Abstract: Similar assets across a digital attack surface are identified. Extracting detail information and related edge information enables a network analysis system to provide indexed assets. A user of a network analysis system may provide additional data sources to enhance indexed assets. New data sources are processed in bulk to update existing assets. Edge information is pre-computed to provide on-demand access to a global inventory of mapped domain infrastructure assets.

Abstract: A system for inspecting data, the system comprising: at least one processor configured to: establish a trusted relationship between a source account in a cloud environment and a scanner account; using the established trust relationship, utilize at least one cloud provider API to identify workloads in the source account; use the at least one cloud provider API to query a geographical location of at least one of the identified workloads; receive an identification of the geographic location; use the cloud provider APIs to access block storage volumes of the at least one workload; determine a file-system of the at least one workload; mount the block storage volumes on a scanner based on the determined file-system; activate a scanner at the geographic location; reconstruct from the block storage volumes a state of the workload; and assess the reconstructed state of the workload to extract insights.

Abstract: Systems and methods for performing multi-feed classification of security events to facilitate automated IR orchestration are provided. According to one embodiment a cloud-based security service protecting a private network provides a plurality of data feeds, wherein each data feed of the plurality of data feeds independently classify a given security event and produce a classification result. In response to an event associated with a process of an endpoint device that is part of the private network an endpoint protection platform running on the endpoint device performs an initial classification of the event and transmits the classification result to the cloud-based security service for final classification to facilitate causing, by the cloud-based security service, the endpoint protection platform to perform an automated incident response, by providing an output of an automated response engine of the cloud-based security service to the endpoint protection platform.

Abstract: A method, system, and computer program product for generating personalized security testing simulations is provided. The method identifies a user of a communications system. The user is associated with a user profile. The method generates a simulated attack communication based on the user, the user profile, and an attack personalization model. The simulated attack communication is transmitted to the user via the communications system. The method identifies a user response to the simulated attack communication and modifies the attack personalization model based on the user response.

Abstract: Systems and methods are provided to build a machine learned exploitability risk model that predicts, based on the characteristics of a set of machines, a normalized risk score quantifying the risk that the machines are exploitable by a set of attacks. To build the model, a training dataset is constructed by labeling characteristic data of a population of machines with exploitation test results obtained by simulating a set of attacks on the population. The model is trained using the training data to accurately predict a probability that a given set of machines is exploitable by the set of attacks. In embodiments, the model may be used to make quick assessments about how vulnerable a set of machines are to the set of attacks. In embodiments, the model may be used to compare the effectiveness of different remediation actions to protect against the set of attacks.

Abstract: Systems, methods, and related technologies for improving classification use multiple classification resources. Network traffic from a network may be accessed and an entity may be selected. One or more values associated with one or more properties associated with the entity may be determined. The one or more values may be accessed from the network traffic. A first classification result of the entity based on accessing one or more local profiles is determined by a processing device. In response to the first classification result meeting a condition, one or more values associated with one or more properties associated with the entity may be sent (e.g., to a cloud based classification resource). A second classification result may be received. The second classification result may be determined based one accessing at least one remote profile. At least one of the first classification result or the second classification result may be stored.

Abstract: The disclosed computer-implemented method for identifying security risks posed by application bundles may include (i) intercepting, using a VPN client of the computing device, network traffic of the computing device, wherein an operating system of the computing device restricts applications into a sandboxed environment, (ii) storing, on the computing device, a copy of at least a portion of the network traffic of the computing device within a sandbox associated with the VPN client, (iii) identifying, by analyzing the copy of the network traffic, an application bundle within the network traffic, (iv) determining, by analyzing the application bundle in the sandbox associated with the VPN client, that the application bundle poses a security risk, and (v) in response to determining that the application bundle poses a security risk, performing a security action to remedy the security risk. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Apparatus and methods for providing content to packet-enabled devices in a content distribution network. In one embodiment, a network architecture is disclosed which enables delivery of content to IP-enabled devices such as mobile smartphones and tablet computers using a traditional high-speed data connection. This capability allows the managed network operator to provide content services to an IP-enabled device associated with a non-data subscriber. In one variant, a cable modem is provided which is limited to only retrieve content for delivery to the devices, yet which performs no other functions/services (including provision of high-speed data services). Alternatively, a “media server” modem is utilized to enable delivery of content from the managed network to a client or user device which is also able to obtain high-speed data service from a non-managed or third party managed network via a third-party access point. Security and authentication mechanisms for the transmitted content are also disclosed.

Abstract: Provided is a process that includes: obtaining, with one or more processors, a query identifying a user identification; retrieving, with one or more processors, via an application programming interface, from a database, one or more passwords associated with one or more user identification entries in the database that matches the user identification in response to the obtained query; determining, with one or more processors, whether the one or more passwords matches a password associated with the user identification; blocking, with one or more processors, access to a user account associated with the user identification and the password when the one or more passwords matches the password associated with the user identification; and notifying, with one or more processors, a user associated with the user account to reset the password when the one or more passwords matches the password associated with the user identification.

Abstract: Systems and methods for accountless device control are disclosed. For example, a smart device may be acquired and plugged in for use. The smart device may gain network connectivity and a system associated with the smart device may request enablement of an application for use with the smart device from another system, such as a system associated with a voice-enabled device. The other system may generate and send user identifier data, and the system associated with the smart device may generate a shadow account in association with the user identifier data. The application may be enabled in association with the shadow account, and access credentials may be exchanged to securely send and receive information associated with operation of the access device.

Abstract: A method and system for managing IoT-based devices in an Internet-of-Things (IoT) environment is disclosed. The method includes determining violation of at least one pre-defined security requirement by at least one IoT-based device. Then, the method includes generating a unique signature of the IoT-based device based on information associated with the IoT-based device. The method includes terminating communication between the IoT-based device and an IoT-cloud platform. Also, the method includes sending a first notification indicating that the IoT-based device violates the at least one pre-defined security requirement to the IoT-based devices connected to the IoT-cloud platform. The first notification includes the unique signature of the IoT-based device.

Abstract: A system provides for generation and implementation of resiliency controls for securing technology resources. In particular, the system may generate a model for securing technology resources based on compromise vectors that may affect the integrity or security of the resources, along with resiliency controls which may be used by the system to protect the resources. Based on the above information, the system may determine the impact that certain vectors may have on certain resources and assess the resistance of the resources to the impacts. In this way, the system may provide an efficient way to assess resiliency of resources and implement resiliency controls to protect such resources.

Abstract: A method prompts a user to provide first credentials, receives the first credentials, and using an initial verification process including at least one of validity, a uniqueness, a suspicious contextual detection, or statistical recurrence verification, to verify the first credentials based on stored data. Based on a negative result of the initial verification process, the method prompts the user to provide second credentials, receives the second credentials, and validates the second credentials based on the stored data. The method registers the user for a service based on a positive result of the initial verification process or a positive result of the second strong validation process, refusing to register the user for the service based on a negative result of the initial verification process and the negative result of the second strong validation process, and blacklisting the verified second credentials upon registering the user.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; a uniform resource locator (URL) reputation store; a network interface; and instructions encoded within the memory to instruct the processor to: receive via the network interface a request for a reputation for a URL; query the URL reputation store and determine that the URL does not have a known reliable reputation; add the URL to a URL analysis queue; perform a rough analysis of the URL, and determine from the rough analysis that the URL potentially is for a phishing website; and move the URL ahead in the analysis queue.

Abstract: Masking a data rate of transmitted data is disclosed. As data is transmitted from a production site to a secondary site, the data rate is masked. Masking the data rate can include transmitting at a fixed rate, a random rate, or an adaptive rate. Each mode of data transmission masks or obscures the actual data rate and thus prevents others from gaining information about the data or the data owner from the data transfer rate.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to identify and report cloud-based security vulnerabilities. An apparatus comprising: a security vulnerability detector to, in response to a resource monitor monitoring a threshold amount of activity in a resource of a cloud computing environment, determine one or more security vulnerabilities associated with the resource and the cloud computing environment; a vulnerability processor to correlate the one or more security vulnerabilities with one or more kill chains to exploit at least one security vulnerability in the cloud computing environment; and a report generator to generate a report including a story graph indicating a subset of at least one of: (a) the one or more security vulnerabilities associated with the one or more kill chains, (b) one or more remediation actions to obviate the one or more security vulnerabilities, or (c) threat intelligence feeds associated with the one or more security vulnerabilities.

Abstract: Methods and systems for generating an attack path based on user and system risk profiles are presented. The method comprises determining user information associated with a computing device; determining system exploitability information of the computing device; determining system criticality information of the computing device; determining a risk profile for the computing device based on the user information, the system exploitability information, and the system criticality information; and generating an attack path based on the risk profile. The attack path indicates a route through which an attacker accesses the computing device. The system exploitability information indicates one or more of: the vulnerability associated with the computing device, an exposure window associated with the computing device, and a protection window associated with the computing device.

Abstract: Systems and methods are described for contextualizing a simulated phishing communication based at least on one of language and locale. Initially, a template for a simulated phishing communication is created with content in a source language. Then one or more contextual parameters for a user are identified. The one or more contextual parameters identify at least one of a target language and a target locale. The content of the simulated phishing communication is modified according to at least one of the target language and the target locale and the simulated phishing communication is communicated to one or more devices of the user with the content modified for at least one of the target language and the target locale.

Abstract: Systems and methods for risk assessment of a computer network are described. In one embodiment a first static risk score corresponding to a first computing device is computed. A connectivity map corresponding to the first computing device is determined. Communication performed by the first computing device via the connectivity map is analyzed, and a first dynamic risk score corresponding to the first computing device is computed. The first static risk score and the first dynamic risk score are combined to generate a first total risk score for the first computing device. A second total risk score for a second computing device is determined. The first total risk score and the second total risk score are aggregated into an aggregate risk score. A risk assessment of the computer network is determined based on the aggregate risk score.

Abstract: A method of scanning a plurality of ports at one or more target IP addresses is disclosed. Each of the plurality of ports corresponds to a port number at one of the one or more target IP addresses, for example an IPv4 or IPv6 address. The method comprises assigning each port to one of a plurality of sets of ports and executing a plurality of port scanning processes at the same time on a common source machine (virtual or physical). Each port scanning process sends port probe requests to the ports of a respective set of the plurality of sets from a different respective source IP addresses. Thus, a different respective source IP address is associated with each set of the plurality of sets of ports, different from the source IP addresses associated with the remaining sets, and each set of target IP addresses receives probe requests from a different respective source IP address. The sets may be aligned with target addresses or may spread several target addresses or only part of the ports of a target address.