Abstract: A method of configuring a network security device includes receiving a changed set of network rules to replace a current set of network rules; using a plurality of network traffic events to perform a first simulation of according to the current set of network rules and a second simulation according to the changed set of network rules; comparing the results of the first and second simulation to identify changes in network traffic allowed and denied between the current set and the changed set of network rules; displaying the changes in allowed and denied traffic for review of the changed set of network rules; receiving an instruction to implement the changed set of network rules based on the review; and filtering network traffic according to the changed set of network rules.

Abstract: A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.

Abstract: An information handling system includes a storage and a processor. The storage is configured to store malware samples and malware signatures. The processor is configured to unpack a malware sample, compare the malware sample to known malware families, extract a command-and-control domain, extract encryption keys and communication parameters, store a malware signature for the malware sample, the malware signature including information required to monitor a network for activity of the malware sample or detect the malware sample on another system, and provide the command-and-control server addresses, encryption keys, and communication parameters to a botnet tracker.

Abstract: A method of normalizing security log data can include receiving one or more security logs including unstructured data from a plurality of devices and reviewing unstructured data of the one or more security logs. The method also can include automatically applying a probabilistic model of one or more engines to identify one or more attributes or features of the unstructured data, and determine whether the identified attributes or features are indicative of identifiable entities, and tagging one or more identifiable entities of the identifiable entities, as well as organizing tagged entities into one or more normalized logs having a readable format with a prescribed schema. In addition, the method can include reviewing the one or more normalized logs for potential security events.

Abstract: A method of assessing the quality of a network filter rule containing a wildcard includes determine an instantaneous entropy for the network filter rule based on string distances or instantaneous entropy between a plurality of wildcard matches for the network filter rule. The method further includes performing an action if the string distance or instantaneous entropy for the network filter rule crosses a threshold. The action being selected from disabling the network filter rule, flagging the rule as a low quality rule, generating a candidate rule based on a portion of the match having low entropy and a portion of the match having high entropy, or a combination thereof.

Abstract: Systems/method of securely propagating analytical models for detection of security threats and/or malicious actions among a threat intelligence community can be provided. Attributes of security data accessed members of the threat intelligence community can be determined and encoded. Analytical model(s) can be developed for detection of potential malicious actions using the encoded attributes of the security data and a derivation data schema, and this derivation data schema can be encrypted. The model(s) can be translated into common exchange formats for sharing the model with community members. The encrypted derivation data schema can be transmitted to the community members. After receipt, the derivation data schema can be decoded by the community members, and the derivation data schema can be applied to security data to determine if the encoded attributes are found. If the encoded attributes are derived, remedial or mitigating action can be taken.

Abstract: An information handling system performs a method for analyzing attacks against a networked system of information handling systems. The method includes detecting a threat indicator, representing the threat indicator in part by numerical parameters, normalizing the numerical parameters, calculating one or more measures of association between the threat indicator and other threat indicators, finding an association of the threat indicator with another threat indicator based upon the normalized numerical parameters, and assigning to the threat indicator a probability that a threat actor group caused the attack, wherein the threat actor group was assigned to the other threat indicator. In some embodiments, the normalizing may include transforming a distribution of the numerical parameters to a distribution with a standard deviation of 1 and a mean of 0. In some embodiments, the normalizing may include applying an empirical cumulative distribution function.

Abstract: An information handling system includes a storage and a processor. The storage is configured to store network activity logs from a first client system and a second client system. The processor is configured to receive a security alert from the first client system, analyze the security alert to obtain a plurality of indicators, utilize the supplementary indicators to build a statistical security model, and analyze activity on the second client system using the statistical security model to identify an additional security events.

Abstract: A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.

Abstract: Systems/method of securely propagating analytical models for detection of security threats and/or malicious actions among a threat intelligence community can be provided. Attributes of security data accessed members of the threat intelligence community can be determined and encoded. Analytical model(s) can be developed for detection of potential malicious actions using the encoded attributes of the security data and a derivation data schema, and this derivation data schema can be encrypted. The model(s) can be translated into common exchange formats for sharing the model with community members. The encrypted derivation data schema can be transmitted to the community members. After receipt, the derivation data schema can be decoded by the community members, and the derivation data schema can be applied to security data to determine if the encoded attributes are found. If the encoded attributes are derived, remedial or mitigating action can be taken.

Abstract: Methods and systems for developing and distributing applications and data for building security applications can be provided. A plurality of data policies can be set for access and/or filtering security data based on selected parameters. One or more modules can be generated for processing the security data, with each of the modules governed by one or more module policies. Upon receipt of a request to initiate execution of the one or more modules to access and process a selected portion or filtered set of the security data, it can be determined if the request violates the data policies and/or the module policies applicable for processing the selected portion or filtered set of the security data, and if the data policies and/or the module policies are not violated, the one or more modules can be executed to process the selected portion or filtered set of the security data.

Abstract: A system for providing secure authentication between a service provider and at least one user device having a storage. The system having a processor managed by the service provider, which processor manages authentication between the at least one device and the service provider. The processor is configured to generate a block including at least user account information upon receipt of an authentication request from the at least one device; apply a cryptographic hash function to the block to create a hashed block; transmit the hashed block to the at least one device for storage in the memory of the at least one device; and upon receipt of the hashed block, validate the hashed block prior to providing access to the service provider.

Abstract: A method for provisioning a secure container for running an application includes routing traffic between the application and a secure container service over a virtual private network, and restricting the flow of traffic to or from the application other than traffic to or from the secure container service. The method further includes providing limited name resolution for the secure container with a customized domain name system server, establishing network proxy services to filter and route approved inbound traffic to the application, and establishing outbound network proxy services to filter and route approved outbound traffic from the application.

Abstract: A method for task access behavior based site security includes recording file accesses by an application and user during operation; automatically generating a permissions record indicating allowable access to files by the application and user based on the recorded file accesses; intercepting a file access request; comparing the file access request to a permissions record; and blocking access to the file when the file access is not included in the permissions record.

Abstract: A method of configuring a network security device includes receiving a changed set of network rules to replace a current set of network rules; using a plurality of network traffic events to perform a first simulation of according to the current set of network rules and a second simulation according to the changed set of network rules; comparing the results of the first and second simulation to identify changes in network traffic allowed and denied between the current set and the changed set of network rules; displaying the changes in allowed and denied traffic for review of the changed set of network rules; receiving an instruction to implement the changed set of network rules based on the review; and filtering network traffic according to the changed set of network rules.

Abstract: Systems and methods for reversibly remediating security risks, which monitor a network or system for security risks, and upon detection of one or more of risks, apply a remedial action applicable to at least partially remedy or mitigate the one or more detected risk. The network or system is monitored for a change to the detected risk(s), and upon detection of a change to the detected risk(s), the applied remediation action is automatically reversed.

Abstract: A method for packet inspection in a computer network includes receiving a plurality of network streams from a plurality of client systems at a first load balancer; allocating the network streams across a proxy instances; and inspecting and filtering the network streams by the proxy instances. The method further includes forwarding the filtered network streams to a second load balancer; allocating the filtered network streams to a plurality of application instances; and processing and responding to the network streams at the application instances. The method still further includes inspecting and filtering the responses to the network streams by the proxy instances; and forwarding the response to the client systems.

Abstract: A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.

Abstract: A method includes selecting a first connection between a connection manager and a managed system, the first connection being associated with a first privilege level, communicating by the connection manager a first command to the managed system via the first connection, determining that a second command is executable on the managed system using a connection that is associated with a second privilege level, the second privilege level being a lower privilege level than the first privilege level, selecting a second connection between the connection manager and the managed system, the second connection being associated with the second privilege level, and communicating, by the connection manager, the second command to the managed system via the second connection.

Abstract: Network traffic can be prevented from entering a protected network. An alert can be received that can be triggered by network traffic that matches at least one signature that is associated with undesired network behavior. A source of the network traffic that triggered the alert can be determined, and network traffic that originates from the source can be blocked. Blocking the source can include assigning a determination to the alert. It can then be determined whether network traffic from the source should be blocked based on the determination. The source can then be provided to the protected network such that a network device coupled to the protected network can be configured to block network traffic that originates from the source.