Abstract: Provided herein are systems and methods for determining a likelihood that an executable comprises malware. A learning engine may determine a plurality of attributes of an executable identified in a computing environment, and a corresponding weight to assign to each of the plurality of attributes. Each of the plurality of attributes may be indicative of a level of risk for the computing environment. The learning engine may generate, according to the determined plurality of attributes and the corresponding weights, one or more scores indicative of a likelihood that the executable comprises malware. A rule engine may perform an action to manage operation of the executable, according to the generated one or more scores.

Abstract: Provided herein are systems and methods for classifying content to prevent data breach or exfiltration. An entity engine may receive content for classification into a content type for preventing data breach or exfiltration. The entity engine may determine that secondary data, defined by an operand of an entity definition, is present in the content. Each entity definition may correspond to one content type and may include a Boolean expression of operands. Each operand may include a matching element to be used for matching against content undergoing classification into one of the content types, upon secondary data defined by the operand being present in the content. The entity engine may classify the content into a content type of the content types, corresponding to the entity definition, based on matching the matching element of the operand to the content, and matching other operands of the entity definition to the content.

Abstract: Provided herein are systems and methods for identifying personal identifiers in content. An entity engine may receive content to identify candidate personal identifiers. The entity engine may determine that a text string in the content matches to a data format specified in entity definitions corresponding to types of personal identifiers and a rule for finding a geographic or linguistic term in the content correlated to the specific type of personal identifier. Each entity definition may specify a data format for finding a specific type of personal identifier in content. The data format corresponds to a type of personal identifier. The entity engine may identify, according to a rule of the first entity definition, a geographic or linguistic term in the content correlated to the type of personal identifier. The entity engine may classify the text string as the type of personal identifier, for preventing data breach or exfiltration.

Abstract: Provided herein are systems and methods for defining and securely sharing objects for use in preventing data breach or exfiltration. Memory may be configured to store a plurality of objects for use in preventing data breach or exfiltration. A validation engine can validate the objects, incorporate into each object an object identifier and a signature, and generate a subset of the objects for use by a first user. The validation engine can store, in the memory, the plurality of objects as a superset of objects corresponding to the generated subset. An evaluation engine may, responsive to identifying that one or more object identifiers and signatures in a received set of objects belong to the subset corresponding to the stored superset, verify whether any object in the received set has been tampered with.

Abstract: Provided herein are systems and methods for risk tracking. A tracker engine executable on servers may provide, in a user interface, a plurality of categories of locations for files in a networked environment. The tracker engine may identify in the user interface risk categories of the files in each of the categories of the locations. The tracker engine may provide, in the user interface, types of egress points for the files. The tracker engine may generate links between the categories of the locations of the files, the risk categories of the files and the types of egress points for the files. Details about each of the files may be navigable from the user interface via a corresponding category of a location of the file, a corresponding risk category of the file or a corresponding type of egress point for the file.

Abstract: Provided herein are systems and methods for multi-event correlation. Receiving a stream of events, each leaf rule engine may detect a plurality of events from the stream that matches a characteristic for the leaf rule engine. Each leaf rule engine may identify, from the plurality of events and within a time window, a group of events that satisfies a condition for the respective leaf rule engine. A root conditions engine may receive a stream of leaf events corresponding to the group of events identified by each leaf rule engine. The root conditions engine may identify, from the received stream of leaf events and within a root time window, a collection of events that satisfies a condition for the root conditions engine. A trigger may execute an action according to the collection of events identified within the root time window.

Abstract: Provided herein are systems and methods of investigating an entity or a potential incident. A tracker engine may receive an identification of a first entity in a networked environment. The tracker engine may display, in a user interface responsive to receiving the identification, a representation of the first entity, and representations of a plurality of entities associated with the first entity. The plurality of associated entities may include: a network connection, a file, a process, a user or a computing device. The tracker engine may receive, via the user interface, a selection of a second entity from the plurality of associated entities. The tracker engine may update, responsive to receiving the selection, the user interface to display a representation of the second entity graphically linked to the representation of the first entity, and representations of a plurality of entities associated with the second entity.

Abstract: Provided herein are systems and methods for multi-event correlation. Receiving a stream of events, each leaf rule engine may detect a plurality of events from the stream that matches a characteristic for the leaf rule engine. Each leaf rule engine may identify, from the plurality of events and within a time window, a group of events that satisfies a condition for the respective leaf rule engine. A root conditions engine may receive a stream of leaf events corresponding to the group of events identified by each leaf rule engine. The root conditions engine may identify, from the received stream of leaf events and within a root time window, a collection of events that satisfies a condition for the root conditions engine. A trigger may execute an action according to the collection of events identified within the root time window.

Abstract: Provided herein are systems and methods for defining and securely sharing objects for use in preventing data breach or exfiltration. Memory may be configured to store a plurality of objects for use in preventing data breach or exfiltration. A validation engine can validate the objects, incorporate into each object an object identifier and a signature, and generate a subset of the objects for use by a first user. The validation engine can store, in the memory, the plurality of objects as a superset of objects corresponding to the generated subset. An evaluation engine may, responsive to identifying that one or more object identifiers and signatures in a received set of objects belong to the subset corresponding to the stored superset, verify whether any object in the received set has been tampered with.

Abstract: Systems and methods for enhanced DOM and event mirroring and security in web applications provides an intermediate Master Browser between web content and client devices to improve security and other enhancements.