Abstract: Dynamically detecting abnormalities in otherwise legitimate emails containing Uniform Resource Locators (URLs) is provided. An example method includes determining one or more rules defining normal patterns in a number of sending Top-Level Domains of previously received emails received via a computer network to a user or group of users; generating a trusted trends criteria for a received email, associated with the user or the group of users, by evaluating the received email against the one or more rules; determining whether the trusted trends criteria exceeds a predetermined threshold; in response to exceeding the predetermined threshold, generating a second URL and applying it to the received email by replacing a first URL of the received email with the second URL; and redetermining the one or more rules defining normal patterns in the number of sending Top-Level Domains based on the previously received emails and the received email.

Abstract: A threat response platform to act as a bridge between non-inline security programs and inline security programs. The threat response platform receives event reports, relating to client devices, from the non-inline security programs and creates incident reports for a user. The incident reports describe the event report and also additional data gathered by an active correlation system of the threat response platform. The active correlation system automatically gathers various types of data that are potentially useful to a user in determining whether the reported event is an incidence of malware operating on the client device or a false positive. The active correlation system places a temporary agent on the client device to identify indications of compromise.

Abstract: A threat response platform to act as a bridge between non-inline security programs and inline security programs. The threat response platform receives event reports, relating to client devices, from the non-inline security programs and creates incident reports for a user. The incident reports describe the event report and also additional data gathered by an active correlation system of the threat response platform. The active correlation system automatically gathers various types of data that are potentially useful to a user in determining whether the reported event is an incidence of malware operating on the client device or a false positive. The active correlation system places a temporary agent on the client device to identify indications of compromise.

Abstract: Methods and corresponding systems for malicious message detection and processing are provided herein. According to example embodiments, a method includes detecting, via an intermediary node, a link included in a message, the link being associated with an unknown resource. The intermediary node may have a processor and a memory for storing executable instructions to perform the method. The example method further includes hashing a unique identifier for a recipient of the message; coupling the hashed identifier with the link to create an updated link, and replacing the link in the message with the updated link. The method may include causing forwarding of the updated message to a recipient. Clicking on or otherwise selecting the updated link by the one or more recipients of the message may be tracked. The method may include mapping the hashed identifier to the unique identifier of each of the one or more recipients.

Abstract: Technology is disclosed for detecting, classifying, and/or enforcing policies on social networking activity. The technology can store a content policy, classify content posted to a social network, determine that the classification corresponds to the content policy, and apply an action specified by the content policy to the posted content.

Abstract: Technology is disclosed for detecting, classifying, and/or enforcing rules on social networking activity. The technology can scan and collect social content data from one or more social networks, store the social content data, classify content data posted to a social network, create and apply a set of social data content rules to future posted social content data.

Abstract: Embodiments disclosed herein may intercept, quarantine, and moderate communications internal to an uncontrolled system. An example of an uncontrolled system may be a web application associated with a social networking site. In accessing the social networking site, a user may type in a message. An instance of the uncontrolled system running on the user's device may prepare a request containing the message. Some embodiment disclosed herein may determine that the message is subject to moderation, intercept the request, and place the message in a queue. This determination may be based on the destination of the request as well the type of the message. Some embodiments may reconstruct the original request for resubmission. If the session is expired, some embodiments may log in for the user and resubmit the reconstructed request. Some embodiments may wait for the next time the user logs in to resubmit the reconstructed request.

Abstract: Systems and methods for analyzing applications (“apps”) on a mobile device for security risks for a company while maintaining the mobile device owner's privacy and confidentiality concerning the applications. The mobile device may be a user's personal device (a “bring your own device”). In an example method, a process generates one or more cryptographic representations of application information for each application on the mobile device. The cryptographic representations may comprise a hash or composite hash. The cryptographic representations may be transmit outside the mobile device to a system which makes a determination and provides an indication whether the application is permitted or not permitted for use at the company. The company can be associated with a hashed permitted or not permitted list. The application information can include application name, executable code, and a version number. The method may include automatically remediating the application if it matches a known risk.

Abstract: Methods and systems allow organizations to discover accounts, subscriptions, properties, sites and other online portals within each distinct social network platform and across disparate social network platforms, publishing platforms and networks that represent, claim to represent or are relevant to their organization and/or brands based on search terms and facilitate the statistical reporting and analysis of activities on the discovered properties.

Abstract: Embodiments disclosed herein provide a system, method, and computer readable storage medium storing computer instructions for implementing a Socialware architecture encompassing a suite of applications for continuously and adaptively monitoring and filtering traffic to and from social networking sites, particularly useful in an enterprise computing environment. In some embodiments, an appliance may be coupled to a proxy server for providing a plurality of Socialware services, including analyzing, logging, and reporting on traffic to and from social networking sites. Some embodiments may allow a user to report, identify, and prevent malicious and potentially malicious content and/or activity by another user. Some embodiments may encrypt outgoing traffic to and decrypt incoming traffic from social networking sites. Some embodiments may provide an enterprise user to define and restrict certain social networking activities outside of the enterprise computing environment.

Abstract: A computer includes a processor and a memory connected to the processor. The memory stores instructions executed by the processor to augment a message with network node attributes derived by linking from an original network node specified in the message to additional network nodes associated with the original network node. Message signatures representing the network node attributes are generated. The message signatures are evaluated to characterize the message.

Abstract: Provided herein are systems and methods for targeted attack protection using predictive sandboxing. In exemplary embodiments, a method includes retrieving a Uniform Resource Locator (URL) from a message of a user and performing a preliminary determination to see if the URL can be discarded if it is not a candidate for sandboxing. The exemplary method includes computing a plurality of selection criteria factors for the URL if the URL passes the preliminary determination, each selection criteria factor having a respective factor threshold. The method can further include determining if any of the selection criteria factors for the URL exceeds the respective factor threshold for the respective selection criteria factor. Based on the determining, if any of the selection criteria factors exceeds the factor threshold for the selection criteria factor, the exemplary method includes automatically placing the URL in a sandbox for analysis.

Abstract: Embodiments disclosed herein may intercept, quarantine, and moderate communications internal to an uncontrolled system. An example of an uncontrolled system may be a web application associated with a social networking site. In accessing the social networking site, a user may type in a message. An instance of the uncontrolled system running on the user's device may prepare a request containing the message. Some embodiment disclosed herein may determine that the message is subject to moderation, intercept the request, and place the message in a queue. This determination may be based on the destination of the request as well the type of the message. Some embodiments may reconstruct the original request for resubmission. If the session is expired, some embodiments may log in for the user and resubmit the reconstructed request. Some embodiments may wait for the next time the user logs in to resubmit the reconstructed request.

Abstract: Systems and methods for malicious message detection and processing are provided herein. According to various embodiments, a method includes detecting, via an intermediary node, a link included in a message, the link being associated with an unknown resource, hashing a unique identifier for a recipient of the message, coupling the hashed identifier with the link, creating an updated link, and forwarding an updated message, including the updated link, to the recipient.

Abstract: A system, apparatus and method are provided for dynamically updating a configuration of a network device when relevant sources and destinations of network traffic are added, removed or migrated in a network. A configuration of a network device is associated with a set of network addresses representing a set of relevant sources and destinations of network traffic. The set is dynamic in that the membership of the set can change over time to include different network addresses as the set of relevant sources and destinations of network traffic changes over time. One or more data sources are monitored to obtain the network addresses for the set of relevant sources and destinations and to determine if the membership of the set has changed. When a change is detected, the configuration of the network device is updated on the network device to reflect the network addresses that are currently in the set.

Abstract: Systems and methods for analyzing applications on a mobile device for risk so as to maintain the privacy of the application user are provided. In the example method, the process receives a request from a mobile device. The request includes a cryptographic representation of application information for an application residing on a mobile device. The method includes comparing the cryptographic representation to an application information database that includes cryptographic representations of applications. The method also includes automatically remediating, e.g., quarantining and retiring, the application if the application matches an application that is a known risk in the database. Exemplary embodiments provide companies with controls to prevent specific applications—which have specific behaviors and are present on mobile devices being used by employees—from being used by employees, without the company having any visibility into what particular applications are being used by the employees on the mobile device.

Abstract: Dashboards for displaying threat insight information are provided herein, as well as systems and methods for generating the same. According to some embodiments, methods for providing a threat dashboard include locating metrics regarding a malicious attack against a targeted resource; the metrics indicating instances where users were exposed to the malicious attack or instances where a cloud-based threat detection system prevented the user from being exposed to the malicious attack. The method may also include rendering a threat dashboard for a web browser application of a client device, where the threat dashboard includes the located metrics.

Abstract: Embodiments disclosed herein may intercept, quarantine, and moderate communications internal to an uncontrolled system. An example of an uncontrolled system may be a web application associated with a social networking site. In accessing the social networking site, a user may type in a message. An instance of the uncontrolled system running on the user's device may prepare a request containing the message. Some embodiment disclosed herein may determine that the message is subject to moderation, intercept the request, and place the message in a queue. This determination may be based on the destination of the request as well the type of the message. Some embodiments may reconstruct the original request for resubmission. If the session is expired, some embodiments may log in for the user and resubmit the reconstructed request. Some embodiments may wait for the next time the user logs in to resubmit the reconstructed request.

Abstract: A threat response platform to act as a bridge between non-inline security programs and inline security programs. The threat response platform receives event reports, relating to client devices, from the non-inline security programs and creates incident reports for a user. The incident reports describe the event report and also additional data gathered by an active correlation system of the threat response platform. The active correlation system automatically gathers various types of data that are potentially useful to a user in determining whether the reported event is an incidence of malware operating on the client device or a false positive. The active correlation system places a temporary agent on the client device to identify indications of compromise.

Abstract: A method for filtering unsolicited emails may comprise dynamically aggregating historical email data associated with a user or a group of users and dynamically determining one or more trusted trends criteria associated with the historical email data. The method may further comprise receiving a new email addressed to the user or the group of users, calculating a score associated with the new email based on the one or more trusted trends criteria, determining that the score is above a predetermined threshold score, and, based on the determination, selectively filtering the new email.