Abstract: A system, method, and computer-readable medium are disclosed for monitoring actions of an entity. In various embodiments the monitoring includes: monitoring a plurality of electronically-observable actions of the entity, the plurality of electronically-observable actions of the entity corresponding to a plurality of events enacted by the entity; associating the plurality of events enacted by the entity with a story; and, using the story to derive an inference regarding the entity.

Abstract: A method, system and computer-usable medium for performing a feature generation operation. The performing a feature generation operation including: receiving a stream of events, the stream of events comprising a plurality of events; applying labels to applicable events from the plurality of events, the applying labels providing a labeled event; and, processing the labeled event to extract a feature from the labeled event, the processing providing a feature associated with an event.

Abstract: A method, system and computer-usable medium for routing data loss prevention (DLP) events across different network levels. A determination is made as to a number of DLP networks. The classification and data as to a DLP network is determined. Certain data is processed, including an entity risk level and certain data is held, such as certificates. The held data is processed by a computing platform. Processed entity risk levels are returned to the DLP networks. When all networks are processed, processed and held data are sent to the computing platform.

Abstract: A system, method, and computer-readable medium are disclosed for performing an eventually consistent event resolution operation. The eventually consistent event resolution operation includes: parsing entity identifier information, the parsing generating a plurality of entity identifier elements from the entity identifier information; normalizing an entity identifier element of the plurality of entity identifier elements to provide a normalized entity identifier element; associating the normalized entity identifier element with the entity to resolve the identity of the entity; and, performing an eventually consistent event resolution operation, the eventually consistent event resolution operation updating distributed data associated with the entity, distributed data corresponding to entity identifiers impacted by subsequent changes to entity mappings being updated by the eventually consistent event resolution operation to reflect a more recent entity mapping.

Abstract: A method, system and computer-usable medium are disclosed for identifying security risks to a computer system based on a distribution of categorical features of events. Certain embodiments are directed to a computer-implemented method comprising: receiving a stream of events, the stream of events including a plurality of events; extracting a categorical feature from the plurality of events, where the categorical feature includes a set of categorical feature members, where the set of categorical feature members are generated on the fly from string values included in the extracted categorical feature; constructing a distribution for the categorical feature based on categorical feature members extracted from the plurality of events; and, analyzing the distribution of the categorical feature to identify one or more security risk factors.

Abstract: A method, system and computer-usable medium for detecting if a file(s) is/are copied to/from a computing device from/to one or more other devices. The computing device or information handling device is connected to other devices using a transfer protocol such as Media Transfer Protocol. File activity is monitored between the computing device and the other devices. Each file activity is entered into a common queue available to the computing device and the other devices. Comparison is made at to the entries in the queue as to entries that the same size and the file activity happens within a time window. Pairs that meet the size and activity time window are determined to be file copy pairs.

Abstract: A system, method, and computer-readable medium are disclosed for enforcing security policies. Enforcing security policies includes monitoring electronically-observable user interactions of an entity, the electronically-observable user interactions comprising corresponding user behavior of the entity; converting the electronically-observable user interactions into electronic information representing the user behavior; and, applying an organization specific security policy based upon the electronic information representing the user behavior, the organization specific security policy comprising an automatically generated organization specific rule.

Abstract: A system, method, and computer-readable medium are disclosed for generating security policies. Generating security policies includes gathering information related to an organization, the information related to the organization comprising electronically-observable information related to the organization; converting the electronically-observable information related to the organization into electronic information related to the organization; using the electronic information related to the organization to automatically generate a plurality of organization specific rules; and, generating an organization specific security policy, the organization specific security policy comprising at least one organization specific rule.

Abstract: An email phishing detection mechanism is provided that utilizes machine learning algorithms. The machine learning algorithms are trained on phishing and non-phishing features extracted from a variety of data sets. Embodiments extract embedded URL-based and email body text-based feature sets for training and testing the machine learning algorithms. Embodiments determine the presence of a phishing message through a combination of examining an embedded URL and the body text of the message for the learned feature sets.

Abstract: A method, system and computer-usable medium for performing a spoofed email detection operation, comprising: maintaining a list of allowed third party domains that are authorized to send an internally-addressed email, the list of allowed third party domains comprising a plurality of domains; receiving an email from a third party sender, the email comprising an email envelope, the email envelope storing a domain of a third party sender address of the third party sender; comparing the domain of the third party sender address stored in the email envelope with the list of allowed third party domains; identifying the domain of the third party sender address stored in the email envelope as an allowed domain when the domain of the third party sender address matches a third party domain stored within the list of allowed third party domains.

Abstract: A method, system and computer-usable medium for adaptively assessing risk associated with an endpoint, comprising: determining a risk level corresponding to an entity associated with an endpoint; selecting a frequency and a duration of an endpoint monitoring interval; collecting user behavior to collect user behavior associated with the entity for the duration of the endpoint monitoring interval via the endpoint; processing the user behavior to generate a current risk score for the entity; comparing the current risk score of the user to historical risk scores to determine whether a risk score of a user has changed; and changing the risk score of the user to the current risk score when the risk score of the user has changed.

Abstract: A system, method, and computer-readable medium for resolving an identity of an entity, comprising parsing entity identifier information associated with the entity to provide an entity identifier element, the entity identifier information comprising temporal information; classifying the entity identifier element to provide a classified entity identifier element; normalizing the classified entity identifier element to provide a classified and normalized entity identifier element; and, associating the classified and normalized entity identifier element and the temporal information with the entity to resolve the identity of the entity at a particular point in time.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring an entity, the monitoring observing at least one electronically-observable data source; deriving an observable based upon the monitoring of the electronically-observable data source; identifying a security related activity of the entity, the security related activity being based upon the observable derived from the electronic data source, the security related activity being of analytic utility; associating the security related activity with a component of a cyber kill chain; and, performing a security operation on the security related activity via a security system, the security operation disrupting performance of the component of the cyber kill chain by affecting performance of the security related activity by the entity.

Abstract: A method, system and computer-usable medium for redisplaying data at a remote access client system from a secure computing environment. The redisplaying data includes receiving a request form the remote access client system for data, inspecting the request for potential unauthorized or malicious retransmission. Modifying the data, by filtering audio data or transforming graphical data prior to sending the requested data is performed to prevent the unauthorized or malicious retransmission.

Abstract: A method, system and computer-usable medium for detecting an occurrence of visual hacking via a visual hacking detection operation which includes: receiving a surveillance image; processing the surveillance image to generate surveillance image data; and, performing a visual hacking detection operation using the surveillance image data, the visual hacking detection operation determining whether visual hacking has been detected.

Abstract: A system, method, and computer-readable medium are disclosed for performing an entity behavior cataloging operation. The entity behavior cataloging operation includes: identifying a plurality of security related activities, the plurality of security related activities being based upon an observable from an electronic data source; analyzing the plurality of security related activities, the analyzing identifying a plurality of events of analytic utility associated with the plurality of security related activities; generating a set of entity behavior catalog data based upon the event of analytic utility associated with the security related activity, the set of entity behavior catalog data comprising an associated group of behaviors; and, storing the set of entity behavior data and the associated group of behaviors within an entity behavior catalog, the entity behavior catalog providing an inventory of entity behaviors for use when performing a security operation.

Abstract: A system, method, and computer-readable medium are disclosed for performing an entity behavior cataloging operation. The entity behavior cataloging operation includes: identifying a security related activity, the security related activity being based upon an observable from an electronic data source; analyzing the security related activity, the analyzing identifying an event of analytic utility associated with the security related activity; generating entity behavior catalog data based upon the event of analytic utility associated with the security related activity; and, storing the entity behavior catalog data within an entity behavior catalog, the entity behavior catalog providing an inventory of entity behaviors for use when performing a security operation.

Abstract: A method, system and computer-usable medium for generating session-based security information. Generating the session-based security information includes the steps of monitoring user behavior between an enactor and an entity; detecting user behavior data associated with the user behavior; generating a session using the user behavior data, the session relating to an entity discrete interaction of the enactor; and, associating the session and the session-based security information with the user profile.

Abstract: A method, system and computer-usable medium for adaptively remediating multivariate risk, comprising: detecting a violation of a multivariate security policy, the multivariate security policy comprising a plurality of variables; identifying a variable from the plurality of variables associated with a cause of the violation; associating an entity with the variable associated with the cause of the violation; and, adaptively remediating a risk associated with the entity.

Abstract: Disclosed herein is technology that detects potentially deceptive URI (Uniform Resource Identifier) of a homograph attack (e.g., an Internationalized Domain Name (IDN) homograph attack). In one or more implementations, the detection may be accomplished, at least in part, by assessing the likelihood that all of the characters in the URI (e.g., domain name) were typed on a keyboard using a single keyboard map. This Abstract is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims.