Abstract: A data network is configured to pass data messages between hosted devices. A plurality of network sensors are configured to: sense operations of the data network; generate event objects that record the operations of the data network; and store an event-timestamp that records a first time at which the operations were sensed. A datastore is configured to: store the event objects in a bulk-memory; and store a reception-timestamp that records a second time at which the event object was received for storage. A rules-scheduler is configured to: identify at least one security-rule to be run, the security-rule specifying a time-length; identify a time-window having a beginning-time before the event-timestamp and an end-time after the event-timestamp; and cause the security rule to be run on the matching event objects.

Abstract: Systems and methods are provided for automatically analyzing emails that have been flagged as being potentially malicious (e.g., phishing attempts) to determine whether the permit or block the email. The systems and methods can use a scoring framework to determine whether the email is part of a phishing attempt. A set of rules are provided, and points are awarded to the email based on which of a set of rules are satisfied for the email. An email that exceeds a scoring threshold can be identified as a phishing attempt for potential evaluation, and can be routed to a security analyst for further analysis and process. After a predetermined period of time, the system can rerun analysis of emails which have not been identified as phishing attempts and determine if such emails now exceed the scoring threshold.

Abstract: A computer-implemented method includes monitoring, by a power monitor on a computer device, for a peripheral device connection. The peripheral device connection connecting a peripheral device to an input/output port of the computer device. The input/output port is configured to provide power from a power supply of the computer device to the peripheral device. In response to the monitoring for the peripheral device connection identifying the peripheral device connection, the method includes determining, by the power monitor, a device type and a negotiated power of the peripheral device as connected. The power monitor determines whether the negotiated power of the peripheral device as connected matches expected power information. In response to determining the negotiated power of the peripheral device does not match the expected power information, the power monitor takes action on the computer device.

Abstract: This document generally describes computer systems, processes, program products, and devices for the rapid and automated collection, storage, and analysis of network events to provide improved and enhanced security analysis. The system can include an extensible framework for pipelines to process, normalize, and decorate network events created in response to network activity, which can permit the system to readily scale up and down to ingest large volumes and variations in network activity. For example, pipeline can match data in the network events with stored Indicators of Compromise (IoCs) and decorate the network events with the IoCs before the network events are stored and subsequently analyzed.

Abstract: A network security system centrally manages security packages and deploy them to a network host that is identified as potentially compromised. A security package is selected or assembled to be targeted to the identified host. Security packages are designed to isolate identified hosts from other network resources and collect forensic information from the hosts without interfering with operations of the hosts. Once forensic information is collected, software packages can be dissolved from hosts. Collected forensic information can be used to analyze and mitigate threats on hosts.

Abstract: A plurality of network sensors are configured to sense the operations of a data network and, responsive to sensing the operations of the data network, generate event data objects that record the operations of the data network. One or more decorator pipelines are configured to decorate the event data objects with data other than from operations of the data network. A security frontend is configured to generate a graphical user interface (GUI) configured to provide, to a user, query-authoring tools, receiving a query in a structured language, provide responsive to receiving the query, results to the query from historic event data that was decorated before the query was received, receive approval for the query, and later execute the query on new event data that has been decorated after the approval for the query is received.

Abstract: A computer-implemented method includes monitoring, by a power monitor on a computer device, for a peripheral device connection. The peripheral device connection connecting a peripheral device to an input/output port of the computer device. The input/output port is configured to provide power from a power supply of the computer device to the peripheral device. In response to the monitoring for the peripheral device connection identifying the peripheral device connection, the method includes determining, by the power monitor, a device type and a negotiated power of the peripheral device as connected. The power monitor determines whether the negotiated power of the peripheral device as connected matches expected power information. In response to determining the negotiated power of the peripheral device does not match the expected power information, the power monitor takes action on the computer device.

Abstract: Systems and methods are provided for automatically analyzing emails that have been flagged as being potentially malicious (e.g., phishing attempts) to determine whether the permit or block the email. The systems and methods can use a scoring framework to determine whether the email is part of a phishing attempt. A set of rules are provided, and points are awarded to the email based on which of a set of rules are satisfied for the email. An email that exceeds a scoring threshold can be identified as a phishing attempt for potential evaluation, and can be routed to a security analyst for further analysis and process. After a predetermined period of time, the system can rerun analysis of emails which have not been identified as phishing attempts and determine if such emails now exceed the scoring threshold.

Abstract: This document generally describes computer systems, processes, program products, and devices for the rapid and automated collection, storage, and analysis of network events to provide improved and enhanced security analysis. The system can include an extensible framework for pipelines to process, normalize, and decorate network events created in response to network activity, which can permit the system to readily scale up and down to ingest large volumes and variations in network activity. For example, pipeline can match data in the network events with stored Indicators of Compromise (IoCs) and decorate the network events with the IoCs before the network events are stored and subsequently analyzed.

Abstract: A network security system centrally manages security pacakges and deploy them to a network host that is identified as potentially compromised. A security package is selected or assembled to be targeted to the identified host. Security packages are designed to isolate identified hosts from other network resources and collect forensic information from the hosts without interfering with operations of the hosts. Once forensic information is collected, software packages can be dissolved from hosts. Collected forensic information can be used to analyze and mitigate threats on hosts.

Abstract: A plurality of network sensors are configured to sense the operations of a data network and, responsive to sensing the operations of the data network, generate event data objects that record the operations of the data network. One or more decorator pipelines are configured to decorate the event data objects with data other than from operations of the data network. A security frontend is configured to generate a graphical user interface (GUI) configured to provide, to a user, query-authoring tools, receiving a query in a structured language, provide responsive to receiving the query, results to the query from historic event data that was decorated before the query was received, receive approval for the query, and later execute the query on new event data that has been decorated after the approval for the query is received.