Patents by Inventor Igor A. Baikalov

Igor A. Baikalov has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240031391
    Abstract: A method includes generating, by a processing device, at least one security zone comprising a set of objects of a computing environment using at least one identity system, and identifying, by the processing device, a set of attack paths leading to the at least one security zone. Each attack path of the set of attack paths includes a respective target object accessible via a respective source object through at least one control relationship, and each target object is included within the set of objects of the at least one security zone. The method further includes performing, by the processing device based on the set of attack paths, attack path monitoring and risk mitigation.
    Type: Application
    Filed: June 23, 2023
    Publication date: January 25, 2024
    Inventors: Igor Baikalov, Guy Teverovsky, Gil Kirkpatrick, Elad Shamir
  • Patent number: 11468371
    Abstract: A method of explaining the reasons for a prediction made by a machine learning ensemble prediction process as to the probability of an outcome for a target observation following training on a plurality of training observations determines the similarity between the target observation and each training observation of a set of said training observations; selects a fraction of the training observations that are most similar to said target observation; ranks the training observations by similarity of each training observation to the target observation; and determines the significance of the features of the ranked training observations to the prediction based upon the increase in variance in a local prediction model when a feature is removed from the local model.
    Type: Grant
    Filed: September 22, 2018
    Date of Patent: October 11, 2022
    Assignee: Securonix, Inc.
    Inventors: Igor A. Baikalov, Joseph Samuel Miller, Tanuj Gulati, Rakesh Palacherla
  • Publication number: 20200097858
    Abstract: A method of explaining the reasons for a prediction made by a machine learning ensemble prediction process as to the probability of an outcome for a target observation following training on a plurality of training observations determines the similarity between the target observation and each training observation of a set of said training observations; selects a fraction of the training observations that are most similar to said target observation; ranks the training observations by similarity of each training observation to the target observation; and determines the significance of the features of the ranked training observations to the prediction based upon the increase in variance in a local prediction model when a feature is removed from the local model.
    Type: Application
    Filed: September 22, 2018
    Publication date: March 26, 2020
    Applicant: Securonix, Inc.
    Inventors: Igor A. Baikalov, Joseph Samuel Miller, Tanuj Gulati, Rakesh Palacherla
  • Patent number: 10282702
    Abstract: Embodiments of the invention relate to systems, methods, and computer program products that provide for an employee security risk score. The security risk score is presented as an extensible composite vector that supports an arbitrary number of risk categories. The risk categories can be aggregated at any level in the business hierarchy or according to any employee parameter. The simplistic, highly normalized approach to employee security risk scoring reduces redundancies and dependencies and provides for real-time updates. As such, the employee security risk scoring system provides for easily identifiable recognition of employees who pose security threats and for a means to track and monitor security risks posed by the employee based on their security risk score.
    Type: Grant
    Filed: January 4, 2010
    Date of Patent: May 7, 2019
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Cris T. Paltenghe, Igor Baikalov, Craig Kirby, Ravi Pritmani, Craig Froelich
  • Patent number: 9973904
    Abstract: A computing platform may receive, from a plurality of computing systems, data identifying permissions of a plurality of users to access one or more resources of the plurality of computing systems. The computing platform may identify, from amongst the plurality of users, a plurality of groups of users. The computing platform may identify, from amongst the permissions, a plurality of sets of permissions. Each set of permissions may include permissions shared by each user of a group of users of the plurality of groups of users. The computing platform may generate a graphical depiction of the plurality of groups of users and the plurality of sets of permissions. The graphical depiction may graphically depict, for each group of the plurality of groups, one or more sets of permissions, of the plurality of sets of permissions, shared by each user of the group.
    Type: Grant
    Filed: September 15, 2014
    Date of Patent: May 15, 2018
    Assignee: Bank of America Corporation
    Inventors: Igor A. Baikalov, Armen Moloian, David Pritchard
  • Patent number: 9800605
    Abstract: Threat risks to an enterprise are detected and assessed by assembling singular threats identified using both direct and behavioral threat indicators into composite threats to create complex use cases across multiple domains, and to amplify risks along kill chains of known attacks for early detection. Composite threat risk scores are computed from risk scores of singular threats to exponentially increase with the number of events observed along the kill chain. Composite threats are combined with normalized values of static risk and inherent risk for an entity of the enterprise to produce an entity risk score representative of the overall risk to the entity.
    Type: Grant
    Filed: October 30, 2015
    Date of Patent: October 24, 2017
    Assignee: Securonix, Inc.
    Inventors: Igor A. Baikalov, Tanuj Gulati, Sachin Nayyar, Anjaneya Shenoy, Ganpatrao H. Patwardhan
  • Patent number: 9584525
    Abstract: Systems, methods, and devices for predicting entitlements to computing resources are described. An entitlement associated with a user of a computer system may be identified. The entitlement may indicate a computing resource of the computer system that is accessible to the user. A set of attributes associated with the user may be selected, and an entitlement probability value may be obtained. The entitlement probability value may be based on the set of attributes and indicate a probability that the user is authorized to have the entitlement. The entitlement probability value may be used to determine whether to include the entitlement in an access review. Depending on the entitlement probability value the entitlement may be included in the access review or excluded from the access review.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: February 28, 2017
    Assignee: Bank of America Corporation
    Inventors: Igor A. Baikalov, Randy Jia
  • Patent number: 9544321
    Abstract: Anomalous activities in a computer network are detected using adaptive behavioral profiles that are created by measuring at a plurality of points and over a period of time observables corresponding to behavioral indicators related to an activity. Normal kernel distributions are created about each point, and the behavioral profiles are created automatically by combining the distributions using the measured values and a Gaussian kernel density estimation process that estimates values between measurement points. Behavioral profiles are adapted periodically using data aging to de-emphasize older data in favor of current data. The process creates behavioral profiles without regard to the data distribution. An anomaly probability profile is created as a normalized inverse of the behavioral profile, and is used to determine the probability that a behavior indicator is indicative of a threat. The anomaly detection process has a low false positive rate.
    Type: Grant
    Filed: July 28, 2015
    Date of Patent: January 10, 2017
    Assignee: Securonix, Inc.
    Inventors: Igor A. Baikalov, Tanuj Gulati, Sachin Nayyar, Anjaneya Shenoy, Ganpatrao H. Patwardhan
  • Patent number: 9516041
    Abstract: Systems and methods are disclosed for responding to security events in real time. The disclosed systems and methods utilize the vast amount of risk and asset knowledge collected in a security data warehouse and aggregated in a security information manager, without the expense and latency associated with performing such calculations in real time. The disclosed systems and methods, thereby, significantly extend the time intervals feasible for temporal analysis.
    Type: Grant
    Filed: July 25, 2013
    Date of Patent: December 6, 2016
    Assignee: Bank of America Corporation
    Inventors: Igor A. Baikalov, Craig Froelich, Terry McConnell, John P. McGloughlin, Jr.
  • Publication number: 20160226901
    Abstract: Anomalous activities in a computer network are detected using adaptive behavioral profiles that are created by measuring at a plurality of points and over a period of time observables corresponding to behavioral indicators related to an activity. Normal kernel distributions are created about each point, and the behavioral profiles are created automatically by combining the distributions using the measured values and a Gaussian kernel density estimation process that estimates values between measurement points. Behavioral profiles are adapted periodically using data aging to de-emphasize older data in favor of current data. The process creates behavioral profiles without regard to the data distribution. An anomaly probability profile is created as a normalized inverse of the behavioral profile, and is used to determine the probability that a behavior indicator is indicative of a threat. The anomaly detection process has a low false positive rate.
    Type: Application
    Filed: July 28, 2015
    Publication date: August 4, 2016
    Applicant: Securonix, Inc.
    Inventors: Igor A. Baikalov, Tanuj Gulati, Sachin Nayyar, Anjaneya Shenoy, Ganpatrao H. Patwardhan
  • Publication number: 20160226905
    Abstract: Threat risks to an enterprise are detected and assessed by assembling singular threats identified using both direct and behavioral threat indicators into composite threats to create complex use cases across multiple domains, and to amplify risks along kill chains of known attacks for early detection. Composite threat risk scores are computed from risk scores of singular threats to exponentially increase with the number of events observed along the kill chain. Composite threats are combined with normalized values of static risk and inherent risk for an entity of the enterprise to produce an entity risk score representative of the overall risk to the entity.
    Type: Application
    Filed: October 30, 2015
    Publication date: August 4, 2016
    Applicant: SECURONIX, INC.
    Inventors: Igor A. Baikalov, Tanuj Gulati, Sachin Nayyar, Anjaneya Shenoy, Ganpatrao H. Patwardhan
  • Publication number: 20160080224
    Abstract: A computing platform may receive, from a plurality of computing systems, data identifying permissions of a plurality of users to access one or more resources of the plurality of computing systems. The computing platform may identify, from amongst the plurality of users, a plurality of groups of users. The computing platform may identify, from amongst the permissions, a plurality of sets of permissions. Each set of permissions may include permissions shared by each user of a group of users of the plurality of groups of users. The computing platform may generate a graphical depiction of the plurality of groups of users and the plurality of sets of permissions. The graphical depiction may graphically depict, for each group of the plurality of groups, one or more sets of permissions, of the plurality of sets of permissions, shared by each user of the group.
    Type: Application
    Filed: September 15, 2014
    Publication date: March 17, 2016
    Inventors: Igor A. Baikalov, Armen Moloian, David Pritchard
  • Publication number: 20150373028
    Abstract: Systems, methods, and devices for predicting entitlements to computing resources are described. An entitlement associated with a user of a computer system may be identified. The entitlement may indicate a computing resource of the computer system that is accessible to the user. A set of attributes associated with the user may be selected, and an entitlement probability value may be obtained. The entitlement probability value may be based on the set of attributes and indicate a probability that the user is authorized to have the entitlement. The entitlement probability value may be used to determine whether to include the entitlement in an access review. Depending on the entitlement probability value the entitlement may be included in the access review or excluded from the access review.
    Type: Application
    Filed: August 31, 2015
    Publication date: December 24, 2015
    Inventors: Igor A. Baikalov, Randy Jia
  • Patent number: 9178899
    Abstract: Automated site scans are often seen as precursors to a cyber attack, from URI enumeration and version mapping to timing scans used to identify the most valuable DDoS targets. Disclosed are methods and apparatuses for detecting automated site scans and identifying the source of cyber attacks. Honeypot links are provided on a web page via a server. If multiple honeypot links are selected by a visitor of the web page, the server may identify the visitor as an automated system and generate a session ID. The server induces an artificial delay prior to displaying the data associated with the selected honeypot link. After a subsequent attack, the server is able to identify the attacker by association with the stored session ID of an automated site scan.
    Type: Grant
    Filed: August 28, 2013
    Date of Patent: November 3, 2015
    Assignee: Bank of America Corporation
    Inventor: Igor A. Baikalov
  • Patent number: 9147055
    Abstract: Systems, methods, and devices for predicting entitlements to computing resources. An entitlement associated with a user of a computer system may be identified. The entitlement may indicate a computing resource of the computer system that is accessible to the user. A set of attributes associated with the user may be selected, and an entitlement probability value may be obtained. The entitlement probability value may be based on the set of attributes and indicate a probability that the user is authorized to have the entitlement. The entitlement probability value may be used to determine whether to include the entitlement in an access review. Depending on the entitlement probability value the entitlement may be included in the access review or excluded from the access review.
    Type: Grant
    Filed: August 29, 2013
    Date of Patent: September 29, 2015
    Assignee: Bank of America Corporation
    Inventors: Igor A. Baikalov, Randy Jia
  • Patent number: 9060021
    Abstract: Methods and apparatus for detecting a network attack are disclosed. A sensor grid may be established in a network (e.g., an enterprise network). The sensors may monitor network assets across various network layers and transmit to a server signals that indicate the probability of an attack on the network. The server may apply an amplification algorithm to combine and amplify all of the received signals into a single signal that more accurately displays the probability of an attack on the network.
    Type: Grant
    Filed: August 30, 2013
    Date of Patent: June 16, 2015
    Assignee: Bank of America Corporation
    Inventor: Igor A. Baikalov
  • Publication number: 20150066575
    Abstract: Methods and apparatus are disclosed for assessing risk in an enterprise. A server may receive risk scores indicating an asset's risk level across various risk vectors. The server may aggregate the risk scores and assess score ranges for each risk vector. For each risk vector, the server may then segregate the risk scores based on their rank amongst the other risk scores within the range (e.g., top 10%, bottom 60%, and the like). Next, the server may apply a grading rubric to assign grades for each percentage (e.g., top 10% is an F grade, bottom 60% is an A grade, and the like) and assign grade points (e.g., an F grade is a 0.0, an A grade is a 4.0, and the like). By calculating a grade point average, the server may be able to provide a uniform system of assessing and evaluating risk across all assets in the enterprise.
    Type: Application
    Filed: August 28, 2013
    Publication date: March 5, 2015
    Applicant: Bank of America Corporation
    Inventors: Igor A. Baikalov, Brian F. McHugh
  • Publication number: 20150067850
    Abstract: Methods and apparatus for detecting a network attack are disclosed. A sensor grid may be established in a network (e.g., an enterprise network). The sensors may monitor network assets across various network layers and transmit to a server signals that indicate the probability of an attack on the network. The server may apply an amplification algorithm to combine and amplify all of the received signals into a single signal that more accurately displays the probability of an attack on the network.
    Type: Application
    Filed: August 30, 2013
    Publication date: March 5, 2015
    Applicant: Bank of America Corporation
    Inventor: Igor A. Baikalov
  • Publication number: 20150067889
    Abstract: Systems, methods, and devices for predicting entitlements to computing resources. An entitlement associated with a user of a computer system may be identified. The entitlement may indicate a computing resource of the computer system that is accessible to the user. A set of attributes associated with the user may be selected, and an entitlement probability value may be obtained. The entitlement probability value may be based on the set of attributes and indicate a probability that the user is authorized to have the entitlement. The entitlement probability value may be used to determine whether to include the entitlement in an access review. Depending on the entitlement probability value the entitlement may be included in the access review or excluded from the access review.
    Type: Application
    Filed: August 29, 2013
    Publication date: March 5, 2015
    Applicant: Bank of America Corporation
    Inventors: Igor A. Baikalov, Randy Jia
  • Publication number: 20150067848
    Abstract: Automated site scans are often seen as precursors to a cyber attack, from URI enumeration and version mapping to timing scans used to identify the most valuable DDoS targets. Disclosed are methods and apparatuses for detecting automated site scans and identifying the source of cyber attacks. Honeypot links are provided on a web page via a server. If multiple honeypot links are selected by a visitor of the web page, the server may identify the visitor as an automated system and generate a session ID. The server induces an artificial delay prior to displaying the data associated with the selected honeypot link. After a subsequent attack, the server is able to identify the attacker by association with the stored session ID of an automated site scan.
    Type: Application
    Filed: August 28, 2013
    Publication date: March 5, 2015
    Applicant: Bank of America Corporation
    Inventor: Igor A. Baikalov