Abstract: There is disclosed a system and method of detecting security threats for an enterprise, including: filtering a first set of endpoint metadata records to identify a subset of metadata records, wherein filtering includes identifying endpoint security metadata records that are uncommon in context of the enterprise; and designating the subset of metadata records as indicating a potential security threat including designating the subset of metadata records for human analysis.

Abstract: There is disclosed in one example a method of a work node synchronously load balancing to a multi-node service having an expected maximum of n work nodes, including: provisioning a flow table having m bucket groups, m?1, the bucket groups including n slots each; enumerating a static integer self-identification id0; initializing the flow table with id0 in each slot; performing a discovery iteration, including: discovering a peer device; enumerating a static integer identification idx for the peer device; assigning idx to each slot corresponding to a home position for the peer device; and load balancing slots not assigned to a home position according to a deterministic algorithm; and discovering additional nodes and performing discovery iteration for the additional nodes.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; and instructions encoded within the memory to instruct the processor to: provide a data exchange layer (DXL) software interface, the DXL software interface to communicatively couple to an enterprise service bus (ESB) and to provide DXL messaging services via the ESB; communicatively couple to a DXL broker via the DXL software interface; via the DXL broker, subscribe to a DXL location services topic; receive via the DXL broker a location services query; and responsive the location services query, provide logical location data for one or more network devices.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed herein to accelerate security threat investigation. An example apparatus includes a model trainer to train a security investigation model, a game engine to determine a source security software product and a destination security software product of a security threat object, an actions database to store at least one of the previous security response action, the source security software product, the destination security software product, and the security threat object, an action generator to generate at least one suggested security response action in response to a user security investigation action, wherein the suggested security response action is based on an execution of the security investigation model, and a software product controller to adjust a display of the destination security software product of the security threat object in response to the security response action.

Abstract: A computing apparatus to provide endpoint detect and response (EDR) filtering to an enterprise, including: a processor and memory; a network interface; a network protocol to communicatively couple to a data source via the network interface; and instructions encoded within the memory to provide an EDR filtering pipeline to receive an unfiltered EDR stream via the network interface, extract an EDR record from the EDR stream, and apply a hash to the EDR record to determine that the EDR record is uncommon in context of the enterprise; and a decorator module to decorate the EDR record for in-depth analysis.

Abstract: A system for securing electronic devices includes a processor, a storage medium communicatively coupled to the processor, and a monitoring application comprising computer-executable instructions on the medium. The instructions are readable by the processor. The monitoring application is configured to receive an indication that a client has been affected by malware, cause the client to boot from a trusted operating system image, cause a launch of a secured security application on the client from a trusted application image, and analyze a malware status of the client through the secured security application.

Abstract: A system for securing electronic devices includes a processor, non-transitory machine readable storage medium communicatively coupled to the processor, security applications, and a security controller. The security controller includes computer-executable instructions on the medium that are readable by the processor. The security application is configured to determine a suspicious file from a client using the security applications, identify whether the suspicious file has been encountered by other clients using the security applications, calculate a time range for which the suspicious file has been present on the clients, determine resources accessed by the suspicious file during the time range, and create a visualization of the suspicious file, a relationship between the suspicious file and the clients, the time range, and the resources accessed by the suspicious file during the time range.

Abstract: Embodiments are disclosed herein for remote retrieval of information from endpoints and comprise receiving a master query at an endpoint in a network environment and executing a set of one or more subqueries defined in the master query. Embodiments also comprise an execution of a first subquery that includes executing a function to produce a first output, applying one or more conditions to the first output to determine a second output, and determining a result of the master query based, at least in part, on the second output. In specific embodiments, the master query is received from another node over a network connection. In more specific embodiments, the function is executed on the endpoint to collect real-time information based on one or more parameters. In further embodiments, the function is one of a plug-in or a script.

Abstract: In one or more examples, there is disclosed a system and method of detecting agent presence for self-healing. An out-of-band monitoring process, such as Intel® AMT, or any process in firmware executing on a co-processor, may monitor one or more processes to determine if one goes down or otherwise meets a security criterion. Crashed processes may be reported to an enterprise security controller (ESC). The ESC may notice trends among affected machines and instruct the machines to take appropriate remedial action, such as booting from a remedial image.

Abstract: Embodiments are disclosed herein for remote retrieval of information from endpoints and comprise receiving a master query at an endpoint in a network environment and executing a set of one or more subqueries defined in the master query. Embodiments also comprise an execution of a first subquery that includes executing a function to produce a first output, applying one or more conditions to the first output to determine a second output, and determining a result of the master query based, at least in part, on the second output. In specific embodiments, the master query is received from another node over a network connection. In more specific embodiments, the function is executed on the endpoint to collect real-time information based on one or more parameters. In further embodiments, the function is one of a plug-in or a script.

Abstract: In an example, there is disclosed a data exchange layer (DXL) broker, including: a hardware platform including a processor and a memory; a DXL service store; a traditional internet protocol (IP) network stack; a DXL driver to operate a DXL layer on top of the traditional IP network stack; and instructions encoded within the memory to: enumerate a plurality of DXL endpoints connected to the DXL broker via the traditional IP network stack; store IP network routing information and DXL identification information for the DXL endpoints in the DXL service store; receive a DXL message for a DXL endpoint, the DXL message including DXL identification information for one of the plurality of DXL endpoints; and route the DXL message to the one of the plurality of DXL endpoints via the IP network routing information for the one of the plurality of DXL endpoints.

Abstract: In one or more examples, there is disclosed a system and method of detecting agent presence for self-healing. An out-of-band monitoring process, such as Intel® AMT, or any process in firmware executing on a co-processor, may monitor one or more processes to determine if one goes down or otherwise meets a security criterion. Crashed processes may be reported to an enterprise security controller (ESC). The ESC may notice trends among affected machines and instruct the machines to take appropriate remedial action, such as booting from a remedial image.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to identify and report cloud-based security vulnerabilities. An apparatus comprising: a security vulnerability detector to, in response to a resource monitor monitoring a threshold amount of activity in a resource of a cloud computing environment, determine one or more security vulnerabilities associated with the resource and the cloud computing environment; a vulnerability processor to correlate the one or more security vulnerabilities with one or more kill chains to exploit at least one security vulnerability in the cloud computing environment; and a report generator to generate a report including a story graph indicating a subset of at least one of: (a) the one or more security vulnerabilities associated with the one or more kill chains, (b) one or more remediation actions to obviate the one or more security vulnerabilities, or (c) threat intelligence feeds associated with the one or more security vulnerabilities.

Abstract: Example methods disclosed herein to determine whether a first monitored device is compromised include determining a first entropy value for the first monitored device based on a first number of unique event identifiers included in log entries obtained for the first monitored device, the log entries associated with a first time window. Disclosed example methods also include determining a second entropy value for the first monitored device based on numbers of unique event identifiers included in corresponding groups of log entries obtained for respective ones of a plurality of monitored devices including the first monitored device, the groups of log entries associated with the first time window. Disclosed example methods further include determining whether the first monitored device is compromised based on the first entropy value and the second entropy value, and performing an action in response to a determination that the first monitored device is compromised.

Abstract: Example apparatus disclosed herein to perform a cybersecurity investigation include a graph generator to iteratively generate an information graph based on investigative data in response to detection of a threat alert in a monitored network, the investigative data accessed from information sources based on a set of information seeker tools, the information graph generated based on a graph schema specifying possible relationships between the information seeker tools. Example apparatus also include a pattern recognizer to traverse the information graph to identify a path in the information graph matching a pattern from the graph schema associated with a cybersecurity threat. Example apparatus further include a user interface to output the path identified in the information graph and the cybersecurity threat to an output device.

Abstract: A system for securing electronic devices includes a processor, a storage medium communicatively coupled to the processor, and a monitoring application comprising computer-executable instructions on the medium. The instructions are readable by the processor. The monitoring application is configured to receive an indication that a client has been affected by malware, cause the client to boot from a trusted operating system image, cause a launch of a secured security application on the client from a trusted application image, and analyze a malware status of the client through the secured security application.