Patents Assigned to Tripwire, Inc.
  • Patent number: 11940970
    Abstract: Disclosed below are representative embodiments of methods, apparatus, and systems for managing, monitoring, controlling, and/or classifying assets in an information technology (“IT”) environment. Certain embodiments leverage both services oriented architecture concepts and event mechanisms to create a platform with which additional controls can easily integrate.
    Type: Grant
    Filed: May 7, 2019
    Date of Patent: March 26, 2024
    Assignee: TRIPWIRE, INC.
    Inventors: Aaron Lerner, Adam Montville
  • Patent number: 11863460
    Abstract: Apparatus and methods are disclosed for generating, sending, and receiving messages in a networked environment using autonomous (or semi-autonomous) agents. In one example of the disclosed technology, a method of controlling message flow in a computer network comprising a plurality of agents, agent data consumers, and an agent message bridge configured to send messages by receiving a set of messages, at least some of the messages including a message type, queuing the set of messages in a spooler that includes an indication of the respective message type for each of the messages, receive an indication that sending some of the messages queued in the spooler should be delayed for one or more indicated message types, and sending at least one of the messages to a selected one or more of the agent data consumers, the sent messages not being of the indicated message types.
    Type: Grant
    Filed: October 8, 2021
    Date of Patent: January 2, 2024
    Assignee: TRIPWIRE, INC.
    Inventors: Gwendolyn Meredith Hunt, Benjamin J. Jansen, Eric L Delaney, Ryan Larson, Mitch Thomas, Brian McFeely
  • Patent number: 11861015
    Abstract: Apparatus, methods, and articles of manufacture are disclosed for implementing risk scoring systems used for vulnerability mitigation in a distributed computing environment. In one disclosed example, a computer-implemented method of mitigating vulnerabilities within a computing environment includes producing a risk score indicating at least one of: a vulnerability component, a security configuration component, or a file integrity component for an object within the computing environment, producing a signal score indicating a factor that contributes to risk for the object, and combining the risk score and the signal score to produce a combined risk score indicating a risk level associated with at least one vulnerability of the computing system object. In some examples, the method further includes mitigating the at least one vulnerability by changing a state of a computing object using the combined risk score.
    Type: Grant
    Filed: March 22, 2021
    Date of Patent: January 2, 2024
    Assignee: TRIPWIRE, INC.
    Inventors: Tyler Reguly, Lamar Bailey, Lane Thames, Craig Young
  • Patent number: 11722514
    Abstract: Apparatus and methods are disclosed for performing dynamic vulnerability correlation suitable for use in enterprise information technology (IT) environments, including vulnerability filtering, patch correlation, and vulnerability paring. According to one disclosed embodiment, a method of vulnerability filtering includes attempting to execute vulnerability scanning rules according to a specified order in a rule hierarchy, and depending on the type of the rule hierarchy and on whether the attempt was successful, not executing additional rules in the rule hierarchy. In another disclosed embodiment, a method of patch correlation includes executing vulnerability scanning rules based on a correlation associations including, if a particular vulnerability is detected, then not executing other correlated scanning rules for a particular software patch.
    Type: Grant
    Filed: August 6, 2021
    Date of Patent: August 8, 2023
    Assignee: TRIPWIRE, INC.
    Inventors: Tyler Reguly, Chris Pawlukowsky, Matthew Jonathan Condren
  • Patent number: 11645246
    Abstract: Disclosed below are representative embodiments of methods, apparatus, and systems for managing and classifying assets in an information technology (“IT”) environment using a tag-based approach. The disclosed tag-based classification techniques can be implemented through a graphical user interface. Embodiments of the disclosed tag-based classification techniques can be used to allow a user to easily and quickly select, and perform actions on groups of one or more assets (e.g., monitor policies, perform upgrades, etc.). For example, the tag-based classification techniques can automatically classify assets into “tag sets” (or “tagged sets”) based on node properties or user-selected criteria or conditions (e.g., criteria or conditions that are established in a user-created tagging profile or rule). The tagged assets can then be further filtered to identify even deeper relationships between the assets.
    Type: Grant
    Filed: March 19, 2018
    Date of Patent: May 9, 2023
    Assignee: Tripwire, Inc.
    Inventors: David M. Whitlock, Mark A. Little, Julie Booth, Chyna Trople
  • Patent number: 11611537
    Abstract: Apparatus and methods are disclosed for generating, sending, and receiving messages in a networked environment using autonomous (or semi-autonomous) agents. In one example of the disclosed technology, a method of collecting data from an agent executing on a host computer connected to one or more agent data consumers via a network connection includes collecting host data, the collecting occurring whether or not the agent can currently send data via the network connection. When the agent cannot send data via the network connection, the agent spools at least a portion of the collected host data in a spooler. When the agent can send data via the computer network, the agent sends at least a portion of the spooled host data to at least one of the agent data consumers.
    Type: Grant
    Filed: August 24, 2020
    Date of Patent: March 21, 2023
    Assignee: Tripwire, Inc.
    Inventors: Gwendolyn Meredith Hunt, Benjamin John Jansen, Eric Lee Delaney
  • Patent number: 11552868
    Abstract: Apparatus and methods are disclosed for processing messages from agents of a network environment including the use of collectors. Collectors can use configurable pipelines to improve processing of messages received from the agents. In one example of the disclosed technology, a number of networked agents are configured to gather data describing operational aspects of an agent's computing host. A collector is configured to receive reports from the agent and send the gathered data to one or more destination agent data consumers designated by augmentation information in the reports. In some examples, the collector transforms data using one or more stage selector rules.
    Type: Grant
    Filed: October 6, 2016
    Date of Patent: January 10, 2023
    Assignee: Tripwire, Inc.
    Inventors: Brian Cole, Patrick Campion, Paul Lamb
  • Patent number: 11487705
    Abstract: A compliance server receives change data associated with a change captured on a target host wherein the target host may have provided the change data in response to detecting the change, and the change data may include one or more rules, settings, and/or parameters. Also, in various embodiments, the compliance server may determine whether the one or more rules, settings, and/or parameters meet one or more compliance policies and generate one or more test results based at least on the results of the determining. Further, in some embodiments, the target host may detect a change to a rule, setting, and/or parameter based on a collection policy defining what change data is to be collected by the target host and provide data associated with the rule, setting, and/or parameter as change data to the compliance server.
    Type: Grant
    Filed: September 30, 2020
    Date of Patent: November 1, 2022
    Assignee: Tripwire, Inc.
    Inventor: Robert DiFalco
  • Patent number: 11477128
    Abstract: Apparatus and methods are disclosed for implementing bandwidth throttling to regulate network traffic as can be used in, for example, vulnerability scanning and detection applications in a computer network environment. According to one embodiment, a method of routing network packets in a networked device having plural network interfaces combines applying traffic class and network interface throttling for marking network packets with a differentiated service code based on input received from a profiler application, throttling the bandwidth of network packets based on a threshold for a designated network interface for the packet, throttling the bandwidth of the bandwidth-throttled packets based on a threshold for its respective differentiated service code, and emitting network packets on each respective designated network interface.
    Type: Grant
    Filed: April 10, 2020
    Date of Patent: October 18, 2022
    Assignee: Tripwire, Inc.
    Inventors: Chris Pawlukowsky, Ian Turner, Mike Appleby
  • Patent number: 11277446
    Abstract: Disclosed herein are representative embodiments of methods, apparatus, and systems for processing and managing information from a compliance and configuration control (“CCC”) tool and generating information for a security information and event management (“SIEM”) tool based on the information from the CCC tool. For example, in one exemplary embodiment, information from a CCC tool is transferred to a SIEM tool or logging tool by receiving the information from the CCC tool in a format that is not recognized by the SIEM tool or logging tool, and generating an output message in a message format that is recognized by the SIEM tool or logging tool. In particular embodiments, the message format is a customizable message format that is adaptable to multiple different SIEM tools or logging tools. In further embodiments, the data transferred to the SIEM tool comprises data indicative of compliance policy changes.
    Type: Grant
    Filed: August 12, 2019
    Date of Patent: March 15, 2022
    Assignee: Tripwire, Inc.
    Inventor: Stephen Rivers
  • Patent number: 11218297
    Abstract: Disclosed below are representative embodiments of methods, apparatus, and systems for managing one or more cybersecurity tools that are deployed to help protect electronic assets in an IT infrastructure—including, for example, one or more security configuration management tools, vulnerability management tools, event logging tools, or other IT infrastructure security or monitoring tools that are used to monitor, secure, and/or control assets in an IT infrastructure. In one example, a request to install local software for access to a remote security control service is received from a remote user at a remote device; and data for installing the local software is transmitted to the remote user. In certain implementations, the data for installing the local software further includes a public cryptographic certificate.
    Type: Grant
    Filed: June 6, 2019
    Date of Patent: January 4, 2022
    Assignee: Tripwire, Inc.
    Inventors: Joshua Hegg, Devon Gleeson, Brian McFeely, Craig Meinschein, Guy Gascoigne-Piggford, Jack Truong
  • Patent number: 11194563
    Abstract: Apparatus and methods are disclosed for implementing software reconciliation frameworks to process changes detected to software installed on computer hosts. According to one embodiment, a method includes receiving change data describing changes to one or more software components stored on a computer-readable storage device, determining installed software on a computer associated with the computer-readable storage device, receiving a manifest comprising a description of file changes associated with a software patch or update for the installed software, and comparing the change data to the manifest. Based on the comparing, if the change data matches the manifest, the changes are promoted, and if the change data does not match the manifest, the changes are marked for further analysis.
    Type: Grant
    Filed: September 18, 2017
    Date of Patent: December 7, 2021
    Assignee: Tripwire, Inc.
    Inventor: Andrew C. Steigleder
  • Patent number: 11159439
    Abstract: Apparatus and methods are disclosed for generating, sending, and receiving messages in a networked environment using autonomous (or semi-autonomous) agents. In one example of the disclosed technology, a method of controlling message flow in a computer network comprising a plurality of agents, agent data consumers, and an agent message bridge configured to send messages by receiving a set of messages, at least some of the messages including a message type, queuing the set of messages in a spooler that includes an indication of the respective message type for each of the messages, receive an indication that sending some of the messages queued in the spooler should be delayed for one or more indicated message types, and sending at least one of the messages to a selected one or more of the agent data consumers, the sent messages not being of the indicated message types.
    Type: Grant
    Filed: May 16, 2019
    Date of Patent: October 26, 2021
    Assignee: Tripwire, Inc.
    Inventors: Gwendolyn Meredith Hunt, Benjamin J. Jansen, Eric L. Delaney, Ryan Larson, Mitch Thomas, Brian McFeely
  • Patent number: 11128652
    Abstract: Apparatus and methods are disclosed for performing dynamic vulnerability correlation suitable for use in enterprise information technology (IT) environments, including vulnerability filtering, patch correlation, and vulnerability paring. According to one disclosed embodiment, a method of vulnerability filtering includes attempting to execute vulnerability scanning rules according to a specified order in a rule hierarchy, and depending on the type of the rule hierarchy and on whether the attempt was successful, not executing additional rules in the rule hierarchy. In another disclosed embodiment, a method of patch correlation includes executing vulnerability scanning rules based on a correlation associations including, if a particular vulnerability is detected, then not executing other correlated scanning rules for a particular software patch.
    Type: Grant
    Filed: October 25, 2018
    Date of Patent: September 21, 2021
    Assignee: Tripwire, Inc.
    Inventors: Tyler Reguly, Chris Pawlukowsky, Matthew Jonathan Condren
  • Patent number: 10795855
    Abstract: In some embodiments, a target host may have provided the change data in response to detecting the change, and the change data may include one or more rules, settings, and/or parameters. Also, in various embodiments, the compliance server may determine whether the one or more rules, settings, and/or parameters meet one or more compliance policies and generate one or more test results based at least on the results of the determining. Further, in some embodiments, the target host may detect a change to a rule, setting, and/or parameter based on a collection policy defining what change data is to be collected by the target host and provide data associated with the rule, setting, and/or parameter as change data to the compliance server.
    Type: Grant
    Filed: July 2, 2018
    Date of Patent: October 6, 2020
    Assignee: Tripwire, Inc.
    Inventor: Robert DiFalco
  • Patent number: 10785110
    Abstract: An automated method for facilitating management of a data processing environment is disclosed. In various embodiments, the method may include facilitating creation of a first memorialization, in digital form, of first one or more changes made to a first data processing device of the data processing environment. In various embodiments, the method may further include facilitating creation of a second and a third memorialization, both in digital form, of second and third one or more changes made to a second and a third data processing device of the data processing environment, respectively. In various embodiments, the method may still further include facilitating automated approval of the second and third changes made to the second and third data processing devices, using the first, second and third memorializations. Other embodiments of the present invention may include, but are not limited to, apparatus adapted to facilitate practice of the above-described method.
    Type: Grant
    Filed: June 12, 2017
    Date of Patent: September 22, 2020
    Assignee: Tripwire, Inc.
    Inventors: Gregor Torrence, Troy D. Thompson
  • Patent number: 10764257
    Abstract: Apparatus and methods are disclosed for generating, sending, and receiving messages in a networked environment using autonomous (or semi-autonomous) agents. In one example of the disclosed technology, a method of collecting data from an agent executing on a host computer connected to one or more agent data consumers via a network connection includes collecting host data, the collecting occurring whether or not the agent can currently send data via the network connection. When the agent cannot send data via the network connection, the agent spools at least a portion of the collected host data in a spooler. When the agent can send data via the computer network, the agent sends at least a portion of the spooled host data to at least one of the agent data consumers.
    Type: Grant
    Filed: March 14, 2017
    Date of Patent: September 1, 2020
    Assignee: Tripwire, Inc.
    Inventors: Gwendolyn Meredith Hunt, Benjamin John Jansen, Eric Lee Delaney
  • Patent number: 10721129
    Abstract: An automated method for facilitating management of a data processing environment is disclosed. In various embodiments, the method may include facilitating creation of a first memorialization, in digital form, of first one or more changes made to a first data processing device of the data processing environment. In various embodiments, the method may further include facilitating creation of a second and a third memorialization, both in digital form, of second and third one or more changes made to a second and a third data processing device of the data processing environment, respectively. In various embodiments, the method may still further include facilitating automated approval of the second and third changes made to the second and third data processing devices, using the first, second and third memorializations. Other embodiments of the present invention may include, but are not limited to, apparatus adapted to facilitate practice of the above-described method.
    Type: Grant
    Filed: May 31, 2017
    Date of Patent: July 21, 2020
    Assignee: Tripwire, Inc.
    Inventors: Gregor Torrence, Troy D. Thompson
  • Patent number: 10693902
    Abstract: Disclosed herein are representative embodiments of methods, apparatus, and systems for processing and managing information from one or more security control tools, such as a security configuration management tool, a vulnerability management tool, an event logging tool, or other IT infrastructure security or monitoring tool that is used to monitor, secure, and/or control assets in an IT infrastructure. For example, in some embodiments, user interfaces are disclosed that allow a user to quickly view, filter, and evaluate the degree of security control coverage in selected assets of an enterprise. In further embodiments, user interfaces are disclosed that allow a user to view and evaluate the current security state for selected assets across a variety of categories and, in some cases, as guided by a two-dimensional vulnerability risk matrix.
    Type: Grant
    Filed: June 4, 2018
    Date of Patent: June 23, 2020
    Assignee: Tripwire, Inc.
    Inventors: Marsha Haverty, Ted Schuh
  • Publication number: 20200153864
    Abstract: Disclosed herein are representative embodiments of methods, apparatus, and systems for processing and managing information from a compliance and configuration control (“CCC”) tool and generating information for a security information and event management (“SIEM”) tool based on the information from the CCC tool. For example, in one exemplary embodiment, information from a CCC tool is transferred to a SIEM tool or logging tool by receiving the information from the CCC tool in a format that is not recognized by the SIEM tool or logging tool, and generating an output message in a message format that is recognized by the SIEM tool or logging tool. In particular embodiments, the message format is a customizable message format that is adaptable to multiple different SIEM tools or logging tools. In further embodiments, the data transferred to the SIEM tool comprises data indicative of compliance policy changes.
    Type: Application
    Filed: August 12, 2019
    Publication date: May 14, 2020
    Applicant: Tripwire, Inc.
    Inventor: Stephen Rivers