Abstract: In an example, a method is described. The method comprises receiving a log comprising information about a computing system. The log is sent by a computing device associated with the computing system. The computing device comprises a first identity bound to a third identity of a certificate authority (CA) and a second identity bound to the first identity. The method further comprises receiving a signature for the log. The method further comprises verifying a certificate indicative of the second identity having been certified. The method further comprises verifying the received signature.

Abstract: In an example there is provided a method, comprising generating a token in response to an interaction between a user device associated to a user and a service device associated to a service. The token comprises record data indicative of the interaction and verification data to verify the record data. The token is communicated to the user device. The token is stored at the service device. The verification data is generated on the basis of the record data and identification data associated to the user.

Abstract: In an example there is provided a method for initiating an auxiliary access protocol in an authentication session. The method comprises providing attestation data attesting to a cause of an outcome of an authentication attempt in an authentication session, accessing a policy to initiate an auxiliary access protocol, determining if the attestation data fulfils a criterion according to the policy and initiating the auxiliary access protocol on the basis of said determination.

Abstract: In some examples, a method for data management, the method comprises booting a trusted diskless operating system image via a device firmware component, accessing a non-volatile storage of the device using the trusted diskless operating system image; and retrieving user data from the non-volatile storage of the device, and/or writing user data received from a remote location to the non-volatile storage of the device.

Abstract: In some example, a method for accessing a cryptographic recovery key of an encryption system of a device comprises mapping a device identity received at a key management system to a recovery key stored in the key management system, specifying at least one device-related operation to which the recovery key is linked, generating an encrypted message for the device, the encrypted message comprising the recovery key, and transmitting the encrypted message and a signed message to the device.

Abstract: An apparatus and method is described comprising: classifying service ticket data relating to a service request into a service topic, wherein the service ticket data is obtained from the service request relating to a device; determining, for the service request, an extent to which the service topic matches a telemetry data class, wherein the telemetry data class relates to activities at the device; and providing an output according to said determination.

Abstract: A method is disclosed. The method comprises analyzing, using a processing apparatus, event log entries of a plurality of devices, the plurality of devices forming part of a group of devices sharing a common attribute, wherein event log entries of a device relate to events that have taken place during a first period of interest in respect of that device. The method also comprises determining, using the processing apparatus, for a given device in the group of devices, based on the analysis of event log entries, a predicted entry that is expected to appear in the event log of the given device during the first period of interest. An apparatus and a machine-readable medium are also disclosed.

Abstract: In some examples, a method for performing an out-of-band security inspection of a device comprises generating a snapshot of the state of the device, storing data representing the snapshot to a non-volatile storage of the device, and storing a hash of the snapshot in a device BIOS, transitioning the power state of the device, triggering boot of a trusted diskless operating system image, providing the data representing the snapshot and the hash of the snapshot to the trusted diskless operating system image, and executing a script selected on the basis of a trigger event and the hash of the snapshot to analyse at least a portion of the non-volatile storage of the device.

Abstract: A method of validating software including maintaining, in a trusted computing system, a copy of at least portions of data of the software, the software comprising data in an untrusted computing system. The method includes, with the trusted computing system, specifying selected data from data included in the copy as hash data, generating an executable file for generating a hash based on the specified hash data, executing the executable file to generate a check hash using the specified selected data from the copy as the hash data, and determining whether the software is valid based, at least in part, on a comparison of the check hash to an access hash generated by execution of the executable file by the untrusted computing system using the specified selected data from the untrusted computing system as the hash data.

Abstract: In an example, a method includes analysing data collected from a service. A value representative of the number of anomalies in the data is generated, this value then being compared with a threshold. Depending on whether the value is greater or less than the threshold, a performance parameter of the monitoring service may be evaluated.

Abstract: Configuring analytics to be performed at an endpoint device, comprising receiving at least one analytic input determined from instrumented processes operated at the endpoint device, performing at least one analytic of a set of analytics stored in the endpoint device, to produce a respective analytic output, transmitting the at least one analytic output to the server, receiving, from the server, at least one analytics configuration update, based on measures indicative of the usefulness of the analytics calculated at the server, to reconfigure at least one of the set of analytics stored in the endpoint device. Based on the received analytics configuration updates, the endpoint device reconfigures at least one of the set of analytics by at least one of: stopping or starting performing the analytic, and tuning how the analytic is performed.

Abstract: In examples, there is provided a method for modifying a data item from a source apparatus, the data item associated with an event, in which the method comprises, within a trusted environment, parsing the data item to generate a set of tuples relating to the event and/or associated with the source apparatus, each tuple comprising a data item, and a data identifier related to the data item, applying a rule to a first tuple to pseudonymise a first data item to provide a transformed data item, and/or generate a contextual supplement to the first data item, generating a mapping between the transformed data item and the first data item, whereby to provide a link between the transformed data item and the first data item to enable subsequent resolution of the first data item using the transformed data item, and forwarding the transformed data item and the data identifier related to the first data item to an analytics engine situated logically outside of the trusted environment.

Abstract: In an example there is provided a method to certify a cryptographic key. The method comprises accessing an identifier stored at a secure location on the computing device, generating a cryptographic key according to a key generation process and certifying the cryptographic key is authentically generated during the boot process of the computing device, on the basis of the identifier.

Abstract: Apparatus and methods to process received results of an analytical process performed on first external data at a first computer at a server, to obtain sensitizing data; and provide the sensitizing data from the server to a second computer for use in performing a sensitized analytical process on second external data received at the second computer.

Abstract: An example computing device includes a user interface, a network interface, a non-volatile memory, a processor coupled to the user interface, the network interface, and the non-volatile memory, and a set of instructions stored in the non-volatile memory. The set of instructions, when executed by the processor, is to perform a hardware initialization of the computing device according to a setting, establish a local trust domain and a remote trust domain, use a local-access public key to issue a challenge via the user interface to grant local access to the setting, and use a remote-access public key to grant remote access via the network interface to remote access to the setting.

Abstract: An example computing device includes a memory accessible at startup of the computing device, a buffer, and a set of instructions. The memory stores a configuration setting that is configurable by the application of a change request. The memory also stores a first public key and a second public key. The buffer stores change requests submitted by a remote entity, including a first change request to make a first setting change and a second change request to make a second setting change. The first change request is signed by a first private key corresponding to the first public key, and the second change request is signed by a second private key corresponding to the second public key. The set of instructions retrieves a change request from the buffer, determines whether the change request is authenticated by a public key, and if authenticated, applies the change request.

Abstract: In an example, a method includes receiving, at a server device, a record of an event transmitted from a client device which occurred on the client device. At the server device, a record of the event is generated, by a processor. The received record is compared with the record generated at the server device. When at least a portion of the record generated at the server device is not found in the received record, an alert is issued.

Abstract: In an example, a method includes analysing data collected from a service. A value representative of the number of anomalies in the data is generated, this value then being compared with a threshold. Depending on whether the value is greater or less than the threshold, a performance parameter of the monitoring service may be evaluated.

Abstract: In an example, there is provided a method for tracking domain name server (DNS) requests, wherein the method comprises determining whether a DNS request has resolved; and for each non-resolving DNS request decomposing the domain name of the request into multiple components, determining, for each component, a value of a metric representing the occurrence of the component in a corpus, generating a scaling factor for the request on the basis of the values for each component, and incrementing a count of the total number of non-resolving DNS requests by a scaled value on the basis of the scaling factor.

Abstract: An apparatus comprises a memory to store data and a processor coupled to the memory. The processor may modify a plurality of data elements using a semantic relationship between the plurality of data elements and a pre-selected data security policy and to store data representing the modified plurality of data elements in the memory.