Abstract: Automatically investigating security incidents and generating security incident reports using a Large Language Model (LLM). A computerized system receives an incoming Security Alert Message pertaining to a possible security-related incident. The system automatically feeds into the LLM at least: the content of the Security Alert Message; the metadata of the Security Alert Message; context information describing a security domain; and organization context information pertaining to users and machines of that organization. The system automatically prompts the LLM to automatically investigate the Security Alert Message and to automatically generate a detailed Incident Report pertaining to the Security Alert Message.

Abstract: Automated multi-phase investigation of security incident alerts using a Large Language Model (LLM) with converging dialogue. A computerized system receives a Security Alert Message pertaining to a possible security-related incident pertaining to an organization. The system automatically evaluates whether the Security Alert Message is either (I) a False Positive security alert message or (II) a True Positive security alert message, by performing an iterative multi-phase converging process in which the LLM evaluates at least: (i) the content of that Security Alert Message, and (ii) the meta-data of that Security Alert Message, and (iii) organizational context that is related to that Security Alert Message. An iterative process is performed by the LLM, which utilizes an Agent Module to fetch additional context information from organizational sources. The LLM re-updates the Risk Score and re-evaluates the Risk Score until convergence to a decision.

Abstract: A system and method for dynamically refining access rules for governing control of access by multiple users to data elements or services (DEOSs) stored in or accessed through at least one access controllable network element (ACONE), including collecting initial permissions to the DEOSs, receiving and periodically updating notifications of actual access events of the multiple users to the DEOSs, generating initial user groups for the multiple users, generating for each of the initial user groups, based at least partially on the notifications of actual access events, a list of users who have accessed at least one of the DEOSs, based at least partially on the lists, generating modified user groups, based at least partially on the modified user groups, generating modified permissions, and based on the modified permissions, updating the initial permissions to the DEOSs, thereby enabling only the users in particular modified user groups to access particular DEOSs.

Abstract: A method and system for classifying a video file within an environment in which the file is located and when a file is classified as sensitive, controlling transmission of the file outside the environment. Classifying the video comprises analysing, using at least one machine learning model, the video to recognise any individuals in the video; obtaining a transcript of any speech in the video and generating, using the analysis, obtained transcript and a database of individuals linked to the environment, a labelled transcript which identifies each individual linked to the environment that is in the video. Information about each identified individual may be obtained from a connected database. A first generative AI model generates a text-based summary of the video by using the labelled transcript and information about identified individuals as prompts. A second generative AI model then determines a sensitivity classification of the video using the generated text-based summary.

Abstract: A computer-implemented method is provided for use with a package repository including software packages that include source portable and linkable executable files. The method includes populating a mapping database by, for each of a plurality of the source portable and linkable executable files having a file format: calculating a hash value of a pre-defined subset of sections of the source portable and linkable executable file, the pre-defined subset defined for the file format and including fewer than all of the sections specified by the file format; and storing, in the mapping database, the calculated hash value in association with (a) an identifier of the source portable and linkable executable file and (b) an identifier of the software package of the source portable and linkable executable file. Other embodiments are also described.

Abstract: A method for automatic management of user permissions in an organization including automatically grouping users into a plurality of user clusters based on at least one similarity between users in each user cluster, for each user cluster, automatically generating a set of cluster user permissions, the set of cluster user permissions including user permissions belonging to users in the cluster and actively used by at least one user in the cluster and for each user cluster, automatically modifying user permissions of each user in each cluster in accordance with the set of cluster user permissions.

Abstract: A system for automatically monitoring efficacy of security controls in a computer network, including a probe engine configurable with at least one set of rules relating to access permissions to data in the computer network, at least one security probe forming part of the probe engine and operative to automatically place, at at least one storage location within the computer network and with access permissions that are non-compliant with the at least one set of rules, simulated data corresponding to the data in the computer network and attempt to access the simulated data following the placement thereof, using access privileges satisfying the non-compliant access permissions, and a security monitoring and reporting module operative to provide a user sensible output indicating at least whether the attempt to access the simulated data was successful and, if so, reporting mitigating activities by the security controls in response to the successful attempt.

Abstract: A method of classifying a file, including extracting metadata from the file, assigning a classification for the file by applying a machine learning model that was trained to classify files based on the metadata, determining a confidence level representing an accuracy of the classification, wherein if the confidence level is below a threshold value analyze the content of the file to assign a classification for the file based on the content; and store the assigned file classification.

Abstract: Device, system, and method for automatically detecting and classifying personally identifiable information (PII) in documents and files. A method includes performing a deterministic rule-based search, in a plurality of stored documents, for PII data-items. If the deterministic rule-based search indicates that a particular document is more likely than not to contain a PII data-items then the method includes: extracting a textual snippet from the particular document, wherein the textual snippets surrounds the PII data-item; adding the textual snippet and the particular document to one or more training datasets utilized for training a Large Language Model (LLM) configured to find PII data-items in documents for Named Entity Recognition (NER) in those documents.

Abstract: A system and method for dynamically refining access rules for governing control of access by multiple users to data elements or services (DEOSs) stored in or accessed through at least one access controllable network element (ACONE), including collecting initial permissions to the DEOSs, receiving and periodically updating notifications of actual access events of the multiple users to the DEOSs, generating initial user groups for the multiple users, generating for each of the initial user groups, based at least partially on the notifications of actual access events, a list of users who have accessed at least one of the DEOSs, based at least partially on the lists, generating modified user groups, based at least partially on the modified user groups, generating modified permissions, and based on the modified permissions, updating the initial permissions to the DEOSs, thereby enabling only the users in particular modified user groups to access particular DEOSs.

Abstract: A system for monitoring data elements, including a data element monitor (DEM), monitoring a multiplicity of data elements, some of which having associated therewith a data representation, each of the multiplicity of data elements including data element content and data element information, and each of the data representations including data representation information corresponding to at least a subset of the data element information, an event notification ascertainer (ENA), ascertaining which of the multiplicity of the data elements being monitored has an event notification associated therewith and a difference reporter, reporting a difference between the data representation information in a data representation associated with one of the multiplicity of data elements being monitored, which has an event notification associated therewith, and corresponding data element information of that one of the multiplicity of the data elements being monitored which has an event notification associated therewith.

Abstract: A method for automatic management of user permissions in an organization including automatically grouping users into a plurality of user clusters based on at least one similarity between users in each user cluster, for each user cluster, automatically generating a set of cluster user permissions, the set of cluster user permissions including user permissions belonging to users in the cluster and actively used by at least one user in the cluster and for each user cluster, automatically modifying user permissions of each user in each cluster in accordance with the set of cluster user permissions.

Abstract: A system for automatically monitoring efficacy of security controls in a computer network, including a probe engine configurable with at least one set of rules relating to access permissions to data in the computer network, at least one security probe forming part of the probe engine and operative to automatically place, at at least one storage location within the computer network and with access permissions that are non-compliant with the at least one set of rules, simulated data corresponding to the data in the computer network and attempt to access the simulated data following the placement thereof, using access privileges satisfying the non-compliant access permissions, and a security monitoring and reporting module operative to provide a user sensible output indicating at least whether the attempt to access the simulated data was successful and, if so, reporting mitigating activities by the security controls in response to the successful attempt.

Abstract: A method for indexing objects in a computerized system having an index, comprising identifying in the computerized system an at least one indexed object that meets an at least one criterion related to contents of the at least one indexed object, detecting an at least one non-indexed object having a property similar to an at least one property of the at least one indexed object that was identified, and indexing the at least one non-indexed object in the index, wherein the method is performed by the computerized system, and an apparatus for performing the same.

Abstract: A system for preventing an excess user authentication token utilization condition in an enterprise computer environment, the system including an excess user authentication token utilization condition predictor operable for calculating a number of additional group memberships of each of the enterprise users that can be expected to result in an excess user authentication token utilization condition, a group membership estimator operable, for each the enterprise user, for estimating a number of additional group memberships of the enterprise user that will be created by an anticipated activity, and an anticipated excess user authentication token utilization condition alerter operable, before initiation of the anticipated activity, for providing an alert if the anticipated activity can be expected to result in an excess user authentication token utilization condition.

Abstract: A method for characterizing data elements in an enterprise including ascertaining at least one of an access metric and a data identifier for each of a plurality of data elements and employing the at least one of an access metric and a data identifier to automatically apply a metatag to ones of the plurality of data elements.

Abstract: A method for managing data in an enterprise by identifying data of interest from among a multiplicity of data elements in an enterprise, the method including characterizing data of interest at least by at least one non-content based data identifier thereof and at least one access metric thereof, the at least one access metric being selected from data access permissions and actual data access history and selecting data of interest by considering only data elements from among the multiplicity of data elements which have the at least one non-content based data identifier thereof and the at least one access metric thereof.

Abstract: A system for providing bi-directional visualization of authority of users over SACs in an enterprise-wide network, the system including functionality for providing user-wise visualization of the authority of a given user over at least one SAC in respect of which the user has authority, and functionality for providing SAC-wise visualization for a given SAC of the authority of at least one user over the given SAC.

Abstract: A system for providing bi-directional visualization of authority of users over SACs in an enterprise-wide network, the system including functionality for providing user-wise visualization of the authority of a given user over at least one SAC in respect of which the user has authority, and functionality for providing SAC-wise visualization for a given SAC of the authority of at least one user over the given SAC.

Abstract: A computerized method and apparatus for distinguishing between false positive read events and true positive events of reading a file, comprising determining an amount of date read from the file, in case the amount of data exceeds a threshold generating a true positive read event, otherwise generating a false positive read event in case a decision condition is met, and an apparatus to carry out the same.