Abstract: Various embodiments include systems and methods to implement network scanner timeouts based at least in part on historical network conditions. The implementing comprises initiating, using one or more network scanners and according to a first set of timeout parameters, a first security assessment of one or more scan targets in a network, wherein the first set of timeout parameters comprises a first initial round trip time (RTT)-timeout parameter value to which a dynamic RTT-timeout value is initially set. The implementing comprises determining a first set of RTT statistics for the first security assessment. The implementing comprises determining, based at least in part on the first set of RTT statistics, a second set of timeout parameters for a second security assessment of the one or more scan targets. The implementing comprises initiating, according to the second set of timeout parameters, the second security assessment of the one or more scan targets.

Abstract: A software agent executing on a computing device receives a request from a client to provide data associated with neighboring devices to the computing device. The client includes a scan engine to perform a network scan of a network that includes the computing device. The software agent accesses device data in a cache of an operating system command, determines, based on the device data, an identifier associated with each device that is neighboring the computing device, converts the device data into a standardized format to create neighboring device data, and sends the neighboring device data to the client.

Abstract: Systems and methods are disclosed to implement an adaptive indexing system for a data store that dynamically selects which query keys to include in the index based on observed query statistics of the data store. In embodiments, the system monitors the query statistics to determine when a query key exceeds a usage threshold, and then dynamically adds the query key to the index. The addition causes subsequent data to be indexed by the query key, and may also cause a reindexing of existing data in the data store, for example a recent window of data selected based on the query statistics. In embodiments, the index is repeatedly modified to continuously adapt the index to changing querying patterns. Advantageously, the disclosed system autonomously selects a small set of the most frequently used query keys in the index, which limits the size of the index without sacrificing query performance.

Abstract: A SQL database system is disclosed for reading and writing a non-SQL document store using SQL. The database system includes a SQL query engine configured to use different types of dynamically loadable connectors adapted to communicate with the non-SQL document store via its data access interface. The connectors may include a first connector that treats data within an individual document in the document store as multiple table rows, and a second connector that treats individual documents as individual table rows. In some embodiments, both types of document access modes may be implemented by a single multi-modal connector. In some embodiments, the connector may enable a table to be stored across multiple documents and provide the document identifier of the documents as an attribute of the table. Advantageously, by allowing multiple rows to be stored in individual documents, a table can be stored using less storage space and accessed more efficiently.

Abstract: Systems and methods are disclosed to implement a network data interpretation pipeline to recognize machine operations (MOs) and machine activities (MAs) from network traffic data observed in a monitored network. In embodiments, a MO recognition engine is implemented in the network to recognize MOs from network sensor events (NSEs) based on defined recognition patterns. The MOs and any unrecognized NSEs are uploaded to a network monitoring system, where they are further analyzed by a MA recognition engine to recognize higher-level machine activities performed by machines. The NSEs, MOs, and MAs are used by the network monitoring system to implement a variety of security threat detection processes. Advantageously, the pipeline may be used to add rich contextual information about the raw network data to facilitate security threat detection processes. Additionally, the MOs and MAs can be used to present the raw network data in a variety of intuitive user interfaces.

Abstract: Various embodiments include systems and methods to implement a security platform providing query transformations and layered filtering. Security data associated with a client deployment of assets may be determined and analyzed for identifying security vulnerabilities. The security platform may support an application programming interface that provides a flexible query format that allows multiple layers of filtering logic at various layers of a frontend query. The filtering logic may be translated into a backend query format used to retrieve security data specified by the frontend query.

Abstract: Various embodiments include systems and methods of assessing vendor risk. One or more sets of IP address(es) associated with one or more vendors is identified. Risk data related to the set(s) of IP address(es) is obtained using internet telemetry data. Based at least in part on the risk data, security risk level(s) are determined for the vendor(s). Some embodiments include systems and methods of implementing a vendor-based risk posture assessment of an organization. The vendor-based risk posture assessment may be based at least in part on one or more security risk levels determined for the vendor(s) of the organization.

Abstract: Disclosed herein are systems, methods, and processes for a machine learned alert triaging classification (ATC) system that uses machine learning techniques to generate an alert triage classification model that can be trained and deployed in modern security operation centers to optimize alert triaging and cyber threat classification. A training dataset of classified records is obtained. Each classified record in the training dataset includes detection characteristics data of a set of machines and threat classification results produced by performing alert triage classification of detection messages associated with the set of machines. An ATC model is trained using the training dataset according to a machine learning technique. The training tunes the ATC model to classify, based on at least the detection characteristics data, a new detection message associated with a machine from the set of machines as a threat or as not a threat.

Abstract: Embodiments disclose a honeyrepo implemented in a cybersecurity computing environment. A honey repository is configured for inclusion in a source control system by a detection and response server that is communicatively coupled to a continuous integration system that accesses a shared repository and has access to individual repositories of the source control system by generating a honey repository configuration package that includes decoy metadata to entice an attacker to initiate a request to access the honey repository. The honey repository configuration package that includes the decoy metadata is transmitted to the source control system to generate the honey repository and access to the source control system is monitored at the detection and response server. If an attacker initiates the request to access the honey repository, access is disabled for the attacker to the individual repositories of the source control system and the shared repository managed by the continuous integration system.

Abstract: Various embodiments include systems and methods pertaining to a security service platform that detects security threats based on a security service that operates on structurally deduplicated network data. The security service platform, based on using the structure, or data model, of data being deduplicated, generates structurally deduplicated event data that is more compact than traditionally compressed data or traditionally deduplicated data stored in a structured data format. The security service may perform a security analysis that includes rule matching to detect threats to a network, where the rule matching operates on the structurally deduplicated data.

Abstract: Various embodiments include systems and methods to implement processing of web content for vulnerability assessments. A plurality of documents comprising web content may be obtained from multiple different web sources, and the documents may be parsed to determine a set of discrete document chunks. Parsing the documents includes determining whether a document satisfies a segmentation condition for segmenting the document into multiple discrete document chunks using a named-entity recognition system configured to segment the document based at least in part on a vulnerability identification. The discrete document chunks may be stored in a database, where vulnerability information is indexed such that each respective entry in the database corresponds to a respective vulnerability identification and a respective discrete document chunk.

Abstract: Techniques for monitoring assets in a cloud computing environment, comprising: collecting datasets for respective assets in the cloud computing environment, each of the datasets comprising at least some data stored by a respective one of the assets at one or multiple timepoints, the datasets including a first dataset for a first asset of the assets; determining priority scores for the assets using: feature values determined using data in the datasets, and feature values determined using data about the assets and stored in the cloud computing environment, wherein the determining comprises: determining, using data in the first dataset that was stored by the first asset at one or more timepoints, at least one first feature value for the first asset; determining, using data about the first asset and stored in the cloud computing environment, at least one second feature value for the first asset; and determining a priority score for the first asset using the at least one first feature value and the at least one se

Abstract: A configuration change assessment pipeline is disclosed, executable to assess a continuous stream of resource configuration changes in a cloud-based computer network for security policy violations. In embodiments, the system executes assessment nodes that are configurable to monitor the input stream for specific change events, identify a set of related resources that should be assessed as result of a change event, perform various assessments on the related resources, and write assessment findings to an output stream. Action nodes are configured to consume the output stream and perform responsive actions such as generating user notifications and initiating automated remediation steps. Advantageously, the disclosed system is able to perform ad hoc assessments of a small set of relevant resources in response to specific change events in the network, so that security policy violations can be identified much more quickly.

Abstract: Various embodiments include systems and methods to implement a complementary scan engine scheme for avoiding redundant vulnerability check data collection when using a scan engine to scan a target asset and/or to implement a vulnerability result integration scheme for determining whether to integrate a respective vulnerability result into one or more databases. In various embodiments, at least one integration state may be determined. According to the vulnerability result integration scheme, the at least one integration state may define whether an integrator is to integrate the respective vulnerability result into the database(s).

Abstract: Techniques for event driven harvesting and analysis of cloud computing resources in a cloud computing environment, comprising: obtaining information about at least one cloud computing event in the cloud computing environment; determining if the at least one event is related to the allocation of storage to a cloud computing resource; in response to determining the at least one event is related to the allocation of storage to a cloud computing resource, requesting data from the cloud computing resource; and analyzing the data for the presence of security risks and vulnerabilities.

Abstract: A Uniform Resource Identifier (URI) discovery system is implemented that evaluates web configuration servers obtained from web servers to determine the existence and configuration of URIs hosted by the web servers. To discover URIs, the URI discovery system may obtain web server configuration files, and other metadata, from collection agents executing on web servers. The web server configuration files may then be parsed to evaluate the combinations of hosts, paths, and ports for the web server that may correspond to respective URIs. A URI discovery result may then be generated that describes the discovered URIs and includes configurations of the different URIs. The URI discovery result may be stored in an entry for the web server.

Abstract: The techniques described herein relate to visualizing network attack paths. An example method includes using at least one computer hardware processor to perform: identifying one or more vulnerable network resources in a plurality of network resources, each of the one or more vulnerable network resources having at least one respective security vulnerability; accessing at least one portion of a relational representation of a set of network resources in the plurality of network resources, identifying, using the at least one portion of the relational representation, one or more network attack paths between the one or more vulnerable network resources and network resources in the set, generating, using the at least one portion of the relational representation, a graph, and generating a GUI comprising a visualization of the graph and information indicating that the one or more attack paths may be used to exploit one or more security vulnerabilities of the set.

Abstract: Techniques for analyzing cybersecurity vulnerabilities in a computing environment, including: using at least one computer hardware processor to perform: (A) identifying a first cybersecurity vulnerability associated with a resource in the computing environment; (B) obtaining data related to one or more factors related to risk posed by the first cybersecurity vulnerability, the one or more factors including at least one factor indicative of a degree of current exploitation of the first cybersecurity vulnerability; (C) determining, using the obtained data, one or more factor weights for the one or more factors related to the risk posed by the first cybersecurity vulnerability; (D) determining a first score for the first cybersecurity vulnerability using the determined one or more factor weights; and (E) performing one or more security actions based on the determined first score for the first cybersecurity vulnerability.

Abstract: Various embodiments include systems and methods pertaining to a security service platform that includes a correlation engine for identifying correlations between different security services of the security service platform. In some embodiments, the correlation engine may be configured to parse, aggregate, and/or correlate data from an application security service and data from a vulnerability management service to assess coverage (or lack thereof) and/or to assist in remediation prioritization. The correlation engine may generate a report that can be presented to a user via a graphical user interface (GUI).

Abstract: Various embodiments include systems and methods to implement a complementary scan engine scheme for avoiding redundant vulnerability check data collection when using a scan engine to scan a target asset. The implementation may include determining a set of potential vulnerability checks for scanning the target asset using the scan engine. Fingerprint data indicating which versions of software are installed on the target asset may be collected. Based at least in part on the fingerprint data, it may be determined that a particular version of a local scan agent is installed on the target asset. Responsive to a determination that the local scan agent is functioning, the scan engine may perform any vulnerability check, in the set of potential vulnerability checks, that is not covered by the local scan agent. Responsive to a determination that the local scan agent is not functioning, the scan engine may perform all vulnerability checks in the set of potential vulnerability checks.