Abstract: A method performed by a Cloud Access Security Broker (CASB) service includes scanning data stored in one of a cloud provider and a Software-as-a-Service (SaaS) application, wherein the data is for a user associated with a company of a plurality of companies; detecting an incident in a file or email in the data during the scanning; maintaining details of the incident in an in-memory data store, including a current snapshot of the file or email; and providing a notification to the tenant of the incident. The method can further include, subsequent to the incident and while the file or email is being updated, updating the details of the incident in the in-memory data store.

Abstract: Systems and methods of Exact Data Matching (EDM) include receiving customer specific sensitive data for a customer, wherein the customer specific sensitive data are converted into a plurality of tokens; receiving a configuration for exact data matching of the plurality of tokens; performing inline monitoring of a user associated with the customer; detecting a presence of one or more tokens of the plurality of tokens based on the inline monitoring; and, responsive to the detecting, performing an action based on the configuration.

Abstract: Systems and methods include, responsive to a request to access an application, wherein the application is in one of a public cloud, a private cloud, and an enterprise network, and wherein the user device is remote over the Internet, determining if a user of the user device is permitted to access the application and whether the application should be provided in an isolated browser; responsive to the determining, creating secure tunnels between the user device, an isolation service operating the isolated browser, and the application based on connection information; loading the application in the isolated browser, via the secure tunnels; and providing image content for the application to the user device, via the secure tunnels.

Abstract: Systems and methods include intercepting traffic on the user device; forwarding the traffic to a cloud-based system for security processing therein; and, responsive to unavailability of the cloud-based system preventing the forwarding, performing local security processing of the traffic at the user device including determining whether the traffic is allowed based on a cache at the user device, forwarding the traffic separate from the cloud-based system when it is allowed, and blocking the traffic when it is not allowed.

Abstract: Systems and methods include responsive to a user initiating a session with a resource, determining a master fingerprint of a device associated with the user; collecting, at predefined time intervals, one or more additional fingerprints during the session; comparing the one or more additional fingerprints with the master fingerprint; and performing one or more actions based on the comparing.

Abstract: Systems and methods include obtaining criteria for selecting connectors for private application access in a cloud-based system; responsive to a request to access an application, by a user device, located in any of a public cloud, a private cloud, and an enterprise network, wherein the user device is remote over the Internet, determining a connector coupled to the application based on the criteria; and, responsive to a user of the user device being permitted to access the application, stitching together connections between the cloud-based system, the application, and the user device to provide access to the application.

Abstract: Techniques for using traceroute with tunnels and cloud-based systems for determining measures of network performance are presented. Systems and methods provide adaptive probing of a service path in a network, wherein the service path includes a plurality of legs. The systems and methods include, for one or more legs of the plurality of legs, sending a number of probes using one of a plurality of protocols; responsive to receiving a response from the number of probes, determining the one of the plurality of protocols is successful and storing this protocol the one or more legs; and, responsive to failure to receive the response, sending a number of probes using another one of the plurality of protocols and continuing until a successful protocol is determined or all of the plurality of protocols fail.

Abstract: Techniques for determining the path of User Datagram Protocol (UDP) traceroute probes using Transmission Control Protocol (TCP) and Internet Control Message Protocol (ICMP). Various embodiments include sending a plurality of probes to one or more legs in a network path; obtaining measurements from each of the plurality of probes for each of the one or more legs in the network path; and performing one or more actions based on the measurements from each of the plurality of probes. The steps further include overlapping the measurements to determine latency to a destination and identifying throttling of UDP traffic based on the overlapping of measurements from the plurality of probes.

Abstract: Systems and methods include establishing a control channel of a tunnel utilizing a first encryption technique, wherein the tunnel is between a local node including one or more processors and a remote node, and wherein the control channel includes a session identifier; establishing a data channel of the tunnel utilizing a second encryption technique, wherein the data tunnel is bound to the control channel based on the session identifier; performing, over the control channel, device authentication and user authentication of one or more users associated with the remote node, wherein each of the one or more users includes a user identifier; and, subsequent to the device authentication and the user authentication, exchanging data packets over the data channel with each data packet including a corresponding user identifier. The first encryption technique can be one of TLS and SSL, and the second encryption technique can be one of TLS and DTLS.

Abstract: Systems and methods include obtaining for a tenant a definition of a sub-cloud in a cloud-based system, wherein the cloud-based system includes a plurality of data centers geographically distributed, and wherein the sub-cloud includes a subset of the plurality of data centers; receiving a request, in a cloud system from a user device, to access an application for the tenant, wherein the application is constrained to the sub-cloud, and wherein the user device is remote over the Internet; determining if the user device is permitted to access the application; if the user device is not permitted to access the application, notifying the user device the application does not exist; and if the user device is permitted to access the application, stitching together connections between the sub-cloud, the application, and the user device to provide access to the application.

Abstract: Systems and methods for visualization monitoring data from a cloud-based system include obtaining monitoring data from a cloud-based system, wherein the monitoring data is based on transactions associated with a plurality of users of a cloud environment; providing a Graphical User Interface (GUI) comprising a plurality of columns wherein each column comprises a plurality of filter cards; obtaining a plurality of filter card selections as inputs from the GUI; and displaying log data based on the plurality of filter card selections. The monitoring data can be for one or more of cloud security service transactions, application access via a Zero Trust Network Access (ZTNA) service, user experience metrics, and files accessed via the cloud environment.

Abstract: A technique for microsegmentation includes receiving information related to hosts and applications operating in a network where the information was obtained based on a survey of the network; identifying a plurality of microsegments utilizing the information, each microsegment includes a set of hosts similar to one another; for each of the plurality of microsegments, identifying security policies that control access to hosts in each microsegment; and providing the plurality of microsegments and corresponding security policies for approval thereof.

Abstract: Systems and methods include receiving network communication information about hosts in a network and applications executed on the hosts; automatically generating one or more microsegments in the network based on analysis of the obtained network communication information, wherein each microsegment of the one or more microsegments is a grouping of resources including the hosts and the applications executed on the hosts that have rules for network communication; and providing the one or more microsegments to one or more hosts of the hosts, for use by the one or more hosts to allow or block communications locally based on the one or more microsegments. Each of the one or more microsegments can be a grouping of workloads inside a data center.

Abstract: The methods described herein include receiving a plurality of packets associated with a file, each of the plurality of packets comprising content, and a source domain; extracting one or more features from content of a first packet of the plurality of packets; applying a trained machine learning model to the extracted one or more features to determine a probability of maliciousness associated with the first packet; responsive to determining that the probability maliciousness of the first packet is between a first threshold value and a second threshold value, labeling the first packet as having an uncertain maliciousness; extracting one or more features from content of a second packet of the plurality of packets; and applying the trained machine learning model to the extracted one or more features of the first packet and the second packet to determine a probability of maliciousness associated with the second packet.

Abstract: Systems and methods for troubleshooting and performance analysis of a cloud-based service include receiving metrics over time from a plurality of analyzers, wherein the metrics include service-related metrics and network-related metrics related to a cloud-based service, wherein each analyzer of the plurality of analyzers is executed at one of a user device accessing the cloud-based service and in the cloud-based service, and wherein at least one analyzer is executed in the cloud-based service; analyzing the metrics to determine a status of the cloud-based service over the time; and identifying issues related to the cloud-based service utilizing the analyzed metrics over the time, wherein the issues include any of an issue on a particular user device, an issue in a network between a particular user device and the cloud service, and an issue within the cloud service.

Abstract: Systems and methods for in-memory malware unpacking and deobfuscation in a sandbox include, responsive to receiving unknown content, scanning an image of the unknown content for packed, obfuscated, or encrypted code; responsive to detecting the packed, obfuscated, or encrypted code performing steps of unpacking, deobfuscating, or decrypting the packed, obfuscated, or encrypted code; executing the unpacked, deobfuscated, or decrypted code; monitoring execution of the unpacked, deobfuscated, or decrypted code; obtaining events during the scanning and the execution; and providing the obtained events to the sandbox for use in a sandbox analysis for classifying the content as one of malware and clean.

Abstract: Systems and methods for alerting administrators of a monitored digital user experience include performing inline monitoring of network access between one or more users each with an associated user device executing an agent application, the Internet, and one or more cloud applications and private applications. The systems and methods also include obtaining device, application, and network metrics related to the inline monitoring from a cloud system and a logging and analytics system. The systems and methods further include comparing the metrics to one or more alerts comprising alert rules. The systems and methods yet further include sending a notification to one or more administrators when the metrics include data that satisfies the alert rules of the one or more alerts.

Abstract: Systems and methods include receiving a trained machine learning model that has been processed with training information removed therefrom, wherein the training information is utilized in training of the trained machine learning model; monitoring traffic, inline at the node, including processing the traffic with the trained machine learning model; obtaining a verdict on the traffic based on the trained machine learning model; and performing an action on the traffic based on the verdict.

Abstract: Systems and methods of Exact Data Matching (EDM) for identifying related tokens in data content using structured signature data implemented in a cloud-based system receiving data sets and customer configuration from a customer, wherein the data sets include customer specific sensitive data from a structured data source with each token represented by a hash value and the customer configuration includes one or more primary keys for a plurality of records in the data sets; distributing the data sets and the customer configuration to a plurality of nodes in the cloud-based system; performing monitoring of content between a client of the customer and an external network; detecting a presence of a plurality of tokens associated with a record in the customer specific sensitive data based on the monitoring; and performing a policy-based action in the cloud-based system based on the detecting.

Abstract: Techniques for using trace with tunnels and cloud-based systems for determining measures of network performance are presented. In an embodiment, a method includes determining a client application is being executed; determining an endpoint associated with the client application, based on any of monitoring application logs associated with the client application and network flows associated with the client application; and causing one or more probes to the determined endpoint and deriving metrics based on the one or more probes for determining performance of the client application.