Abstract: A number of techniques facilitate generation of data points from observations about network traffic. An inferencing system can use these data points to determine whether a relationship exists between two entities or whether an existing relationship has terminated, without any external knowledge of the existence of or termination of such a relationship.

Abstract: Disclosed are computer-implemented methods for ranking importance of assets of an entity, in which the assets can include hosts and/or IP addresses associated with the entity. The exemplary methods can include receiving datasets from one or more sources indicating frequency of system access, system configuration, and/or application configuration. The methods can include determining one or more input data based on the datasets. The methods can include determining, for each host and/or IP address associated with the entity, an importance ranking based on the input data. In some examples, the importance ranking may be based on a weighting of two or more input data.

Abstract: A method and system for creating a composite security rating from security characterization data of a third party computer system. The security characterization data is derived from externally observable characteristics of the third party computer system. Advantageously, the composite security score has a relatively high likelihood of corresponding to an internal audit score despite use of externally observable security characteristics. Also, the method and system may include use of multiple security characterizations all solely derived from externally observable characteristics of the third party computer system.

Abstract: Disclosed herein are computer-implemented methods and systems for forecasting security ratings for an entity. The methods and systems can include generating a plurality of simulated instantiations of a security scenario for the entity, in which the security scenario characterized by a plurality of security events associated with at least one event type. The methods and systems can further include determining a security rating for each instantiation of the plurality of instantiations; and generating a forecast cone based on the determined security ratings for the plurality of instantiations. In some examples, for each event type of the at least one event type, the methods and systems can include determining a rate, duration, and/or temporal placement of the security events associated with the event type over a forecasting period.

Abstract: A method and system for creating a composite security rating from security characterization data of a third party computer system. The security characterization data is derived from externally observable characteristics of the third party computer system. Advantageously, the composite security score has a relatively high likelihood of corresponding to an internal audit score despite use of externally observable security characteristics. Also, the method and system may include use of multiple security characterizations all solely derived from externally observable characteristics of the third party computer system.

Abstract: A system for determining an entity's security rating may include a ratings engine and a security database. The security database may include a manifest and a distributed index containing security records. Each of the security records may have a key (e.g., a network identifier of a network asset) and a value (e.g., security information associated with the network asset identified by the key). The keyspace may be partitioned into multiple key ranges. The manifest may contain references to segments of the distributed index. Each segment may be associated with a key range and may index a group of security records having keys within the key range. The manifest and the segments may be stored in an object storage system. The ratings engine may determine the security rating of an entity based on security records of the entity's network assets, which may be retrieved from the database.

Abstract: Computer-implemented methods are provided herein for quantifying correlated risk in a network of a plurality of assets having at least one dependency, where each asset belongs to at least one entity. The method includes generating a dependency graph based on relationships between the assets, at least one dependency, and at least one entity, and executing a plurality of Monte Carlo simulations over the dependency graph. Executing a plurality of Monte Carlo simulations includes generating a seed event in the dependency graph, where the seed event has a probability distribution, and propagating disruption through the dependency graph based on the seed event. The method further includes assessing loss for each of the assets, and aggregating losses for two or more assets to determine correlated risk in the network.

Abstract: A cybersecurity risk management method may include recommending, for each of a plurality of affiliates of an entity, a respective cybersecurity criticality tier selected from a set of cybersecurity criticality tiers; receiving user input adjusting and/or adopting the recommended cybersecurity criticality tier for each of the affiliates; assigning each of the affiliates to the respective adjusted or adopted cybersecurity criticality tier; obtaining respective security scores for the affiliates; and displaying a user interface component configured to show a visualization of a cybersecurity risk management plan of the entity with respect to the plurality of affiliates, wherein the risk management plan partitions the affiliates into a plurality of affiliate sets based on the security scores and the assigned cybersecurity criticality tiers of the affiliates and specifies, for each of the affiliate sets, an action to be taken by the entity with respect to the affiliates in the affiliate set.

Abstract: Computer-implemented methods and systems are provided for the detection of software presence remotely through the web browser by detecting the presence of webinjects in a web browser that visits a detection webpage. The methods can include delivering a detection webpage to a web browser, in which the detection webpage has detection code configured to detect a presence of the webinject in the detection webpage; and inspecting, by the detection code, rendering of content of the detection webpage in the browser to detect webinject content in the detection webpage by the webinject, the webinject content including one or more Hypertext Markup Language (HTML) components. The method can further include, if webinject content is detected, generating a fingerprint for each of the one or more HTML components; transmitting the one or more fingerprints to an external server; and classifying, by the external server, the webinject based on the one or more fingerprints.

Abstract: A system and method for setting alert thresholds related to cybersecurity ratings of one or more affiliate entities. An example method includes: obtaining entity data including cybersecurity event data for an affiliate entity; calculating a time-series cybersecurity rating for the affiliate entity based on the entity data; associating an alert reporting threshold with the time-series cybersecurity rating, wherein a comparison of the alert reporting threshold to the time-series cybersecurity rating determines a number of alerts reported for the affiliate entity; applying an alternative alert reporting threshold against the time-series cybersecurity rating to determine an alternative number of alerts reported for the affiliate entity; and updating the alert reporting threshold for the time-series cybersecurity rating to the alternative alert reporting threshold.

Abstract: A cybersecurity risk management method may include recommending, for each of a plurality of affiliates of an entity, a respective cybersecurity criticality tier selected from a set of cybersecurity criticality tiers; receiving user input adjusting and/or adopting the recommended cybersecurity criticality tier for each of the affiliates; assigning each of the affiliates to the respective adjusted or adopted cybersecurity criticality tier; obtaining respective security scores for the affiliates; and displaying a user interface component configured to show a visualization of a cybersecurity risk management plan of the entity with respect to the plurality of affiliates, wherein the risk management plan partitions the affiliates into a plurality of affiliate sets based on the security scores and the assigned cybersecurity criticality tiers of the affiliates and specifies, for each of the affiliate sets, an action to be taken by the entity with respect to the affiliates in the affiliate set.

Abstract: A computer-implemented method is provided for statistical modeling of entities of a particular type. The method can include obtaining entity data including a plurality of entity data sets, each entity data set associated with a respective entity and including values for one or more static parameters indicative of a type of the entity. Each entity data set can include (i) values for input parameter(s) indicative of a security profile of the entity and (ii) a value of a security class parameter indicative of a security class of the entity based on the values of the input parameters. The method can include training a statistical classifier to infer a value of the security class parameter indicative of the security class of a particular entity of the particular type based on values of one or more of the input parameters indicative of a security profile of the particular entity.

Abstract: A computer-implemented method is provided for external detection of a vulnerable system coupled to a communication network. The method can include measuring communication traffic on the communication network to identify one or more domain names, which in turn can originate from server systems in the communication network. The method can further include identifying the domain names based on metadata from the domain names and/or the measured communication traffic, where each domain name has an associated property indicative of its vulnerability. The method can further include determining whether any one (or more) of the domain names is registered at a domain name registry and, if the domain name is not registered, registering the domain name.

Abstract: Among other things, traces are received of activities of an online user who is associated with an entity. By analysis of the traces a security state of the entity is inferred. Also, a map is generated between (a) technical assets that contribute to security characteristics of respective entities and (b) the identities of the entities that are associated with the respective technical assets At least part of the generating of the map is done automatically. A user can he engaged to assist in the generating of the map by presenting to the user through a user interface (a) data about the technical assets of entities and (b) an interactive tool for associating the technical assets with the identities of the entities.

Abstract: A computer-implemented method is provided for mapping IP addresses and domain names to organizations. The method includes receiving, by a mapping system from an data provider, a dataset related to a plurality of users of the data provider. The dataset includes (a) an IP address for a user device of each user of the plurality of users, and (b) a domain name for a user account of each user of the plurality of users; enriching, by an analytics engine of the mapping system, the received dataset with enrichment data from an enrichment source; receiving, by the analytics engine from a storage medium, historical data relevant to the enriched dataset; and mapping, by the analytics engine, (i) the IP address and/or (ii) the domain name of each user of a portion of the plurality of users to an organization based on the enriched dataset and the historical data.

Abstract: A system for determining an entity's security rating may include a ratings engine and a security database. The security database may include a manifest and a distributed index containing security records. Each of the security records may have a key (e.g., a network identifier of a network asset) and a value (e.g., security information associated with the network asset identified by the key). The keyspace may be partitioned into multiple key ranges. The manifest may contain references to segments of the distributed index. Each segment may be associated with a key range and may index a group of security records having keys within the key range. The manifest and the segments may be stored in an object storage system. The ratings engine may determine the security rating of an entity based on security records of the entity's network assets, which may be retrieved from the database.

Abstract: A system for discovering digital assets and determining an association between the assets and an entity analyzes publicly available information about entities of interest and dataset(s) generated via network observations from devices using the digital assets. Additional attributes included in the network observations dataset(s) and metadata from such observations may be used to enhance the correctness of the identified entity-asset associations. Network observations dataset(s) may be monitored on an on-going basis to provide current entity-asset associations.

Abstract: A computer-implemented method is provided for comparing the security profile of a particular entity to peer entities. The method can include receiving, for a particular entity, (i) a value for at least one feature and (ii) a number of security records of one or more security risk types. The method can include determining peer entities based on the value of the features; obtaining, for each peer entity, a number of security records; and adjusting the number of peer security records based on the number of entity security records. The method can further include comparing, for one or more security risk types, the received number of security records for the particular entity to the respective adjusted number of security records for each peer entity; and comparing a security profile of the particular entity to security profiles of the population of peer entities based on the comparison for the security risk types.

Abstract: Disclosed herein are computer-implemented methods and systems for forecasting security ratings for an entity. The methods and systems can include generating a plurality of simulated instantiations of a security scenario for the entity, in which the security scenario characterized by a plurality of security events associated with at least one event type. The methods and systems can further include determining a security rating for each instantiation of the plurality of instantiations; and generating a forecast cone based on the determined security ratings for the plurality of instantiations. In some examples, for each event type of the at least one event type, the methods and systems can include determining a rate, duration, and/or temporal placement of the security events associated with the event type over a forecasting period.