Abstract: Systems and methods include, responsive to determining a user can access an application via a cloud-based system, wherein the application is in one of a public cloud, a private cloud, and an enterprise network, and wherein the user is remote over the Internet, obtaining a predetermined inspection profile for the user with the inspection profile including a plurality of rules evaluated in an order; performing inspection of the access using the plurality of rules in the order; and responsive to results of any of the plurality of rules, one or more of monitoring, allowing, blocking, and redirecting the access, via the cloud-based system.

Abstract: A method includes monitoring content inline between any of users, enterprises, and the Internet by a cloud-based system; analyzing the content with a trained machine learning model to provide an initial classification of benign or malicious; determining an uncertainty associated with the initial classification; and one of allowing the content, blocking the content, and sandboxing the content, based on the initial classification and the uncertainty. The uncertainty is used to minimize latency for user experience while avoiding incorrect classifications, in the inline monitoring.

Abstract: A method implemented by a cloud-based system includes steps of, responsive to connecting to a user device with a user associated with a first tenant of a plurality of tenants, obtaining security policies for the user that are configured for the tenant, wherein the security policies for the user are the same regardless of connection type, location of the user, and device type and operating system of the user device; stream scanning traffic between the user device and the Internet based on the security policies, wherein the security policies are for firewall and intrusion prevention functions; and one of allowing and blocking the traffic based on the stream scanning.

Abstract: Systems and methods for cloud-based inline encrypted traffic inspection include monitoring a plurality of users having associated user devices communicating over the Internet and the plurality of users are each associated with a plurality of organizations; responsive to traffic being encrypted by any user of the plurality of users, performing operations to enable inline access to the encrypted traffic for the any of the plurality of users; obtaining policy for the any user where the policy is determined by an associated organization of the any user and policy defines how the encrypted traffic is inspected; inspecting the encrypted traffic for the any user based on the obtained policy; and performing actions on the encrypted traffic based on the inspecting.

Abstract: Kill-chain reconstruction via machine learning includes, responsive to (1) training one or more machine learning models for kill-chain reconstruction, (2) monitoring one or more users associated with an enterprise, and (3) detecting an incident that is one or more of a threat and a policy violation for a user of the one or more users, identifying a transaction associated with the threat and a policy violation as a seed transaction; retrieving transactions of the user from a preconfigured time window leading up to and occurring after the seed transaction; and reconstructing a kill-chain based on the seed transaction and the time window.

Abstract: A cloud service is executed on a plurality of nodes, each including at least one processor, and the cloud service is configured to communicate with a plurality of user devices, each user device associated with a user from an organization of a plurality of organizations, and each user device includes a plugin or browser extension installed thereon, provide configuration information to any of the plurality of user devices where the configuration information includes a plurality of domains to be monitored by the plugin or browser extension, wherein the plugin or browser extension is configured to monitor and/or determine real user monitoring (RUM) statistics when a given user device accesses one of the plurality of domains; and receive the RUM statistics from any of the plurality of user devices.

Abstract: Systems and methods include obtaining historical data of traffic for a plurality of locations for a cloud service; labeling the historical data as one of human and server based on a plurality of features; and utilizing the labeled historical data to train a machine learning model to classify traffic as one of human and server. The steps can further include utilizing the trained machine learning model to classify unauthenticated traffic, for the cloud service, from a specific location or a specific IP address.

Abstract: Systems and methods for determining the egress of networks and identifying routers associated with networks and ISPs include determining an egress of a network; determining a prefix associated with the egress of the network; performing a trace to a destination through the network; and identifying one or more private routers belonging to the network based on the trace and the prefix associated with the egress of the network.

Abstract: The present disclosure relates to systems and methods for cloud-based 5G security network architectures intelligent steering, workload isolation, identity, and secure edge steering. Specifically, various approaches are described to integrate cloud-based security services into Multiaccess Edge Compute servers (MECs). That is, existing cloud-based security services are in line between a UE and the Internet. The present disclosure includes integrating the cloud-based security services and associated cloud-based system within service provider's MECs. In this manner, a cloud-based security service can be integrated with a service provider's 5G network or a 5G network privately operated by the customer. For example, nodes in a cloud-based system can be collocated within a service provider's network, to provide security functions to 5G users or connected by peering from the cloud-based security service into the 5G service provider's regional communications centers.

Abstract: Systems and methods include receiving content for classification; classifying the content as one of benign and malicious utilizing a model that has been trained with a training set of data including benign data and malicious data; determining a first pattern associated with the content; comparing the first pattern with a second pattern that is associated with one of the benign data and the malicious data; and determining an uncertainty of the classifying based on a distance between the first pattern and the second pattern. The systems and methods can include discarding the classification if the distance is greater than a configurable threshold.

Abstract: Systems and methods for providing identity services are provided. A method, according to one implementation, includes a step of assuming unified and centralized responsibility for performing identity-related services for a plurality of network security products. In response to an end user device attempting to initiate a session with a selected network security product of the plurality of network security products, the method may perform the identity-related services to manage or authenticate an identity of the end user device or a user of the end user device. Then, the method includes a step of enabling the end user device to establish the session with or receive a service from the selected network security product after performing the identity-related services.

Abstract: Systems and methods for Large Language Models (LLMs) to generate an Artificial Intelligence (AI) business insight report using business insight data include obtaining business insight data for an organization where the business insight data is from a plurality of sources including from monitoring of a plurality of users associated with the organization; inputting the business insight data to a first Large Language Model (LLM) to generate an initial output for a business insight report; inputting the initial output to a second LLM for critiquing the initial output against a set of rules to check for predefined flaws and to check for what was done correctly to generate a critique; resolving the initial output and the critique to generate a final output; and providing the final output for the business insight report.

Abstract: Systems and methods for analyzing cybersecurity data to determine financial risk include obtaining cybersecurity monitoring data for an organization where the cybersecurity monitoring data is from a plurality of sources including from cybersecurity monitoring of a plurality of users associated with the organization; determining a current cyber risk posture of the organization based on the cybersecurity monitoring data; determining inputs for a Monte Carlo simulation to characterize financial losses of the organization due to a cyber event in a predetermined time period based on (1) an associated industry of the organization, (2) a size of the organization, and (3) the current cyber risk posture of the organization; performing a plurality of trials of the Monte Carlo simulation utilizing the inputs; and displaying a risk distribution curve based on results of the plurality of trials where the risk distribution curve plots a curve of losses versus a probability.

Abstract: Systems and methods for collecting and displaying business insights in a cloud-based system. Steps include obtaining data from a cloud-based system associated with any of applications, infrastructure, and employees of an organization, wherein the cloud-based system includes a plurality of organizations with the applications, infrastructure, and employees each assigned thereto; processing the data associated with the organization to determine a plurality of insights; and displaying the plurality of insights on a per-organization basis based on the processing.

Abstract: Systems and methods are provided for protecting identity information in a directory, such as Active Directory. A method, according to one implementation, include the step of conducting a scan of a directory of a network domain to gain visibility of one or more vulnerabilities of the directory. The one or more vulnerabilities define a potential security risk that would allow an attacker to leverage identity-related information from the directory. The method further includes the step of guiding an administrator regarding management of the directory to reduce the potential security risk. Also, the method includes the step of monitoring the directory for one or more attacks to leverage the identity-related information.

Abstract: Systems and methods for sing Large Language Models (LLMs) to generate an Artificial Intelligence (AI) report on security risk using the cybersecurity data include obtaining cybersecurity monitoring data for an organization where the cybersecurity monitoring data is from a plurality of sources including from cybersecurity monitoring of a plurality of users associated with the organization; inputting the cybersecurity monitoring data to a first Large Language Model (LLM) to generate an initial output for a security report; inputting the initial output to a second LLM for critiquing the initial output against a set of rules to check for predefined flaws and to check for what was done correctly to generate a critique; resolving the initial output and the critique to generate a final output; and providing the final output for the security report.

Abstract: The present disclosure relates to systems and methods for cloud-based 5G security network architectures intelligent steering, workload isolation, identity, and secure edge steering. Specifically, various approaches are described to integrate cloud-based security services into Multiaccess Edge Compute servers (MECs). That is, existing cloud-based security services are in line between a UE and the Internet. The present disclosure includes integrating the cloud-based security services and associated cloud-based system within service provider's MECs. In this manner, a cloud-based security service can be integrated with a service provider's 5G network or a 5G network privately operated by the customer. For example, nodes in a cloud-based system can be collocated within a service provider's network, to provide security functions to 5G users or connected by peering from the cloud-based security service into the 5G service provider's regional communications centers.

Abstract: A node configured as any of a proxy, a Secure Web Gateway, and a Secure Internet Gateway is configured to perform steps of, responsive to establishing a connection with a user device having a user associated with a tenant and obtaining policy for the user, monitoring traffic between the user device and the Internet where the monitoring is at a middle location, inline between the user device and an endpoint; responsive to the traffic being encrypted as a tunnel, performing one or more operations to enable accessing the encrypted traffic; analyzing the traffic based on the policy, including at least checking for malicious traffic and Data Loss Prevention (DLP) for the tenant; and one of allowing, blocking, or limiting the traffic based on the analyzing.

Abstract: Systems and methods include causing a scan by Cloud Access Security Broker (CASB) system of a plurality of users associated with a tenant in a Software-as-a-Service (SaaS) application where the scan includes any of identifying malware in content in the SaaS application and identifying confidential data in the content in the SaaS application; during the scan which is covering historical data in the SaaS application, receiving notifications of the content being actively modified by any of the plurality of users; and including the content being actively modified in the scan with the historical data. The systems and methods can further include maintaining geolocation of the any of the plurality of users; and causing the content being actively modified in the scan to be processed by the CASB system based on the geolocation.

Abstract: Systems and methods for dynamic session aggregation detection include receiving session logs for one of a plurality of machines operating in a cloud-based system; determining a plurality of time intervals between activities based on the session logs; determining a probability of a new log to be received after each time interval of the plurality of time intervals; calculating a slope from a shortest break interval and a slope to a longest break interval for each log of the session logs; calculating a slope ratio for each log of the session logs; and determining an optimal maximum session duration based on the slope ratios. The steps further include defining a new applicative session each time the machine experiences a break larger than the optimal maximum session duration.