Patents Assigned to Zscaler, Inc.
  • Patent number: 9882767
    Abstract: A Dynamic Name Server (DNS) surrogation method, a DNS system, and a DNS server provide DNS surrogation which is the idea that if a user device sends a DNS resolution request to a given DNS server that server does not need to actually perform the recursion itself. A policy can be defined telling the server that first received the request to take other factors into account and “relay” or “surrogate” that request to another node. This additional node is called a “surrogate” and it actually performs the recursion therefore allowing the resolving party to perform proper localization, optimization, or any other form of differentiated resolution. This surrogation also distributes the job of actually performing resolution, which adds scalability to the DNS server or service itself. A network of “surrogate” resolvers is possible as well as the concept of every client needing DNS resolution can also become a surrogate.
    Type: Grant
    Filed: July 23, 2013
    Date of Patent: January 30, 2018
    Assignee: Zscaler, Inc.
    Inventors: Patrick Foxhoven, John Chanak, Bill Fehring
  • Publication number: 20170353483
    Abstract: Systems and methods are implemented by one or more servers associated with a cloud-based security system, for determining security risks of entities including users or groups of users associated with the cloud-based security system and optimizing remediation based thereon. The method includes maintaining logs of transactions through the cloud-based security system; obtaining a plurality of attributes from the transactions while excluding impossible comparison items from the transactions; performing empirical scoring on normalizing the plurality of attributes for ranking risky entities; identifying the risky entities based on one of the empirical scoring and analytics; and updating policies and/or monitoring in the cloud-based system based on the identifying.
    Type: Application
    Filed: June 2, 2016
    Publication date: December 7, 2017
    Applicant: Zscaler, Inc.
    Inventors: Loren Weith, Deepen Desai, Amit Sinha
  • Patent number: 9838413
    Abstract: A method in a cloud-based security system includes operating a Domain Name System (DNS) resolution service, proxy, or monitor in the cloud-based security system; receiving DNS records with time-to-live (TTL) parameters; checking the TTL parameters for indication of a fast flux technique; and detecting domains performing the fast flux technique based on the DNS records. A cloud-based security system includes a plurality of nodes communicatively coupled to one or more users; and a Domain Name System (DNS) service providing a resolution service, proxy, or monitor in the cloud-based security system; wherein the DNS service is configured to receive DNS records with time-to-live (TTL) parameters; check the TTL parameters for indication of a fast flux technique; and detect domains performing the fast flux technique based on the DNS records.
    Type: Grant
    Filed: May 3, 2016
    Date of Patent: December 5, 2017
    Assignee: Zscaler, Inc.
    Inventor: Subbu Srinivasan
  • Publication number: 20170279803
    Abstract: Systems and methods implemented by a unified agent application executed on a mobile device, for unified service discovery and secure availability include authenticating a user into a plurality of cloud services including a proxy service and a Virtual Private Network (VPN) service, wherein the proxy service is utilized for Internet traffic and the VPN service is for Intranet traffic; creating and operating a link local network at the mobile device with a virtual network interface and multiple listening sockets; and intercepting traffic at the virtual network interface from one or more client applications on the mobile device and splitting the traffic between the proxy service, the VPN service, and the Internet based on a type of the traffic, a destination, and the one or more client applications.
    Type: Application
    Filed: May 12, 2016
    Publication date: September 28, 2017
    Applicant: Zscaler, Inc.
    Inventors: Purvi Desai, Vikas Mahajan, Abhinav Bansal, Ajit Singh, Sandeep Kumar, Vivek Raman
  • Patent number: 9760283
    Abstract: Systems and methods for managing sparsely updated counters in memory include, for a given interval of time and N counters associated with the given interval, managing a first set of the N counters in a first level of storage in the memory, wherein the first level of storage utilizes a hash table to store a counter identifier and a value for each of the first set; and responsive to filling up the first level of storage for a given user in the given interval, managing the first set and a second set of the N counters in a second level of storage in the memory, wherein the set utilizes memory buckets to incrementally store the first set and the second set.
    Type: Grant
    Filed: September 28, 2015
    Date of Patent: September 12, 2017
    Assignee: Zscaler, Inc.
    Inventors: Satish Kalipatnapu, Sushil Pangeni, Kumar Gaurav, Chakkaravarthy Periyasamy Balaiah
  • Publication number: 20170223024
    Abstract: Systems and methods, implemented by one or more nodes in a cloud-based security system, for enforcing application-based control of network resources include receiving a request from a user device for the network resources; evaluating the request through the cloud-based security system and determining an application on the user device performing the request; and performing one of (1) denying the request if the application is unauthorized to access the network resources, (2) redirecting the request to an authorized application on the user device if the application is legitimate but unauthorized to access the network resources, and (3) allowing the request if the application is authorized to access the network resources.
    Type: Application
    Filed: January 29, 2016
    Publication date: August 3, 2017
    Applicant: Zscaler, Inc.
    Inventors: Purvi DESAI, Abhinav BANSAL
  • Publication number: 20170223029
    Abstract: Content Delivery Network (CDN) protection systems and methods, performed by a cloud node in a distributed security system include receiving traffic between one or more origin servers and the CDN; monitoring the traffic based on policy; detecting one or more of malware and data leakage in the traffic based on the policy; and blocking the traffic responsive to the detecting the one or more of the malware and the data leakage in the traffic, prior to the traffic entering the CDN.
    Type: Application
    Filed: January 29, 2016
    Publication date: August 3, 2017
    Applicant: Zscaler, Inc.
    Inventors: Dhawal Kumar Sharma, Manoj Apte, Patrick Foxhoven
  • Patent number: 9712388
    Abstract: A cloud configuration management method implemented in a cloud configuration management system communicatively coupled to one or more cloud nodes in a cloud system includes creating a plurality of golden configurations for each of a plurality of roles, wherein each of the one or more cloud nodes has one of the plurality of roles for operation in the cloud system; defining metadata rules for each of the plurality of golden configurations; performing a configuration analysis to audit the one or more cloud nodes using the metadata rules; and providing results of the configuration analysis to determine misconfiguration of any of the one or more cloud nodes.
    Type: Grant
    Filed: August 12, 2016
    Date of Patent: July 18, 2017
    Assignee: Zscaler, Inc.
    Inventors: Rajnish Mishra, Anupam Pandey, Sachin Kumar, Jaspreet Singh, Anshul Behl, Kaleeswaran Karuppasamy
  • Patent number: 9705922
    Abstract: A cloud-based method, system, and transparent proxy for user-level policy, reporting, and authentication over Domain Name System (DNS) include maintaining a local user Internet Protocol (IP) database identifying users in an enterprise; and acting as a transparent proxy for all DNS requests from the users performing the steps of: for a user already identified in the local user IP database, forwarding a DNS request to a cloud-based system with an identifier from the local user IP database of the user associated with the DNS request; and for the user not identified in the local user IP database, performing a series of redirects and hand offs in the cloud-based system to identify the user.
    Type: Grant
    Filed: August 4, 2014
    Date of Patent: July 11, 2017
    Assignee: Zscaler, Inc.
    Inventors: Patrick Foxhoven, John Chanak, William Fehring
  • Publication number: 20170142068
    Abstract: A multi-tenant cloud-based firewall method from a client, performed by a cloud node, includes receiving a packet from the client, wherein the client is located externally from the cloud node; checking if a firewall session exists for the packet, and if so, processing the packet on a fast path where a lookup is performed to find the firewall session; if no firewall session exists, creating the firewall session; and processing the packet according to the firewall session and one or more rules. The cloud node can perform the method without a corresponding appliance or hardware on premises, at a location associated with the client, for providing a firewall.
    Type: Application
    Filed: November 17, 2015
    Publication date: May 18, 2017
    Applicant: Zscaler, Inc.
    Inventors: Srikanth DEVARAJAN, Vladimir STEPANENKO, Ravinder VERMA, James KAWAMOTO
  • Patent number: 9654507
    Abstract: A cloud-based method, a system, and a cloud-based security system include receiving a request from a user for a cloud application at a proxy server; determining whether the user is authenticated based on a presence of cookies in the request; if the cookies are present, un-transforming the cookies by the proxy server and forwarding the request with the un-transformed cookies to the cloud application; and, if the cookies are not present, forwarding the request to the cloud application by the proxy server for authentication and transforming the cookies subsequent to the authentication prior to sending the cookies to the user.
    Type: Grant
    Filed: July 31, 2014
    Date of Patent: May 16, 2017
    Assignee: Zscaler, Inc.
    Inventors: Tejus Gangadharappa, Sivaprasad Udupa, Dhawal Sharma, Sridhar Narasimhan, Manoj Apte
  • Patent number: 9621574
    Abstract: A cloud based security method includes authenticating a mobile device through a cloud based security system; associating the mobile device with a user of the cloud based security system based on the authenticating; monitoring user requests from the mobile device by the cloud based security system; detecting security threats based on the monitoring; and sending an out of band end user notification to the mobile device responsive to detecting a security threat, wherein the out of band end user notification comprises information for the user related to the security threat.
    Type: Grant
    Filed: August 18, 2014
    Date of Patent: April 11, 2017
    Assignee: Zscaler, Inc.
    Inventors: Purvi Desai, Abhinav Bansal, Vikas Mahajan
  • Publication number: 20170090760
    Abstract: Systems and methods for managing sparsely updated counters in memory include, for a given interval of time and N counters associated with the given interval, managing a first set of the N counters in a first level of storage in the memory, wherein the first level of storage utilizes a hash table to store a counter identifier and a value for each of the first set; and responsive to filling up the first level of storage for a given user in the given interval, managing the first set and a second set of the N counters in a second level of storage in the memory, wherein the set utilizes memory buckets to incrementally store the first set and the second set.
    Type: Application
    Filed: September 28, 2015
    Publication date: March 30, 2017
    Applicant: ZSCALER, INC.
    Inventors: Satish KALIPATNAPU, Sushil PANGENI, Kumar GAURAV, Chakkaravarthy Periyasamy BALAIAH
  • Patent number: 9609460
    Abstract: Cloud based mobile device security and policy systems and methods use the “cloud” to pervasively enforce security and policy on mobile devices. The cloud based mobile device security and policy systems and methods provide uniformity in securing mobile devices for small to large organizations. The cloud based mobile device security and policy systems and methods may enforce one or more policies for users wherever and whenever the users are connected across a plurality of different devices including mobile devices. This solution ensures protection across different types, brands, operating systems, etc. for smartphones, tablets, netbooks, mobile computers, and the like.
    Type: Grant
    Filed: July 13, 2015
    Date of Patent: March 28, 2017
    Assignee: Zscaler, Inc.
    Inventor: Amit Sinha
  • Patent number: 9609015
    Abstract: A cloud-based method, a behavioral analysis system, and a cloud-based security system can include a plurality of nodes communicatively coupled to one or more users, wherein the plurality of nodes each perform inline monitoring for one of the one or more users for security comprising malware detection and preclusion; and a behavioral analysis system communicatively coupled to the plurality of nodes, wherein the behavioral analysis system performs offline analysis for any suspicious content from the one or more users which is flagged by the plurality of nodes; wherein the plurality of nodes each comprise a set of known malware signatures for the inline monitoring that is periodically updated by the behavioral analysis system based on the offline analysis for the suspicious content.
    Type: Grant
    Filed: July 10, 2015
    Date of Patent: March 28, 2017
    Assignee: Zscaler, Inc.
    Inventors: Sriram Natarajan, Narinder Paul, Julien Sobrier, Karthikeyan Thamilarasu, Balakrishna Bayar, Michael Andrew William Sutton
  • Patent number: 9569195
    Abstract: An upgrade method for a Unix or Unix-like operating system, a server, and a cloud-based system include operating a server with an old operating system with a partition structure for media, wherein the partition structure includes a root partition and a usr partition; copying media to the root partition and the usr partition associated with a new operating system while the old operating system is operating; rebooting the server with the new operating system set to load; and subsequent to the rebooting, making the root partition persistent using memory and the usr partition persistent using a NULL file system.
    Type: Grant
    Filed: May 13, 2014
    Date of Patent: February 14, 2017
    Assignee: Zscaler, Inc.
    Inventors: Arcady Schekochikhin, Srikanth Devarajan
  • Publication number: 20170011079
    Abstract: Systems and methods for tracking and auditing changes in one or more cloud-based systems include, at a Web application, intercepting requests between one or more users and the Web application associated with the one or more cloud-based systems and creating log messages based on the intercepted requests; at a log forwarder in the logging system, forwarding the log messages to a log indexer; at the log indexer in the logging system, receiving the forwarded log messages and indexing the forwarded log messages in a centralized storage; and, at the logging system, responsive to a query, forwarding responsive indexed data from the centralized storage, based on the query.
    Type: Application
    Filed: July 9, 2015
    Publication date: January 12, 2017
    Applicant: Zscaler, Inc.
    Inventors: Manav VERMA, Sofian HALIM, Gunjan BHASIN
  • Patent number: 9531758
    Abstract: A cloud-based secure Web gateway, a cloud-based secure Web method, and a network deliver a secure Web gateway (SWG) as a cloud-based service to organizations and provide dynamic user identification and policy enforcement therein. As a cloud-based service, the SWG systems and methods provide scalability and capability of accommodating multiple organizations therein with proper isolation therebetween. There are two basic requirements for the cloud-based SWG: (i) Having some means of forwarding traffic from the organization or its users to the SWG nodes, and (ii) Being able to authenticate the organization and users for policy enforcement and access logging. The SWG systems and methods dynamically associate traffic to users regardless of the source (device, location, encryption, application type, etc.), and once traffic is tagged to a user/organization, various policies can be enforced and audit logs of user access can be maintained.
    Type: Grant
    Filed: May 14, 2015
    Date of Patent: December 27, 2016
    Assignee: Zscaler, Inc.
    Inventors: Srikanth Devarajan, Sridhar Narasimhan, Amit Sinha, Manoj Apte
  • Publication number: 20160352572
    Abstract: A cloud configuration management method implemented in a cloud configuration management system communicatively coupled to one or more cloud nodes in a cloud system includes creating a plurality of golden configurations for each of a plurality of roles, wherein each of the one or more cloud nodes has one of the plurality of roles for operation in the cloud system; defining metadata rules for each of the plurality of golden configurations; performing a configuration analysis to audit the one or more cloud nodes using the metadata rules; and providing results of the configuration analysis to determine misconfiguration of any of the one or more cloud nodes.
    Type: Application
    Filed: August 12, 2016
    Publication date: December 1, 2016
    Applicant: Zscaler, Inc.
    Inventors: Rajnish MISHRA, Anupam PANDEY, Sachin KUMAR, Jaspreet SINGH, Anshul BEHL, Kaleeswaran KARUPPASAMY
  • Patent number: 9471469
    Abstract: An automation and regression management method for testing software in a highly-complex cloud-based system with a plurality of nodes, through an automation and regression management system, includes receiving a plurality of requests for automated test runs on nodes in the highly-complex cloud-based system; managing the plurality of requests by either starting an automated test run on a node or queuing the automated test run if another automated test run is already operating on the node; determining details of each of the automated test runs subsequent to completion; storing the details of each of the automated test runs in a database; and providing the details of each of the automated test runs to a requesting user.
    Type: Grant
    Filed: October 28, 2014
    Date of Patent: October 18, 2016
    Assignee: Zscaler, Inc.
    Inventors: Rajnish Mishra, Jaspreet Singh, Ajit Singh, Shivani Sharma, Mandeep Singh, Shivam Dhingra