Abstract: Computer-implemented method of detecting potential cybersecurity threats from collected data pertaining to a monitored network, the collected data comprising network data and/or endpoint data. The method comprises structuring the collected data as at least one data matrix, each row of the data matrix being a datapoint and each column corresponding to a feature. The method also comprises identifying one or more datapoints as anomalous, thereby detecting a potential cybersecurity threat. The method also comprises extracting causal information about the anomalous datapoint based on an angular relationship between a second-pass coordinate vector of the anomalous datapoint and a second-pass coordinate vector of one or more features. The second-pass coordinate vectors are determined by applying a second-pass singular value decomposition (SVD) to a residuals matrix.

Abstract: Computer-implemented method of detecting potential cybersecurity threats from collected data pertaining to a monitored network, the collected data comprising network data and/or endpoint data. The method comprises structuring the collected data as at least one data matrix, each row of the data matrix being a datapoint and each column corresponding to a feature. The method also comprises identifying one or more datapoints as anomalous, thereby detecting a potential cybersecurity threat. The method also comprises extracting causal information about the anomalous datapoint based on an angular relationship between a second-pass coordinate vector of the anomalous datapoint and a second-pass coordinate vector of one or more features. The second-pass coordinate vectors are determined by applying a second-pass singular value decomposition (SVD) to a residuals matrix.

Abstract: Computer-implemented method of detecting potential cybersecurity threats from collected data pertaining to a monitored network, the collected data comprising network data and/or endpoint data. The method comprises structuring the collected data as at least one data matrix, each row of the data matrix being a datapoint and each column corresponding to a feature. The method also comprises identifying one or more datapoints as anomalous, thereby detecting a potential cybersecurity threat. The method also comprises extracting causal information about the anomalous datapoint based on an angular relationship between a second-pass coordinate vector of the anomalous datapoint and a second-pass coordinate vector of one or more features. The second-pass coordinate vectors are determined by applying a second-pass singular value decomposition (SVD) to a residuals matrix.

Abstract: In one aspect, a computer-implemented method of detecting network security threats comprises the following steps: receiving at an analysis engine events relating to a monitored network; analysing the received events to identify at least one event that meets a case creation condition and, in response, creating a case in an experience database, the case being populated with data of the identified at least one event; assigning a threat score to the created case based on the event data; matching at least one further event to the created case and populating the case with data of the at least one further event, the threat score assigned to that case being updated in response; and in response to the threat score for one of the cases meeting a significance condition, rendering that case accessible via a case interface.

Abstract: In one or more examples, an advanced form of network endpoint sensor is deployed to an endpoint device to provide local monitoring and reporting of network traffic flowing to and/or from the endpoint device. For example, such network endpoint sensors may reduce reliance on other types of monitoring component (such as mirrors/TAPs) and/or complement functionality of other type(s) of monitoring component (e.g. in a deployment with “roaming” endpoints). In one or more examples, network data may be linked or otherwise associated with endpoint data locally at an endpoint device. In one or more examples, such linking may be performed locally prior to reporting, response and/or remediation.

Abstract: In one or more examples, an advanced form of network endpoint sensor is deployed to an endpoint device to provide local monitoring and reporting of network traffic flowing to and/or from the endpoint device. For example, such network endpoint sensors may reduce reliance on other types of monitoring component (such as mirrors/TAPs) and/or complement functionality of other type(s) of monitoring component (e.g. in a deployment with “roaming” endpoints). In one or more examples, network data may be linked or otherwise associated with endpoint data locally at an endpoint device. In one or more examples, such linking may be performed locally prior to reporting, response and/or remediation.

Abstract: In one aspect, a computer-implemented method of detecting network security threats comprises the following steps: receiving at an analysis engine events relating to a monitored network; analysing the received events to identify at least one event that meets a case creation condition and, in response, creating a case in an experience database, the case being populated with data of the identified at least one event; assigning a threat score to the created case based on the event data; matching at least one further event to the created case and populating the case with data of the at least one further event, the threat score assigned to that case being updated in response; and in response to the threat score for one of the cases meeting a significance condition, rendering that case accessible via a case interface.

Abstract: An endpoint agent configured, when executed on an endpoint device, to: access outgoing and/or incoming packets via a local traffic access function of the endpoint device, the outgoing packets sent from a network interface of the endpoint device to a packet-switched network and carrying outbound payload data generated by one or more processes executed on the endpoint device, the incoming packets received at the network interface from the packet-switched network and carrying inbound payload data for processing by the one or more processes; extract network traffic telemetry from the outgoing and/or incoming packets, the extracted network traffic telemetry summarizing the outgoing and/or incoming packets; and transmit, to a cybersecurity service, a series of network telemetry records containing the extracted network traffic telemetry for use in performing a cybersecurity threat analysis. Further aspects pertain to the “deduplication” of telemetry records when network traffic is monitored by multiple sources.

Abstract: An endpoint agent configured, when executed on an endpoint device, to: access outgoing and/or incoming packets via a local traffic access function of the endpoint device, the outgoing packets sent from a network interface of the endpoint device to a packet-switched network and carrying outbound payload data generated by one or more processes executed on the endpoint device, the incoming packets received at the network interface from the packet-switched network and carrying inbound payload data for processing by the one or more processes; extract network traffic telemetry from the outgoing and/or incoming packets, the extracted network traffic telemetry summarizing the outgoing and/or incoming packets; and transmit, to a cybersecurity service, a series of network telemetry records containing the extracted network traffic telemetry for use in performing a cybersecurity threat analysis. Further aspects pertain to the “deduplication” of telemetry records when network traffic is monitored by multiple sources.

Abstract: In one aspect, a computer-implemented method of detecting network security threats comprises the following steps: receiving at an analysis engine events relating to a monitored network; analysing the received events to identify at least one event that meets a case creation condition and, in response, creating a case in an experience database, the case being populated with data of the identified at least one event; assigning a threat score to the created case based on the event data; matching at least one further event to the created case and populating the case with data of the at least one further event, the threat score assigned to that case being updated in response; and in response to the threat score for one of the cases meeting a significance condition, rendering that case accessible via a case interface.