Abstract: Cloud-based data loss prevention (DLP) systems and methods include monitoring a file to be checked for sensitive data from a user associated with a tenant; obtaining one or more dictionaries for the tenant; identifying a DLP match based on any of identifying exact document matches between the file and files in the one or more dictionaries, identifying same text in the file as in an indexed document in the one or more dictionaries, identifying content in the file that contains a subset of text in an indexed document in the one or more dictionaries, and identifying content that is similar but not exact as the text in an indexed document in the one or more dictionaries; and, responsive to the DLP match, blocking the file in the cloud-based system.

Abstract: Computer-implemented systems and methods include receiving unknown content in a cloud-based sandbox; performing an analysis of the unknown content in the cloud-based sandbox, to obtain a score to determine whether or not the unknown content is malware; obtaining events based on the analysis; running one or more rules on the events; and adjusting the score based on a result of the one or more. The systems and methods can include classifying the unknown content as malware or clean based on the adjusted score. The analysis can include a static analysis and a dynamic analysis, with the events generated based thereon.

Abstract: Disclosed is a computer implemented method for malware detection that analyses a file on a per packet basis. The method receives a packet of one or more packets associated a file, and converting a binary content associated with the packet into a digital representation and tokenizing plain text content associated with the packet. The method extracts one or more n-gram features, an entropy feature, and a domain feature from the converted content of the packet and applies a trained machine learning model to the one or more features extracted from the packet. The output of the machine learning method is a probability of maliciousness associated with the received packet. If the probability of maliciousness is above a threshold value, the method determines that the file associated with the received packet is malicious.

Abstract: Systems and methods for policy based agentless file transfer in zero trust private networks. Various systems and methods include receiving a request for a file transfer; determining a file transfer protocol; evaluating one or more criteria associated with the request, the criteria being associated with any of an end user and the contents of the file; and allowing or denying the file transfer based on the evaluating. Responsive to an end user's policy including a requirement for file inspection, the steps can further include sending the file to a sandbox for inspection, and receiving a result of the inspection from the sandbox.

Abstract: Techniques for deep tracing of one or more users via a cloud-based system include receiving a request from an administrator to actively troubleshoot a user; causing a user device associated with the user to create a deep tracing session based on the request; assisting the user device in performing one or more traces of a plurality of traces to a destination; receiving results from any of the plurality of traces and results from metrics collected at the user device; and displaying a network map between the user device and the destination.

Abstract: Techniques for using traceroute with tunnels and cloud-based systems for determining measures of network performance are presented. Systems and methods include identifying one or more of a proxy and a tunnel in a network path, determining a relative location of the proxy and the tunnel in the network path, performing a plurality of traces, for a plurality of legs of the network path based on the locations of the proxy and the tunnel, and aggregating details related to the plurality of legs of the network path to provide a holistic view of the network. The different protocols include Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP).

Abstract: Systems and methods for Data Loss Prevention (DLP) on images include detecting an image in monitored user traffic; scanning the image to identify any text and extracting any identified text therein; responsive to the extracting, scanning the extracted text with a plurality of DLP techniques including one or more DLP engines where the extracted text is checked to trigger the one or more DLP engines, Exact Data Matching (EDM) where the extracted text is matched to see if it matches specific content, and Indexed Data Matching (IDM) where the extracted text is matched to some part of a document from a repository of documents; and performing one or more actions based on results of the plurality of DLP techniques.

Abstract: Systems and methods include determining a plurality of features associated with executable files, wherein the plurality of features are each based on static properties in predefined structure of the executable files; obtaining training data that includes samples of benign executable files and malicious executable files; extracting the plurality of features from the training data; and utilizing the extracted plurality of features to train a machine learning model to detect malicious executable files.

Abstract: Systems and methods include providing a user interface to an administrator associated with a tenant of a cloud-based system, wherein the tenant has a plurality of users each having an associated user device; receiving a plurality of client forwarding policies for the plurality of users, wherein each client forwarding policy of the client forwarding policies define rules related to how application requests from the plurality of users are forwarded for zero trust access; and providing the rules to corresponding user devices of the plurality of users.

Abstract: Systems and methods include receiving a list of web sites; anonymously browsing to each web site in the list; receiving a response based on the browsing; and analyzing the response to classify each web site as malicious or not based on a plurality of techniques including JavaScript (JS) obfuscation detection based on de-obfuscation. The systems and methods can further include providing a blacklist of web sites classified as malicious. The systems and methods can further include determining the list of web sites periodically based on a plurality of factors. The JS obfuscation detection can be performed by de-obfuscating JS content and utilizing heuristics to determine if the de-obfuscated JS content is malicious, and the heuristics can include a presence of any of a new JS function and a domain in the de-obfuscated JS content.

Abstract: Systems and methods include obtaining a set of policies to in the serverless computing system, wherein the set of policies specify which applications are authorized for communication with the serverless computing system; and modifying rules in a network Access Control List (ACL) associated with the serverless computing system based on the set of policies, wherein the network ACL includes rules that specify allowing and blocking communication. The serverless computing system includes having underlying hardware abstracted therefrom. The network ACL is provided by a cloud provider that hosts the serverless computing system.

Abstract: Systems and methods include obtaining unused user accounts associated with a cloud application where an unused user account is one where a corresponding user has not accessed the cloud application in a certain period of time; determining a subset of the unused user accounts that are abnormal user accounts, wherein an abnormal user account is one that is anomalous compared to similar users; scoring and ranking the unused and abnormal user accounts; and remediating a set of the ranked unused and abnormal user accounts.

Abstract: Techniques for using trace with tunnels and cloud-based systems for determining measures of network performance are presented. Systems and methods include determining a number of hops from a source that is the user device and a destination, including determining metrics from the source to the destination; performing a trace to all intermediate nodes between the source and the destination, including determining metrics from the source to each of the intermediate nodes; and combining and presenting the metrics from the source to the destination and from the source to each of the intermediate nodes.

Abstract: Systems and methods include obtaining file identifiers associated with files in production data; obtaining lab data from one or more public repositories of malware samples based on the file identifiers for the production data; and utilizing the lab data for training a machine learning process for classifying malware in the production data. The obtaining file identifiers can be based on monitoring of users associated with the files, and only the file identifiers are maintained based on the monitoring. The lab data can include samples from the one or more public repositories matching the corresponding file identifiers for the production data. The lab data can include samples from the one or more public repositories that have features closely related to features of the production data.

Abstract: Techniques for using traceroute with tunnels and cloud-based systems for determining measures of network performance are presented. Systems and methods implemented by a traceroute application implementing a Transmission Control Protocol (TCP) stack in a processing device include sending a plurality of TCP packets via a raw socket to perform a trace to a destination; receiving responses to the plurality of TCP packets; detecting the responses in the TCP stack and diverting the responses to the raw socket; and aggregating the responses by the traceroute application to determine details of a service path from the processing device to the destination.

Abstract: A Multi-Access Edge Compute (MEC) system includes a plurality of compute resources including one or more processors configured to implement services; wherein the services include any of edge services, routing functions, and hosted services; and wherein the services further include cloud-based security services implemented in the MEC in conjunction with a cloud-based security system that includes a plurality of nodes and offers multi-tenant cloud-based security services, and wherein the cloud-based security services implemented in the MEC are for subscribers of a service provider associated with the MEC.

Abstract: Techniques for using trace with tunnels and cloud-based systems for determining measures of network performance are presented. Systems and methods include obtaining policy information related to a trace; performing a plurality of traces, from a start point to an end point in a network, using the different protocols based on the policy information; evaluating which of the plurality of traces reach the end point, and evaluating any of average latency of the plurality of traces, average loss of the plurality of traces, and a number of hops found, for each of the plurality of traces that reach the end point; and selecting a protocol of the different protocols to use for the trace based on the evaluating. The different protocols include Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP).

Abstract: Systems and methods include obtaining a file associated with a user for processing; utilizing a combination of policy for the user and machine learning to determine whether to i) quarantine the file and scan the file in a sandbox, ii) allow the file to the user and scan the file in the sandbox, and iii) allow the file to the user without the scan; responsive to the quarantine of the file and the sandbox determining the file is malicious, blocking the file; and, responsive to the quarantine of the file and the sandbox determining the file is benign, allowing the file.

Abstract: A node configured as any of a proxy, a Secure Web Gateway, and a Secure Internet Gateway is configured to perform steps of establishing a connection with a user device having a user associated with a tenant; obtaining policy for the user; monitoring traffic between the user device and the Internet including snooping session keys for any encrypted traffic; analyzing the traffic based on the policy including utilizing the session keys on the encrypted traffic; and one of allowing, blocking, or limiting the traffic based on the analyzing.

Abstract: Cloud Security Posture Management (CSPM) systems and methods include, in a node in a cloud-based system, obtaining a plurality of security policies and one or more compliance frameworks for a tenant of a cloud provider where the tenant has a cloud application deployed with the cloud provider, wherein each security policy defines a configuration and an expected value, and wherein each compliance framework includes one or more of the security policies; obtaining configurations of the cloud application; identifying misconfigurations of the cloud application based on a comparison of the obtained configurations with the plurality of security policies; analyzing the misconfigurations to determine risks including prioritization of the risks based on their likelihood of exposure to security breaches; and causing remediation of the identified misconfigurations and the determined risks, wherein the cloud-based system performs the CSPM service in addition to one or more additional cloud services.