Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation.

Abstract: An email phishing detection mechanism is provided that utilizes machine learning algorithms. The machine learning algorithms are trained on phishing and non-phishing features extracted from a variety of data sets. Embodiments extract embedded URL-based and email body text-based feature sets for training and testing the machine learning algorithms. Embodiments determine the presence of a phishing message through a combination of examining an embedded URL and the body text of the message for the learned feature sets.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring an entity, the monitoring observing at least one electronically-observable data source; identifying a security related activity of the entity, the security related activity being of analytic utility; accessing an entity behavior catalog based upon the security related activity, the entity behavior catalog providing an inventory of entity behaviors; and performing a security operation via a distributed security analytics environment, the security operation using entity behavior catalog data stored within the entity behavior catalog based upon the security related activity.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring an entity, the monitoring observing at least one electronically-observable data source; deriving an observable based upon the monitoring of the electronically-observable data source; associating a human factor with the entity; identifying an event of analytic utility, the event of analytic utility being derived from the observable from the electronic data source; analyzing the event of analytic utility, the analyzing the event of analytic utility taking into account the human factor associated with the entity enacting the event of analytic utility; generating a risk score in response to the analyzing, the risk score taking into account the human factor associated with the entity; and, performing the security operation when the risk score meets a security risk parameter.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation.

Abstract: A system, method, and computer-readable medium are disclosed for implementing a cybersecurity system having security policy visualization. At least one embodiment is directed to a computer-implemented method for implementing security policies in a secured network, including: retrieving a set of rules of a security policy; analyzing the set of rules of the security policy using one or more Satisfiability Modulo Theory (SMT) operations to reduce a dimensionality of the security policy; and generating a visual presentation on a user interface using results of the SMT operations, where the visual presentation includes visual indicia representing one or more targeted policy dimensions with respect to one or more fixed policy dimensions. In at least one embodiment, two or more security policies are presented with visual indicia representing differences between the security policies, including representations of one or more targeted policy dimensions with respect to one or more fixed policy dimensions.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring an entity, the monitoring observing an electronically-observable data source; deriving an observable based upon the monitoring of the electronically-observable data source; identifying a security related activity, the security related activity being based upon the observable from the electronic data source; analyzing the security related activity, the analyzing the security related activity using a security risk persona; associating the security risk persona with a phase of a cyber kill chain; and, performing a security operation on the security related activity via a security system, the security operation disrupting performance of the phase of the cyber kill chain.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring an entity, the monitoring observing at least one electronically-observable data source; deriving an observable based upon the monitoring of the electronically-observable data source; identifying a security related activity, the security related activity being based upon the observable from the electronic data source; the security related activity comprising a concerning behavior, the security related activity being enacted during an activity session; associating the security related activity enacted during an activity session with a security risk persona; analyzing the security related activity, the analyzing the security related activity using the security risk persona; and, performing a security operation in response to the analyzing the security related activity.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring an entity, the monitoring observing at least one electronically-observable data source; identifying an event of analytic utility; analyzing the event of analytic utility, the analyzing the event of analytic utility identifying an entity behavior associated with the event of analytic utility; and, performing the security operation in response to the analyzing the event of analytic utility, where the monitoring, identifying, analyzing and performing are performed via a distributed security analytics framework.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring a plurality of actions of an entity, the plurality of actions of the entity corresponding to a plurality of events enacted by the entity; maintaining information relating to the monitoring within a user edge component; identifying an event of analytic utility; analyzing the event of analytic utility at the user edge component, the analyzing generating a security risk assessment; and, providing the security risk assessment to a network edge component.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring an entity, the monitoring observing at least one electronically-observable data source; identifying a security related activity of the entity, the security related activity being of analytic utility; accessing an entity behavior catalog based upon the security related activity, the entity behavior catalog providing an inventory of entity behaviors; and performing a security operation via a human-centric risk modeling framework, the security operation using entity behavior catalog data stored within the entity behavior catalog based upon the security related activity.

Abstract: A method may include providing a multi-access interface for network traffic, comprising: receiving information regarding topology of a virtual private network and storing the topology in the form of a routing table. A method may include providing an interface for network traffic, comprising: in a virtual private network comprising a plurality of tunnels delivering only information associated with OSI Level 3, receiving a network communication and performing multicast forwarding among the plurality of tunnels using multicast forwarding from OSI Level 2. A method may include providing an interface for network traffic, comprising, in a virtual private network: establishing a connection between a first node of the virtual private network and a second node serving as a virtual private network broker and fetching, by the first node from the virtual private network broker, information regarding one or more other nodes of the virtual private network.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security analytics mapping operation.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring an entity, the monitoring observing at least one electronically-observable data source; deriving an observable based upon the monitoring of the electronically-observable data source; identifying a security related activity, the security related activity being based upon the observable from the electronic data source, the security related activity comprising a concerning behavior; generating a contextual modifier relating to the security related activity; analyzing the security related activity, the analyzing the security related activity being based upon the contextual modifier; and, performing a security operation in response to the analyzing the security related activity.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring an entity, the monitoring observing an electronically-observable data source; deriving an observable based upon the monitoring of the electronically-observable data source; identifying a security related activity, the security related activity being based upon the observable from the electronic data source; analyzing the security related activity, the analyzing the security related activity using a security risk persona; and, performing a security operation in response to the analyzing the security related activity.

Abstract: A method, system, and computer-usable medium are disclosed, comprising: initiating a web transaction between an endpoint device and a target web server; automatically switching between a first communication mode and a second communication mode in response to one or more communication performance conditions associated with conducting the web transaction, where the endpoint device communicates with the target web server using an intermediate proxy server in the first communication mode; and the endpoint device communicates with the target web server without using the intermediate proxy server in the second communication mode. Other embodiments include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods.

Abstract: A method, system and computer-usable medium are disclosed for operating an endpoint agent at an endpoint device. Certain embodiments include a computer-implemented method for operating an endpoint agent at an endpoint device, including: operating the endpoint agent to selectively subscribe to events corresponding to activities occurring at an endpoint platform; processing events received from a message bus by the endpoint agent, where the events processed by the endpoint agent are events to which the endpoint agent has subscribed; and communicating, to a service, information corresponding to the events processed by the endpoint agent. Other embodiments of this aspect of the invention may include corresponding stand-alone and/or network computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform one or more of these actions.

Abstract: A system, method, and computer-readable medium are disclosed for performing a type-dependent event deduplication operation. The type-dependent event deduplication operation comprising: receiving a stream of events, the stream of events comprising a plurality of events, each event of the plurality of events having an associated event type; determining an event type of the plurality of events; parsing the plurality of events based upon the associated event type, the parsing providing a plurality of parsed events; and, performing a type-dependent event deduplication operation on the plurality of parsed events, the type-dependent event deduplication operation deduplicating events based upon the event type.

Abstract: A method for filtering data packets at a firewall system is disclosed that includes receiving a data packet having a plurality of fields at a processor, and determining whether a precondition exists, where an action is associated the precondition. The action associated with the precondition is performed if it is determined that the precondition exists. The data packet is processed using a plurality of rules if it is determined that the precondition does not exist for the one or more of the plurality of fields. A user associated with the data packet is identified, and it is determined whether one or more rules are stored in a cache for one or more of a plurality of groups associated with the user. The data packet is processed using the one or more rules stored in the cache if present.