Abstract: A method includes creating a virtual machine including a remote file system, a file system service, and a security application. Access to the remote file system is restricted with the security application upon an unknown malicious code outbreak. The more that is known about the threat, the more precise are the restrictions placed upon the file system thus reducing the impact on users of the file system to an absolute minimum.

Abstract: Techniques are disclosed for data risk management in accessing an Infrastructure as a Service (IaaS) cloud network. More specifically, embodiments of the invention evaluate virtual machine images launched in cloud-based environments for compliance with a policy. After intercepting a virtual machine image launch request, an intermediary policy management engine determines whether the request conforms to a policy defined by a policy manager, e.g., an enterprise's information security officer. The policy may be based on user identities, virtual machine image attributes, data classifications, or other criteria. Upon determining whether the request conforms to policy, the policy management engine allows the request, blocks the request, or triggers a management approval workflow.

Abstract: A computer-implemented method for validating self-signed certificates may include (1) identifying a self-signed certificate associated with an application, (2) identifying a publisher allegedly responsible for publishing the application, (3) identifying a website associated with the publisher allegedly responsible for publishing the application, (4) determining that the website references the application, (5) determining that a website certificate associated with the website has been signed by a certificate authority, and (6) validating the self-signed certificate in response to determining both that the website references the application and that the website certificate associated with the website has been signed by the certificate authority. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A cloud service access and information gateway receives, from a user device, a request to access a cloud service. The cloud service access and information gateway determines a context of the request and compares the context of the request to a cloud service access policy. If the context of the request satisfies the cloud service access policy, the cloud service access and information gateway determines a type of information associated with the request and compares the type of information associated with the request to an information control policy. If the type of information satisfies the information control policy, the cloud service access and information gateway grants the user device access to the cloud service.

Abstract: A computer-implemented method for protecting computing resources based on logical data models may include (1) receiving, from a security agent, log data that specifies details of a security event detected by the security agent, (2) creating an instance of a data structure for a logical data model that describes a path cycle of a security threat, (3) populating at least one field of the data structure for the logical data model with a completed value, (4) populating at least one other field of the data structure for the logical data model with a value of incomplete based on a completed value for the other field being unavailable, and (5) performing a security action based on an analysis of the instance of the data structure for the logical data model. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A system and method are disclosed for deploying applications to end point devices. The applications are obtained from a marketplace that checks the applications and packages them for endpoint use according to certain policies. Packaging an application includes compiling or assembling and linking the application, possibly with a framework and possibly with a binding token, which can be a device binding token and/or a user binding token. The application is loaded onto an endpoint device and if the application is bound to the device and the user is allowed to use the application, the application is enabled to be used on the endpoint device. A gateway between the endpoint device and an authentication server helps to authenticate the user. The gateway also manages data transfers between the endpoint device and a data server according to a selected protocol.

Abstract: The disclosed computer-implemented method for detecting attempts to transmit sensitive information via data-distribution channels may include (1) identifying an attempt to transmit a file through a data-distribution channel, (2) comparing, using an image-matching technique, the file with at least one known sensitive file that is both stored in an image format and protected by a data-loss-prevention policy, (3) determining, based on the results of the image-matching technique, that the file violates the data-loss-prevention policy, and (4) performing a security action in response to determining that the file violates the data-loss-prevention policy. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for interfacing with dynamic web forms may include (1) identifying a web page, (2) parsing the web page in order to identify an attribute of at least one interactive element that indicates that the interactive element may be used to create at least one input field on the web page, (3) in response to identifying the attribute, monitoring the interactive element in order to detect a user interaction with the interactive element, (4) in response to detecting the user interaction with the interactive element, identifying at least one new input field on the web page, and (5) performing an automated task on the new input field in response to the input field being newly identified. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed method may include (1) identifying a data center application whose functionality is provided by a set of systems, (2) organizing, automatically by the computing device, the set of systems into one or more application model groups by, for each system in the set of systems, identifying an attribute of the system that is indicative of a security context under which the system should operate and assigning the system to an application model group for which the security context will be provided, and (3) for each application model group in the one or more application model groups, protecting the application model group by selecting a firewall configuration that will provide the security context for the application model group and by using the selected firewall configuration to protect the application model group. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for distributed rate limiting is provided. The method includes detecting, in a first communication received by an application, a suspicious behavior, the first communication having traveled through a network to the application, the detecting performed by a rate limiter coupled to the application. The method includes communicating, from a blocking analytics module associated with the application, to a blocker located in the network, information regarding an origin of the first communication. The method includes blocking, at the blocker located in the network, further communication having a same origin as the origin of the first communication.

Abstract: A virtual machine template is created. The template includes a file system containing files to be deduplicated across multiple virtual machines. For each file to deduplicate, a hash of the content is generated and stored in association with the file. The content of the file is moved from the virtual machine template to a file store. The entry for the file in the store is indexed according to the hash. Multiple virtual machines are created by cloning the template, each containing a copy of its file system and the hashes stored locally in association with the corresponding deduplicated files. File access operations are monitored on each one of the multiple virtual machines, and attempts to access deduplicated file are detected. In response, the corresponding locally stored hash is used to retrieve the content of the file from the central file store, and provide it to the virtual machine.

Abstract: Techniques for detecting advanced security threats are disclosed. In one particular embodiment, the techniques may be realized as a method for detecting a security threat including generating a resource at a client, implementing the resource on the client, monitoring system behavior of the client having the resource implemented thereon, determining whether a security event involving the implemented resource has occurred based on the monitored system behavior, and generating a report when it has been determined that the security event has occurred.

Abstract: Mobile push user authentication for native client based logon is described. In one method, an authentication server receives from a user interface at a native client a password for native-client based logon to a remote server. The method determines whether a portion of the password includes a one-time password (OTP). When the password includes an OTP, the method validates the remaining portion of the password as a first authentication factor, and validates the OTP as a second authentication factor. When the password does not include an OTP, the method sends a mobile push notification to a registered device, validates the password as the first authentication factor, receives a response to the mobile push notification, and validates the response to the mobile push notification as the second authentication factor. The native-client based logon is authorized when the first authentication factor and the second authentication factor are validated.

Abstract: A processing device detects a file system call that is associated with copying data to a destination file. The processing device identifies an application initiating the copying of the data to the destination file and determines one or more files that are opened by the application. The processing device identifies a source file from the one or more files opened by the application. The source file corresponds to the destination file. The processing device determines whether the source file includes data to be protected and allows or denies the copying of the data to the destination file based on whether the source file includes data to be protected.

Abstract: A method to identify machines infected by malware is provided. The method includes determining whether a universal resource locator in a network request is present in a first cache and determining whether a fully qualified domain name from the uniform resource locator is present in a second cache. The method includes evaluating a parent hostname as to suspiciousness. The method includes indicating the computing device has a likelihood of infection, responsive to one of: the universal resource locator being present in the first cache with a first indication of suspiciousness, the fully qualified domain name being present in the second cache with a second indication of suspiciousness, or the evaluating the parent hostname having a third indication of suspiciousness, wherein at least one method operation is performed by the processor. A system and computer readable media are provided.

Abstract: Injected threads are tracked to detect malware that injects malicious code into the address space of a legitimate process. Relationships between threads of processes executing on a client and files stored by the client are mapped to identify files that create threads in executing processes. The address space of a process is analyzed to identify legitimate memory regions in the address space. A suspicious thread referencing a suspicious memory region of the address space outside of the legitimate memory regions is identified. The suspicious memory region is scanned to identify malware. The mapped relationships are used to identify the file that created the thread that referenced the address space in which the malware was identified. The malware in the file is remediated.

Abstract: A computer-implemented method for predicting optimum run times for software samples may include (1) identifying a set of training data that identifies (i) a plurality of static characteristics of at least one previously executed software sample and (ii) an amount of time taken by a software-analysis mechanism to observe a threshold level of run-time behaviors of the previously executed software sample, (2) identifying a plurality of static characteristics of an additional software sample, (3) determining that the static characteristics of the additional software sample and the previously executed software sample exceed a threshold level of similarity, and then (4) predicting an optimum run time for the additional software sample based at least in part on the amount of time taken by the software-analysis mechanism to observe the threshold level of run-time behaviors of the previously executed software sample. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for detecting malicious use of digital certificates may include determining that a digital certificate is invalid. The method may further include locating, within the invalid digital certificate, at least one field that was previously identified as being useful in distinguishing malicious use of invalid certificates from benign use of invalid certificates. The method may also include determining, based on analysis of information from the field of the invalid digital certificate, that the invalid digital certificate is potentially being used to facilitate malicious communications. The method may additionally include performing a security action in response to determining that the invalid digital certificate is potentially being used to facilitate malicious communications. Various other methods, systems, and computer-readable media are disclosed.

Abstract: A computer-implemented method for enforcing enterprise data access control policies in cloud computing environments may include (1) intercepting, at a proxy, an attempt to configure a computing instance on a cloud computing platform with a permission that would provide the computing instance with access to secured data on the cloud computing platform, (2) identifying a user within an enterprise that initiated the attempt to configure the computing instance with the permission, (3) determining, based on a data access control policy for the enterprise, that the user is not entitled to access the secured data, and (4) blocking the attempt to configure the computing instance with the permission based on determining that the user is not entitled to access the secured data. Various other methods, systems, and computer-readable media are also disclosed.