Abstract: Systems, methods, and software described herein provide for identifying recommended feature sets for new security applications. In one example, a method of providing recommended feature sets for a new security application includes identifying a request for the new security application, and determining a classification for the new security application. The method further provides identifying related applications to the new security application based on the classification, and identifying a feature set for the new security application based on features provided in the related applications.

Abstract: Systems, methods, and software described herein provide for validating security actions before they are implemented in a computing network. In one example, a computing network may include a plurality of computing assets that provide a variety of different operations. During the operations of the network, administration systems may generate and provide security actions to prevent or mitigate the effect of a security threat on the network. However, prior to implementing the security actions within the network, computing assets may exchange security parameters with the administration systems to verify that the security actions are authentic.

Abstract: Systems, methods, and software described herein provide for responding to security threats in a computing environment based on the classification of computing assets in the environment. In one example, a method of operating an advisement computing system includes identifying a security threat for an asset in the computing environment, and identifying a classification for the asset in relation to other assets within the computing environment. The method further provides determining a rule set for the security threat based on the classification for the asset and initiating a response to the security threat based on the rule set.

Abstract: Systems, methods, and software described herein provide security action recommendations to administrators of a computing environment. In one example, a method of operating an advisement system to provide action recommendations in a computing environment includes identifying a security incident for an asset in the computing environment. The method further includes, in response to identifying the security incident, gathering enrichment information about the security incident, and determining a rule set for the security incident based on the enrichment information. The method also provides recommending one or more actions to an administrator based on the rule set.

Abstract: Systems, methods, and software described herein provide security actions based on related security threat communications. In one example, a method of operating an advisement system includes identifying a security threat within the computing environment, wherein the computing environment comprises a plurality of computing assets. The method further provides obtaining descriptor information for the security threat, and retrieving related communication interactions based on the descriptor information. The method also includes generating a response to the security threat based on the related communication interactions.

Abstract: Systems, methods, and software described herein provide for managing service level agreements (SLAs) for security incidents in a computing environment. In one example, an advisement system identifies a rule set for a security incident based on enrichment information obtained for the security incident, wherein the rule set is associated with action recommendations to be taken against the incident. The advisement system further identifies a default SLA for the security incident based on the rule set, and obtains environmental characteristics related to the security incident. Based on the environmental characteristics, the advisement system determines a modified SLA for the security incident.

Abstract: Systems, methods, and software described herein provide enhancements for implementing security actions in a computing environment. In one example, a method of operating an advisement system to provide actions in a computing environment includes identifying a security incident in the computing environment, identifying a criticality rating for the asset, and obtaining enrichment information for the security incident from one or more internal or external sources. The method also provides identifying a severity rating for the security incident based on the enrichment information, and determining one or more security actions based on the enrichment information. The method further includes identifying effects of the one or more security actions on operations of the computing environment based on the criticality rating and the severity rating, and identifying a subset of the one or more security actions to respond to the security incident based on the effects.

Abstract: Systems, methods, and software described herein provide action recommendations to administrators of a computing environment based on effectiveness of previously implemented actions. In one example, an advisement system identifies a security incident for an asset in the computing environment, and obtains enrichment information for the incident. Based on the enrichment information a rule set and associated recommended security actions are identified for the incident. Once the recommended security actions are identified, a subset of the action recommendations are organized based on previous action implementations in the computing environment, and the subset is provided to an administrator for selection.

Abstract: Systems, methods, and software described herein provide for identifying and implementing security actions within a computing environment. In one example, a method of operating an advisement system to provide security actions in a computing environment includes identifying communication interactions between a plurality of computing assets and, after identifying the communication interactions, identifying a security incident in a first computing asset. The method further provides identifying at least one related computing asset to the first asset based on the communication interactions, and determining the security actions to be taken in the first computing asset and the related computing asset.

Abstract: Systems, methods, and software described herein provide security actions to computing assets of a computing environment. In one example, a method of operating an advisement system to manage security actions for a computing environment includes identifying a security incident for an asset in the environment, and obtaining enrichment information about the security incident. The method further includes identifying a rule set based on the enrichment information, identifying an action response based on the rule set, and initiating implementation of the action response in the computing environment.

Abstract: Systems, methods, and software described herein enhances how security actions are implemented within a computing environment. In one example, a method of implementing security actions for a computing environment comprising a plurality of computing assets includes identifying a security action in a command language for the computing environment. The method further provides identifying one or more computing assets related to the security action, and obtaining hardware and software characteristics for the one or more computing assets. The method also includes translating the security action in the command language to one or more action procedures based on the hardware and software characteristics, and initiating implementation of the one or more action procedures in the one or more computing assets.

Abstract: Systems, methods, and software described herein provide security actions based on the current state of a security threat. In one example, a method of operating an advisement system in a computing environment with a plurality of computing assets includes identifying a security threat within the computing environment. The method further includes, in response to identifying the security threat, obtaining state information for the security threat within the computing environment, and determining a current state for the security threat within the computing environment. The method also provides obtaining enrichment information for the security threat and determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.

Abstract: Techniques are provided for the detection of malicious software (malware) on a general purpose computing device. A challenge in detecting malicious software is that files are typically scanned for the presence of malicious intent only once (and subsequent rescanning is typically performed in a simplistic manner). Existing methods in the art do not address how to most effectively rescan collections of files in a way that tries to optimize performance and efficacy. These methods may also be useful if additional information is now available regarding a file that might be useful to an end-user or an administrator, even though the file's core disposition might not have changed. More specifically, we describe methods, components, and systems that perform data analytics to intelligently rescan file collections for the purpose of retroactively identifying malware and retroactively identifying clean files.

Abstract: The present invention relates to the security of general purpose computing devices, such as laptop or desktop PCs, and more specifically to the detection of malicious software (malware) on a general purpose computing device. A challenge in detecting malicious software is that files are typically scanned for the presence of malicious intent only once (and subsequent rescanning is typically performed in a simplistic manner). Existing methods in the art do not address how to most effectively rescan collections of files in a way that tries to optimize performance and efficacy. Accordingly we present novel methods, components, and systems for intelligently rescanning file collections and thereby enabling retroactive detection of malicious software and also retroactive identification of clean software. These methods may also be useful if additional information is now available regarding a file that might be useful to an end-user or an administrator, even though the file's core disposition might not have changed.

Abstract: Novel methods, components, and systems that enhance traditional techniques for detecting malicious software are presented. More specifically, we describe methods, components, and systems that leverage important contextual information from a client system (such as recent history of events on that system) to detect malicious software that might have otherwise gone ignored. The disclosed invention provides a significant improvement with regard to detection capabilities compared to previous approaches.

Abstract: Novel methods, components, and systems for detecting malicious software in a proactive manner are presented. More specifically, we describe methods, components, and systems that leverage machine learning techniques to detect malicious software. The disclosed invention provides a significant improvement with regard to detection capabilities compared to previous approaches.

Abstract: Novel methods, components, and systems for automatically detecting malicious software are presented. More specifically, methods, components, and systems for the automated deployment of generic signatures to detect malicious software. Even more specifically, computer implemented methods for determining whether a software application is likely malicious including computing at a client component a generic fingerprint for a software application, transmitting the generic fingerprint data to a server component, receiving at the client component information from the server component relating to the generic fingerprint of the software application, and following a prescribed set of actions based on the information received from the server.

Abstract: A system retroactively detects malicious software on an end user system without performing expensive cross-referencing directly on the endpoint device. A client provides a server with information about files that are on it together with what it knows about these files. The server tracks this information and cross-references it against new intelligence it gathers on clean or malicious files. If a discrepancy in found (i.e., a file that had been called malicious, but that is actually benign or vice versa), the server informs the client, which in turn takes an appropriate action based on this information.

Abstract: Novel methods, components, and systems that enhance traditional techniques for detecting malicious software are presented. More specifically, methods, components, and systems that use important contextual information from a client system (such as recent history of events on that system), machine learning techniques, the automated deployment of generic signatures, and combinations thereof, to detect malicious software. The disclosed invention provides a significant improvement with regard to automation compared to previous approaches.

Abstract: A system for retroactively detecting malicious software on an end user system without performing expensive cross-referencing directly on the endpoint device. A client provides a server with information about files that are on it together with what it knows about these files. The server tracks this information and cross-references it against new intelligence it gathers on clean or malicious files. If a discrepancy is found (i.e., a file that had been called malicious, but that is actually benign or vice versa), the server informs the client, which in turn takes an appropriate action based on this information.