Abstract: There is disclosed in an example a gateway device, including a hardware computing platform, and a secure domain name system (DNS) engine having circuitry and stored instructions to-program the circuitry, the secure DNS engine to communicatively couple to an endpoint via a local network, begin a secure DNS transaction with the endpoint, determine whether the endpoint supports delegated credentials, and after determining that the endpoint supports delegated credentials, establish a secure DNS session with the endpoint using a delegated credential.

Abstract: In one embodiment, an AR/VR system includes a social-networking application installed on the AR/VR system, which allows a user to access on online social network, including communicating with the user's social connections and interacting with content objects on the online social network. The AR/VR system also includes an AR/VR application, which allows the user to interact with an AR/VR platform by providing user input to the AR/VR application via various modalities. Based on the user input, the AR/VR platform generates responses and sends the generated responses to the AR/VR application, which then presents the responses to the user at the AR/VR system via various modalities.

Abstract: There is disclosed herein a computer-implemented system and method of providing wellness detect and response (WDR) security services for an enterprise, including computing, for the enterprise, a quantitative user-centric security posture, wherein computing the quantitative user-centric security posture comprises calculating, for a user, a quantitative user risk profile according to a combination of user role, user privileges, user behavior, and digital assets assigned to a user and owned by the enterprise.

Abstract: A computer-implemented method provides security services to an enterprise. The method computes, for a plurality of enterprise users, a plurality of user health scores based on respective protection statuses for a plurality of enterprise assets owned by respective users; computes, for the enterprise, an overall enterprise security status score based on the plurality of user health scores; graphically displays to an enterprise administrator the overall enterprise security status score; and presents to the enterprise administrator a plurality of action recommendations to improve the overall enterprise security status score.

Abstract: Some embodiments provide a novel method for assessing the suitability of network links for connecting compute nodes located at different geographic sites. The method of some embodiments identifies and analyzes sample packets from a set of flows exchanged between first and second compute sites that are connected through a first network link in order to identify attributes of the sampled packets. The method also computes attributes of predicted packets between the identified samples in order to identify attributes of each flow in the set of flows. The method then uses the identified and computed attributes of each flow in the set of flows to emulate the set of flows passing between the two compute sites through the second network link in order to assess whether a second network link should be used for future flows (e.g., future flows exchanged between the first and second compute sites).

Abstract: There is disclosed in an example, a gateway apparatus, including a hardware platform having a processor and a memory; a wireless network interface; and instructions encoded within the memory to instruct the processor to: provide a first virtual access point (VAP) secured by an IEEE 802.1x extensible authentication protocol (EAP) enterprise security method; provide a second VAP secured by a WiFi protected access pre-shared key (WPA-PSK) method; onboard a device, comprising determining whether the device supports the EAP method, and enrolling the device with the EAP method if the device supports the EAP method; and if the device does not support the EAP method, enrolling the device with the WPA-PSK method.

Abstract: There is disclosed in one example a network gateway device, including: a hardware platform including a processor and a memory; a network interface, including network interface hardware; and instructions encoded within the memory to instruct the processor to: receive from an endpoint device, via the network interface, a signed security posture data structure, the signed security posture data structure including information about a security posture of the endpoint device; cryptographically verify the signed security posture data structure; and according to the signed security posture data structure, assign a network security policy to the endpoint device.

Abstract: There is disclosed in one example an enrollment over secure transport (EST)-capable gateway device, including: a hardware platform including a processor and a memory; a first network interface to communicatively couple to an external network, including an external DNS server; a second network interface to communicatively couple to a home network; a caching DNS server including a local DNS cache, and logic to provide DNS services to the home network; and an EST proxy to authenticate to a local endpoint on the home network, provision a DNS server certificate on the local endpoint, provision an authentication domain name (ADN) on the local endpoint, and provide encrypted domain name system (DNS) services to the local endpoint.

Abstract: There is disclosed in an example a gateway device, including a hardware computing platform, and a secure domain name system (DNS) engine having circuitry and stored instructions to-program the circuitry, the secure DNS engine to communicatively couple to an endpoint via a local network, begin a secure DNS transaction with the endpoint, determine whether the endpoint supports delegated credentials, and after determining that the endpoint supports delegated credentials, establish a secure DNS session with the endpoint using a delegated credential.

Abstract: The disclosed technology teaches recovering a first virtual machine or an instance with an Internet Protocol address, a first root volume and one or more data volumes that are corrupted. The first virtual machine is hosted by a first cloud server that hosts plurality of virtual machines. The disclosed technology includes instructing the first cloud server to launch a recovery virtual machine. The recovery virtual machine launches one or more new data volumes based upon captured file system images in one or more snapshots taken of corrupted data volumes of the first virtual machine prior to becoming corrupted. The recovery virtual machine detaches the corrupted data volumes and attaches the new data volumes launched to the first virtual machine. The Internet Protocol address of the first virtual machine remains unchanged.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor, a memory, and a network interface; and instructions encoded within the memory to instruct the processor to: receive an incoming packet via the network interface; extract from the incoming packet a source port and a source internet protocol (IP) address; correlate the source port and source IP to a device identifier (ID); receive a network policy for the device ID; and apply the network policy to the incoming packet.

Abstract: Methods, apparatus, systems and articles of manufacture for communicating encrypted data via a virtual private network are disclosed. An example computer system disclosed herein includes a memory including instructions that, when executed, cause one or more processors to establish a first tunnel and a second tunnel between a VPN client and a VPN server. The instructions further cause the one or more processors to access a request message to be sent via the VPN and determine, in response to a payload being formatted using a first protocol, whether a packet associated with the request message includes an encrypted server name indication (SNI). The instructions further cause the one or more processors to, in response to the packet including the encrypted SNI, encrypt the header of the request message to form an encrypted header, create an encrypted message including the encrypted header and the payload of the request message, and transmit the encrypted message through the first tunnel.

Abstract: An apparatus, related devices and methods, having a memory element operable to store instructions; and a processor operable to execute the instructions, such that the apparatus is configured to identify, on an electronic device, a phone number of an incoming caller device; request, via an out-of-band control channel, a digital certificate for the phone number from the incoming caller device; receive, via the out-of-band control channel, the digital certificate for the phone number from the incoming caller device; determine whether the digital certificate for the phone number is authentic; and indicate, on the electronic device, based on a determination that the digital certificate for the phone number is authentic or not authentic, whether the phone number is authentic or not authentic.

Abstract: There is disclosed in one example a gateway apparatus, including: a hardware platform including a processor and a memory; and instructions stored within the memory to instruct the processor to: provide a domain name system (DNS) server, the DNS server to provide an encrypted DNS service, and to cache resolved domain names; receive an outgoing network packet; determine a destination address of the outgoing network packet; and upon determining that the destination address was not cached, apply a security policy.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface; an operating system including a native internet protocol (IP) stack; and a security agent, including instructions encoded within the memory to instruct the processor to: establish a split virtual private network (VPN) tunnel with a remote VPN service; receive outgoing network traffic; direct a first portion of the outgoing traffic to the VPN tunnel, including determining that the first portion includes an outgoing domain name service (DNS) request; and direct a second portion of the outgoing traffic to the native IP stack.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed that determine a dynamic password update notification interval based on a breach risk classification and an automatic password update mechanism of an online service with which a user has an account. The disclosed methods, apparatus, systems, and articles of manufacture generate a password update suggestion and/or an automatic password update for the user at the dynamic password update notification interval determined by the processor circuitry.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to optimize telemetry collection and processing of Transport Layer Security (TLS) parameters. An example apparatus includes at least one memory, instructions, and at least one processor to execute the instructions to generate a TLS client sub-profile based on first telemetry data associated with a client device, generate a TLS server sub-profile based on second telemetry data associated with a first server, generate a hash value based on at least one of the TLS client sub-profile or the TLS server sub-profile, compare the hash value to a plurality of hash values corresponding to known TLS profiles, and, in response to identifying the at least one of the TLS client sub-profile or the TLS server sub-profile as a unique TLS profile based on the comparisons, transmit the at least one of the first or second telemetry data to a second server.

Abstract: There is disclosed in one example a home router, including: a hardware platform including a processor and a memory; a local area network (LAN) interface; a data store including rules for domain name-based services; and instructions encoded within the memory to instruct the processor to: provision a certificate and key pair to provide domain name system (DNS) over hypertext transfer protocol secure (DoH) or DNS over transport layer security (DoT) services; receive on the LAN interface an encrypted DNS request; decrypt the DNS request; query the data store according to the DNS request; receive a rule for the DNS request; and execute the rule.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to improve the inspection of network data flows. An example apparatus includes memory, and processor circuitry to execute machine readable instructions to at least identify network domains accessible by at least one client device in a geographic location of interest, associate the identified network domains with Autonomous System Numbers (ASNs), create a list of respective ones of the ASNs that include a non-malicious status corresponding to Internet protocol (IP) addresses associated with respective ones of the identified network domains, and in response to receiving a reputation request corresponding to a destination IP address, cause inspection of a data flow to be skipped when the destination IP address is associated with the list of non-malicious ASNs.

Abstract: An apparatus, related devices and methods, having a memory element operable to store instructions; and a processor operable to execute the instructions, such that the apparatus is configured to identify sensitive user data stored in the memory by a first application, determine a risk exposure score for the sensitive user data, apply, based on a determination that the risk exposure score is above a threshold, a security policy to restrict access to the sensitive user data, receive a request from a second application to access the sensitive user data, determine whether the first application and the second application are similar applications, and allow access based on a determination that the first application and the second application are similar applications.