Patents Assigned to FireEye Security Holdings US LLC
-
Patent number: 11962622
Abstract: To prevent un-authorized accesses to data and resources available in workloads on an organization's or enterprise's computer network, various improvements to automated computer network security processes to enable them to enforce network security policies using native network security mechanisms to control communications to and/or from workload units of applications running on different nodes within hybrid computer network infrastructures having both traditional hardware resources and virtual resources provided by private and public cloud infrastructure services.
Type: Grant
Filed: February 6, 2023
Date of Patent: April 16, 2024
Assignee: FireEye Security Holdings US LLC
Inventors: Lisun Joao Kung, Jose Renato Goncalves Santos, Sarowar Golam Sikder
-
Patent number: 11763004
Abstract: An embodiment of a computerized method for detecting bootkits is described. Herein, a lowest level software component within a software stack, such as a lowest software driver within a disk driver stack, is determined. The lowest level software component being in communication with a hardware abstraction layer of a storage device. Thereafter, stored information is extracted from the storage device via the lowest level software component, and representative data based on the stored information, such as execution hashes, are generated. The generated data is analyzed to determine whether the stored information includes a bootkit.
Type: Grant
Filed: September 27, 2018
Date of Patent: September 19, 2023
Assignee: FireEye Security Holdings US LLC
Inventors: Andrew Davis, Frederick House, Ryan Fisher
-
Patent number: 11750618
Abstract: A system for protecting public cloud-hosted virtual resources features cloud visibility logic. According to one embodiment, the cloud visibility logic includes credential evaluation logic, data collection logic, correlation logic, and reporting logic. The credential evaluation logic is configured to gain authorized access to a cloud account within a first public cloud network. The data collection logic is configured to retrieve account data from the cloud account, while the correlation logic is configured to conduct analytics on the account data to determine whether the cloud account is subject to a cybersecurity threat or misconfiguration. The reporting logic is configured to generate an alert when the cloud account is determined by the correlation logic to be subject to the cybersecurity threat or misconfiguration.
Type: Grant
Filed: March 31, 2022
Date of Patent: September 5, 2023
Assignee: FireEye Security Holdings US LLC
Inventors: Sai Vashisht, Sumer Deshpande, Sushant Paithane, Rahul Khul
-
Patent number: 11743290
Abstract: A system and method for detecting phishing cyberattacks. The method involves parsing a code segment retrieved using a suspect uniform resource locator (URL) to identify any links included in the code segment. From these links, additional code segments may be recovered in accordance with a code segment recovery scheme. Thereafter, analytics are performed on the retrieved and possibly recovered code segments. The analytics include determining whether any of the code segments is correlated with a code segment associated with a known prior phishing cyberattack. Upon completing the analytics, an alert message including meta-information associated with results from the analytics is generated to identify that the URL is associated with a known prior phishing cyberattack when one or perhaps a combination of code segments associated with the URL are correlated to any code segment associated with a known prior phishing cyberattack.
Type: Grant
Filed: December 23, 2019
Date of Patent: August 29, 2023
Assignee: FireEye Security Holdings US LLC
Inventors: Muhammad Zain Ul Abadin Gardezi, Mohsin Saeed, Hassan Ahmed, Fahim Abbasi, Farrukh Shahzad
-
Patent number: 11677786
Abstract: An electronic device for detecting threats within a server including a processor, and a memory communicatively coupled to the processor. The memory includes an inspection logic to receive a suspicious object for threat evaluation, and an analyzer logic including at least a first analyzer. The first analyzer, when processed by the processor, generates a virtual environment including a virtual client and a virtual server in communication over a virtualized communication link. The memory also includes a detonator logic configured to trigger the suspicious object. The analyzer logic loads and initializes the suspicious object into the virtual environment and further generates a first score based upon the triggering by the detonator logic that is indicative of a threat posed by the suspicious object. The memory may also include a reporting logic that compares a threat score to at least one threshold and in response may generate at least one remedial action.
Type: Grant
Filed: August 30, 2019
Date of Patent: June 13, 2023
Assignee: FireEye Security Holdings US LLC
Inventors: Sai Vashisht, Ishan Sharma
-
Patent number: 11665188
Abstract: A non-transitory storage medium including software for detecting malicious objects stored at a cloud-based remote service is described. Herein, the software includes first, second and third logic modules. The first logic module is configured to (i) identify the cloud-based remote service hosting one or more objects and (ii) acquire access to the one or more objects stored within the cloud-based remote service. The second logic module is configured to retrieve the one or more objects from the cloud-based remote service and submit the object(s) to a plurality of analytic engines. Each analytic engine is configured to conduct analytics on at least a first object of the object(s) and generate results based on the analytics conducted on at least the first object. The third logic is configured to conduct an analysis of meta-information associated with the first object to determine whether the first object is to be classified as malicious or benign.
Type: Grant
Filed: June 20, 2022
Date of Patent: May 30, 2023
Assignee: FireEye Security Holdings US LLC
Inventor: Sai Vashisht
-
Patent number: 11637857
Abstract: A system for detecting malware is described. The system features a traffic analysis device and a network device. The traffic analysis device is configured to receive data over a communication network, selectively filter the data, and output a first portion of the data to the network device. The network device is communicatively coupled with and remotely located from the traffic analysis device. The network device features software that, upon execution, (i) monitors behaviors of one or more virtual machines processing the first portion of the data received as output from the traffic analysis device, and (ii) detects, based on the monitored behaviors, a presence of malware in the first virtual machine.
Type: Grant
Filed: February 14, 2020
Date of Patent: April 25, 2023
Assignee: FireEye Security Holdings US LLC
Inventor: Ashar Aziz
-
Patent number: 11636198
Abstract: An electronic device for receiving and seamlessly providing cybersecurity analyzer updates and concurrent management systems for detecting cybersecurity threats including a processor and a memory communicatively coupled to the processor. The memory stores an analyzer logic to generate a first analyzer configured to receive a suspicious object for threat evaluation, an inspection logic to manage a first queue of suspicious objects for threat evaluation to the first analyzer, and an update logic to receive updated cybersecurity analytics content data. The analyzer logic receives updated cybersecurity analytics content data and can generate a second analyzer that incorporates at least a portion of the parsed updated cybersecurity analytics content data.
Type: Grant
Filed: February 20, 2020
Date of Patent: April 25, 2023
Assignee: FireEye Security Holdings US LLC
Inventors: Neeraj Kulkarni, Robert M. Beard, Jr., Robin Caron
-
Patent number: 11632392
Abstract: As described, a cloud-based enrollment service is configured to advertise features and capabilities of clusters performing malware analyses within a cloud-based malware detection system. Upon receiving an enrollment request message, including tenant credentials associated with a sensor having an object to be analyzed for malware, the cloud-based enrollment service is configured to use the tenant credentials to authenticate the sensor and determine a type of subscription assigned to the sensor. Thereafter, the cloud-based enrollment service is further configured to transmit an enrollment response message including a portion of the advertised features and capabilities of a selected cluster of the cloud-based malware detection system. The advertised features and capabilities include information to enable the sensor to establish direct communications with the selected cluster.
Type: Grant
Filed: April 6, 2020
Date of Patent: April 18, 2023
Assignee: FireEye Security Holdings US LLC
Inventor: Alexander Otvagin
-
Patent number: 11601444
Abstract: A device for verifying previous determinations from cybersecurity devices comprising a processor and a storage device communicatively coupled to the processor. The storage device comprises submission analysis logic including object parsing logic to receive submission message data and then parse the submission message data into object data, along with workflow selector logic to receive the object data and process the object data to select at least one analyzer within analyzer logic. The analyzer logic can generate at least one analyzer based on the selected analyzer within the workflow selector logic, analyze the object data for potential threats and embedded object data, generate results data based on that analysis, and pass the embedded object data back to the workflow selector for further analysis. Finally, the submission analysis logic comprises triage ticket generation logic to generate triage tickets for analyst review and alert logic to generate automatic alerts.
Type: Grant
Filed: December 24, 2019
Date of Patent: March 7, 2023
Assignee: FireEye Security Holdings US LLC
Inventors: Sai Vashisht, Rahul Khul
-
Patent number: 11575712
Abstract: To prevent un-authorized accesses to data and resources available in workloads on an organization's or enterprise's computer network, various improvements to automated computer network security processes to enable them to enforce network security policies using native network security mechanisms to control communications to and/or from workload units of applications running on different nodes within hybrid computer network infrastructures having both traditional hardware resources and virtual resources provided by private and public cloud infrastructure services.
Type: Grant
Filed: June 22, 2020
Date of Patent: February 7, 2023
Assignee: FireEye Security Holdings US LLC
Inventors: Lisun Joao Kung, Jose Renato Goncalves Santos, Sarowar Golam Sikder
-
Patent number: 11570211
Abstract: A computerized system and method to detect phishing cyber-attacks is described. The approach entails analyzing one or more displayable images of a webpage referenced by a URL to ascertain whether the one or more displayable images, and thus the webpage and potentially an email including the URL, are part of a phishing cyber-attack.
Type: Grant
Filed: January 25, 2021
Date of Patent: January 31, 2023
Assignee: FireEye Security Holdings US LLC
Inventor: Rundong Liu
-
Patent number: 11563769
Abstract: Disclosed is a cyber-security system that is configured to aggregate and unify data from multiple components and platforms on a network. The system allows security administrators to design and implement a workflow of device-actions taken by security individuals in response to a security incident. Based on the nature of a particular threat, the cyber-security system may initiate an action plan that is tailored to the security operations center and their operating procedures to protect potentially impacted components and network resources.
Type: Grant
Filed: April 6, 2020
Date of Patent: January 24, 2023
Assignee: FireEye Security Holdings US LLC
Inventors: Bernard Thomas, David Scott, Fred Brott, Paul Smith
-
Patent number: 11558401
Abstract: A computerized method for analyzing an object is disclosed. The computerized method includes performing, by a first cybersecurity system, a first malware analysis of the object, wherein a first context information is generated by the first cybersecurity system based on the first malware analysis. The first context information includes at least origination information of the object. Additionally, a second cybersecurity system obtains the object and the first context information and performs a second malware analysis of the object to determine a verdict indicating maliciousness of the object. The second malware analysis is based at least in part on the first context information. The second cybersecurity system generates and issues a report based on the second malware analysis, the report including the verdict.
Type: Grant
Filed: March 14, 2019
Date of Patent: January 17, 2023
Assignee: FireEye Security Holdings US LLC
Inventors: Sai Vashisht, Sumer Deshpande, Sushant Paithane, Rajeev Menon
-
Patent number: 11552986
Abstract: A non-transitory storage medium having stored thereon logic wherein the logic is executable by one or more processors to perform operations is disclosed. The operations may include parsing an object, detecting one or more features of a predefined feature set, evaluating each feature-condition pairing of a virtual feature using the one or more values observed of each of the one or more detected features, determining whether results of the evaluation of one or more feature-condition pairings satisfies terms of the virtual feature, and responsive to determining the results of the evaluation satisfy the virtual feature, performing one or more of a static analysis to determine whether the object is associated with anomalous characteristics or a dynamic analysis on the object to determine whether the object is associated with anomalous behaviors.
Type: Grant
Filed: June 29, 2016
Date of Patent: January 10, 2023
Assignee: FireEye Security Holdings US LLC
Inventors: Gregory Templeman, Yasir Khalid
-
Patent number: 11522884
Abstract: One embodiment of the described invention is directed to a key management module deployed within a cybersecurity system that operates as a multi-tenant Security-as-a-Service (SaaS) by relying on Infrastructure-as-a-Service (IaaS) cloud processing resources and cloud storage resources. The key management module is configured to assign a master key to a subscriber upon registration and, as requested, generate one or more virtual keys, based at least in part on the master key, for distribution to the subscriber. Each virtual key is included as part of a submission into the cybersecurity system and is used to authenticate the subscriber of the submission and verify that the subscriber is authorized to perform one or more tasks associated with the submission before the one or more tasks are performed.
Type: Grant
Filed: December 23, 2020
Date of Patent: December 6, 2022
Assignee: FireEye Security Holdings US LLC
Inventors: Sai Vashisht, Sumer Deshpande
-
Patent number: 11436327
Abstract: One embodiment of the described invention is directed to a computerized method for improving detection of cybersecurity threats initiated by a script. Herein, the method is configured to analyze the script provided as part of a script object by at least (i) determining whether any functional code blocks forming the script include a critical code statement, (ii) determining whether any of the functional code blocks include an evasive code statement, (iii) modifying the script to control processing of a subset of the functional code blocks by avoiding an execution code path including the evasive code statement and processing functional code blocks forming a code path including the critical code statement, and (iv) executing the modified script and monitoring behaviors of a virtual environment. Thereafter, the method is configured to determine whether the script includes cybersecurity threats based on the monitored behaviors.
Type: Grant
Filed: December 23, 2020
Date of Patent: September 6, 2022
Assignee: FireEye Security Holdings US LLC
Inventors: Sai Vashisht, Sushant Paithane, Imtiyaz Yunus Pathan
-
Patent number: 11399040
Abstract: A computerized method is described for authenticating access to a subscription-based service to detect an attempted cyber-attack. First, a request is received by a subscription review service to subscribe to the subscription-based service. The service is configured to analyze one or more objects for a potential presence of malware representing the attempted cyber-attack. Using service policy level information, the cloud broker selects a cluster from a plurality of clusters to analyze whether the one or more objects are associated with the attempted cyber-attack and establishes a communication session between the sensor and the cluster via the cloud broker. The service policy level information is associated with the customer and is used in accessing the subscription-based service. The service policy level information includes at least an identifier assigned to the customer.
Type: Grant
Filed: September 28, 2020
Date of Patent: July 26, 2022
Assignee: FireEye Security Holdings US LLC
Inventors: Mumtaz Siddiqui, Manju Radhakrishnan
-
Patent number: 11392700
Abstract: A trust verification system for automatically verifying an integrity of an object across multiple operating system (OS) platforms. The trust verification system features package verification logic, catalog verification logic, and component verification logic. The package verification logic recovers, from an incoming package, (i) an object, (ii) a catalog including identifiers associated with software component(s) forming the object and representation(s) associated with each of the software component(s), and (iii) a representation of the catalog. The catalog verification logic is configured to verify an integrity of the catalog while the component verification logic is configured to verify an integrity of software component(s) associated with the object.
Type: Grant
Filed: June 28, 2019
Date of Patent: July 19, 2022
Assignee: FireEye Security Holdings US LLC
Inventors: Robert Beard, Robin Caron
-
Patent number: 11381578
Abstract: A system and method are disclosed for network-based file analysis for malware detection. Network content is received from a network tap. A binary packet is identified in the network content. A binary file, including the binary packet, is extracted from the network content. It is determined whether the extracted binary file is detected to be malware.
Type: Grant
Filed: September 9, 2014
Date of Patent: July 5, 2022
Assignee: FireEye Security Holdings US LLC
Inventors: Jayaraman Manni, Ashar Aziz, Fengmin Gong, Upendran Loganathan, Muhammad Amin