Patents Assigned to RAPID7, INC.
  • Patent number: 11853804
    Abstract: Routing log-based information between production servers and logging servers is disclosed. A log entry for a logging server is generated at a production server. A shard identifier is computed for a shard associated with the logging server based on application of a hashing algorithm to properties associated with the production server. The hashing algorithm and properties are selected to prevent or minimize the likelihood of computing of the same shard identifier by another production server for the same shard associated with the logging server. The log entry is transmitted to the shard associated with the logging server. A determination is made that the logging server has malfunctioned by detecting that the log entry transmitted to the shard is absent. In response, another shard identifier is computed for another shard of another logging server and a subsequent log entry from the production server is transmitted to the another shard of the another logging server. No load balancers are used by the routing system.
    Type: Grant
    Filed: May 24, 2022
    Date of Patent: December 26, 2023
    Assignee: Rapid7, Inc.
    Inventors: Frank Mitchell, Andrew Thompson
  • Patent number: 11836485
    Abstract: Methods and systems for reviewing software code. The methods involve detecting a change in source code associated with an application and determining an effect on the application of the detected change based at least in part on a context profile associated with the application.
    Type: Grant
    Filed: August 19, 2019
    Date of Patent: December 5, 2023
    Assignee: Rapid7, Inc.
    Inventors: James Cancilla, Ian Horbatiuk
  • Patent number: 11838329
    Abstract: New intrusion detection system (IDS) rules to be deployed on an IDS that generates alerts based on an applied ruleset are accessed. A trial window that includes incorporating the new IDS rules into a candidate list to enable summarization and filtering of the alerts is started and the applied ruleset that includes existing IDS rules is supplemented with the candidate list that includes the new IDS rules. The applied ruleset is transmitted to a network sensor associated with the IDS upon the supplementation and alerts generated based on network events implicated by both the existing IDS rules and the new IDS rules in the applied ruleset are received from the IDS. Upon completion of the trial window, a set of alerts generated only by the new IDS rules in the applied ruleset are designated as suppressed alerts and a set of new IDS rules is eliminated from the applied ruleset upon determining that the set of new IDS rules generate a subset of alerts that exceed an alert threshold.
    Type: Grant
    Filed: August 11, 2021
    Date of Patent: December 5, 2023
    Assignee: Rapid7, Inc.
    Inventors: Luis Lopes, Sarah Addis, Martin Hutchings, Ralph McTeggart, Niall Cochrane
  • Patent number: 11838195
    Abstract: Disclosed herein are methods, systems, and processes for centralized containerized deployment of network traffic sensors to network sensor hosts for deep packet inspection (DPI) that supports various other cybersecurity operations. A network sensor package containing a pre-configured network sensor container is received by a network sensor host from a network sensor deployment server. Installation of the network sensor package on the network sensor host causes execution of the network sensor container that further causes deployment of an on-premise network sensor along with a network sensor management system, a DPI system, and an intrusion detection/prevention (IDS/IPS) system. The configurable on-premise network sensor is deployed on multiple operating system distributions of the network sensor host and generates actionable network metadata using DPI techniques for optimized log search and management and improved intrusion detection and response (IDR) operations.
    Type: Grant
    Filed: June 29, 2022
    Date of Patent: December 5, 2023
    Assignee: Rapid7, Inc.
    Inventors: John Brosnan, Jeff Myers, Andriy Lyubka, Darragh Delaney, Erran Carey, Martin Hutchings, Ralph McTeggart, Ryan Williams, Daniel Skelton, Luke Coughlan, Gianpaolo Tedesco, Luis Ramos dos Santos Lopes, Lars-Kristian Svenoy, Dan-Adrian Moinescu, Niall Cochrane, Morgan Doyle, Sarah Addis
  • Patent number: 11824858
    Abstract: Disclosed herein are methods, systems, and processes to configure and facilitate selective and granular multi-customer support access in cloud-based cybersecurity computing environments. A request to authorize a multi-customer support account (MCSA) is received. Customer accounts that include an anchor tenant customer account and several secondary tenant customer accounts as well as a set of applications associated with the customer accounts are identified. The MCSA is configured to selectively access customer accounts and granularly access associated applications by being designated with a set of varying access limits for the anchor tenant customer account and another set of varying access limits for the secondary tenant customer accounts, each set of varying access limits being made applicable to various instances of applications associated with each of those customer accounts.
    Type: Grant
    Filed: July 9, 2020
    Date of Patent: November 21, 2023
    Assignee: Rapid7, Inc.
    Inventors: Mark McKinless, Ryan Edwards, Jun Qian, Ceara McCurdy, Christopher Dowey, Ralph McTeggart, Ashwin Anand
  • Patent number: 11809336
    Abstract: Systems and methods are disclosed to implement an endpoint command invocation system (“ECIS”). In some embodiments, ECIS can quickly dispatch a command to a large number of endpoint components, where the endpoint components are online. ECIS can receive an invocation of a command, which can include the command recipients. In some embodiments, ECIS determines that some of the command recipients are online, while some of the command recipients are offline. ECIS determines connections to the online command recipients based on a connection map, which is updated whenever an endpoint component opens a connection to ask for a command. ECIS can deliver the command to the online command recipients using the connections. ECIS can also deliver the command to dispatch queues corresponding to the offline command recipients, where the dispatch queues store the command as a pending command that can be delivered to their respective command recipients whenever they come online.
    Type: Grant
    Filed: March 8, 2023
    Date of Patent: November 7, 2023
    Assignee: Rapid7, Inc.
    Inventors: Xi Yang, Paul-Andrew Joseph Miseiko, Ryan Tonini, Bingbin Li
  • Patent number: 11811812
    Abstract: Methods and systems for classifying network users. The system may receive a classification of a user account on a network and network activity data associated with the user account. Upon detecting a discrepancy between the expected behavior of the user account based on its classification and the present behavior of the user account, the system may obtain a corroborating result from one or more directory sources. An alert may then be issued based on the detected discrepancy and the corroborating result.
    Type: Grant
    Filed: December 1, 2021
    Date of Patent: November 7, 2023
    Assignee: Rapid7, Inc.
    Inventor: Roy Hodgman
  • Patent number: 11785034
    Abstract: Disclosed herein are methods, systems, and processes to detect anomalous computing assets based on open ports. Security data associated with computing assets executing in a computing environment is received from an agent executing on the computing assets. Open port information associated with the computing assets is extracted from the security data. The open port information and a list of computing assets with the open port information is used to generate a type similarity model and an open port model. The type similarity model clusters the computing assets and the open port model determines whether a port associated with a computing asset with the open port information is likely to be open or should be open in the computing environment, permitting detection of anomalous computing assets in the computing environment.
    Type: Grant
    Filed: February 2, 2022
    Date of Patent: October 10, 2023
    Assignee: Rapid7, Inc.
    Inventor: Fatemeh Kazemeyni
  • Patent number: 11785039
    Abstract: Disclosed herein are methods, systems, and processes for the enhanced crawling of unexposed web applications for vulnerability scanning purposes. A response to a request generated to a web application is received and a web application framework detection routine on the response for web application frameworks is executed. A determination is made that a web application framework is part of the response and the response is loaded in a web browser associated with the web application. A custom web application framework hook for the web application framework is injected into a web page of a web browser and a list of Document Object Model (DOM) elements and corresponding event handlers is received. A determination is made, based on the list, to execute DOM events to discover functionality of the web application. The web page is loaded in the web browser, the DOM events are executed, and network activity of the web browser during execution of the DOM events is recorded.
    Type: Grant
    Filed: November 9, 2021
    Date of Patent: October 10, 2023
    Assignee: Rapid7, Inc.
    Inventors: Dmitriy Kashitsyn, Andrew Tisdale, Jijo John
  • Patent number: 11783047
    Abstract: Systems and methods for determining an extent of a vulnerability on a computer and remediating the vulnerability. An installed resource set comprising shared software resources installed on the computer is enumerated. A vulnerable resource is identified in the installed resource set. A vulnerable process set including at least one vulnerable process that uses the vulnerable resource is enumerated. And, the vulnerable process is remediated.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: October 10, 2023
    Assignee: Rapid7, Inc.
    Inventors: Roy Hodgman, Jonathan Hart
  • Patent number: 11777970
    Abstract: Disclosed herein are methods, systems, and processes for granular and prioritized visualization of anomalous log data. Log data that includes several logs is accessed. A unique identifier is generated for each log by generating a single hash for one or more fields in each log. Based on the hashing, the several logs are converted into a series of unique identifiers. A timestamp for each log in the series of unique identifiers is appended to generate a list of timestamps for each unique identifier in the series of unique identifiers. The list of timestamps for each unique identifier is overlaid on a time series graph in a graphical user interface (GUI).
    Type: Grant
    Filed: December 9, 2020
    Date of Patent: October 3, 2023
    Assignee: Rapid7, Inc.
    Inventor: Douglas George Wainer
  • Patent number: 11777988
    Abstract: Disclosed herein are methods, systems, and processes for probabilistically identifying anomalous levels of honeypot activity. A honeypot dataset associated with a honeypot network is received and a representative usage value is determined from the honeypot dataset. The representative usage value is identified as being associated with anomalous behavior if the representative usage value deviates from an expected probability distribution. A remediation operation is initiated in the honeypot network in response to the identification of the representative usage value as being associated with the anomalous behavior by virtue of the representative usage value deviating from the expected probability distribution.
    Type: Grant
    Filed: March 9, 2021
    Date of Patent: October 3, 2023
    Assignee: Rapid7, Inc.
    Inventors: Wah-Kwan Lin, Curtis Barnard
  • Patent number: 11770387
    Abstract: Systems and methods are disclosed to implement a cyberattack detection system that monitors a computer network for lateral movement. In embodiments, the system uses network data from a computer network to build a baseline of connection behaviors for the network. Connection graphs are generated from new network data that indicate groups of nodes that made connections with one another during a last time interval. The graphs are analyzed for connection behavior anomalies and ranked to determine a subset of graphs with suspected lateral movement. Graphs with suspected lateral movement may be further analyzed to determine a set of possible attack paths in the lateral movements. The suspected attack paths are reported to network administrators via a notification interface. Advantageously, the disclosed system is able to detect potential lateral movements in localized portions of a network by monitoring for connection behavior anomalies in network data gathered from the network.
    Type: Grant
    Filed: July 17, 2020
    Date of Patent: September 26, 2023
    Assignee: Rapid7, Inc.
    Inventors: Vasudha Shivamoggi, Roy Donald Hodgman, Katherine Wilbur
  • Patent number: 11768889
    Abstract: A Uniform Resource Identifier (URI) discovery system is implemented that evaluates web configuration servers obtained from web servers to determine the existence and configuration of URIs hosted by the web servers. To discover URIs, the URI discovery system may obtain web server configuration files, and other metadata, from collection agents executing on web servers. The web server configuration files may then be parsed to evaluate the combinations of hosts, paths, and ports for the web server that may correspond to respective URIs. A URI discovery result may then be generated that describes the discovered URIs and includes configurations of the different URIs. The URI discovery result may be stored in an entry for the web server.
    Type: Grant
    Filed: October 13, 2021
    Date of Patent: September 26, 2023
    Assignee: Rapid7, Inc.
    Inventors: Adam Smith, Ross Kirk, Jack Pincombe
  • Patent number: 11768859
    Abstract: Systems and methods are disclosed to implement an outlier detection system for text records. In embodiments, the detection system generates a fingerprint for each incoming record so that similar records map to similar fingerprints. Each record is assigned to a closest cluster in a set of clusters based on computed distances between the record's fingerprint and respective cluster fingerprints of the clusters. The cluster fingerprint is dynamically updated to maintain a respective representative fingerprint of its member records. When a new record is received that is not sufficiently close to any cluster, a new cluster is added to the set for the new record. In embodiments, the creation of the new cluster triggers an alert that the new record is a potential outlier. Advantageously, the disclosed detection system can be used to detect outliers in records in near real time, without the need to pre-specify outlier characteristics.
    Type: Grant
    Filed: June 29, 2021
    Date of Patent: September 26, 2023
    Assignee: Rapid7, Inc.
    Inventors: Viliam Holub, Eoin Shanley, Trevor Parsons
  • Patent number: 11768832
    Abstract: A SQL database system is disclosed for reading and writing a non-SQL document store using SQL. The database system includes a SQL query engine configured to use different types of dynamically loadable connectors adapted to communicate with the non-SQL document store via its data access interface. The connectors may include a first connector that treats data within an individual document in the document store as multiple table rows, and a second connector that treats individual documents as individual table rows. In some embodiments, both types of document access modes may be implemented by a single multi-modal connector. In some embodiments, the connector may enable a table to be stored across multiple documents and provide the document identifier of the documents as an attribute of the table. Advantageously, by allowing multiple rows to be stored in individual documents, a table can be stored using less storage space and accessed more efficiently.
    Type: Grant
    Filed: August 26, 2021
    Date of Patent: September 26, 2023
    Assignee: Rapid7, Inc.
    Inventor: Austin Lee
  • Publication number: 20230291657
    Abstract: Systems and methods are disclosed to implement a time series anomaly detection system that uses configurable statistical control rules (SCRs) and a forecasting system to detect anomalies in a time series data (e.g. fluctuating values of a network activity metric). In embodiments, the system forecasts future values of the time series data along with a confidence interval based on seasonality characteristics of the data. The time series data is monitored for anomalies by comparing actual observed values in the time series with the predicted values and confidence intervals, according to the SCRs. The SCRs may be defined and tuned via a configuration interface that allows users to visually see how different SCRs perform over real data. Advantageously, the disclosed system allows users to create custom anomaly detection triggers for different types of time series data, without use of a monolithic detection model which can be difficult to tune.
    Type: Application
    Filed: May 16, 2023
    Publication date: September 14, 2023
    Applicant: Rapid7, Inc.
    Inventors: Seamus Cawley, David Tracey
  • Publication number: 20230289210
    Abstract: Systems and methods are disclosed to implement a thread sensor generation system to generate thread sensors for extracting side channel information about other executing threads on a multithreading CPU. In embodiments, the system generates a set of sensors for evaluation. Each sensor may include a sequence of arithmetic or logic operations between variables or constants, which will cause a particular resource usage pattern by the CPU. The sensors are executed on the CPU in parallel with instances of a victim thread to measure an execution slowdown profile of the sensor thread caused by CPU resource conflicts with the victim thread. Based on the execution slowdown profiles, a sensitivity metric is calculated for each sensor, which is used to select the best sensor(s) for the victim thread. Sensors generated using the disclosed techniques can be used to extract secret information via side-channel attacks on currently available multithreaded processors.
    Type: Application
    Filed: May 16, 2023
    Publication date: September 14, 2023
    Applicant: Rapid7, Inc.
    Inventor: Viliam Holub
  • Patent number: 11750628
    Abstract: Methods and systems for monitoring activity on a network. The system may first classify network activity data as being generated by a human actor or an automated process. Then, the system may assign a first behavioral profile to the entity based on the network activity data and detect anomalous activity associated with the entity.
    Type: Grant
    Filed: December 17, 2018
    Date of Patent: September 5, 2023
    Assignee: Rapid7, Inc.
    Inventors: Paul Deardorff, Jonathan Hart, Oriana Ott
  • Patent number: 11750602
    Abstract: Disclosed herein are methods, systems, and processes for facilitating security orchestration, automation, and response (SOAR) in cybersecurity computing environments that use biometric data or implement biometric data gathering. An instruction is periodically transmitted to a protected computing device to perform a security scanning operation that captures biometric data generated from a biometric device associated with the protected computing device. The biometric data received from the protected computing device includes a biometric identity of a trusted user or an untrusted user. A security database is accessed to determine whether the biometric identity matches a stored biometric identity of the trusted user.
    Type: Grant
    Filed: March 16, 2021
    Date of Patent: September 5, 2023
    Assignee: Rapid7, Inc.
    Inventors: Jared Frankston, Barry Curran, Luke Milby, Ashwin Anand