Patents Assigned to BlueVoyant LLC
-
Publication number: 20250260715
Abstract: Systems and methods are disclosed for autonomous security enhancement of a tenant network via a managed security service provider (MSSP) server comprising a processor and a memory, with information from a plurality of data sources, the method comprising querying a database or server, upon an encounter with an indicator of compromise (IoC), by a security system, to identify data sources of a plurality of data sources, wherein the data sources include information on the IoC; generating, via the processor, an IoC threat score for the IoC; generating, at least one actionable security enhancement notification based on the IoC threat score; and deploying an automated security response that can comprise displaying the IoC threat score and an actionable security enhancement notification to a user, allowing triggering or disabling of at least one action based on the single IoC threat score.
Type: Application
Filed: July 26, 2023
Publication date: August 14, 2025
Applicant: BlueVoyant LLC
Inventors: Ayal Reich, Leo Sojref, Tal Blaustein
-
Patent number: 12332870
Abstract: The present disclosure describes a method and system for processing and indexing data from a continuously updated distributed database. The method and system employ a portioned database architecture to return results in a constant-time query and reduce the storage size of indexed records. The database partitions include a plurality of data records that correspond to an index group in a single row of a rowKey table. The index group comprises data records that are indexed in a predetermined indexing interval. The portioned database architecture allows record fields to be queried from the index group.
Type: Grant
Filed: June 4, 2023
Date of Patent: June 17, 2025
Assignee: BlueVoyant LLC
Inventors: Tucker Leavitt, Adam Najman, Alfredo Gimenez, Tyler Flach, Abdul Khan, Jonathan Greenblatt
-
Patent number: 12335370
Abstract: A method for generating representative Key:Value pairs of cyber event or cyber asset behavior and de-duplicating multiple alerts associated with a cyber event or cyber asset behavior. The Key:Value pairs comprise a hash value representative of the cyber event or cyber asset behavior and an asset identifier. The Key:Value pairs provide a security operations center a queryable identifier to easily track the behavior of an asset and determine the number of cyber event observations in a predetermined time period.
Type: Grant
Filed: May 10, 2023
Date of Patent: June 17, 2025
Assignee: BlueVoyant LLC
Inventors: Reagan Short, Steven Bremner, Christopher Wildes
-
Publication number: 20250184350
Abstract: A method for identifying cyber assets and implementing cyber risk mitigation actions based on domain redirects is disclosed. The method comprising selecting an entity for evaluation; identifying one or more seed domains of the entity; identifying candidate domains based on at least one of a public data source, a proprietary data source, or a combination thereof; fetching the candidate domains to determine routing information for each of the candidate domains; classifying, based on the routing information, each candidate domain that redirects to the one or more seed domains as an associated domain, wherein each associated domain is considered to be an asset of entity; generating an entity asset database based on the one or more seed domains and the associated domains; and generating a cyber risk mitigation action based on the entity asset database.
Type: Application
Filed: February 20, 2023
Publication date: June 5, 2025
Applicant: BlueVoyant LLC
Inventor: Peter Gleitz
-
Publication number: 20250150467
Abstract: A security automation platform is disclosed herein. The security automation platform can be communicably coupled to a tenant configured to deploy a tenant security platform and comprises a processor and a memory configured to store a security automation platform that, when executed by the processor, causes the processor to detect, via a variable store, a variable associated with the tenant, correlate, via a content library, the detected variable to an artifact stored within the content library; generate, via an automation schema, an automation for the tenant based on the artifact, wherein the automation comprises a security tool configured to continuously monitor an API deployed by the tenant, and transmit, via an API broker of the security automation platform, the generated automation to the security automation platform deployed by the tenant.
Type: Application
Filed: January 23, 2023
Publication date: May 8, 2025
Applicant: BlueVoyant LLC
Inventors: Dorian Birsan, Christopher Teekema, Neel Arora
-
Publication number: 20250110939
Abstract: The present disclosure describes a method and system for processing and indexing data from a continuously updated distributed database. The method and system employ a portioned database architecture to return results in a constant-time query and reduce the storage size of indexed records. The database partitions include a plurality of data records that correspond to an index group in a single row of a rowKey table. The index group comprises data records that are indexed in a predetermined indexing interval. The portioned database architecture allows record fields to be queried from the index group.
Type: Application
Filed: June 4, 2023
Publication date: April 3, 2025
Applicant: BlueVoyant LLC
Inventors: Tucker LEAVITT, Adam NAJMAN, Alfredo GIMENEZ, Tyler FLACH, Abdul KHAN, Jonathan GREENBLATT
-
Publication number: 20250112762
Abstract: A method for generating representative Key:Value pairs of cyber event or cyber asset behavior and de-duplicating multiple alerts associated with a cyber event or cyber asset behavior. The Key:Value pairs comprise a hash value representative of the cyber event or cyber asset behavior and an asset identifier. The Key:Value pairs provide a security operations center a queryable identifier to easily track the behavior of an asset and determine the number of cyber event observations in a predetermined time period.
Type: Application
Filed: May 10, 2023
Publication date: April 3, 2025
Applicant: BlueVoyant LLC
Inventors: Reagan Short, Steven Bremner, Christopher Wildes
-
Publication number: 20250097244
Abstract: A method for streamlining and standardizing the ingest of security data across a plurality of tenant networks is disclosed. Each of the plurality of tenant networks comprises at least one log source, the method comprising receiving, by each of a plurality of data gateway modules, raw log data from the log source associated therewith; generating, by each of the plurality of data gateway modules, formatted log data based on the raw log data; ingesting, by an edge module, formatted log data from the plurality of data gateway modules; automatically updating, by a central control plane module, a configuration of at least one of the plurality of data gateway modules based on a change to the log source(s) associated therewith; and implementing, by a security monitoring system, a security action related to at least one of the plurality of tenant networks based on the ingested formatted data.
Type: Application
Filed: December 21, 2022
Publication date: March 20, 2025
Applicant: BlueVoyant LLC
Inventors: Chris White, Jake Vance, Allen Duet, Ed Schernau, Neel Arora, Chris Surel
-
Publication number: 20240419788
Abstract: A method of enhancing network security across a plurality of tenants is disclosed herein. The method can include: providing a Security Information, and Event Management (SIEM) management application configured to be hosted by a SIEM provider server communicably coupled to a tenant server; coupling, via a data connector, the SIEM management application to a log source hosted by the tenant server, wherein the data connector is configured to control a flow of data to and from the log source; generating, via the SIEM management application, a JavaScript Object Notation (JSON) based solution bundle for the log source; visually displaying, via a user interface of the SIEM management application, a proposed SIEM protocol for the tenant server based, at least in part, on the JSON-based solution bundle; and deploying, via the SIEM management application, the proposed SIEM protocol from the SIEM provider server to the tenant server.
Type: Application
Filed: August 29, 2024
Publication date: December 19, 2024
Applicant: BlueVoyant LLC
Inventors: Dorian Birsan, Marius Mocanu, Igor Bologan
-
Patent number: 12105797
Abstract: A method of enhancing network security across a plurality of tenants is disclosed herein. The method can include: providing a Security Information, and Event Management (SIEM) management application configured to be hosted by a SIEM provider server communicably coupled to a tenant server; coupling, via a data connector, the SIEM management application to a log source hosted by the tenant server, wherein the data connector is configured to control a flow of data to and from the log source; generating, via the SIEM management application, a JavaScript Object Notation (JSON) based solution bundle for the log source; visually displaying, via a user interface of the SIEM management application, a proposed SIEM protocol for the tenant server based, at least in part, on the JSON-based solution bundle; and deploying, via the SIEM management application, the proposed SIEM protocol from the SIEM provider server to the tenant server.
Type: Grant
Filed: June 3, 2022
Date of Patent: October 1, 2024
Assignee: BlueVoyant LLC
Inventors: Dorian Birsan, Marius Mocanu, Igor Bologan
-
Publication number: 20240273188
Abstract: A method for enhancing network security across a plurality of tenants configured to host a plurality of client applications is disclosed herein. The method includes: providing a SIEM management application hosted by a SIEM provider server communicably coupled to the plurality of tenants; receiving a SIEM status from the plurality of tenants; visualizing the SIEM status; filtering the SIEM status based on a user input received via the graphical user interface; visualizing the filtered SIEM status; selecting, via the graphical user interface, at least one client application of the plurality of client applications hosted by at least one tenant of the plurality of tenants to update based on the filtered SIEM status; generating a client application update, and an update alert based on the selection; transmitting the update alert to the at least one tenant; and updating the at least one client application based on the update alert.
Type: Application
Filed: June 3, 2022
Publication date: August 15, 2024
Applicant: BlueVoyant LLC
Inventors: Dorian Birsan, Marius Mocanu, Adrian Grigorof, Igor Bologan, Catalin Duta
-
Publication number: 20240267403
Abstract: A Security Information, and Event Management (“SIEM”) provider server is disclosed herein. The SIEM provider server is configured to enhance network security on behalf of a tenant network by autonomously generating and providing an SIEM configuration to the tenant network. The SIEM provider server includes a processor and a memory configured to store a managed security service provider (“MSSP”) management system that, when executed by the processor, causes the processor to autonomously retrieve an SIEM artifact associated with the tenant network from a content repository; generate a tenant-specific SIEM configuration for the tenant network including the SIEM artifact; and deploy the tenant-specific SIEM configuration to a tenant-specific repository.
Type: Application
Filed: December 21, 2022
Publication date: August 8, 2024
Applicant: BlueVoyant LLC
Inventors: Dorian BIRSAN, Chee Wai Ooi
-
Publication number: 20240241947
Abstract: A method of enhancing network security across a plurality of tenants is disclosed herein. The method can include: providing a Security Information, and Event Management (SIEM) management application configured to be hosted by a SIEM provider server communicably coupled to a tenant server; coupling, via a data connector, the SIEM management application to a log source hosted by the tenant server, wherein the data connector is configured to control a flow of data to and from the log source; generating, via the SIEM management application, a JavaScript Object Notation (JSON) based solution bundle for the log source; visually displaying, via a user interface of the SIEM management application, a proposed SIEM protocol for the tenant server based, at least in part, on the JSON-based solution bundle; and deploying, via the SIEM management application, the proposed SIEM protocol from the SIEM provider server to the tenant server.
Type: Application
Filed: June 3, 2022
Publication date: July 18, 2024
Applicant: BlueVoyant LLC
Inventors: Dorian Birsan, Marius Mocanu, Igor Bologan