Abstract: A method, apparatus and product for sub-networks based cyber security. One method includes detecting a device connecting to a local network, wherein the local network is divided into an initial set of subnets, identifying the device by performing a fingerprinting operation on the device, determining an expected usage of the device and updating the initial set of subnets based on the expected usage of the device to generate an updated set of subnets. The method further includes selecting a subnet of the updated set of subnets of the local network to connect the device based on the expected usage of the device, the selected subnet corresponding to the expected usage of the device and connecting the device to the selected subnet in the local network.

Abstract: Systems, methods, and related technologies for determining a risk score or value are described. The risk score determination may include accessing network traffic from a network, where the network traffic is associated with a plurality of entities. One or more values associated with one or more properties associated with an entity are determined. The one or more values may be based on the network traffic. At least one of a functional risk value, a configurational risk value, or a behavioral risk value associated with the entity are determined. A risk value for the entity is determined based on the functional risk value and at least one of the configurational risk value or the behavioral risk value associated with the entity.

Abstract: Systems, methods, and related technologies for classifying a device on a network are described. A method includes capturing device information corresponding to a device on a network. The method inputs unstructured crowdsourced data on the network into a machine learning model to produce structured crowdsourced data. The method classifies the device based on evaluating the device information with the structured crowdsourced data.

Abstract: Systems, methods, and related technologies for threat attribution are described. A method includes accessing network traffic to determine an incident based on a correlation of events as being associated with a same coordinated attack. The incident includes indicators of compromise (IoCs) and a Tactics, Techniques and Procedures (TTPs). The method also includes computing a first probability function based on the IoCs, wherein the first probability function comprises a first set of probability of attributions for a first list of known threat actors, and computing a second probability function based on the TTPs, wherein the second probability function comprises a second set of probability of attributions for a second list of known threat actors.

Abstract: Systems and methods for identifying common vulnerabilities and exposures (CVEs) associated with an entity are described. The identification of the CVEs for an entity includes accessing entity security vulnerabilities and exposures, extracting one or more keywords from each of the entity security vulnerabilities and exposures, and accessing entity property data associated with an entity coupled to a network. The identification further includes comparing the one or more keywords from each of the entity security vulnerabilities and exposures to the entity property data associated with the entity coupled to the network, and determining one or more entity security vulnerabilities and exposures that are associated with the entity coupled to the network based on the comparing of the one or more keywords and the entity property data.

Abstract: Adaptive scanning is described. The adaptive scanning may include performing a passive scan of communications associated with a device, where the passive scan comprises observing one or more communications of the device over a network. One or more attributes associated with the device based on the passive scan are determined and an active scan of the device is performed based on the one or more attributes based on the passive scan. The active scan is customized for the device based on the one or more attributes determined based on the passive scan and the active scan comprises sending one or more requests to the device. One or more attributes associated with the device may be determined based on the active scan. The one or more attributes based on the passive scan and the one or more results based on the active scan associated with the device are stored.

Abstract: Systems, methods, and related technologies for analyzing traffic are described. In certain aspects, network traffic is analyzed and a domain name system (DNS) message is extracted from the network traffic. Subsequent network traffic is monitored and analyzed based on the DNS message and in view of one or more criteria. In response to the one or more criteria being satisfied, an indication of compromise (IoC) for a device is determined.

Abstract: Systems, methods, and related technologies for determining a comprehensive risk score or value are described. The risk score determination may include selecting an entity communicatively coupled to a network and determining a cyber-attack likelihood value and a cyber-attack impact value associated with the entity. A cyber-attack risk may then be determined based on the cyber-attack likelihood value and a cyber-attack impact value associated with the entity. An operational failure likelihood value and an operational failure impact value associated with the entity can be determined. An operational failure risk based on the operational failure likelihood value and the operational failure impact value associated with the entity can be determined. A risk value may then be determined for the entity based on the cyber-attack risk and the operational failure risk and the risk value for the entity can be stored.

Abstract: Systems, methods, and related technologies for entity classification are described. Entity attributes for entity classification are determined and entities coupled to a network are monitored. Values for each entity attribute for each entity coupled to the network are identified. A semantic similarity, between the plurality of entities, of the values for each entity attribute is determined. The entities are clustered into multiple entity clusters based on the semantic similarity of the values for each of the entity attributes for the entities.

Abstract: Systems, methods, and related technologies for classification are described. Network traffic transmitted by a first device is obtained. A set of features is determined based on the network traffic. A first classification for the device is determine a first classification for the first device based on the set of features. The first classification is associated with a first classification level. A second machine learning model is identified based on the first classification. The second machine learning model is associated with the first classification. A second classification for the first device is determined based on the second machine learning model. The second classification is associated with a second classification level. At least one of the first classification and the second classification is stored.

Abstract: Systems, methods, and related technologies for segmentation management are described. In certain aspects, an entity communicatively coupled to a network is selected and one or more characteristics of the entity may be determined. A segmentation policy may be selected based on the one or more characteristics of the entity and one or more tags to be assigned to the entity based on the segmentation policy may be determined. A zone for the entity based on the one or more tags may be determined and one or more enforcement points associated with the zone for the entity may be determined. One or more enforcement actions may then be assigned to the one or more enforcement points based on the zone associated with the entity.

Abstract: Systems, methods, and related technologies for parsing network traffic are described. Network traffic transmitted by a set of devices communicatively coupled to a network is obtained. The network traffic is parsed to determine a set of field values from the network traffic based on the set of protocol fields. The set of field values are transmitted to the set of processing engines.

Abstract: Systems, methods, and related technologies for a risk driven planning and simulation tool for a computer network are described. A security risk is determined for each of a plurality of devices on a network. A network traffic map is presented to a display. The network traffic map shows network traffic between the plurality of devices and the security risk for each of the plurality of devices. Segmentation of one or more of the plurality of devices on the network is simulated and presented to the display with updates to the network traffic or updates to the security risk of some of the devices on the network.

Abstract: Systems, methods, and related technologies for classification are described. In certain aspects, a plurality of device classification methods with associated models are accessed. Each of the classification methods have an associated reliability level. The models of classification methods with a higher reliability level than other classifications methods are used to at least one of train or tune the models associated with lower reliability level.

Abstract: Systems, methods, and related technologies for segmentation management are described. The segmentation management may include visualization, configuration including translation, simulation, or a combination thereof of one or more segmentation policies. In certain aspects, a segmentation policy is accessed and a segmentation rule is determined based on the segmentation policy, wherein the segmentation rule is based on a characteristic of an entity determined without the use of an agent. An enforcement point associated with the segmentation rule may be determined, where the enforcement point is communicatively coupled to a network. The segmentation rule may be translated into a configuration associated with the enforcement point and the configuration communicated to the enforcement point.

Abstract: Systems, methods, and related technologies for profiling an entity and classifying an entity based on a profile are described. In certain aspects, data associated with communications of a first entity on a network are accessed, behaviors are determined based on the data associated with the communications of the first entity, and sequences of the behaviors of the first entity are determined. A profile of the first entity is determined based on the sequences of the behaviors, the profile including a classification of the first entity, a state machine of the profile of the first entity is determined, the state machine being associated with the classification against which the behaviors can be matched, a second entity is detected coming onto the network, and responsive to detecting the second entity coming onto the network, the second entity is classified based on the state machine of the profile of the first entity.

Abstract: Systems, methods, and related technologies relate to obtaining a first classification of a device on a network from a first source, obtaining a second classification of the device on the network from a second source wherein the first classification and the second classification are different, and determining a classification result of the device based on selecting at least one of the first classification or the second classification.

Abstract: Systems, methods, and related technologies for device classification are described. Methods include determining device information associated with a device coupled to a network, the device information including information obtained from one or more sources, classifying the device using the device information as input to a classifier, and applying a policy to the device based on the classification of the device.

Abstract: A method includes accessing events associated with a network and determining an issue based on a correlation of a portion of the events, wherein the issue represents an incident associated with the portion of the events, and wherein the correlation of the portion of the events is based on information associated with the network and at least in part on an event type of the portion of the events. A priority associated with the issue is determined at least based on the event type of the portion of the events. A first event type that is associated with an operational technology (OT) entity has a higher priority than a second event type that is not associated with the OT entity. Data associated with the issue is stored.

Abstract: Systems, methods, and related technologies for determining fields of an unknown protocol are described. Network traffic capture is grouped into one or more clusters of packets based on similarity. Each of the one or more clusters are parsed to identify one or more fields of an unknown protocol. The network traffic capture is modified, including annotating the identified one or more fields of the unknown protocol. A protocol parser is generated without user input, including parsing each of the annotated one or more fields of the unknown protocol to generate a description of the unknown protocol comprising identified one or more fields of the unknown protocol and an order of the identified one or more fields of the unknown protocol, and compiling the description into the protocol parser.