address refers to a memory region that is designated as executable. The virtual memory validator may determine that the memory address is outside memory regions identified in a memory range map. The virtual memory validator may, responsive to the determination, identify the process as a potential malware process.

Abstract: Provided herein are systems and methods for generating policies for a new application using a virtualized environment. Prior to allowing a new application to operate on a host system, the new application may be installed in a virtual environment. A first program execution restrictor of the virtualized environment may determine a set of policies for the new application. The set of policies may allow the new application to add specific program elements during installation and execution in the virtualized environment. The first program execution restrictor may verify an absence of malicious behavior from the new application while the new application executes in the virtualized environment. The new application may be executed on the host system responsive to the verification. The host system may have a second program execution restrictor that applies the set of policies when the new application is allowed to execute on the host system.

Abstract: Provided herein are systems and methods for generating policies for a new application using a virtualized environment. Prior to allowing a new application to operate on a host system, the new application may be installed in a virtual environment. A first program execution restrictor of the virtualized environment may determine a set of policies for the new application. The set of policies may allow the new application to add specific program elements during installation and execution in the virtualized environment. The first program execution restrictor may verify an absence of malicious behavior from the new application while the new application executes in the virtualized environment. The new application may be executed on the host system responsive to the verification. The host system may have a second program execution restrictor that applies the set of policies when the new application is allowed to execute on the host system.

Abstract: Provided herein are systems and methods for generating policies for a new application using a virtualized environment. Prior to allowing a new application to operate on a host system, the new application may be installed in a virtual environment. A first program execution restrictor of the virtualized environment may determine a set of policies for the new application. The set of policies may allow the new application to add specific program elements during installation and execution in the virtualized environment. The first program execution restrictor may verify an absence of malicious behavior from the new application while the new application executes in the virtualized environment. The new application may be executed on the host system responsive to the verification. The host system may have a second program execution restrictor that applies the set of policies when the new application is allowed to execute on the host system.

Abstract: Systems and methods for enhanced DOM and event mirroring and security in web applications provides an intermediate Master Browser between web content and client devices to improve security and other enhancements.

Abstract: Systems and methods for enhanced DOM and event mirroring and security in web applications provides an intermediate Master Browser between web content and client devices to improve security and other enhancements.