Abstract: Systems and techniques for security content delivery based on tagged personas are described herein. User data may be obtained for a user of a network file system. Attributes may be extracted from the user data to establish a user persona. Event data may be obtained for a security event experienced by the network file system. The security event may be associated with the user. A set of available remediation content items may be identified using the event data. A content item may be selected from the set of remediation content items using the user persona. A transmission medium may be determined for transmission of the content item to the user using the user persona. The content item may be transmitted to the user via the transmission medium.

Abstract: Disclosed in some examples are systems, methods, and machine readable mediums for identifying insider threats by determining file system element activity models that correlate to undesirable behavior and then utilizing the determined model to detect insider threats. Events involving file system elements of a client computing device (e.g., a network endpoint) may be monitored by a file system element monitoring application on the client computing device. The values of these signals are aggregated across all events of the same type that have occurred within a predetermined time window (e.g., an hour) for a particular client computing device. Each time an aggregated signal has a value over the threshold, an anomaly is recorded. Anomaly counts for each signal are then calculated as the aggregate number of anomalies for a particular signal over a second time period, the span of which is determined by the generation of first anomaly to the close of an alert by the network monitor.

Abstract: Disclosed in some examples are methods, systems, and machine readable mediums for applications that detect indicators of data exfiltration through applications such as browser-based interfaces. The disclosed system monitors file system element events related to one or more target applications (such as browsers) through operating system interfaces. Once an event of interest is detected, the system interfaces with the browser to determine a context for the event of interest that may include a URL of a website that the user was visiting corresponding to the file system element event. If the URL is directed towards a prohibited site, a notification may be generated that may be used as a signal to alert an administrator. As used herein, a file system element may include a file, directory, folder, archive, blob, raw storage, metadata, or the like. File system element events may include copying, deleting, modifying, or moving a file system element.

Abstract: Disclosed in some examples are methods, systems, devices, and machine-readable mediums which monitor for file system element transfers to and from both the endpoint and authorized accounts on network-based service providers (e.g., cloud-based storage). The system uses the capabilities of monitoring both the network-based service and the client computing device to filter out legitimate uploads to authorized network-based services and legitimate downloads to authorized computing devices. By matching events, it filters out events that are likely legitimate, the system may provide more accurate information, notifications, awareness, and unmatched event indications.

Abstract: A system for forensic file services is configured to receive data indicative of operations executed on a filesystem element stored on a computing resource associated with a first tenant, to and adjust the data according to an indicated database schema. The system is also configured to store the adjusted data in a record of a partition of a database, where the partition configured to store a history of operations executed on filesystem elements of computing resources associated with the first tenant. The system is further configured to receive a search request to search the database and to execute the search request on a second partition of the database to identify one or more matching records. The system is additionally configured to provide the identified records in response to the search request.

Abstract: Systems and techniques for detecting suspicious file activity are described herein. System for identifying anomalous data events is adapted to monitor a networked file system and receive an indication of a suspicious event associated with a user and a file. The system is further adapted to perform a pattern of behavior analysis for the user, perform an adjacency by time analysis based on a set of events before the suspicious event and a set of events after the suspicious event, and perform an adjacency by location analysis using a set of files located in a location of the file. The system is further adapted to determine whether the suspicious event is an anomalous event based on the pattern of behavior analysis, the adjacency by time analysis, and the adjacency by location analysis and display a report for the user including the anomalous event.

Abstract: Disclosed in some examples are methods, systems, and machine readable mediums for applications that detect indicators of data exfiltration through applications such as browser-based interfaces. The disclosed system monitors file system element events related to one or more target applications (such as browsers) through operating system interfaces. Once an event of interest is detected, the system interfaces with the browser to determine a context for the event of interest that may include a URL of a website that the user was visiting corresponding to the file system element event. If the URL is directed towards a prohibited site, a notification may be generated that may be used as a signal to alert an administrator. As used herein, a file system element may include a file, directory, folder, archive, blob, raw storage, metadata, or the like File system element events may include copying, deleting, modifying, or moving a file system element.

Abstract: A system for detecting anomalous user interactions with a computing resource a processor and a memory communicatively coupled to the processor and configured with instructions, which cause the processor to perform operations including receiving a request to monitor interactions of a user with the computing resource, obtaining first event data first event data that includes information that is indicative of first interactions of the user with the computing resource prior to receiving the request and obtaining second event data that includes information that is indicative of second interactions of the user with the computing resource after receiving the request. The operations further include determining, based on the first event data and the second event data, whether a deviation between the first interactions and the second interactions satisfies an indicated criteria. The operations additionally include generating a security alert based on the determination.

Abstract: Systems and techniques for detecting suspicious file activity are described herein. System for identifying anomalous data events is adapted to monitor a networked file system and receive an indication of a suspicious event associated with a user and a file. The system is further adapted to perform a pattern of behavior analysis for the user, perform an adjacency by time analysis based on a set of events before the suspicious event and a set of events after the suspicious event, and perform an adjacency by location analysis using a set of files located in a location of the file. The system is further adapted to determine whether the suspicious event is an anomalous event based on the pattern of behavior analysis, the adjacency by time analysis, and the adjacency by location analysis and display a report for the user including the anomalous event.

Abstract: Disclosed in some examples are systems, methods, and machine readable mediums for identifying insider threats by determining file system element activity models that correlate to undesirable behavior and then utilizing the determined model to detect insider threats. Events involving file system elements of a client computing device (e.g., a network endpoint) may be monitored by a file system element monitoring application on the client computing device. The values of these signals are aggregated across all events of the same type that have occurred within a predetermined time window (e.g., an hour) for a particular client computing device. Each time an aggregated signal has a value over the threshold, an anomaly is recorded. Anomaly counts for each signal are then calculated as the aggregate number of anomalies for a particular signal over a second time period, the span of which is determined by the generation of first anomaly to the close of an alert by the network monitor.

Abstract: A system for processing a file stored on a computing system includes causing a processor of the system to obtain file usage data that is indicative of a number of times the file is loaded into a memory of the system and to obtain file-size data that is indicative of a size the file. The system further includes causing the processor to obtain metadata indicative of contents the file and to determine a file value based on the file usage data and at least one of the file-size data, the metadata, or a file-identifier value that is derived from an identifier of the file, where the file value comprising a quantitative or qualitative indicator of a value of the file. The system additionally includes causing the processor to adjust processing of the file relative to processing of other files associated with the computing system based on the file value.

Abstract: A system a module that is configured to cause a processor to obtain a set of file references that are configured to access files associated with a first computing system, where the set of file references include a references to the target file and one or more source files. The module is further configured to cause the processor to retrieve the target file and the one or more source files and to partition the target file and the one or more source files into respective first set of tokens and second set of tokens. The module is further configured to cause the processor to identify, based on the first set of tokens and the second set of tokens, at least one source file of the one or more source files that contain a threshold quantity of tokens of the target file.

Abstract: System and techniques for dynamically building a file graph are described herein. Meta data is received for a first and a second file. An intersection of the first metadata set and the second metadata set is computed. An edge in a file graph is created based on the intersection. Then, after receiving a query about the first file, the second file is provided as a result to the query based on the edge in the file graph.

Abstract: Systems and techniques for an automatic graph-based detection of unlikely file possession are described herein. In an example, a system for detecting unauthorized file possession is adapted to generate a networked computing environment graph for files and the devices which store the files. The detection system may be further adapted to identify a file in question and a device in question that is in possession of the file in question. The detection system may be further adapted to generate a set of connection paths from the device in question to the file in question based upon the edges of the graph. The detection system may be further adapted to determine the device in question should not have possession of the file in question based on a set of metrics derived from the connection paths. The detection system may be further adapted to generate an alert based on the determination.

Abstract: Systems and techniques for sensitive data movement detection are described herein. An attempt to relocate a file that is a member of a monitored data set may be identified. A user account associated with the attempt to relocate the file may be determined. A safe user group may be identified for the user account associated with the attempt to relocate the file. A destination may be obtained for the attempt to relocate the file. A safe zone may be determined for the monitored data set using the user account and the identification of the monitored data set. A notification may be provided based on the destination for the attempt to relocate the file and the safe user group and the safe zone.

Abstract: Systems and techniques for three-dimensional file event representation are described herein. File event data may be obtained for a file for a time segment. The file event data may include a file system hierarchy for the file. A spatial file operation map may be generated for the file system hierarchy including a file operation map for the file for the time segment. The file operation map for the file may include a plurality of layers with each layer of the plurality of layers representing a file operation class available for the file. It may be determined that a file operation was performed on the file during the time segment based on the file event data. An indication may be generated on a layer of the plurality layers of the file operation map that the file operation was performed. The layer corresponds to a file operation class of the file operation.

Abstract: Systems and techniques for an automatic graph-based detection of unlikely file possession are described herein. In an example, a system for detecting unauthorized file possession is adapted to generate a networked computing environment graph for files and the devices which store the files. The detection system may be further adapted to identify a file in question and a device in question that is in possession of the file in question. The detection system may be further adapted to generate a set of connection paths from the device in question to the file in question based upon the edges of the graph. The detection system may be further adapted to determine the device in question should not have possession of the file in question based on a set of metrics derived from the connection paths. The detection system may be further adapted to generate an alert based on the determination.

Abstract: Disclosed in some examples are methods, systems, and machine readable mediums which provide for encrypted file system element containers which secure sensitive file system elements. The encrypted file system element containers are sent from a network based file storage system upon selection of file system elements for a network based file download and stored in a user's computing device in an encrypted state while the data is at rest. An application on the user's computing device may provide access to the file system elements (e.g., files, directories, and the like) inside the encrypted file system element containers according to a set of one or more access rules. Example access rules include a time-to-live (TTL) rule that deletes or causes the encrypted file system element containers to be inaccessible after a predetermined amount of time.

Abstract: Disclosed in some examples are methods, systems, and machine readable mediums which monitor, archive, and version file system elements stored in one or more different network based file storage systems for one or more different users. Any changes to file system elements stored in the network based file storage systems are recorded and versioned. The system may allow users to revert to a previous version of a file system element, recover a deleted file system element, and the system allows for audits to determine which users placed a file system element in which network based file storage systems and determine which users had access to the file system element in the network based file storage systems. As a result, the disclosed system improves the end-user experience by providing versioning and auditing capabilities as well as allowing organizations to monitor and control their digital property in network based file storage systems.

Abstract: In connection with a data distribution architecture, client-side “deduplication” techniques may be utilized for data transfers occurring among various file system nodes. In some examples, these deduplication techniques involve fingerprinting file system elements that are being shared and transferred, and dividing each file into separate units referred to as “blocks” or “chunks.” These separate units may be used for independently rebuilding a file from local and remote collections, storage locations, or sources. The deduplication techniques may be applied to data transfers to prevent unnecessary data transfers, and to reduce the amount of bandwidth, processing power, and memory used to synchronize and transfer data among the file system nodes. The described deduplication concepts may also be applied for purposes of efficient file replication, data transfers, and file system events occurring within and among networks and file system nodes.