Patents Assigned to Qualys, Inc.
-
Patent number: 10986135
Abstract: A security management system may be remotely deployed (e.g., using a cloud-based architecture) to add security to an enterprise network. For example, the security management system may scan assets within the enterprise network for vulnerabilities and may receive data from these scans. The security management system may also receive data from other sources, and, as a result, the system may handle data having many different formats and attributes. When the security management system tries to associate data to assets, there may not be a globally unique identifier that is applicable for all received data. Provided in the present disclosure are exemplary techniques for tracking assets across a network using an asset correlation engine that can flexibly correlate data with assets based on attribute information.
Type: Grant
Filed: December 30, 2019
Date of Patent: April 20, 2021
Assignee: Qualys, Inc.
Inventors: Sean M. Molloy, Matthew L. Wirges, Amol S. Sonawane
-
Patent number: 10965709
Abstract: The present disclosure describes simulating a threat-actor executing an attack execution operation. According to one aspect of the subject matter described in this disclosure, a method for generating a domain-specific language (DSL) simulant is disclosed. The method may comprise determining a framework based on an attack repository, determining a first primitive based on the framework, and determining a second primitive based on the framework. In one implementation, the first primitive and the second primitive are fundamental structures or constructs within a DSL. The method further comprises combining the first primitive and the second primitive into a DSL simulant. In one implementation, the DSL simulant is executed to simulate a threat-actor executing an attack execution operation.
Type: Grant
Filed: April 15, 2019
Date of Patent: March 30, 2021
Assignee: Qualys, Inc.
Inventors: Mayuresh Vishwas Dani, Ankur S. Tyagi
-
Patent number: 10965712
Abstract: The present disclosure describes defending against an attack execution operation. According to one aspect of the subject matter described in this disclosure, a method for generating a domain-specific language (DSL) file is disclosed. The method may comprise determining a framework based on an attack repository, determining a first primitive based on the framework, and determining a second primitive based on the framework. In one implementation, the first primitive and the second primitive are fundamental structures or constructs within a DSL. The method further comprises combining the first primitive and the second primitive into a DSL file. In one implementation, the DSL file is executed to defend against a first attack execution operation executed by a threat-actor.
Type: Grant
Filed: April 15, 2019
Date of Patent: March 30, 2021
Assignee: Qualys, Inc.
Inventors: Mayuresh Vishwas Dani, Ankur S. Tyagi
-
Patent number: 10958686
Abstract: The present disclosure describes enticing a threat-actor to execute an attack execution operation. According to one aspect of the subject matter described in this disclosure, a method for generating a domain-specific language (DSL) file is disclosed. The method may comprise determining a framework based on an attack repository, determining a first primitive based on the framework, and determining a second primitive based on the framework. In one implementation, the first primitive and the second primitive are fundamental structures or constructs within a DSL. The method further comprises combining the first primitive and the second primitive into a DSL file. In one implementation, the DSL file is executed to create a computing environment that entices a first attacker to execute an attack execution operation within a given domain.
Type: Grant
Filed: April 15, 2019
Date of Patent: March 23, 2021
Assignee: Qualys, Inc.
Inventors: Mayuresh Vishwas Dani, Ankur S. Tyagi
-
Patent number: 10652268
Abstract: Methods and systems for scanning an endpoint terminal across an open computer network are disclosed. An exemplary method includes providing a scanner engine in a computer server in communication with an open computer network, and establishing a secure connection across the open computer network between the scanner engine and a scanner agent installed on the endpoint terminal in communication with the open computer network. Commands for collecting data regarding the endpoint terminal are sent from the scanner engine across the secure connection to the scanner agent. The scanner engine then receives the collected data from the scanner agent across the secure connection, analyzes the data to assess a current posture of the endpoint terminal, and determines any updates for the endpoint terminal from the analysis. Updates are sent across the secure connection to the scanner agent for installation on the endpoint terminal, and the secure connection may then be terminated.
Type: Grant
Filed: June 29, 2018
Date of Patent: May 12, 2020
Assignee: Qualys, Inc.
Inventors: Wissam Ali-Ahmad, Wolfgang Kandek, Holger Kruse, Vikas Dewan, Khair-ed-dine Mazboudi, Ganesh Jampani, Kenneth K. Okumura
-
Patent number: 10523713
Abstract: A security management system may be remotely deployed (e.g., using a cloud-based architecture) to add security to an enterprise network. For example, the security management system may scan assets within the enterprise network for vulnerabilities and may receive data chunks from these scans. The security management system may also receive data chunks from other sources, and, as a result, the system may handle data chunks having many different formats and attributes. When the security management system tries to associate data chunks to assets, there may not be a globally unique identifier that is applicable for all received data chunks. Provided in the present disclosure are exemplary techniques for tracking assets across a network using an asset correlation engine that can flexibly match data chunks to assets based on the attribute or attributes that are available within the data chunks.
Type: Grant
Filed: July 9, 2018
Date of Patent: December 31, 2019
Assignee: Qualys, Inc.
Inventors: Sean M. Molloy, Matthew L. Wirges, Amol S. Sonawane
-
Patent number: 10341509
Abstract: The presently described embodiments relate to a novel system and method to collect state as a snapshot from a potentially transient endpoint and transmit the state to a public or private network for storage and processing. This system and method allows for the synchronization and virtualization of the endpoint state image in the network for purposes of processing, analysis, and reporting, including but not limited to endpoint vulnerability auditing.
Type: Grant
Filed: March 15, 2013
Date of Patent: July 2, 2019
Assignee: Qualys, Inc.
Inventors: Rami Kawach, Terry K. Cook, Roger W. Sprague, Jr., Patrick J. Stratton
-
Patent number: 10229274
Abstract: The disclosed principles describe systems and methods for assessing the security posture of a target device, wherein the assessment is performed by a scanning computer in communication with the target device via a communication network. By employing a system or method in accordance with the disclosed principles, distinct advantages are achieved. Specifically, conducting such a remote scan allows for the scanner computer to perform a remote scan of the remote device without installing client software to the remote device. Thus, the disclosed principles reduce the need for internal IT resources to manage the deployment and updates of client software on the target device. Also, conducting a remote scan according to the disclosed principles allows for the remote scan to be performed even if the scanner computer and remote device run different operating systems.
Type: Grant
Filed: March 12, 2018
Date of Patent: March 12, 2019
Assignee: Qualys, Inc.
Inventors: Wolfgang Kandek, Holger Kruse, Tigran Gevorgyan, Gregor Glawitsch, Parminder Singh, Kenneth K. Okumura
-
Publication number: 20180316694
Abstract: Embodiments disclosed herein are directed to intelligent malware detection. A scanner server is used to scan an endpoint device for malware. Various attributes and behaviors of the endpoint device are identified in retrieved scan data. Identified attributes and behaviors are then evaluated according to a malware detection framework, which is used to determine whether (as well as to what extent) the identified attributes and behaviors are indicative of malware. In this manner, potential security risks associated with the malware may be identified. The framework is constructed through a machine learning process that aggregates attributes and behaviors common amongst members of malware families. Advantageously, the framework enables the scanner server to detect unknown variants of known malware families.
Type: Application
Filed: April 28, 2017
Publication date: November 1, 2018
Applicant: Qualys, Inc.
Inventors: Sumedh Thakar, Ankur S. Tyagi, Abhijit V. Limaye
-
Patent number: 10108801
Abstract: Present example embodiments relate generally to scanning websites, wherein the devices, methods, and logic for the scanning comprises receiving interaction information between a user computing device and a web application of the website; dynamically determining an action to be performed to the web application that approximately simulates the user computing device interacting with the web application, wherein the action is dynamically determined based on the received interaction information; establishing a browsing session with the website; discovering the web application within the website; and identifying a vulnerability of the web application by interacting with the web application using the action.
Type: Grant
Filed: November 15, 2012
Date of Patent: October 23, 2018
Assignee: Qualys, Inc.
Inventors: Michael P. Shema, Vaagn Toukharian, Sergey Shekyan
-
Patent number: 10104101
Abstract: Embodiments disclosed herein are directed to intelligent malware detection. A scanner server is used to scan an endpoint device for malware. Various attributes and behaviors of the endpoint device are identified in retrieved scan data. Identified attributes and behaviors are then evaluated according to a malware detection framework, which is used to determine whether (as well as to what extent) the identified attributes and behaviors are indicative of malware. In this manner, potential security risks associated with the malware may be identified. The framework is constructed through a machine learning process that aggregates attributes and behaviors common amongst members of malware families. Advantageously, the framework enables the scanner server to detect unknown variants of known malware families.
Type: Grant
Filed: April 28, 2017
Date of Patent: October 16, 2018
Assignee: Qualys, Inc.
Inventors: Sumedh S. Thakar, Ankur S. Tyagi, Abhijit V. Limaye
-
Patent number: 10021140
Abstract: A security management system may be remotely deployed (e.g., using a cloud-based architecture) to add security to an enterprise network. For example, the security management system may scan assets within the enterprise network for vulnerabilities and may receive data chunks from these scans. The security management system may also receive data chunks from other sources, and, as a result, the system may handle data chunks having many different formats and attributes. When the security management system tries to associate data chunks to assets, there may not be a globally unique identifier that is applicable for all received data chunks. Provided in the present disclosure are exemplary techniques for tracking assets across a network using an asset correlation engine that can flexibly match data chunks to assets based on the attribute or attributes that are available within the data chunks.
Type: Grant
Filed: March 6, 2017
Date of Patent: July 10, 2018
Assignee: Qualys, Inc.
Inventors: Sean M. Molloy, Matthew L. Wirges, Amol S. Sonawane
-
Patent number: 10015187
Abstract: Methods and systems for scanning an endpoint terminal across an open computer network are disclosed. An exemplary method includes providing a scanner engine in a computer server in communication with an open computer network, and establishing a secure connection across the open computer network between the scanner engine and a scanner agent installed on the endpoint terminal in communication with the open computer network. Commands for collecting data regarding the endpoint terminal are sent from the scanner engine across the secure connection to the scanner agent. The scanner engine then receives the collected data from the scanner agent across the secure connection, analyzes the data to assess a current posture of the endpoint terminal, and determines any updates for the endpoint terminal from the analysis. Updates are sent across the secure connection to the scanner agent for installation on the endpoint terminal, and the secure connection may then be terminated.
Type: Grant
Filed: August 29, 2016
Date of Patent: July 3, 2018
Assignee: Qualys, Inc.
Inventors: Wissam Ali-Ahmad, Wolfgang Kandek, Holger Kruse, Vikas Dewan, Khair-ed-dine Mazboudi, Ganesh Jampani, Kenneth K. Okumura
-
Patent number: 9916455
Abstract: The disclosed principles describe systems and methods for assessing the security posture of a target device, wherein the assessment is performed by a scanning computer in communication with the target device via a communication network. By employing a system or method in accordance with the disclosed principles, distinct advantages are achieved. Specifically, conducting such a remote scan allows for the scanner computer to perform a remote scan of the remote device without installing client software to the remote device. Thus, the disclosed principles reduce the need for internal IT resources to manage the deployment and updates of client software on the target device. Also, conducting a remote scan according to the disclosed principles allows for the remote scan to be performed even if the scanner computer and remote device run different operating systems.
Type: Grant
Filed: April 10, 2017
Date of Patent: March 13, 2018
Assignee: Qualys, Inc.
Inventors: Wolfgang Kandek, Holger Kruse, Tigran Gevorgyan, Gregor Glawitsch, Parminder Singh, Kenneth K. Okumura
-
Patent number: 9900333
Abstract: Described herein is a system and method for detecting vulnerability state deltas, the method comprising the steps of: receiving data related to a network connected device; determining a vulnerability state of the network connected device based upon the data; storing the vulnerability state in a vulnerability state database; receiving additional data related to the network connected device; determining an updated vulnerability state of the network connected device based upon the additional data; determining one or more deltas based upon differences between the vulnerability state and the updated vulnerability state; and updating the stored vulnerability state with the updated vulnerability state.
Type: Grant
Filed: February 5, 2015
Date of Patent: February 20, 2018
Assignee: Qualys, Inc.
Inventors: Sumedh Thakar, Bharat Patel, Balaji Venkatesan, Tristan Burch, Sean M. Molloy, Matthew L. Wirges
-
Patent number: 9876813
Abstract: The technology described herein provides a novel system and method for web-based log analysis. The analysis combines the benefits of typical log monitoring systems with those of typical vulnerability management systems. The synergy of the combined log monitoring and vulnerability management results in a single provider detecting vulnerability and subsequently accessing archived log data to detect if the vulnerability has been exploited in the past, identifying compromised machines for customers.
Type: Grant
Filed: February 11, 2015
Date of Patent: January 23, 2018
Assignee: Qualys, Inc.
Inventors: Artem Harutyunyan, Amol R. Sarwate, Sumedh Thakar, Michael P. Shema
-
Patent number: 9621594
Abstract: The disclosed principles describe systems and methods for assessing the security posture of a target device, wherein the assessment is performed by a scanning computer in communication with the target device via a communication network. By employing a system or method in accordance with the disclosed principles, distinct advantages are achieved. Specifically, conducting such a remote scan allows for the scanner computer to perform a remote scan of the remote device without installing client software to the remote device. Thus, the disclosed principles reduce the need for internal IT resources to manage the deployment and updates of client software on the target device. Also, conducting a remote scan according to the disclosed principles allows for the remote scan to be performed even if the scanner computer and remote device run different operating systems.
Type: Grant
Filed: February 8, 2016
Date of Patent: April 11, 2017
Assignee: Qualys, Inc.
Inventors: Wolfgang Kandek, Holger Kruse, Tigran Gevorgyan, Gregor Glawitsch, Parminder Singh, Kenneth K. Okumura
-
Patent number: 9613099
Abstract: A dynamical hierarchical tagging system connected to a user site through a remote communications network. The system may comprise a master controller, a job management server connected to the master controller, one or more scanners in communication with the job management server, wherein the one or more scanners are configured to scan for one or more user assets located at the user site, resulting in scan results, a scan logic processor connected to the master controller, wherein the scan logic processor is configured to store the scan results in a user database, a tagging logic engine connected to the master controller, wherein the tagging logic engine is configured to tag the scan results stored in the user database, and an indexing logic processor connected to the master controller, wherein the indexing logic processor is configured to search and index the tagged scan results stored in the user database.
Type: Grant
Filed: October 12, 2011
Date of Patent: April 4, 2017
Assignee: Qualys, Inc.
Inventors: Sean Molloy, Terry Ramos, Sumedh Thakar
-
Patent number: 9591027
Abstract: A security management system may be remotely deployed (e.g., using a cloud-based architecture) to add security to an enterprise network. For example, the security management system may scan assets within the enterprise network for vulnerabilities and may receive data chunks from these scans. The security management system may also receive data chunks from other sources, and, as a result, the system may handle data chunks having many different formats and attributes. When the security management system tries to associate data chunks to assets, there may not be a globally unique identifier that is applicable for all received data chunks. Provided in the present disclosure are exemplary techniques for tracking assets across a network using an asset correlation engine that can flexibly match data chunks to assets based on the attribute or attributes that are available within the data chunks.
Type: Grant
Filed: February 17, 2015
Date of Patent: March 7, 2017
Assignee: Qualys, Inc.
Inventors: Sean M. Molloy, Matthew L. Wirges, Amol S. Sonawane
-
Patent number: 9432392
Abstract: Methods and systems for scanning an endpoint terminal across an open computer network are disclosed. An exemplary method includes providing a scanner engine in a computer server in communication with an open computer network, and establishing a secure connection across the open computer network between the scanner engine and a scanner agent installed on the endpoint terminal in communication with the open computer network. Commands for collecting data regarding the endpoint terminal are sent from the scanner engine across the secure connection to the scanner agent. The scanner engine then receives the collected data from the scanner agent across the secure connection, analyzes the data to assess a current posture of the endpoint terminal, and determines any updates for the endpoint terminal from the analysis. Updates are sent across the secure connection to the scanner agent for installation on the endpoint terminal, and the secure connection may then be terminated.
Type: Grant
Filed: December 29, 2014
Date of Patent: August 30, 2016
Assignee: Qualys, Inc.
Inventors: Wissam Ali-Ahmad, Wolfgang Kandek, Holger Kruse, Vikas Dewan, Khair-ed-dine Mazboudi, Ganesh Jampani, Kenneth K. Okumura