Patents Assigned to Sophos Limited
  • Patent number: 12192247
    Abstract: Methods, systems, and computer readable media for network security are described. In some implementations, security tasks and roles can be allocated between an endpoint device and a firewall device based on tag information sent from the endpoint, the tag information including one or more characteristics of a traffic flow, information of resource availability, and/or reputation of a process associated with a traffic flow.
    Type: Grant
    Filed: October 9, 2023
    Date of Patent: January 7, 2025
    Assignee: Sophos Limited
    Inventors: Andy Thomas, Nishit Shah, Daniel Stutz
  • Patent number: 12184510
    Abstract: A computer-implemented method includes training a machine-learning model, using a training dataset that distinguishes between critical systems and non-critical systems, to classify a particular computer system as critical or non-critical, wherein a label is applied to the particular computer system during the training that identifies the particular computer system as critical or non-critical, and wherein parameters that describe the critical systems or non-critical systems are used as features during the training. The method further includes receiving an input dataset that describes a plurality of computer systems in the enterprise environment.
    Type: Grant
    Filed: May 17, 2023
    Date of Patent: December 31, 2024
    Assignee: Sophos Limited
    Inventor: Karl Ackerman
  • Publication number: 20240422007
    Abstract: A computer-implemented method includes identifying one or more software processes that execute on the endpoint device and that perform at least one file operation including opening a file, reading the file, writing the file, or transmitting the file over a network. The method further includes storing for each software process of the one or more software processes identification information about the file. The method further includes responsive to determining that a triggering event has occurred, performing one or more actions including: preventing deletion of the file, determining one or more attributes of a suspicious process that accessed the file, requesting that a separate component analyze event journal records in relation to a time interval that overlaps with when the suspicious process accessed the file, or transmitting a cryptographic hash of the file to a server.
    Type: Application
    Filed: June 14, 2023
    Publication date: December 19, 2024
    Applicant: SOPHOS LIMITED
    Inventors: Daniel Montaque Teal, Steven Braggs, Andrew James Thomas
  • Publication number: 20240414189
    Abstract: Various aspects related to methods, systems, and computer readable media for detection and blocking of security threats for network-accessible devices. Methods may include receiving an indication of a security threat to the user device, the indication of security threat associated with a device threat type, determining that the device threat type is a threat type that requires elevated security measures, responsive to the determining that the device threat type requires elevated security measures, restricting execution of a subset of software available on the user device for a first time period, and, after the elevating, automatically remediating the security threat on the user device within the first time period.
    Type: Application
    Filed: January 26, 2024
    Publication date: December 12, 2024
    Applicant: SOPHOS LIMITED
    Inventors: Dmitry Samosseiko, Fraser Peter Howard, Michael David Wood, Andrew James Thomas, Benjamin James Humphrey, Xiaochuan Zhang, Paul Barrie Ducklin, Anand Ajjan
  • Publication number: 20240411877
    Abstract: Various aspects related to methods, systems, and computer readable media for detection and blocking of security threats for network-accessible devices. Methods may include receiving an indication of a security threat to a user device of the plurality of user devices, the indication of security threat associated with a device threat type, determining that the device threat type is a threat type that requires elevated security measures, responsive to the determining that the device threat type requires elevated security measures, elevating security measures associated with the user device for a first time period, and, after the elevating, automatically remediating the security threat on the user device within the first time period.
    Type: Application
    Filed: January 26, 2024
    Publication date: December 12, 2024
    Applicant: SOPHOS LIMITED
    Inventors: Dmitry Samosseiko, Fraser Peter Howard, Michael David Wood, Andrew James Thomas, Benjamin James Humphrey, Xiaochuan Zhang, Paul Barrie Ducklin, Anand Ajjan
  • Publication number: 20240411878
    Abstract: Various aspects related to methods, systems, and computer readable media for detection and blocking of security threats for network-accessible devices. Methods may include monitoring a plurality of processes executing on the user device to identify a pre-execution flag associated with at least one process of the plurality of processes, and, responsive to identifying the pre-execution flag: receiving an indication of a security threat to the user device, the indication of security threat associated with the at least one process and a device threat type, responsive to the receiving the indication of the security threat, elevating security measures associated with the user device for a first time period, and after the elevating, automatically remediating the security threat on the user device within the first time period.
    Type: Application
    Filed: January 26, 2024
    Publication date: December 12, 2024
    Applicant: SOPHOS LIMITED
    Inventors: Dmitry Samosseiko, Fraser Peter Howard, Michael David Wood, Andrew James Thomas, Benjamin James Humphrey, Xiaochuan Zhang, Paul Barrie Ducklin, Anand Ajjan
  • Publication number: 20240414176
    Abstract: Various aspects related to methods, systems, and computer readable media for detection and blocking of security threats for network-accessible devices. Methods can include monitoring network traffic on a computer network, detecting an indication of a security threat to at least one endpoint, determining that the device threat type is a threat type that requires elevated security measures, responsive to the determining that the device threat type requires elevated security measures, updating a network-access policy for the plurality of endpoints with the threat type, and after the updating, automatically remediating the security threat on the at least one endpoint within a first time period.
    Type: Application
    Filed: January 26, 2024
    Publication date: December 12, 2024
    Applicant: SOPHOS LIMITED
    Inventors: Dmitry Samosseiko, Fraser Peter Howard, Michael David Wood, Andrew James Thomas, Benjamin James Humphrey, Xiaochuan Zhang, Paul Barrie Ducklin, Anand Ajjan
  • Patent number: 12166790
    Abstract: Embodiments disclosed include methods and apparatus for visualization of data and models (e.g., machine learning models) used to monitor and/or detect malware to ensure data integrity and/or to prevent or detect potential attacks. Embodiments disclosed include receiving information associated with artifacts scored by one or more sources of classification (e.g., models, databases, repositories). The method includes receiving inputs indicating threshold values or criteria associated with a classification of maliciousness of an artifact and for selecting sample artifacts. The method further includes classifying and selecting the artifacts, based on the criteria, to define a sample set, and based on the sample set, generating a ground truth indication of classification of maliciousness for each sample artifact in the sample set.
    Type: Grant
    Filed: March 31, 2022
    Date of Patent: December 10, 2024
    Assignee: Sophos Limited
    Inventors: Konstantin Berlin, Awalin Nabila Sopan
  • Patent number: 12160450
    Abstract: A method for performing admission control in a containerized computing environment includes deploying, by one or more processors of a computer system, the containerized computing environment, receiving, by the containerized computing environment, constraints associated with admission control for containers, the constraints related to container security, and receiving, by the containerized computing environment, a request for creating a container. The method includes determining, by an admission controller of the containerized computing environment, a quality metric of the container associated with the received request, performing, by the admission controller of the containerized computing environment, admission control prior to the creating of the container by applying the constraints using the determined quality metric, and allowing or disallowing, by the admission controller of the containerized computing environment, creation of the container based on the performing the admission control.
    Type: Grant
    Filed: May 20, 2022
    Date of Patent: December 3, 2024
    Assignee: Sophos Limited
    Inventors: Biju Ramachandra Kaimal, Jeffrey Martin Green, Shwetank Shwetank
  • Patent number: 12159158
    Abstract: A gateway performs silent authentication refreshes with an identity management platform in order to extend the expiration of a cookie provided to an endpoint that accesses network applications through the gateway.
    Type: Grant
    Filed: March 14, 2023
    Date of Patent: December 3, 2024
    Assignee: Sophos Limited
    Inventors: Biju Ramachandra Kaimal, Venkata Suresh Reddy Obulareddy
  • Patent number: 12153674
    Abstract: An event graph can be generated, and, upon malware detection, traversed backward to identify a root cause associated with the malware detection. Using this information, rules for earlier malware detection can be created by analyzing the event graph proximal to the root cause rather than proximal to the malware detection trigger.
    Type: Grant
    Filed: March 8, 2022
    Date of Patent: November 26, 2024
    Assignee: Sophos Limited
    Inventors: Beata Ladnai, Mark David Harris, Andrew J. Thomas, Andrew G. P. Smith, Russell Humphries
  • Patent number: 12153948
    Abstract: In order to use zero trust network resources distributed across multiple gateways, an agent is deployed on an endpoint of an enterprise network. The agent maps requests for specific applications to corresponding gateways. The agent may also multiplex or otherwise aggregate communications among different network applications and gateways in order to provide seamless, transparent access to the distributed resources at a single endpoint, and/or within a single interface.
    Type: Grant
    Filed: March 9, 2022
    Date of Patent: November 26, 2024
    Assignee: Sophos Limited
    Inventors: Biju Ramachandra Kaimal, Andrew J. Thomas, Venkata Suresh Reddy Obulareddy, Mayur Premi, Robert W. Cook, Ramesh Kamath, Matthew Charles Setzer, Madan Mohan Nayak
  • Patent number: 12153677
    Abstract: A machine learning model is sequentially fine-tuned with new training data as the training data becomes available. By using a suitable mix of old and new data, and weighting samples in the training data by age, the model can be efficiently updated to maintain accuracy against a changing malware landscape without manual modifications of the network layers or the computational expense of full retraining.
    Type: Grant
    Filed: February 9, 2022
    Date of Patent: November 26, 2024
    Assignee: Sophos Limited
    Inventor: Hillary Margaret Sanders
  • Publication number: 20240364651
    Abstract: A computer-implemented method includes sending email scan requests to an email scanner. The method further includes receiving, from the email scanner, a verdict of suspicion and one or more data fragments. The method further includes storing the one or more data fragments for each email of the plurality of emails in a datastore. The method further includes receiving a new email. The method further includes deriving one or more new keys for the new email. The method further includes retrieving one or more matching data fragments from the datastore by matching the one or more new keys with the one or more keys stored in the datastore. The method further includes providing, to the email scanner, the new email and the one or more matching data fragments. The method further includes receiving a new verdict of suspicion and one or more new data fragments.
    Type: Application
    Filed: April 27, 2023
    Publication date: October 31, 2024
    Applicant: SOPHOS LIMITED
    Inventor: John Mears
  • Patent number: 12132745
    Abstract: A platform for threat investigation in an enterprise network receives threat data from managed endpoints, and is augmented with data from cloud computing platforms and other third-party resources. The resulting merged data set can be incrementally updated and used to automatically launch investigations at appropriate times.
    Type: Grant
    Filed: May 26, 2022
    Date of Patent: October 29, 2024
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Mangal Rakesh Vankadaru, Prakash Kumar Talreja, Timothy Rayment, Biju Balakrishnan Nair
  • Patent number: 12130923
    Abstract: In some embodiments, a processor receives natural language data for performing an identified cybersecurity task. The processor can provide the natural language data to a first machine learning (ML) model. The first ML model can automatically infer a template query based on the natural language data. The processor can receive user input indicating a finalized query and to provide the finalized query as input to a system configured to perform the identified computational task. The processor can provide the finalized query as a reference phrase to a second ML model, the second ML model configured to generate a set of natural language phrases similar to the reference phrase. The processor can generate supplemental training data using the set of natural language phrases similar to the reference phrase to augment training data used to improve performance of the first ML model and/or the second ML model.
    Type: Grant
    Filed: March 31, 2022
    Date of Patent: October 29, 2024
    Assignee: Sophos Limited
    Inventors: Younghoo Lee, Miklós Sándor Béky, Joshua Daniel Saxe
  • Patent number: 12132746
    Abstract: A threat management facility receives data from a variety of sources such as compute instances within an enterprise network, cloud service providers supporting the enterprise network, and third-party data providers such as geolocation services. In order to facilitate prompt notification of potential risks, the threat management facility may incrementally update data for use in threat assessments as the data becomes available from these different sources, and create suitable alerts or notifications whenever the currently accumulated data provides an indication of threat meeting a predetermined threshold.
    Type: Grant
    Filed: May 26, 2022
    Date of Patent: October 29, 2024
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Mangal Rakesh Vankadaru, Prakash Kumar Talreja, Timothy Rayment, Biju Balakrishnan Nair
  • Patent number: 12132709
    Abstract: A firewall system provides two network paths for network flows: one path through a firewall on a host device and another path through an alternative hardware or software system that handles network flows that have been analyzed and allowed by the firewall. The firewall system can then transfer network flows between the two paths according to the status of each network flow.
    Type: Grant
    Filed: November 22, 2021
    Date of Patent: October 29, 2024
    Assignee: Sophos Limited
    Inventors: Tayfun Gol, Christopher Adam Telfer, Gad Leshem
  • Patent number: 12126633
    Abstract: A method for processing electronic messages including unsubscribe links comprises receiving a plurality of electronic messages directed from a sender to an intended recipient, wherein at least one electronic message from the plurality of electronic messages includes an unsubscribe link that is associated with an instruction that instructs the sender to discontinue sending electronic messages to the intended recipient, parsing the electronic messages to identify unsubscribe links from the plurality of electronic messages, for each identified unsubscribe link, creating a record associated with the identified unsubscribe link in a database, generating an aggregate of the identified unsubscribe links based on the records in the database, and transmitting the aggregate of the identified unsubscribe links to the intended recipient.
    Type: Grant
    Filed: March 30, 2022
    Date of Patent: October 22, 2024
    Assignee: Sophos Limited
    Inventor: Sascha Michael Paris
  • Patent number: 12111927
    Abstract: In embodiments, a framework for an extensible, file-based security system is described for determining an appropriate application, application environment, and/or access or security control measure based at least in part on a file's reputation.
    Type: Grant
    Filed: July 26, 2023
    Date of Patent: October 8, 2024
    Assignee: Sophos Limited
    Inventor: Andrew J. Thomas