Patents Examined by Cheng-Feng Huang
  • Patent number: 11777951
    Abstract: Novel tools and techniques are provided for implementing data and source validation for equipment output data and/or for equipment failure prediction. In various embodiments, in response to receiving a first request for first data that is output by first equipment, a computing system might retrieve and analyze the first data to determine whether the first data can be trusted. If so, the computing system might send the first data to the requesting device. If not, the computing system might send a second request for identifying a blockchain containing a block containing a copy of the first data. In response to the blockchain system identifying such a blockchain, the computing system might receive the identified blockchain; might abstract the block containing the copy of the first data from the identified blockchain; might abstract the first data from the block; and might send the first data to the requesting device.
    Type: Grant
    Filed: November 2, 2021
    Date of Patent: October 3, 2023
    Assignee: CenturyLink Intellectual Property LLC
    Inventors: Steven M. Casey, Kevin M. McBride, William O'Brien, Jr., Stephen Opferman
  • Patent number: 11770372
    Abstract: Embodiments described herein are generally directed to integration of multiple services across multiple clouds within a unified IAM control plane. According to an example, an MSP provides (i) a user interface through which users of multiple tenants are able to configure permissions for and access multiple resources of a set of services associated with a hybrid cloud; and (ii) a unified IAM control plane across the set of services, each of which potentially uses a different IAM protocol or scheme. A centralized IAM service is maintained by the MSP containing information regarding the permissions for the resources. Multiple service integrations for the set of services are supported by the MSP, including providing a first set of APIs that facilitate a direct integration with the unified IAM control plane in which the centralized IAM service maintains access control information for resources associated with a first service of the set of services.
    Type: Grant
    Filed: July 28, 2020
    Date of Patent: September 26, 2023
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Travis Tripp, Craig W. Bryant, Ryan Brandt, Sonu Sudhakaran, Joseph Keen, Andrea Adams
  • Patent number: 11757945
    Abstract: A system and method for the contextualization and management of collaborative databases in an adversarial information environment. The system and method feature the ability to scan for, ingest and process, and then use relational, wide column, and graph stores for capturing entity data, their relationships, and actions associated with them. Furthermore, meta-data is gathered and linked to the ingested data, which provides a broader contextual view of the environment leading up to and during an event of interest. The gathered data and meta-data is used to manage the reputation of the contributing data sources. The system links each successive data set, algorithm, or meta-data which might pertain to its unique identification and to its ultimate reputation, utility, or fitness for purpose.
    Type: Grant
    Filed: May 31, 2022
    Date of Patent: September 12, 2023
    Assignee: QOMPLX, INC.
    Inventors: Jason Crabtree, Andrew Sellers, Richard Kelley
  • Patent number: 11757886
    Abstract: Methods, systems, and computer-readable media for analysis of role reachability using policy complements are disclosed. An access control analyzer determines two nodes in a graph that potentially have a common edge. The nodes correspond to roles in a provider network, and the roles are associated with first and second access control policies that grant or deny access to resources. The access control analyzer performs a role reachability analysis that determines whether the first role can assume the second role for a particular state of one or more key-value tags. The role reachability analysis determines a third access control policy authorizing a negation of a role assumption request for the second role. The role reachability analysis performs analysis of the third access control policy with respect to a role assumption policy for the second role for the particular state of the one or more key-value tags.
    Type: Grant
    Filed: December 11, 2020
    Date of Patent: September 12, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: John Byron Cook, Neha Rungta, Carsten Varming, Daniel George Peebles, Daniel Kroening, Alejandro Naser Pastoriza
  • Patent number: 11755777
    Abstract: A data anonymization computer system selectively anonymizes data items from data structures prior to forwarding the data structures to a third-party network service. The data anonymization computer system identifies at least a respective data item of the data structure that meets a set of conditions, including at least a first condition in which at least a portion of the respective data item has a format that coincides with the predetermined format and replaces a set of characters of the respective data item having the format with a string of characters of a respective token of a pool of tokens. The data anonymization computer system forwards the data structures to the third-party network service with each of the respective data items having the string of characters of the respective token in place of the replaced set of characters.
    Type: Grant
    Filed: March 1, 2021
    Date of Patent: September 12, 2023
    Assignee: STRATOKEY PTY LTD.
    Inventors: Anthony Scotney, Sabyasachi Routray
  • Patent number: 11743234
    Abstract: Some embodiments of the invention provide a method of upgrading a firewall module executing on a host computer to process traffic sent to and from machines executing on the host computer. While a first version of the firewall module executes on the host computer to process the traffic to and from the machines, the method loads a second version of the firewall module alongside the first version of the firewall module. For each of multiple ports associated with machines executing on the host computer for which the firewall module processes traffic sent to and from the port, the method saves a runtime state of the first version that relates to the port, transfers association of a firewall filter associated with the port from the first version to the second version, and restores the saved runtime state for the port to the second version.
    Type: Grant
    Filed: April 6, 2021
    Date of Patent: August 29, 2023
    Assignee: VMWARE, INC.
    Inventors: Vignesh Raghuraman, Guolin Yang, Boon S. Ang, Prerit Rodney, Rajeev Nair, Ashwin Mahesh Shroff
  • Patent number: 11740782
    Abstract: A method of performing out-of-band commissioning is provided. The method may include enabling a pairing mode on a commissioning device, generating a gesture code on the commissioning device, receiving a gesture input on a node device, verifying an agreement between the gesture code and the gesture input, and commissioning the node device based on the agreement.
    Type: Grant
    Filed: January 6, 2017
    Date of Patent: August 29, 2023
    Inventor: Mads Westergreen
  • Patent number: 11736443
    Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.
    Type: Grant
    Filed: April 26, 2022
    Date of Patent: August 22, 2023
    Assignee: Illumio, Inc.
    Inventors: Daniel Richard Cook, Anish Vinodkumar Desai, Thomas Michael McCormick
  • Patent number: 11736516
    Abstract: A network is secured by managing domain name requests such that client devices are restricted from visiting malicious or undesirable domains. An endpoint Domain Name Server (DNS) agent is installed on client devices on a local network, and the endpoint DNS agents intercept DNS requests from the client devices and process the received DNS request in the endpoint DNS agent based on a security policy set for the client device via the endpoint DNS agent. In a further example, the endpoint DNS agent receives an HTTP message from a client browser including a Server Name Identifier tag, and generates a signed certificate spoofing the domain identified in the Server Name Identifier tag to insert itself as a man-in-the-middle between the identified domain and the client browser.
    Type: Grant
    Filed: December 30, 2019
    Date of Patent: August 22, 2023
    Assignee: Avast Software s.r.o.
    Inventor: Gandhi Balasubramaniam
  • Patent number: 11729215
    Abstract: A method of monitoring traffic by a router acting as a gateway between a first and second network is described. The router can receive data packets sent from the first device over the TCP connection and can send a TCP ACK packet to the first device in response to each data packet. The data packets can be stored without sending them to the second device. The stored data packets can be examined in order to determine whether to block or allow the TCP connection. In the event that it is determined to allow the TCP connection, the router can send each of the stored data packets to the second device. In the event that it is determined to block the TCP connection, the router can send a TCP RST message to each of the first and second devices in order to close the TCP connection.
    Type: Grant
    Filed: May 6, 2020
    Date of Patent: August 15, 2023
    Assignee: F-Secure Corporation
    Inventors: Yury Yakovlev, Tero Kilkanen, Markus Palonen
  • Patent number: 11716203
    Abstract: A method for providing evidential data is described that includes obtaining data items, generating a respective first hash value for each data item, generating a second hash value for a data set comprising the first hash values but excluding the one or more data items, obtaining one or more transaction identifiers including one or more static identifiers, generating a respective third hash value for each of the one or more static identifiers, transmitting a first message comprising the one or more data items, the one or more first hash values, the second hash value, and the one or more third hash values to a server.
    Type: Grant
    Filed: July 15, 2022
    Date of Patent: August 1, 2023
    Assignee: Y R FREE LABS LIMITED
    Inventor: Phil Davies
  • Patent number: 11700283
    Abstract: A system and method for self-adjusting cybersecurity analysis and score generation, wherein a reconnaissance engine gathers data about a client's computer network from the client, from devices and systems on the client's network, and from the Internet regarding various aspects of cybersecurity. Each of these aspects is evaluated independently, weighted, and cross-referenced to generate a cybersecurity score by aggregating individual vulnerability and risk factors together to provide a comprehensive characterization of cybersecurity risk using a transparent and traceable methodology. The scoring system itself can be used as a state machine with the cybersecurity score acting as a feedback mechanism, in which a cybersecurity score can be set at a level appropriate for a given organization, and data from clients or groups of clients with more extensive reporting can be used to supplement data for clients or groups of clients with less extensive reporting to enhance cybersecurity analysis and scoring.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: July 11, 2023
    Assignee: QOMPLX, INC.
    Inventors: Jason Crabtree, Andrew Sellers
  • Patent number: 11695800
    Abstract: Endpoints in a network execute a sensor module that intercepts commands. The sensor module compares a source of commands to a sanctioned list of applications received from a management server. If the source does not match a sanctioned application, the command is ignored and a simulated acknowledgment is sent, or deception data is returned instead. In some embodiments, certain data is protected such that commands will be ignored or modified to refer to deception data where the source is not a sanctioned application. The source may be verified to be a sanctioned application by evaluating a certificate, hash, or path of the source. Responses from an active directory server may be intercepted and modified to reference a decoy server when not addressed to a sanctioned application. Requests to view network resources may be responded to with references to a decoy server.
    Type: Grant
    Filed: April 15, 2020
    Date of Patent: July 4, 2023
    Assignee: SENTINELONE, INC.
    Inventors: Venu Vissamsetty, Anil Gupta, Harinath Vishwanath Ramchetty
  • Patent number: 11689927
    Abstract: A method includes receiving, at a native application, access credential data and providing the access credential data from the native application to a headless browser. The method also includes initiating a secured connection from the headless browser to a remote server that hosts a website. The remote server supports access to secured data without relying on an application programming interface. The method also includes sending, by the headless browser via the secured connection, the access credential data to the remote server. The method also includes receiving first web page data of the website from the remote server via the secured connection and parsing the first web page data to identify user-specific data. The method further includes receiving, by the headless browser via the secured connection, at least a portion of the secured data.
    Type: Grant
    Filed: September 11, 2020
    Date of Patent: June 27, 2023
    Assignee: AppBrilliance, Inc.
    Inventors: Charles Eric Smith, Chris Dutrow, Sergio Gustavo Ayestaran
  • Patent number: 11676142
    Abstract: A transaction platform including at least one or more public, public-private and/or private distributed ledgers or blockchains that together enable the secure effectuation and recordation of one or more transactions while maintaining transaction party confidentiality. The private distributed ledgers or blockchains are able to store, maintain and provide information about the parties related to the transactions which the distributed blockchains or databases are able to utilize in order to securely and quickly validate, execute and record the transactions in a manner that is GDPR and other data privacy law compliant.
    Type: Grant
    Filed: September 5, 2019
    Date of Patent: June 13, 2023
    Assignee: Atrium Separate IP Holdings Number 4, LLC
    Inventor: H. Anthony DeRosa-Grund
  • Patent number: 11677780
    Abstract: Systems, methods, and software described herein provide for responding to security threats in a computing environment based on the classification of computing assets in the environment. In one example, a method of operating an advisement computing system includes identifying a security threat for an asset in the computing environment, and identifying a classification for the asset in relation to other assets within the computing environment. The method further provides determining a rule set for the security threat based on the classification for the asset and initiating a response to the security threat based on the rule set.
    Type: Grant
    Filed: November 25, 2020
    Date of Patent: June 13, 2023
    Assignee: Splunk Inc.
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Patent number: 11677569
    Abstract: A method, system, and apparatus for managing digital certificates, managing a certificate authority (CA), and cross-referencing CA hierarchies. The method includes receiving, by a processor of a CA computing system, at least one of a digital certificate generation request and a digital certificate revocation from a user via a user computing device, the digital certificate generation request including a user public key and a user identity. The method further includes generating a digital certificate for the user and signing the digital certificate with a CA private key, wherein the CA private key is associated with a known CA public key. The method further includes publishing the digital certificate signed with the CA private key to a digital certificate blockchain, determining a certificate status of the digital certificate, and publishing an update to the digital certificate blockchain to reflect the certificate status of the digital certificate.
    Type: Grant
    Filed: November 13, 2020
    Date of Patent: June 13, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: David V. Duccini, Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11671404
    Abstract: The disclosure provides an approach for network security. Embodiments include receiving, by a kernel of a first machine, via a hook in a protocol stack of the first machine, one or more packets of a connection between the first machine and a second machine. Embodiments include generating a metadata object for the connection based on at least a subset of the one or more packets. Embodiments include adding the one or more packets to a queue accessible by a security component of the first machine. Embodiments include determining, based on the metadata object, whether to continue capturing additional packets of the connection. Embodiments include receiving, from the security component, a security determination regarding the connection based on the one or more packets. Embodiments include performing an action with respect to the connection based on the security determination.
    Type: Grant
    Filed: August 27, 2020
    Date of Patent: June 6, 2023
    Assignee: VMware, Inc.
    Inventors: Mandar Nanivadekar, Leena Shuklendu Soman
  • Patent number: 11671459
    Abstract: The disclosure relates generally to methods, systems, and apparatuses for managing network connections. A system for managing network connections includes a storage component, a decoding component, a rule manager component, and a notification component. The storage component is configured to store a list of expected connections for a plurality of networked machines, wherein each connection in the list of expected connections defines a start point and an end point for the connection. The decoding component is configured to decode messages from the plurality of networked machines indicating one or more connections for a corresponding machine. The rule manager component is configured to identify an unexpected presence or absence of a connection on at least one of the plurality of network machines based on the list of expected connections. The notification component is configured to provide a notification or indication of the unexpected presence or absence.
    Type: Grant
    Filed: November 15, 2021
    Date of Patent: June 6, 2023
    Assignee: Snowflake Inc.
    Inventors: James Calvin Armstrong, Jonathan Claybaugh
  • Patent number: 11665138
    Abstract: A method and system for continuously configuring a web application firewall (WAF) are provided. The method includes receiving a request directed at a protected web application, wherein the request is received from a client device associated with a trusted user account, and wherein the protected web application is protected by the WAF; validating the received request based on at least a signature included in a header of the received request; when the received request is validated, generating an authorization rule based on the received request, wherein the authorization rule allows access to a resource of the protected web application designated in the received request, wherein the generated authorization rule is included in at least one whitelist the WAF is configured with; and configuring the WAF with the generated authorization rule to allow the received request and subsequent request to be directed to the resource of the protected web application.
    Type: Grant
    Filed: December 30, 2019
    Date of Patent: May 30, 2023
    Assignee: RADWARE LTD.
    Inventors: Vladimir Shalikashvili, Dekel Cohen, Ayelet Shomer