Abstract: Systems and methods are provided for synergistically combining network security technologies to detect compromised devices. According to one embodiment, an endpoint detection and response (EDR) agent of multiple endpoint security agents running on an endpoint device detects an incident. A security incident alert is generated by the EDR agent by proactively collecting data regarding the incident. Identification of a device coupled to a private network as potentially being compromised by a security service of a Managed Security Service Provider (MSSP) protecting the private network is facilitated by the EDR agent transmitting the security incident alert to the security service via a security agent of the multiple endpoint security agents corresponding to the security service.

Abstract: Methods and systems for a document-level attribute-based access control service are provided. The document-level attribute-based access control service may be positioned between a directory service and a search engine service. The directory service can manage information and permissions for users. The document-level attribute-based access control service can map security attributes to the user based on the information and permissions. Based on the mapping, it can be determined whether to permit the user making a query to the search engine service to access documents based on the query. Information and permissions attributes can be injected into queries dynamically via a template. Attributes may be combined with role query templates to create document-level attribute-based access control on top of role-based access control. The present technology can enable enforcement of security policies requiring all of a combination of attributes to be satisfied before permitting certain access.

Abstract: A method including configuring, by an infrastructure device, a user device to receive harmful patterns indicating characteristics of harmful traits included in affected data known to include malicious content and clean patterns indicating characteristics of clean traits included in clean data known to be free of the malicious content; configuring the user device to receive a first portion of given data; configuring the user device to determine a pattern associated with traits included in the first portion of the given data; configuring the user device to determine whether the first portion of the given data includes the malicious content based on comparing the determined pattern with the harmful patterns and the clean patterns; and configuring the user device to selectively receive a second portion of the given data based determining whether the first portion of the given data includes the malicious content is disclosed. Various other aspects are contemplated.

Abstract: Disclosed is a cyber threat intelligence platform configured to: a) designate a virtual machine as an attacker machine; b) designate a virtual machine as a victim machine; c) receive cyberattack data representative of a cyberattack executed by the attacker machine against the victim machine; e) receive defense action data representative of a defense action executed by the victim machine against the cyberattack; f) mark a first point in time when the cyberattack is executed, and mark a second point in time when the defense action is initiated; g) compare the first point in time with the second point in time to ascertain an attack-defense time lapse as a performance measure for computer system threat management of cyberattacks or defense actions, and h) view or analyze cyberattack and defense actions for effectiveness, including perspectives derived from the relative timing of the actions as indicated on the time lapse.

Abstract: According to one embodiment, a method of granting a remote device access to a smart home network connected device is disclosed. An example method includes receiving an access request including identifying information related to the remote device; generating a digital security token that is encrypted and provides the remote device with access to the smart home network connected device without divulging network credentials; transmitting the digital security token to the remote device; receiving the decrypted digital security token from the remote device, the decrypted digital security token validating permissions of the remote device to access the smart home network connected device; and transmitting a remote access authorization to the remote device based on the decrypted digital security token, the remote access authorization providing the remote device with access to the smart home network connected device to connect the smart home network connected device to the network.

Abstract: A system described herein may provide a technique for identifying and remediating potential threat vectors in a system, such as containers or applications in a virtual or cloud computing environment. Attributes of potential threat vectors may be identified, and the potential threat vectors may be scored based on the attributes. Values or scores of individual attributes may be determined through machine learning or other suitable techniques. Scores exceeding a threshold may indicate that a remedial measure should be performed. A remedial measure may be identified using machine learning or other suitable techniques. After the remedial measure is performed, the threat vector may be scored again, and a machine learning model may be refined based on whether the remedial measure was successful.

Abstract: Methods and apparatus for real-time security monitoring on a computing device are presented. A system may define privileges to access hardware interfaces for each process of a plurality of processes executing on a computing device. The privileges may be defined in a privileged operating system level that controls root access to an operating system. In response to a determination that a process is attempting to access a hardware interface, the system may determine whether the process is privileged to access the hardware interface by checking the privileges. In response to determining that the process is not privileged to access the hardware interface, the intrusion detection agent may terminate the process.

Abstract: A plurality of features associated with a message are determined. At least one feature included in the plurality of features is associated with a payload of the message. A determination is made that supplemental analysis should be performed on the message. The determination is based at least in part on performing behavioral analysis using at least some of the features included in the plurality of features. Supplemental analysis is performed.

Abstract: A system and method for adapting one or more cybersecurity microservices to accelerate cybersecurity threat mitigation includes constructing a subscriber-specific data corpus comprising a plurality of distinct pieces of computing environment-informative data of a target subscriber; adapting a subscriber-agnostic microservice of the cybersecurity service to a subscriber-specific microservice, wherein: the subscriber-agnostic microservice includes a plurality of subscriber-agnostic cybersecurity event handling instructions, and adapting the subscriber-agnostic microservice to the subscriber-specific microservice includes generating a plurality of context-informed cybersecurity event handling instructions; augmenting the subscriber-agnostic microservice to include the plurality of context-informed cybersecurity event handling instructions; computing for a target cybersecurity event a subscriber-specific threat severity level based on one or more of the plurality of context-informed cybersecurity event handling i

Abstract: Techniques for detecting emails that pertain to Internet services are disclosed. Such emails can be recognized by heuristic pattern analysis that scans incoming emails for patterns known to pertain to certain Internet services. Emails relating to other Internet services can be detected by a machine learning classifier that uses labeled training data. These accesses to Internet services can be written to a data store. By employing these techniques across all emails of an entity, insight may be gained into the aggregate nature of Internet services being used. A policy engine may act on an individual email to request further information or action, quarantine the email, or to pass the email to other security tools. An aggregate account analysis engine can update the data store to provide a broad picture of Internet service usage within the organization (e.g., by department).

Abstract: Aspects of the disclosure relate to dynamically generating activity prompts to build and refine machine learning authentication models. A computing platform may process a first set of login events associated with a first user account and may build a first user-specific authentication model for the first user account. Then, the computing platform may process a second set of login events associated with a second user account and may build a second user-specific authentication model for the second user account. The computing platform also may build a population-level authentication model for a plurality of user accounts. Thereafter, the computing platform may identify one or more activity parameters associated with at least one authentication model for refinement. Subsequently, the computing platform may generate and send one or more activity prompts to one or more client computing devices to request at least one user response.

Abstract: Aspects of the disclosure relate to detecting and identifying malicious sites using machine learning. A computing platform may receive image data of a graphical rendering of a resource available at a uniform resource locator (URL). The computing platform may compute a computer vision vector representation of the image data. The computing platform may compare the computer vision vector representation of the image data to stored numeric vectors representing page elements, resulting in a feature indicating whether the computer vision vector representation of the image data is visually similar to a known page element, and may input the feature to a classifier. The computing platform may receive, from the classifier, a phish classification score indicating a likelihood that the URL is malicious. In response to determining that the phish classification score exceeds a first phish classification threshold, the computing platform may cause a cybersecurity server to perform a first action.

Abstract: Disclosed herein are methods, systems, and processes to detect anomalous computing assets based on open ports. Security data associated with computing assets executing in a computing environment is received from an agent executing on the computing assets. Open port information associated with the computing assets is extracted from the security data. The open port information and a list of computing assets with the open port information is used to generate a type similarity model and an open port model. The type similarity model clusters the computing assets and the open port model determines whether a port associated with a computing asset with the open port information is likely to be open or should be open in the computing environment, permitting detection of anomalous computing assets in the computing environment.

Abstract: A method including receiving, by a user device, harmful patterns indicating characteristics of harmful traits included in affected data known to include malicious content and clean patterns indicating characteristics of clean traits included in clean data known to be free of the malicious content; receiving, by the user device, a first portion of given data; determining, by the user device, a pattern associated with traits included in the first portion of the given data; determining, by the user device, whether the first portion of the given data includes the malicious content based at least in part on comparing the determined pattern with the harmful patterns and the clean patterns; and selectively receiving, by the user device, a second portion of the given data based at least in part on determining whether the first portion of the given data includes the malicious content is disclosed. Various other aspects are contemplated.

Abstract: A system and method for securing virtual cloud assets in a cloud computing environment against cyber threats. The method includes: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.

Abstract: Methods, a user data node (120), a policy node (150), an application node (170) and an operator network (101) for enabling management of an attack towards an application (190) hosted by the application node (170) are disclosed. The policy node (150) receives (3) attack information and an identifier of the application (190) to which the attack information applies. The attack information relates to the management of the attack and the attack information comprises a type of attack, a set of detection conditions relating to detection of attacks of the type of attack, and a mitigation action to be invoked when at least one detection condition of the set of detection conditions is fulfilled. In this manner, degeneration of the application (190) caused by the attacks of the type of attack is mitigatable. The policy node (150) generates (13) at least one rule based on the attack information.

Abstract: A computing device detects that another computing device has connected to a network. The computing device determines whether the other computing device is valid and whether the computing device is being utilized for one or more suspicious activities. Based on determining that the other computing device is being utilized for one or more suspicious activities, the computing device determines a location of the other computing device, determines whether a user associated with the other computing device can be identified, and based on determining that the user associated with the other computing device cannot be identified, disables the other computing device, and transmits an alert to security personnel.

Abstract: Methods to securely remediate a captive portal are provided. In these methods, a processor of a user device detects a connection, via a network, to a captive portal. Based on the detected connection to the captive portal, the processor launches a dedicated secure web browser, and selectively restricts access of the user device to the network in order to only allow, via the dedicated secure web browser, communications related to remediation with the captive portal.

Abstract: A system and method for securing virtual cloud assets in a cloud computing environment against cyber threats. The method includes: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.

Abstract: A policy-controlled access system comprising a client device running a local application, A mid-link server monitors network traffic from the client device. The network traffic includes third-party content accessed by a user on the client device. A request for data from the end-user is received using the local application, a category associated with the request for the data is determined, and a policy associated with access to the data is determined based on the category. A risk score associated with the data is determined based on the policy using machine learning models. The machine learning models analyze user activities from the network traffic for the determination of the risk score. The risk score is compared with a threshold value and based on the comparison the request is authorized. Machine learning-based recommendations associated with the data are generated. The recommendations include modifications in the policy for access to the data.