Abstract: A system for controlling accesses to network enabled devices includes a network interface over which a hub communicates with network enabled devices, a processor, and a multilayer access control layer. The access control layer includes instructions that, when executed by the processor, cause the processor to detect, at the hub, a request representing an attempt by an application executing on a remote host device to access a network enabled device communicatively coupled to the hub, characterize the request according to a user of the remote host device, the application making the attempt, and the network enabled device, and determine whether to allow or deny the request based upon the characterization and a plurality of rules. The rules may include definitions of access rights, with respect to the network enabled device, for users, applications, commands or queries made by applications, remote host devices, and network domains.

Abstract: A set of attributes of a particular asset of a computing environment is identified that are determined from data collected by one or more utilities in the computing environment. A criticality rating is automatically determined for the particular asset based at least in part on the set of attributes. A security activity is caused to be performed relating to the particular asset based on the automatically determined criticality rating of the particular asset.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed for dynamic extension of restricted software applications after an operating system mode switch. An example system includes a switch detector to detect a switch of a computing device from a restricted operating system to an unrestricted operating system, and a restricted application upgrader to be invoked when the switch is detected, the restricted application upgrader is to generate a first request to a server to obtain a first executable, the first request including a parameter of a restricted software application of the computing device, execute the first executable to generate a second request to the server to obtain a second executable to install an unrestricted software application associated with the restricted software application, and execute the second executable to install the unrestricted software application.

Abstract: There is disclosed in one example a gateway apparatus to operate on an intranet, including: a hardware platform; and an access proxy engine to operate on the hardware platform and configured to: intercept an incoming packet; determine that the incoming packet is an access request directed to an access interface of a resource of the intranet; present an access checkpoint interface; receive an authentication input response; validate the authentication input response; and provide a redirection to the access interface of the device.

Abstract: A technique for detecting malware looks at startup hooks that may be created by malware to assist in ensuring that the malware is started upon a reboot of a programmable device. After enumerating startup hooks in the system, startup hooks associated with untrusted executables are deleted. If the startup hook is restored, that is an indication that the untrusted executable may be malware. An indication may then be passed to an anti-malware software to analyze the executable further.

Abstract: A method in one example implementation includes extracting a plurality of data elements from a record of a data file, tokenizing the data elements into tokens, and storing the tokens in a first tuple of a registration list. The method further includes selecting one of the tokens as a token key for the first tuple, where the token is selected because it occurs less frequently in the registration list than each of the other tokens in the first tuple. In specific embodiments, at least one data element is an expression element having a character pattern matching a predefined expression pattern that represents at least two words and a separator between the words. In other embodiments, at least one data element is a word defined by a character pattern of one or more consecutive essential characters. Other specific embodiments include determining an end of the record by recognizing a predefined delimiter.

Abstract: There is disclosed a computing apparatus, including: a hardware platform; a service mapping requirements table including a plurality of components and having associated therewith a plurality of service requirements; an isolation platform; and a security policy engine configured to: receive a new appliance image for the isolation platform; scan the new appliance image and build a bill of materials (BoM) for the new container image, the BoM including a plurality of components; search the service mapping requirements table for the plurality of components and identify service requirements for the components; and generate a security policy for the new appliance image.

Abstract: A firewall cluster comprises three or more firewall processing nodes, which report primary node status based on the reporting node's membership in a preexisting cluster. A controller uses the reported status to assign a primary node in the distributed firewall cluster. Reported primary node status includes reported primary node eligibility if the node is a member of a preexisting cluster, reported primary node status comprising reporting primary node ineligibility if the node is not a member of a preexisting cluster, reported primary node status if the node is a primary node in a preexisting cluster, and reported primary node eligibility in a node that has timed out.

Abstract: Methods, apparatus, systems and articles of manufacture to detect steganographically hidden content in a media file are disclosed. An example system includes a media classifier to determine type of a media file, and a detector to apply a detection technique to the media file. The detector selects the detection technique from a plurality of steganographically-based detection techniques based on the media file type. The system also includes a remediator to apply a remediation technique to the media file based on whether the detector detects steganographically hidden content in the media file.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to identify a file, determine a polyglotness score for the file, where the polyglotness score is an indicator of whether or not the file is a polyglot file, and analyze the file for the presence of malware if the polyglotness score satisfies threshold.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface to communicatively couple to an enterprise service bus (ESB); instructions encoded within the memory to provide a data exchange layer (DXL) application programming interface (API), the DXL API to provide communication with a plurality of other DXL endpoints via a DXL broker; and instructions encoded within the memory to provide an asset management engine to: subscribe to a DXL location services topic via the DXL broker; receive a DXL location services query from a DXL endpoint via the DXL broker; and publish network location data via the DXL broker.

Abstract: Embodiments are configured to receive metadata of a process intercepted on an end host when attempting to access a network. The metadata includes a hash of an application associated with the process and an endpoint reputation score of the application. Embodiments are configured to request a threat intelligence reputation score based on the hash of the application, to determine an action to be taken by the end host based, at least in part, on one or more policies and at least one of the threat intelligence reputation score and the endpoint reputation score, and to send a response indicating the action to be taken by the end host. Further embodiments request another threat intelligence reputation score based on another hash of a dynamic link library module loaded by the process on the end host, and the action is determined based, at least in part, on the other threat intelligence score.

Abstract: In one example, there is disclosed a domain master for a data exchange layer (DXL), including: a hardware platform configured to execute instructions; and one or more memories having stored thereon instructions to instruct the hardware platform to: communicatively couple to the DXL; provide a DXL messaging service including native support for request-response (1:1) transactions via a publish-subscribe (1:N, N>1) fabric; provide DXL domain master services for a DXL domain; and provide DXL-based real-time policy and task distribution for DXL endpoints of the DXL domain.

Abstract: Apparatus, methods and systems to associate a flight plan of an unmanned aerial vehicle (e.g., a drone) with a cryptographic signature are disclosed herein. Some disclosed examples include one or more non-transitory computer-readable media including computer-executable instructions. The computer readable instructions, when executed by one or more processors, cause the one or more processors to compare a flight path over a geographic area of an unmanned aerial vehicle to a geographically identified no-fly zone. The flight path is included in a flight plan. The instructions also cause the vehicle to determine whether the flight path enters the geographically identified no-fly zone, and based on whether the flight path is determined to enter the geographically identified no-fly zone, associate the flight plan with a cryptographic signature.

Abstract: Particular embodiments described herein provide for modular device assemblies and methods for enabling maintenance and servicing, particularly by an unmanned aerial vehicle. A device assembly comprises a plurality of modules, each module having control circuitry, a communications port and contact points to couple the modules. When the modules are coupled, the communications ports are connected to create a bus for communications between the modules. The modular device structure where modules are removable and replaceable allows for an unmanned aerial vehicle to perform maintenance on the device.

Abstract: Embodiments are disclosed herein for remote retrieval of information from endpoints and comprise receiving a master query at an endpoint in a network environment and executing a set of one or more subqueries defined in the master query. Embodiments also comprise an execution of a first subquery that includes executing a function to produce a first output, applying one or more conditions to the first output to determine a second output, and determining a result of the master query based, at least in part, on the second output. In specific embodiments, the master query is received from another node over a network connection. In more specific embodiments, the function is executed on the endpoint to collect real-time information based on one or more parameters. In further embodiments, the function is one of a plug-in or a script.

Abstract: In an example, there is disclosed a computing apparatus, including: a hardware platform comprising a processor and a memory; software to access a network or internet resource according to a domain name; a network stack to provide network or internet access; and a virtual private network (VPN), configured to locally intercept a domain name-based access request, query a domain policy repository to determine whether the domain name should be blocked, and to query an external domain name system (DNS) server for an internet protocol (IP) address for the domain name and pass the request through the network stack if the domain name should not be blocked.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; and one or more mediums including instructions to instruct the processor to provide a security scanner to: determine that an object to be inspected is an archive including a plurality of bundled files; determine that the archive is encrypted; identify unencrypted data within the encrypted archive that can be made visible to an end user after a failed decryption operation; scan the unencrypted data for a pattern that matches password data; and attempt to decrypt the archive according to the password data.

Abstract: A query is received from a particular endpoint device identifying a particular wireless access point encountered by the particular endpoint device. Pre-existing risk assessment data is identified for the identified particular wireless access point and query result data is sent to the particular endpoint device characterizing pre-assessed risk associated with the particular wireless access point. In some instances, the query result data is generated based on the pre-existing risk assessment data. In some instances, pre-existing risk assessment data can be the result of an earlier risk assessment carried-out at least in part by an endpoint device interfacing with and testing the particular wireless access point.

Abstract: A method for containing a threat in network environment using dynamic firewall policies is provided. In one example embodiment, the method can include detecting a threat originating from a first node having a source address in a network, applying a local firewall policy to block connections with the source address, and broadcasting an alert to a second node in the network. In more particular embodiments, an alert may be sent to a network administrator identifying the source address and providing remedial information. In yet other particular embodiments, the method may also include applying a remote firewall policy to the first node blocking outgoing connections from the first node.