Abstract: A technique to provide early detection of ransomware is disclosed. Message traffic from secure gateways is monitored. Statistical anomaly detection and behavioral anomaly detection is performed. Visualization and alerts may be generated to aid operators to identify ransomware attacks and take proactive measures. In one implementation, the early detection of ransomware is performed in the cloud.

Abstract: Systems and methods for identifying device type within a network include receiving data associated with monitoring network communication traffic associated with a plurality of devices; analyzing the data of the plurality of devices, wherein the analyzing includes identifying one or more features of the data of each of the plurality of devices; and labeling each of the plurality of devices as one of a user device and a non-user device based on the one or more features.

Abstract: Systems and methods for providing zero-trust connectivity for Subscriber Identity Module (SIM) enabled user equipment include responsive to a device having a SIM card equipped therein connecting to a cellular network, intercepting traffic associated with the device traversing the cellular network; forwarding the traffic through a cloud-based system; and processing the traffic from the device according to policy enforced by the cloud-based system.

Abstract: A technique to stop lateral movement of ransomware between endpoints in a VLAN is disclosed. A security appliance is set as the default gateway for intra-LAN communication by overwriting the DHCP responses. A high availability cluster of the gateways is utilized to distribute traffic and implement load balancing amongst the gateways.

Abstract: A technique to stop lateral movement of ransomware between endpoints in a VLAN is disclosed. A security appliance is set as the default gateway for intra-LAN communication. Message traffic from compromised endpoints is detected. Attributes of ransomware may be detected in the message traffic, as well as attempts to circumvent the security appliance. Compromised devices may be quarantined. A disposable jump box may be utilized to provide an additional layer of protection against ransomware.

Abstract: Systems and methods include, responsive to a scan by the CASB system of a plurality of users associated with a tenant in a Software-as-a-Service (SaaS) application where the scan includes identifying malware in content in the SaaS application and performing Data Loss Prevention (DLP) in the content in the SaaS application, maintaining records associated with a plurality of incidents for the malware and the DLP; providing a User Interface (UI) for the tenant including an analytics view with a plurality of summary tiles including visualizations of the plurality of incidents for the malware and the DLP for the tenant; and providing the UI for the tenant including a table listing any of the plurality of incidents for the malware and the DLP for the tenant, including any of unique data objects, unique users internal to the tenant, and unique external entities, associated with the plurality of incidents.

Abstract: Systems and methods include, responsive to a request to access an application, wherein the application is in one of a public cloud, a private cloud, and an enterprise network, and wherein the user device is remote over the Internet, determining if a user of the user device is permitted to access the application and whether the application should be provided in an isolated browser; responsive to the determining, initiating an isolation session by creating secure tunnels between the user device, an isolation service operating the isolated browser, and the application based on connection information; loading the application in the isolated browser, via the secure tunnels; and responsive to traffic associated with the isolation session being to an external destination, forwarding the traffic to a cloud monitoring system.

Abstract: Systems and methods include obtaining a profile for an application, wherein the profile includes one or more tenants, rules for use of the application by the one or more tenants, and users for the rules; monitoring a user of a tenant of the one or more tenants inline via a node in a cloud-based system; identifying an application of the one or more applications based on the monitoring and associated rules for the user; and enforcing the associated rules for the user for the application.

Abstract: The present disclosure relates to systems and methods for egress handling for networks with Public Internet Protocol (IP) address. The disclosure includes identifying if a public Internet Protocol (IP) is used on a private network; performing a traceroute to an originating point of a tunnel; responsive to no reply to the traceroute, making a location call to an end node, wherein the end node identifies the origin of the location call, the identity of the origin being an egress IP; and responsive to a reply to the traceroute, using the IP to show the origin of the tunnel. The disclosure further includes, responsive to no tunnel being present, providing a continuous network path from a client to a destination.

Abstract: Systems and methods include responsive to receiving a request at a remote node, determining whether the request is to be sent directly or via a cloud-based system; establishing a control channel of a tunnel utilizing a first encryption technique, wherein the tunnel is between the remote node and a local node, and wherein the control channel includes a session identifier; establishing a data channel of the tunnel utilizing a second encryption technique, wherein the data tunnel is bound to the control channel based on the session identifier; performing, over the control channel, device authentication and user authentication of one or more users associated with the remote node, wherein each of the one or more users includes a user identifier; and, subsequent to the device authentication and the user authentication, exchanging data packets over the data channel with each data packet including a corresponding user identifier.

Abstract: The present disclosure relates to systems and methods for synchronizing device states across two distributed systems. Various embodiments include a convergence mechanism also referred to as a device resync engine. The basis of the present system and methods is that any and every operation done between the two distributed systems, via Application Programming Interfaces (API's), pushes the system towards re-synchronization. This is achieved by providing an active feedback of the user's device state on every user action. For example, a user performs an authentication on one device; the two systems complete the authentication and additionally ensure all states of all devices owned by the user are in sync. By performing these small corrections for every user, the present systems and methods are able to re-converge into a synchronized state while keeping compute expanses low and process efficient.

Abstract: Systems and methods include obtaining log data for a plurality of users of an enterprise, wherein the log data relates to usage of a plurality of applications by the plurality of users; analyzing the log data to determine one or more relations between the plurality of users and the plurality of applications; determining one or more app-segments that are groupings of application of the plurality of applications based on the log data and the one or more relations between the plurality of users and the plurality of applications; and providing access policy of the plurality of applications based on the one or more app-segments.

Abstract: Systems and methods for protecting sensitive mobile applications from attack include incorporating private application access software in a mobile application that operates on a user device to provide functionality to an end user, the functionality is separate from the private application access; deploying application connectors in front of a private application that is accessed by the mobile application; responsive to a request to access the private application, authenticating the end user through the mobile application; and, responsive to authentication, providing access to the private application through the mobile application via a plurality of secure tunnels. The application connectors are configured to only provide outbound connections, thereby protecting the private application from the attack. The request to access is received via a cloud-based system which is configured to drop any invalid request, thereby protecting the private application from the attack.

Abstract: Cloud-based 5G security, implemented in a Multi-Access Edge Compute (MEC) system, includes steps of receiving a request for a workload from User Equipment (UE); determining a type of traffic for the workflow and querying a machine learning engine based on the traffic type; informing the UE of how the workflow should be accessed; and receiving an updated request for the workflow and steering the traffic based on how the workflow should be steered. The steps can include receiving policy updates from a cloud-based system, related to how workloads should be steered.

Abstract: Systems and methods include obtaining trusted network rules for a plurality of networks, wherein the trusted network rules include whether a network is untrusted or one of a plurality of trusted networks; obtaining policy configurations for each of the trusted network rules, wherein the policy configurations define configurations for a cloud-based system to use with a user device based on a corresponding network where the user device is connected; communicating with the user device and determining which network of the plurality of network the user device is connected; and applying the configurations in the cloud-based system for the user device based on the network the user device is connected. The steps can further include obtaining forwarding policies for each of the plurality of networks; and providing the forwarding policies to a connector application executed on the user device.

Abstract: A method performed by a Cloud Access Security Broker (CASB) service includes scanning data stored in one of a cloud provider and a Software-as-a-Service (SaaS) application, wherein the data is for a user associated with a company of a plurality of companies; detecting an incident in a file or email in the data during the scanning; maintaining details of the incident in an in-memory data store, including a current snapshot of the file or email; and providing a notification to the tenant of the incident. The method can further include, subsequent to the incident and while the file or email is being updated, updating the details of the incident in the in-memory data store.

Abstract: Systems and methods of Exact Data Matching (EDM) include receiving customer specific sensitive data for a customer, wherein the customer specific sensitive data are converted into a plurality of tokens; receiving a configuration for exact data matching of the plurality of tokens; performing inline monitoring of a user associated with the customer; detecting a presence of one or more tokens of the plurality of tokens based on the inline monitoring; and, responsive to the detecting, performing an action based on the configuration.

Abstract: Systems and methods include, responsive to a request to access an application, wherein the application is in one of a public cloud, a private cloud, and an enterprise network, and wherein the user device is remote over the Internet, determining if a user of the user device is permitted to access the application and whether the application should be provided in an isolated browser; responsive to the determining, creating secure tunnels between the user device, an isolation service operating the isolated browser, and the application based on connection information; loading the application in the isolated browser, via the secure tunnels; and providing image content for the application to the user device, via the secure tunnels.

Abstract: Systems and methods include intercepting traffic on the user device; forwarding the traffic to a cloud-based system for security processing therein; and, responsive to unavailability of the cloud-based system preventing the forwarding, performing local security processing of the traffic at the user device including determining whether the traffic is allowed based on a cache at the user device, forwarding the traffic separate from the cloud-based system when it is allowed, and blocking the traffic when it is not allowed.

Abstract: Systems and methods include responsive to a user initiating a session with a resource, determining a master fingerprint of a device associated with the user; collecting, at predefined time intervals, one or more additional fingerprints during the session; comparing the one or more additional fingerprints with the master fingerprint; and performing one or more actions based on the comparing.