Abstract: A method and system for scoring performance of a security product are provided. The method includes receiving security product performance data of the security product configured to handle a specific cyber threat; classifying the performance data into a product profile associated with the security product; computing at least one security product performance score for the product profile based on the classified product security performance data; and associating the at least one security performance score with the product profile. In an embodiment, the method also includes selecting the at least one security product from a plurality of security products based on their respective performance scores for the respective cyber threat.

Abstract: A system and method for method for generating a security rule classification model comprises receiving at least one security rule from at least one attack database of a first security product of a plurality of different security products; normalizing each of the at least one security rule; generating a vector for each of the least one normalized security rule; classifying each generated vector to a security engine within a security service using a classification sub-model to generate a preliminary classification model, wherein the classification sub-model is provided from previous classification of security rules for a security product of the plurality of different security products that is different than the first security product; determining a score for the preliminary classification model; and validating the preliminary classification model as the security rule classification model, when the score is over a predefined threshold.

Abstract: A method and system for classification of cyber-threats is provided. The method includes receiving a request for classifying a cyber-threat detected by a cyber-security system, wherein the request includes initial information about the detected cyber-threat; enriching the initial information about the detected cyber-threat to provide textual information about at least one perceived threat related to the detected cyber-threat; and classifying each of the at least one perceived threat into a security service, wherein the classification is performed based on the respective textual information.

Abstract: A system and method for generating policies for investigating cyber-security attacks are provided. The method includes selecting at least one entity of interest (EoI); determining at least one detection event associated with the at least one EoI; processing the at least one detection event to create a plurality of investigation rules, wherein each of the plurality of investigation rules includes a set of filters utilized to identify malicious activity related the at least one EoI; and defining an investigation policy for the EoI, wherein the defined investigation policy includes the plurality of investigation rules.

Abstract: A cyber-security system and method for proactively predicting cyber-security threats are provided. The method comprises receiving a plurality of security events classified to different groups of events; correlating the plurality of received security events to classify potential cyber-security threats to a set of correlation types; determining a correlation score for each classified potential cyber-security threat; and determining a prediction score for each classified potential cyber-security threat, wherein the prediction score is determined based in part on the correlation score.

Abstract: A system and method for classifying security rules of a plurality of different security products into a security decision engine in a service. The method comprises receiving at least one security rule from at least one attack database of a security product of the plurality of different security products; normalizing each of the at least one security rule; generating a vector for each of the least one normalized security rule, wherein each vector is generated based on a set of terms indicative of a cyber-solution; mapping each of the generated vector to a security service, wherein the security service represents a cyber-solution category, wherein the mapping is performed using a classification model; and associating each of the respective security rule with the security service, when an evaluation threshold is met.

Abstract: A method and system for cyber threat risk-chain generation are provided. The method includes obtaining a plurality of events; mapping each event of the plurality of obtained events to a global threat type, wherein each global threat type is associated with a risk-chain group; correlating among the mapped plurality of events to determine at least a transition between one global threat type to another; and updating a data structure maintaining data of at least one risk-chain, when the transition is determined, wherein the at least one risk-chain is a lifecycle of a cyber-attack.

Abstract: A system and method for optimizing a defense model using available security capabilities are provided. The method includes obtaining a defense model and an optimal security application implementation associated with the defense model; evaluating available security capabilities deployed in an enterprise environment to determine a plurality of variant security applications implementing the defense model; determining a quality score for each of the plurality of the variant security applications; selecting, from the plurality of variant security applications, a variant security application having a highest quality score; and executing the selected variant security application.

Abstract: A system and method for classifying security rules of a plurality of different security products into a security decision engine in a service. The method comprises receiving at least one security rule from at least one attack database of a security product of the plurality of different security products; normalizing each of the at least one security rule; generating a vector for each of the least one normalized security rule, wherein each vector is generated based on a set of terms indicative of a cyber-solution; mapping each of the generated vector to a security service, wherein the security service represents a cyber-solution category, wherein the mapping is performed using a classification model; and associating each of the respective security rule with the security service, when an evaluation threshold is met.

Abstract: A cyber-security system and method for proactively predicting cyber-security threats are provided. The method comprises receiving a plurality of security events classified to different groups of events; correlating the plurality of received security events to classify potential cyber-security threats to a set of correlation types; determining a correlation score for each classified potential cyber-security threat; and determining a prediction score for each classified potential cyber-security threat, wherein the prediction score is determined based in part on the correlation score.

Abstract: A system and method for adaptively securing a protected entity against cyber-threats. The method includes: activating a security application configured to handle a cyber-threat; receiving a plurality of feeds during a runtime of the security application; analyzing the plurality of received feeds to determine if the security application is required to be re-programmed to perform an optimized action to efficiently protect against the cyber-threat; and re-programming, during the runtime, the security application, when it is determined that the security application requires performance of the optimized action.

Abstract: A system and method for adaptively securing a protected entity against cyber-threats. The method comprises: determining, based on at least one input feature, at least one normalization function, wherein the at least one input feature defines an attribute of a data flow to be evaluated by the SDE; receiving at least one engine rule describing an anomaly to be evaluated; and creating an inference system including at least one inference unit, wherein each inference unit is determined based on one of the received at least one engine rule, wherein the inference system computes a score of anomaly (SoA) respective of the at least one input feature.

Abstract: A system and method for programmably creating a security application via a graphical user interface. The method comprises: causing a display of a service stage GUI window including at least one security phase zone; receiving a selection of at least one security service including at least one security decision engine; causing a display of an event rule stage window including at least one event rule parameters zone; receiving a selection of at least one event rule related to the at least one SDE; causing a display of an event relationship stage GUI window including at least one rule selection zone; receiving a selection of at least one workflow rule and at least one action; and configuring the security application based on the selected at least one work rule and the selected at least one action.

Abstract: A method and system for scoring performance of a security product are provided. The method includes receiving security product performance data of the security product configured to handle a specific cyber threat; classifying the performance data into a product profile associated with the security product; computing at least one security product performance score for the product profile based on the classified product security performance data; and associating the at least one security performance score with the product profile. In an embodiment, the method also includes selecting the at least one security product from a plurality of security products based on their respective performance scores for the respective cyber threat.

Abstract: A system and method for classifying security rules of a plurality of different security products into a security decision engine in a service. The method comprises receiving at least one security rule from at least one attack database of a security product of the plurality of different security products; normalizing each of the at least one security rule; generating a vector for each of the least one normalized security rule, wherein each vector is generated based on a set of terms indicative of a cyber-solution; mapping each of the generated vector to a security service, wherein the security service represents a cyber-solution category, wherein the mapping is performed using a classification model; and associating each of the respective security rule with the security service, when an evaluation threshold is met.

Abstract: A system and method for adaptively securing a protected entity against cyber-threats. The method includes: activating a security application configured to handle a cyber-threat; receiving a plurality of feeds during a runtime of the security application; analyzing the plurality of received feeds to determine if the security application is required to be re-programmed to perform an optimized action to efficiently protect against the cyber-threat; and re-programming, during the runtime, the security application, when it is determined that the security application requires performance of the optimized action.

Abstract: A system and method for generating policies for investigating cyber-security attacks are provided. The method includes selecting at least one entity of interest (EoI); determining at least one detection event associated with the at least one EoI; processing the at least one detection event to create a plurality of investigation rules, wherein each of the plurality of investigation rules includes a set of filters utilized to identify malicious activity related the at least one EoI; and defining an investigation policy for the EoI, wherein the defined investigation policy includes the plurality of investigation rules.

Abstract: A method and system for cyber threat risk-chain generation are provided. The method includes obtaining a plurality of events; mapping each event of the plurality of obtained events to a global threat type, wherein each global threat type is associated with a risk-chain group; correlating among the mapped plurality of events to determine at least a transition between one global threat type to another; and updating a data structure maintaining data of at least one risk-chain, when the transition is determined, wherein the at least one risk-chain is a lifecycle of a cyber-attack.

Abstract: A system and method for adaptively securing a protected entity against cyber-threats are presented. The method includes selecting at least one security application configured to handle a cyber-threat, wherein the at least one security application executes a plurality of security services assigned to the at least one security application; determining at least one workflow rule respective of the at least one security application; receiving a plurality of signals from the plurality of security services, wherein each signal of the plurality of signals is generated with respect to a potential cyber-threat; generating at least one security event respective of the plurality of received signals; checking determining if the at least one security event satisfies the at least one workflow rule; and upon determining that the at least one security event satisfies the workflow rule, generating at least one action with respect to the potential cyber-threat.

Abstract: A system and method for programmably creating a security application via a graphical user interface. The method comprises: causing a display of a service stage GUI window including at least one security phase zone; receiving a selection of at least one security service including at least one security decision engine; causing a display of an event rule stage window including at least one event rule parameters zone; receiving a selection of at least one event rule related to the at least one SDE; causing a display of an event relationship stage GUI window including at least one rule selection zone; receiving a selection of at least one workflow rule and at least one action; and configuring the security application based on the selected at least one work rule and the selected at least one action.