Abstract: Performance of a collection of machines, arranged in a linear sequence of machines that form a linear communication orbit (LCO), is monitored. Multiple machines in the LCO receive, via the LCO, a set of rules (or various subsets of the same set of rules), each rule specifying one or a combination of conditions (e.g., a performance metric and corresponding criterion) for satisfying the rule, evaluate those rules with respect to locally occurring events and local processes, and store results of those evaluations in a local database. In response to a query sent to the machines via the LCO, each of the machines returns a report, including information identifying processes whose performance during the specified time period satisfies at least one rule in the set of one or more rules. Those reports are aggregated and used to generate a merged report reflecting performance information with respect to a set of machines.

Abstract: A device may generate information to cause the display of a graphical user interface (GUI) element reflecting how a selected enterprise network is performing on a technology assessment metric relative to other enterprise networks, where the generating includes: determining, based on data values reflecting individual performance of the plurality enterprise networks on the technology assessment metric, a part of a normal distribution curve to be shown, a first point to be shown on the part of the normal distribution curve indicating a percentile for the data value reflecting the individual performance of the selected enterprise network, and a second point along the part of the normal distribution curve reflecting a goal for the individual performance of the selected enterprise network. A device may send, to a client device, the information to cause the GUI element to be presented in a dashboard on the graphical user interface of the client device.

Abstract: An application mapping procedure obtains and aggregates application mapping information from a plurality of machines in a distributed system. An application dependency map, including first layer of application mapping information, is initialized, and then a first query is sent to one or more of the machines. In response, information identifying entities that have participated in predefined communications with entities identified in an existing layer of application mapping information in the application dependency map are received, and a second layer of application mapping information is added to the application dependency map, based at least in part on the information received in response to the first query. After adding the second layer of application mapping information to the application dependency map, a second query is sent to one or more of the of the endpoint machines, the second query being based at least in part on the application dependency map.

Abstract: Systems, methods, and machine-readable media are described for managing unmanageable devices in an enterprise network. In particular, techniques are described for allowing normally unmanageable endpoint devices to be managed by a management service. An agent establishes a connection with a management service in accordance with a management protocol. The agent collects endpoint data associated with a plurality of unmanageable endpoint devices and generates a virtual representation of each unmanageable endpoint device using a corresponding portion of the endpoint data. The agent performs transactions with the management service using each virtual representation to represent a corresponding unmanageable endpoint device participating in the management protocol.

Abstract: Techniques are described for integrating a backup service into a management service. A plurality of endpoints are managed with at least one management interface and a particular set of operations are selected based on the one or more backup services identified, the set of operations including: determining differences between a set of data being backed up by the one or more backup services for each endpoint of the plurality of endpoints and data backup requirements for each endpoint, the differences indicating a portion of data of one or more of the endpoints not included in the set of data being backed up; and automatically adding the portion of data to the set of data being backed up by the backup service, wherein adding the portion of data is performed with operations selected based on the one or more backup services.

Abstract: A cloud service to facilitate performance by a first organization of an assessment of an enterprise network of a second organization is described. According to one aspect, the cloud service performs the following operations with approval from the second organization. Specifically, the cloud service causes client software to be installed on a plurality of endpoints within the enterprise network to determine a first information regarding a current state of those endpoints. Also, the cloud service receives a second information that is based on the first information, and then causes a third information to be securely shared with the first organization. The third information is the second information or is based on the second information, and the third information is limited, through a set of one or more mechanisms, to that considered to be acceptable to share with another organization.

Abstract: A non-static collection of machines self-organizes into a linear communication orbit. A server has sent a data unit to a subset of machines in the linear communication orbit. A first machine receives a plurality of shards of the data unit from an upstream neighbor of the first machine in the linear communication orbit and sends the plurality of shards of the data unit to a downstream neighbor of the first machine in the linear communication orbit. The first machine selects and maintains a subset of the plurality of shards of the data unit in a local cache of the first machine according to a data caching method. The first machine selects the subset of the plurality of shards it maintains independently of whether the subset of the plurality of shards are maintained locally by the upstream neighbor and the downstream neighbor of the first machine in the linear communication orbit.

Abstract: A server system obtains, for machines in a distributed system, system risk information, such as information identifying open sessions between respective users and respective machines, information identifying vulnerabilities in respective machines; and administrative rights information identifying groups of users having administrative rights to respective machines. The server system determines security risk factors, including risk factors related to lateral movement between logically coupled machines, and generates machine risk assessment values for at least a subset of the machines, based on a weighted combination of the risk factors. A user interface that includes a list of machines, sorted in accordance with the machine risk assessment values is presented to a user.

Abstract: Performance of a collection of machines, arranged in a linear sequence of machines that form a linear communication orbit (LCO), is monitored. Multiple machines in the LCO receive, via the LCO, a set of rules (or various subsets of the same set of rules), each rule specifying one or a combination of conditions (e.g., a performance metric and corresponding criterion) for satisfying the rule, evaluate those rules with respect to locally occurring events and local processes, and store results of those evaluations in a local database. In response to a query sent to the machines via the LCO, each of the machines returns a report, including information identifying processes whose performance during the specified time period satisfies at least one rule in the set of one or more rules. Those reports are aggregated and used to generate a merged report reflecting performance information with respect to a set of machines.

Abstract: A server system in communication with a plurality of machines that form a linear communication orbit establishes a direct duplex connection between the server system and a first endpoint machine. The server system enrolls the first endpoint machine as a satellite endpoint machine, which enables the satellite endpoint machine to execute one or more function modules. Typically, the server system authenticates, via the direct duplex connection, the first endpoint machine, and, after authenticating the first endpoint machine, sends, to the first endpoint machine, an instruction for executing a function module. The server system receives a report including information obtained by the first endpoint machine executing the function module. At least one of the establishing a direct duplex connection, sending the instruction, and receiving the report includes sending or receiving a communication between the first endpoint machine and the server system via the linear communication orbit.

Abstract: A server system sends, via a linearly ordered communication orbit, to computational machines at a first subset of nodes in a computer network, a set of local environment verification tests and a set of mappings that map results of the local environment verification tests into a set of risk scores. Requests sent by the server system cause the computational machines at the plurality of nodes to: locally evaluate the set of local environment verification tests to produce test results, and locally map the test results using the set of mappings into a set of risk scores. Queries sent by the server cause the computational machines at the plurality of nodes to return to the server system at least a portion of the test results and risk scores. The server, identifies, based on the received test results and risk scores, computational machines and/or control categories having risk scores satisfying predefined criteria.

Abstract: A method is provided of managing a non-static collection of machines. A first client machine runs a first communication protocol. The non-static collection of machines includes a first linear communication orbit, the first linear communication orbit comprising a sequence of machines that run the first communication protocol, and a second linear communication orbit, the second linear communication orbit comprising a sequence of machines that run a second communication protocol distinct from the first communication protocol. The first client machine receives an instruction from a server to install the second communication protocol, installs the second communication protocol, and then submits a registration request to the server. The first client machine receives, from the server, contact information of a list of potential neighbors. The first client machine then, proactively constructs and maintains a respective local segment of the second linear communication orbit.

Abstract: A server system, coupled to a linear communication orbit, has a plurality of function modules. Each function module is configured to collect data from machines located at nodes of the linear communication orbit, process collected data according to a schema definition to generate result data, and store the result data in a database. Data collection requests, based on the schema definition, are sent through the linear communication orbit to collecting data from a set of machines via the linear communication orbit. In some embodiments, a central data management module of the one or more servers is configured to provide the schema definition to and receive result data reported from the function modules.

Abstract: An application mapping procedure obtains and aggregates application mapping information from a plurality of machines in a distributed system. An application dependency map, including first layer of application mapping information, is initialized, and then a first query is sent to one or more of the machines. In response, information identifying entities that have participated in predefined communications with entities identified in an existing layer of application mapping information in the application dependency map are received, and a second layer of application mapping information is added to the application dependency map, based at least in part on the information received in response to the first query. After adding the second layer of application mapping information to the application dependency map, a second query is sent to one or more of the of the endpoint machines, the second query being based at least in part on the application dependency map.

Abstract: Performance of a collection of machines, arranged in a linear sequence of machines that form a linear communication orbit (LCO), is monitored. Multiple machines in the LCO receive, via the LCO, a set of rules (or various subsets of the same set of rules), each rule specifying one or a combination of conditions (e.g., a performance metric and corresponding criterion) for satisfying the rule, evaluate those rules with respect to locally occurring events and local processes, and store results of those evaluations in a local database. In response to a query sent to the machines via the LCO, each of the machines returns a report, including information identifying processes whose performance during the specified time period satisfies at least one rule in the set of one or more rules. Those reports are aggregated and used to generate a merged report reflecting performance information with respect to a set of machines.

Abstract: In a distributed system that includes a collection of machines, a server system generates a global dictionary from sampling responses received from machines in the collection of machine, at least a subject of the sampling responses including information indicating one or more terms in a corpus of information stored at a respective machine in the collection of machines. The global dictionary includes global document frequency values corresponding to the document frequencies of terms in the corpora of information stored in the collection of machines. The server system generates a similarity search query for a target document, the similarity search query including identifiers of terms in the target document and optionally document frequency information for those terms, obtained from the global dictionary, and sends, through one or more linear communication orbits, the similarity search query to one or more respective machines in the collection of machines.

Abstract: A server system obtains, for machines in a distributed system, system risk information, such as information identifying open sessions between respective users and respective machines, information identifying vulnerabilities in respective machines; and administrative rights information identifying groups of users having administrative rights to respective machines. The server system determines security risk factors, including risk factors related to lateral movement between logically coupled machines, and generates machine risk assessment values for at least a subset of the machines, based on a weighted combination of the risk factors. A user interface that includes a list of machines, sorted in accordance with the machine risk assessment values is presented to a user.

Abstract: A first machine identifies, from among a non-static collection of machines, a respective set of forward contacts that comprises a set of machines. The set of forward contacts are distributed along the ordered sequence in the forward direction away from the respective machine in an order of increasing similarity between the respective channel number assigned to the first machine and a respective channel number assigned to each of the set of forward contacts. The first machine establishes a respective direct communication channel between the first machine and each of the set of forward contacts. The first machine sends a first query to a first forward contact and sends collected answers for the first query to at least a second forward contact that has a greater similarity to the first machine based on the respective channel numbers of the first machine and the first and second forward contacts.

Abstract: A server system sends, via a linearly ordered communication orbit, to computational machines at a first subset of nodes in a computer network, a set of local environment verification tests and a set of mappings that map results of the local environment verification tests into a set of risk scores. Requests sent by the server system cause the computational machines at the plurality of nodes to: locally evaluate the set of local environment verification tests to produce test results, and locally map the test results using the set of mappings into a set of risk scores. Queries sent by the server cause the computational machines at the plurality of nodes to return to the server system at least a portion of the test results and risk scores. The server, identifies, based on the received test results and risk scores, computational machines and/or control categories having risk scores satisfying predefined criteria.

Abstract: A method is provided of managing a non-static collection of machines. A first client machine runs a first communication protocol. The non-static collection of machines includes a first linear communication orbit, the first linear communication orbit comprising a sequence of machines that run the first communication protocol, and a second linear communication orbit, the second linear communication orbit comprising a sequence of machines that run a second communication protocol distinct from the first communication protocol. The first client machine receives an instruction from a server to install the second communication protocol, installs the second communication protocol, and then submits a registration request to the server. The first client machine receives, from the server, contact information of a list of potential neighbors. The first client machine then, proactively constructs and maintains a respective local segment of the second linear communication orbit.