Abstract: Examples disclosed herein relate to associations among data records in a security information sharing platform. Some examples may enable creating, in the security information sharing platform that enables sharing of security information among a plurality of users, an association between a first security indicator comprising a first observable and a first data record based on sightings of the first observable by at least one source entity associated with the first data record. Some examples may further enable obtaining a search query that specifies the first security indicator, and identifying a set of data records that satisfy the search query. The set of data records may include the first data record.

Abstract: A technique includes determining relations among a plurality of entities that are associated with a computer system; and selectively grouping behavior anomalies that are exhibited by the plurality of entities into collections based at least in part on the determined relations among the entities. The technique includes selectively reporting the collections to a security operations center.

Abstract: Examples disclosed herein relate to alerts for communities of a security information sharing platform. Some examples may enable obtaining a security indicator from a user of a first community of a security information sharing platform that enables sharing of security information among a plurality of communities; including the security indicator in community-based security information associated with the first community, the first security indicator comprising a first observable; sharing the first security indicator with the security information sharing platform; obtaining, from the security information sharing platform, information related to sightings of the first observable; and providing a first alert to the first community based on the information related to the sightings of the first observable.

Abstract: A technique includes receiving data identifying behavior anomalies that are exhibited by entities that are associated with a computer system. The technique includes associating the behavior anomalies with contexts based at least in part on threat intelligence to provide modified anomalies. The threat intelligence associates the contexts with indicators of potential breach. The technique includes characterizing the behavior anomaly identification based at least in part on the threat intelligence. The characterization includes applying machine learning to features of the modified anomalies to classify the identified behavior anomalies.

Abstract: In some examples, an alert relating to an issue in a computing arrangement is received. It is determined that the received alert is similar to a given alert in an information repository containing information of past processes performed to address respective issues, the determining comprising comparing a property associated with the received alert to a property of alerts associated with the past processes, and the information contained in the information repository comprising actions taken in the past processes to address the respective issues. Performance of a remediation action is triggered that comprises an action, identified by the information in the information repository, taken to respond to the given alert.

Abstract: In some examples, a plurality of alerts relating to issues in a computing arrangement are received, where the plurality of alerts generated based on events in the computing arrangement. A subset of the plurality of alerts is grouped into a bundle of alerts, the grouping being based on a criterion. The bundle of alerts is communicated to cause processing of the alerts in the bundle of alerts together.

Abstract: A method of establishing a secure channel between a human user and a computer application is described. A secret unique identifier (“PIN”) is shared between a user and an application. When the user makes a request that involves utilizing the PIN for authentication purposes, the application renders a randomly selected identifier. The randomly selected identifier is in a format that is recognizable to a human but is not readily recognizable by an automated agent. The randomly selected identifier is then presented to the human user. The user identifies the relationship between the randomly selected identifier and the PIN. If the user's input reflects the fact that the user knows the PIN, then the user is authenticated.

Abstract: A machine-readable medium may store instructions executable by a processing resource to access log data of an enterprise and extract time-series data of an enterprise entity from the log data. The time-series data may include measured feature values of a set of selected features over a series of time periods. The instructions may be further executable to train a predictive model specific to the enterprise entity using the time-series data, wherein the predictive model is to generate, for a particular time period, a predicted feature value for each of the selected features; access actual feature values of the enterprise entity for the particular time period; apply first-level deviation criteria to the actual feature value and the predicted feature value of each selected feature to identify deviant features of the enterprise entity; and apply second-level deviation criteria to the identified deviant features to identify the enterprise entity as behaving abnormally.

Abstract: Example implementations relate to a security information sharing platform that enables sharing of security information among a plurality of members. For example, in an implementation, a system may determine that a first member of a community of a security information sharing platform is entitled access to a first set of encrypted information shared by a second member of the community. The system may also receive a request, from the first member, to access the first set of encrypted information, the request including a masked parameter. The system may also determine that the masked parameter matches an access parameter for accessing the first set of encrypted information and provide the first member access to the first set of encrypted information in response to determining that the masked parameter matches the access parameter.

Abstract: Examples relate to collaborative security lists. The examples disclosed herein enable obtaining a first candidate entry suggested by a first user of a community to be included in a collaborative security list. The collaborative security list may comprise a list of entries known to be secure or a list of entries known to be insecure. The examples disclosed herein further enable providing a candidate security list comprising at least the first candidate entry to the community and obtaining, from a second user of the community, a first score indicating how confident the second user is that the first candidate entry is secure. The examples disclosed herein further enable determining whether to include the first candidate entry in the collaborative security list based on the first score.

Abstract: Examples relate to collaborative investigation of security indicators. The examples disclosed herein enable presenting, via a user interface, community-based threat information associated with a security indicator to a user. The community-based threat information may comprise investigation results that are obtained from a community of users for the security indicator, and an indicator score that is determined based on the investigation results. The examples further enable obtaining an investigation result from the user and updating the indicator score based on the investigation result.

Abstract: Examples disclosed herein relate to considering geolocation information in a security information sharing platform. Some examples may enable determining geolocation information for a security indicator shared to the security information sharing platform. Some examples may enable determining an indicator score associated with the security indicator based on the determined geolocation information. Some examples may enable facilitating display, via a user interface, the first indicator score to the first community of users based on the indicator score.

Abstract: Examples disclosed herein relate to controlling data access on a security information sharing platform. Some examples may enable receiving, from a first member of a first community of the security information sharing platform that enables sharing of security information among a plurality of users, a request to share a first set of information. Some examples may enable determining, based on a set of parameters associated with the request to share the first set of information, an encryption mechanism to use to encrypt the first set of information. Some examples may enable encrypting the first set of information using the determined encryption mechanism. Some examples may enable sharing the encrypted first set of information.

Abstract: An example of security threat analysis can include generating a security threat hypothesis based on security data in a threat exchange server. A request for analysis based on the security data can be sent via communication links to at least one security monitored participant to analyze the security data. A response can be received from the at least one security monitored participant with information related to the completed security related task.

Abstract: According to an example, security indicator access determination may include determining a security indicator that is received from a first entity by a security indicator sharing platform for sharing with a second entity. A rule associated with identification of a third entity that has access to the security indicator may be analyzed. The third entity may be different from the second entity, and if the second entity belongs to a community, the third entity may not be in the community of the second entity. A determination may be made as to whether to identify the third entity based on the analysis of the rule. In response to a determination that the third entity is to be identified or not to be identified, the third entity may be identified to the first entity, or not identified to the first entity.

Abstract: According to an example, conditional security indicator sharing may include analyzing a security indicator that is received from a first entity by a security indicator sharing platform for sharing with a second entity. A determination may be made as to whether to share the security indicator with a third entity based on a condition. In response to a determination that the security indicator is to be shared or not to be shared with the third entity based on the condition, the security indicator may be respectively shared with the third entity, or not shared with the third entity.

Abstract: Systems and methods are provided for performing transactions and managing communications using a trusted third party. In one embodiment, a sender transfers an encrypted version of a file (such as a digitally encoded audio track, movie, document, or the like) to someone who wishes to receive it. The receiver computes a first hash of at least a portion of the encrypted data content, and sends the first hash to a third party configured to compare at least a portion of the first hash to at least a portion of a second hash. The receiver receives a file decryption key from the third party, and decrypts at least the portion of the received encrypted data content with the decryption key. In some cases, multiple hashes of the encrypted data content may be computed, each using a different portion of the encrypted data content.

Abstract: Systems and methods are provided for authentication by combining a Reverse Turing Test (RTT) with password-based user authentication protocols to provide improved resistance to brute force attacks. In accordance with one embodiment of the invention, a method is provided for user authentication, the method including receiving a username/password pair associated with a user; requesting one or more responses to a first Reverse Turing Test (RTT); and granting access to the user if a valid response to the first RTT is received and the username/password pair is valid.

Abstract: Example embodiments disclosed herein relate to determining threat scores for threat observables. Information about multiple threat observables are received from providing entities. The information about the threat observables include at least one attribute about a respective threat associated with the threat observable. Threat scores are determined for the respective threat observables for multiple entities. In one example, a first score of a first one of the threat observables is determined and is different than a second score of the first threat observable for a second entity based on a treatment of the attribute(s).

Abstract: Systems, methods, and machine-readable and executable instructions are provided for attack notification. Attack notification can include receiving security-related data from a number of computing devices that are associated with a number of entities through a communication link and analyzing a first portion of the security-related data that is associated with a first entity from the number of entities to determine whether the first entity has experienced an attack. Attack notification can include analyzing a second portion of the security-related data that is associated with a second entity from the number of entities and the first portion of the security-related data that is associated with the first entity to determine whether the second entity is experiencing the attack. Attack notification can include notifying, through the communication link, the second entity that the second entity is experiencing the attack if it is determined that the second entity is experiencing the attack.