Patents Examined by Teshome Hailu
  • Patent number: 11558405
    Abstract: This disclosure is related to methods and apparatus used for preventing malicious content from reaching a destination via a dynamic analysis engine that may operate in real-time when packetized data is received. Data packets sent from a source computer may be received and be forwarded to an analysis computer that may monitor actions performed by executable program code included within the set of data packets when making determinations regarding whether the data packet set should be classified as malware. In certain instances all but a last data packet of the data packet set may also be sent to the destination computer while the analysis computer executes and monitors the program code included in the data packet set. In instances when the analysis computer identifies that the data packet set does include malware, the malware may be blocked from reaching the destination computer by not sending the last data packet to the destination computer.
    Type: Grant
    Filed: December 21, 2020
    Date of Patent: January 17, 2023
    Assignee: SonicWALL Inc.
    Inventors: Senthil Cheetancheri, Alex Dubrovsky, Sachin Holagi
  • Patent number: 11558415
    Abstract: Techniques are described for improving real-time application protection (RTAP) systems (e.g., web application firewalls (WAFs), runtime application self-protection (RASP) systems). In particular, a device within a trusted network may be configured to identify risks of the RTAP systems. For example, the device may compare a plurality of attack signatures from configuration settings of an application protection system to a plurality of defects from a defect data store; determine that at least one configuration setting of the application protection system corresponding to an application does not include protections for at least one defect of the plurality of defects; and in response to determining that the at least one configuration setting of the application protection system does not include protections for the at least one defect, generate an alert corresponding to the at least one defect.
    Type: Grant
    Filed: December 15, 2020
    Date of Patent: January 17, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Matthew Thomas McDonald, Jeremy W. Long, Mitch Moon, Isaiah Adonu
  • Patent number: 11539737
    Abstract: A method for providing protection of a computing resource constrained device against cyberattacks may include collecting threat intelligence data in the form of indicators of compromise (IoC). The indicators may include cyberattack chain related data. The method may also include determining a relevance of the cyberattack chain for the device, measuring a utilization of security measures in terms of their detection of the respective IoCs and their respective responses to the IoCs, measuring a resource consumption of the security measures, and determining a benefit value for at least one of the security measures expressed by its utilization and a relevance value of the IoCs detected with it.
    Type: Grant
    Filed: October 28, 2020
    Date of Patent: December 27, 2022
    Assignee: KYNDRYL, INC.
    Inventors: Tim Uwe Scheideler, Matthias Seul, Arjun Udupi Raghavendra, Andrea Giovannini
  • Patent number: 11539748
    Abstract: An orchestration system is described that is configured to receive a request to monitor compliance of an enterprise infrastructure and generate an infrastructure change that is associated with the compliance of the enterprise infrastructure, based at least in part on a set of predetermined criteria. In doing so, the orchestration system may further generate one or more infrastructure change events based at least in part on instances of the infrastructure change within the enterprise infrastructure. The orchestration system may further generate a verification report for the enterprise infrastructure, based at least in part on the one or more infrastructure change events, and transmit the verification report to a registered user associated with the request.
    Type: Grant
    Filed: January 22, 2019
    Date of Patent: December 27, 2022
    Assignee: ZeroNorth, Inc.
    Inventors: Ernesto Digiambattista, Andrei Bezdedeanu, Michael D. Kail
  • Patent number: 11539738
    Abstract: Mechanisms for mitigating damage resulting from a website being an intermediary in a cyberattack, comprising: detecting a domain name server query made to the website; making a request to the website; receiving a header in response to the request; inspecting the header to identify a software stack component of the website; cross-referencing the software stack component to a common vulnerabilities and exposures (CVE) database to identify a CVE that applies to the software stack component; applying a rule to determine the impact of the CVE on whether the website is a possible intermediary in a cyberattack; determining that the website is a possible intermediary in a cyberattack; and taking action on the website to mitigate damage resulting from the website being an intermediary in a cyberattack.
    Type: Grant
    Filed: March 24, 2020
    Date of Patent: December 27, 2022
    Assignee: McAfee, LLC
    Inventors: German Lancioni, Joseph Padron
  • Patent number: 11533332
    Abstract: Methods, systems, and computer-readable storage media for receiving a process aware AAG from computer-readable memory, the process aware AAG having been generated from the AAG, processing the process aware AAG to consolidate asset nodes to group nodes at least partially by providing metadata describing an asset node to a set of properties of a group node and pruning the asset node and any child nodes of the asset node from the process aware AAG, providing the aggregation graph by identifying relationships between group nodes and, for each relationship, inserting an edge between group nodes, and aggregating one or more of a set of node properties and a set of edge properties for each group node or edge, respectively, storing the aggregation graph to computer-readable memory, and executing one or more remedial actions in the enterprise network in response to analytics executed on the aggregation graph.
    Type: Grant
    Filed: June 25, 2021
    Date of Patent: December 20, 2022
    Assignee: Accenture Global Solutions Limited
    Inventors: Gal Engelberg, Dan Klein, Tomer Ram, Benny Rochwerger
  • Patent number: 11528294
    Abstract: Systems and methods for dynamically training a threat detection system include monitoring security analyst workflow data from security analysts analyzing scans of security logs. The workflow data includes rules applied to security log scan results, rule results selected for further analysis, tags applied to rule results, filters applied to rule results, rankings applied to rule results, or actions associated with a pivot by security analysts. A tagging classifier is then trained based on tags assigned to scan results. A review classifier is trained based on scan results previously reviewed by security analysts. A filter and ranking method is trained based on filters and rankings applied to the scan results. An automated threat hunting playbook is generated including the tagging classifier, the review classifier, and the filter and ranking method. The automated threat hunting playbook generates one or more scripts to automatically analyze incoming security data.
    Type: Grant
    Filed: February 18, 2021
    Date of Patent: December 13, 2022
    Assignee: Secureworks Corp.
    Inventors: Nicholas Bargnesi, Steven Versteeg, Li Sun
  • Patent number: 11522883
    Abstract: Systems and methods for creating and handling workspace indicators of compromise (IOC) based upon configuration drift are described. In some embodiments, a memory storage device may have program instructions stored thereon that, upon execution by one or more processors of an Information Handling System (IHS) of a workspace orchestration service, cause the IHS to: receive configuration information from a client IHS at a workspace orchestration service, where the configuration information represents a change in a configuration of a workspace executed by the client IHS, and where the workspace is instantiated based upon a workspace definition provided by the workspace orchestration service; determine, by the workspace orchestration service, that the configuration information matches an IOC; and transmit, from the workspace orchestration service to the client IHS, an instruction to perform an action responsive to the IOC.
    Type: Grant
    Filed: December 18, 2020
    Date of Patent: December 6, 2022
    Assignee: Dell Products, L.P.
    Inventors: Girish S. Dhoble, Nicholas D. Grobelny, Ricardo L. Martinez, Joseph Kozlowski
  • Patent number: 11522884
    Abstract: One embodiment of the described invention is directed to a key management module deployed within a cybersecurity system that operates as a multi-tenant Security-as-a-Service (SaaS) by relying on Infrastructure-as-a-Service (IaaS) cloud processing resources and cloud storage resources. The key management module is configured to assign a master key to a subscriber upon registration and, as requested, generate one or more virtual keys, based at least in part on the master key, for distribution to the subscriber. Each virtual key is included as part of a submission into the cybersecurity system and is used to authenticate the subscriber of the submission and verify that the subscriber is authorized to perform one or more tasks associated with the submission before the one or more tasks are performed.
    Type: Grant
    Filed: December 23, 2020
    Date of Patent: December 6, 2022
    Assignee: FireEye Security Holdings US LLC
    Inventors: Sai Vashisht, Sumer Deshpande
  • Patent number: 11503048
    Abstract: This disclosure describes techniques for identifying the criticality of an asset in a network. In an example method, a first security metric of a first asset in a network, as well as network data that identifies data flows associated with a second asset in the network are identified. The second asset is a nearest neighbor of the first asset in the network. The method includes determining, based on the network data, a number of hosts in the network that exchanged data traffic with the second asset during a time period and generating a second security metric of the second asset based on the first security metric and the number of hosts. A security policy of the second asset is adjusted based on the security metric.
    Type: Grant
    Filed: September 18, 2020
    Date of Patent: November 15, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Travis Nathan Sugarbaker, Srivatsa Shripathi Modambu
  • Patent number: 11496508
    Abstract: A network security system centrally manages security packages and deploys them to a network host that is identified as potentially compromised. A security package is selected or assembled to be targeted to the identified host. Security packages are designed to isolate identified hosts from other network resources and collect forensic information from the hosts without interfering with operations of the hosts. Once forensic information is collected, software packages can be dissolved from hosts. Collected forensic information can be used to analyze and mitigate threats on hosts.
    Type: Grant
    Filed: July 27, 2020
    Date of Patent: November 8, 2022
    Assignee: Target Brands, Inc.
    Inventors: Chris Carlson, Adam Lesperance
  • Patent number: 11496313
    Abstract: A method for sharing information has an assertion associated therewith such that the receiving communication device is able to verify the assertion without the sender revealing underlying data demonstrating the validity of the assertion. The assertion is derived from underlying data input to a pre-provisioned first algorithm. The assertion is encapsulated in a first data object by a PGE that controls an environment in which the first algorithm is executed. A first proof is generated that is configured to verify that the first algorithm used the underlying data to produce the assertion when provided to a PVE along with the first data object. The underlying data is excluded from the first proof and the first data object such that privacy of the underlying data is maintained. The information, the first proof and the first data object are sent to the receiving communication device from the sending communication device.
    Type: Grant
    Filed: June 9, 2020
    Date of Patent: November 8, 2022
    Assignee: SAFELISHARE, INC.
    Inventors: Shamim A. Naqvi, Robert Frank Raucci, Goutham Puppala
  • Patent number: 11494471
    Abstract: An apparatus to detect the presence of a user includes, in one embodiment, an infrared sensor that passively detects infrared light radiated from an observation target, a heat source arranged proximate the infrared sensor, and a determinator that determines whether the observation target is present in response to information changing along with an operational situation of the heat source and infrared data detected by the infrared sensor. A method and a computer program product also perform functions of the apparatus.
    Type: Grant
    Filed: May 29, 2019
    Date of Patent: November 8, 2022
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventor: Kazuhiro Kosugi
  • Patent number: 11483336
    Abstract: Certain edge networking devices such as application gateways may report status to a cloud-based threat management platform using a persistent network connection between the gateway and the cloud platform. Where a cloud computing platform for an edge networking device or the threat management platform imposes periodic timeouts, the threat management platform may monitor connects and disconnects for edge devices and asynchronously evaluate connection status of edge devices independently of a heartbeat or other signal through the persistent connection in order to distinguish periodic timeouts imposed by the cloud computing platform from networking devices that are compromised or malfunctioning.
    Type: Grant
    Filed: March 25, 2021
    Date of Patent: October 25, 2022
    Assignee: Sophos Limited
    Inventors: Sanjeev Kumar Maheve, Biju Ramachandra Kaimal, Venkata Suresh Reddy Obulareddy, Neha Parshottam Patel
  • Patent number: 11477023
    Abstract: A method for cryptographic processing includes: storing an initial value as the current value; implementing a predetermined number of first steps, including one involving obtaining second data by applying a first cryptographic algorithm to first data, the others each involving the application of the first cryptographic algorithm to the current value and the storage of the result as the new current value; implementation of the predetermined number of second steps, including one involving the obtaining of fourth data by applying, to third data, a second cryptographic algorithm that is the inverse of the first cryptographic algorithm, the others each involving the application of the second cryptographic algorithm to the current value and the storage of the result as the new current value; and verification of the equality of the first data and the fourth data, and of the equality of the current value and the initial value.
    Type: Grant
    Filed: November 21, 2018
    Date of Patent: October 18, 2022
    Assignee: IDEMIA FRANCE
    Inventors: Franck Rondepierre, Luk Bettale
  • Patent number: 11477011
    Abstract: An administrator installs a key management agent on a previously approved client machine. The agent is started on the client machine, which posts requests for keys to a central key management service. The central key management service logs requests posted to it by clients, and checks for existing pre-approval records. If none are found, a message is typically sent to an approver for the requesting client machine. When a request is verified as approved, the request is flagged for further processing. The supported systems continuously or periodically look for records flagged for processing, use requests to generate keys and other appropriate elements for the requesting client machine, and post keys and other elements to the key management database. The key management agent polls the central key management service periodically until finding the expected key file, which it downloads and installs into a protected file location on the client machine.
    Type: Grant
    Filed: August 1, 2019
    Date of Patent: October 18, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Douglas Pelton, Waeed Sherzai, Catherine Li, Ruven Schwartz
  • Patent number: 11477162
    Abstract: Systems and methods for receiving information on network firewall policy configurations are disclosed. Based on the received firewall configuration information, a configuration of a firewall and/or subnet of network devices is automatically provisioned and/or configured to control network traffic to and from the subnet.
    Type: Grant
    Filed: September 3, 2020
    Date of Patent: October 18, 2022
    Assignee: Level 3 Communications, LLC
    Inventors: Jin-Gen Wang, Travis D. Ewert
  • Patent number: 11463470
    Abstract: Methods and systems for performing an electronic security assessment of a building automation system are provided. The building automation system includes a controller and a network of electronic devices connected in electronic communication. The method includes requesting, by the controller, an electronic security scan of the controller with a data set of the controller via a secured channel to a cloud-based service. The method also includes initiating the electronic security scan of the controller based on the data set of the controller. The method further includes electronically assessing security vulnerabilities of the building automation system. The method also includes electronically assessing, by the controller, security vulnerabilities of the network of electronic devices connected in electronic communication with the controller.
    Type: Grant
    Filed: December 29, 2020
    Date of Patent: October 4, 2022
    Assignee: TRANE INTERNATIONAL INC.
    Inventors: Udhaya Kumar Dayalan, Brian Meyers, Mangayarkarasi Sivagnanam
  • Patent number: 11463419
    Abstract: Disclosed is a file security method for reinforcing file security. The method may include: by a first communication device, detecting an access to a file stored in a virtual drive; by the first communication device, requesting a decryption key of the file from a second communication device and receiving the decryption key; and by the first communication device, decrypting the access-detected file by using the decryption key.
    Type: Grant
    Filed: December 11, 2019
    Date of Patent: October 4, 2022
    Assignee: Facecon Co., Ltd.
    Inventors: Giho Yang, Jae-Yeob Hwang
  • Patent number: 11444759
    Abstract: A method of cryptographically binding a secure element to a host device includes storing host key information in a host key information slot of the secure element and storing binding information in secure memory of the secure element. The binding information is correlated with the host key information. The method includes storing a second secret key within system operational code of the host device. The second secret key is cryptographically correlated with the host key information. The method includes, after storing the binding information and after storing the second secret key, operationally coupling the secure element to the host device, reading, by the host device, the binding information from the secure element, generating, by the host device, the host key information using the binding information and the second secret key, and storing, by the host device, the host key information in a host key information slot of the host device.
    Type: Grant
    Filed: May 29, 2019
    Date of Patent: September 13, 2022
    Assignee: STMICROELECTRONICS, INC.
    Inventor: Giuseppe Pilozzi