Abstract: Systems and methods for reversibly remediating security risks, which monitor a network or system for security risks, and upon detection of one or more of risks, apply a remedial action applicable to at least partially remedy or mitigate the one or more detected risk. The network or system is monitored for a change to the detected risk(s), and upon detection of a change to the detected risk(s), the applied remediation action is automatically reversed.

Abstract: Methods and systems for building security applications can be provided. Data policies for accessing security data can be set, and a module pipeline including one or more modules selected from a plurality of modules can be generated. The modules can include at least one module operable to apply a predictive security application or model for detection or identification of security threats. Module execution policies governing execution of the one or more modules in the module pipeline also can be set. Upon receipt of a request to initiate execution of the module pipeline, it can be determined if the execution thereof would violate the data policies or the module execution policies. If so, execution of the module pipeline can be blocked, otherwise the module pipeline can be executed to process the portion of the security data.

Abstract: Systems and methods for identifying attack patterns or suspicious activity can include a profile builder, a primitive creator, and a compromise detector. The profile builder can populate one or more baseline activity profiles for each client of the plurality of clients or entities associated therewith. The primitive creator can create primitives by comparing identified or extracted features to information in the one or more baseline activity profiles. The compromise detector can receive primitives, and based on identified combinations or sequences of primitives, generate compromise events to be provided to clients.

Abstract: With the systems and methods described herein, one or more security counter measures can be applied to received security data, e.g., by an initial detector, for identifying signatures or patterns in the received security data and determining whether to promote identifiers (e.g., URLs, IP addresses, domains, etc.) to an attacker learning system. If the identified signatures or patterns and/or the identifiers related thereto are determined to meet a threshold criterion, the identifiers are promoted to the attacker learning system. At the attacker learning system, a machine learning model is applied to promoted identifiers and security data associated therewith for determining whether the identifiers are malicious and should be added or otherwise included in an attacker database. Other aspects also are described.

Abstract: A system for providing secure authentication between a service provider and at least one user device having a storage. The system having a processor managed by the service provider, which processor manages authentication between the at least one device and the service provider. The processor is configured to generate a block including at least user account information upon receipt of an authentication request from the at least one device; apply a cryptographic hash function to the block to create a hash; transmit the hash to the at least one device for storage in the memory of the at least one device; and upon receipt of the hash, validate the hash prior to providing access to the service provider.

Abstract: In one aspect, the present disclosure is directed to systems and methods for validating and securely storing security entry updates. The security entry update is received from a contributor, and broadcast to a plurality of computing nodes. It then is determined whether to validate the received security update at each computing node of the plurality of computing nodes. If the received security entry update is validated, information relating to the received security update is added as transaction information in a current block, the current block is included in a blockchain that is stored in a datastore of each computing node of the plurality of computing nodes. Other aspects also are described.

Abstract: The present disclosure provides systems and methods for classifying or determined whether a request for a user's information is malicious or safe/legitimate. Request information related to a request for a user's information can be received, and one or more screenshots associated with the request can be obtained and provided to a machine learning model. The machine learning model can generate a probability or confidence level that the request is malicious.

Abstract: A method and system for parsing and identifying security log message data, which can include receiving system generated unstructured or partially semi-structured security log data from a plurality of source systems and devices, including a variety of different source systems and/or devices. The message data is received from the various sources in the form of raw log message data, as a stream of bytes received by a parsing system that identifies and extracts character features of the incoming raw messages. The extracted character features are compiled into data structures that are evaluated by a model(s) to determine segmentation boundaries thereof and generate message tokens, which are further classified as including variable data field(s) or as a template text string. Template categorized message tokens are used to provide message fingerprint information for characterizing the overall form of the message, and for comparison to a collection of previously stored/evaluated message fingerprints by a classifier.

Abstract: An information handling system monitors events of a first time period, forms sequences from the events (first sequences), and determines normal sequences of the events. In one embodiment, it may also form sequences based upon events of a second time period (second sequences), the second time period later than the first time period, match the first sequences against the second sequences, and remove events of the second sequences from the events of the second time period. The information handling systems may then search for anomalous events in the remaining events. In another embodiment, the normal sequences may represent purchases. The information handling systems may compare purchases of a customer to the normal sequences and determine products of possible interest to the customer based upon the comparison.

Abstract: The present disclosure provides systems and methods for organizations to use security date to generate a risk scores associated with potential compromise based on clustering and/or similarities with other organizations that have or may have been compromised. For example, indicators of compromise can be used to create a similarity score rank over time that may be used as a similarity and risk measurement to generate a continual/dynamic score, which can change and/or be updated as new data is created or arrives to detect or prevent threats and/or malicious attacks.

Abstract: A system can enable a global search of security data of a client base. The system can include a processor operable to record anonymity values set by clients of the client base, and to receive search requests including one or more search parameters from the clients. Upon receipt of a search request, processor can generate a result set for the received search request and determine an aggregated anonymity value for the result set. The processor further may compare the aggregated anonymity value of the results set with a set anonymity value for each of the clients for filtering or removing the data points or information of the one or more clients with the set anonymity value that is greater than the aggregate anonymity value from the result set.

Abstract: A method of normalizing security log data can include receiving one or more security logs including unstructured data from a plurality of devices and reviewing unstructured data of the one or more security logs. The method also can include automatically applying a probabilistic model of one or more engines to identify one or more attributes or features of the unstructured data, and determine whether the identified attributes or features are indicative of identifiable entities, and tagging one or more identifiable entities of the identifiable entities, as well as organizing tagged entities into one or more normalized logs having a readable format with a prescribed schema. In addition, the method can include reviewing the one or more normalized logs for potential security events.

Abstract: Systems and methods for reversibly remediating security risks, which monitor a network or system for security risks, and upon detection of one or more of risks, apply a remedial action applicable to at least partially remedy or mitigate the one or more detected risk. The network or system is monitored for a change to the detected risk(s), and upon detection of a change to the detected risk(s), the applied remediation action is automatically reversed.

Abstract: A metric data aggregator includes a processor and a data store. The processor is configured to obtain service level metric data from a plurality of proxy servers; obtain cloud level metric data from a plurality of proxy servers and at least one load balancer; aggregate the service level metric data and the cloud level metric data; and provide the aggregated service level and cloud level metric data to a remote user. The data store configured to store aggregated cloud level and service level metric data; and retrieve the aggregated service level and cloud level metric data in response to queries.

Abstract: A system for providing secure authentication between a service provider and at least one user device having a storage. The system having a processor managed by the service provider, which processor manages authentication between the at least one device and the service provider. The processor is configured to generate a block including at least user account information upon receipt of an authentication request from the at least one device; apply a cryptographic hash function to the block to create a hashed block; transmit the hashed block to the at least one device for storage in the memory of the at least one device; and upon receipt of the hashed block, validate the hashed block prior to providing access to the service provider.

Abstract: The present disclosure provides systems and methods for organizations to use forensic to generate a risk scores associated with potential compromise based on clustering and/or similarities with other organizations that have or may have been compromised. For example, specific attributes or marks, such as low fidelity indicators of compromise can be used to create a similarity score rank over time that may be used as a similarity and risk measurement to generate a continual/dynamic score, which can change and/or be updated as new data is created or arrives to detect or prevent threats and/or malicious attacks.

Abstract: Methods and systems for developing and distributing applications and data for building security applications can be provided. A plurality of data policies can be set for access and/or filtering security data based on selected parameters. One or more modules can be generated for processing the security data, with each of the modules governed by one or more module policies. Upon receipt of a request to initiate execution of the one or more modules to access and process a selected portion or filtered set of the security data, it can be determined if the request violates the data policies and/or the module policies applicable for processing the selected portion or filtered set of the security data, and if the data policies and/or the module policies are not violated, the one or more modules can be executed to process the selected portion or filtered set of the security data.

Abstract: A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.

Abstract: An information handling system performs a method for analyzing attacks against a networked system of information handling systems. The method includes detecting a threat indicator, representing the threat indicator in part by numerical parameters, normalizing the numerical parameters, calculating one or more measures of association between the threat indicator and other threat indicators, finding an association of the threat indicator with another threat indicator based upon the normalized numerical parameters, and assigning to the threat indicator a probability that a threat actor group caused the attack, wherein the threat actor group was assigned to the other threat indicator.

Abstract: A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.