Patents by Inventor Amin Hassanzadeh

Amin Hassanzadeh has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20200137104
    Abstract: Implementations of the present disclosure include providing, by a security platform, graph data defining a graph that is representative of an enterprise network, the graph comprising nodes and edges between nodes, a set of nodes representing respective assets within the enterprise network, each edge representing at least a portion of one or more lateral movement paths between assets in the enterprise network, determining, for each asset, a criticality of the respective asset to operation of a process, determining a lateral movement path between a first node represented by a first asset and a second node represented by a second asset within the graph, determining a path value representative of a criticality in preventing an attack through the lateral movement path, and providing an indication of the path value representative of the criticality in preventing an attack through the lateral movement path.
    Type: Application
    Filed: October 21, 2019
    Publication date: April 30, 2020
    Inventors: Amin Hassanzadeh, Kamrul Hasan, Anup Nayak
  • Publication number: 20190141058
    Abstract: Implementations are directed to methods for detecting and identifying advanced persistent threats (APTs) in networks, including receiving first domain activity data from a first network domain and second domain activity data from a second network domain, including multiple alerts from the respective first and second network domains and where each alert of the multiple alerts results from one or more detected events in the respective first or second network domains. A classification is determined for each alert of the multiple alerts with respect to a cyber kill chain. A dependency is then determined for each of one or more pairs of alerts and a graphical visualization of the multiple alerts is generated, where the graphical visualization includes multiple nodes and edges between the nodes, each node corresponding to the cyber kill chain and representing at least one alert, and each edge representing a dependency between alerts.
    Type: Application
    Filed: November 9, 2017
    Publication date: May 9, 2019
    Inventors: Amin Hassanzadeh, Azzedine Benameur, Robin Lynn Burkett, Apoorv Krishak, Chien An Chen, Nahid Farhady Ghalaty
  • Publication number: 20190089727
    Abstract: Systems, methods, and apparatus, including computer programs encoded on computer storage media, for obtaining, processing, and presenting data related to security events, and for implementing courses of action to protect assets in response to the security events. An event management module identifies malicious activity present on a first network domain and/or a second network domain based on received network domain activity. A threat intelligence module receives data identifying the malicious activity in first data constructs of a predefined data structure. The threat intelligence module obtains additional data related to the identified malicious activity and generates second data constructs that include enriched data regarding the malicious activity. The enriched data includes data describing a campaign in which at least a portion of the malicious activity is involved and one or more courses of action. A course of action module receives the second data constructs and implements a given course of action.
    Type: Application
    Filed: November 15, 2018
    Publication date: March 21, 2019
    Inventors: Shaan Mulchandani, Amin Hassanzadeh, Elvis Hovor, Shimon Modi, Walid Negm
  • Patent number: 10148679
    Abstract: Systems, methods, and apparatus, including computer programs encoded on computer storage media, for obtaining, processing, and presenting data related to security events, and for implementing courses of action to protect assets in response to the security events. An event management module identifies malicious activity present on a first network domain and/or a second network domain based on received network domain activity. A threat intelligence module receives data identifying the malicious activity in first data constructs of a predefined data structure. The threat intelligence module obtains additional data related to the identified malicious activity and generates second data constructs that include enriched data regarding the malicious activity. The enriched data includes data describing a campaign in which at least a portion of the malicious activity is involved and one or more courses of action. A course of action module receives the second data constructs and implements a given course of action.
    Type: Grant
    Filed: February 23, 2016
    Date of Patent: December 4, 2018
    Assignee: Accenture Global Solutions Limited
    Inventors: Shaan Mulchandani, Amin Hassanzadeh, Elvis Hovor, Shimon Modi, Walid Negm
  • Patent number: 10148686
    Abstract: Systems, methods, and apparatus, including computer programs encoded on computer storage media, for analyzing telemetry data from physical process sensors to detect anomalies within the physical process. A telemetry analytics system is disclosed as a process level anomaly detection system based on operational telemetrics and domain-specific knowledge that protects cyber physical system (CPS) devices against zero-day exploits not detectable through traditional system log or network packet inspection. The telemetry analytics system operates as a security component comparable to intrusion detection or anti-virus/anti-malware that generates alerts upon detecting anomalies in the sensor and/or activity data ingested from system or network data sources.
    Type: Grant
    Filed: February 10, 2017
    Date of Patent: December 4, 2018
    Assignee: Accenture Global Solutions Limited
    Inventors: Amin Hassanzadeh, Shaan Mulchandani, Malek Ben Salem, Chien An Chen
  • Patent number: 10148685
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining a network security threat response. A data structure that represents communication events between computing devices of two or more network domains is received. The data structure is analyzed and a threat scenario that is based on a chain of communication events that indicates a potential attack path is determined. The chain of communication events includes a sequence of communication events between computing devices proceeding from an originating computing device to a destination computing device, wherein the originating computing device and the destination computing device exist on different network domains. Attack pattern data, for the threat scenario and from a threat intelligence data source, that is associated with communications between computing devices that occurred during one or more prior attacks is received.
    Type: Grant
    Filed: July 17, 2017
    Date of Patent: December 4, 2018
    Assignee: Accenture Global Services Limited
    Inventors: Amin Hassanzadeh, Shimon Modi, Shaan Mulchandani, Walid Negm
  • Patent number: 10013551
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for determining where to store a version of an object in an isolated environment. In one aspect, a method includes actions of obtaining, from a process running in an isolated environment, a request to access an object and determining a frequency that changes to a version of the object stored in the isolated environment will be mapped back to a version of the object stored in the non-isolated environment. Additional actions include determining, based on the frequency that changes to a version of the object stored in the isolated environment are mapped back to a version of the object stored in the non-isolated environment, whether to store the version of the object in primary memory associated with the isolated environment or secondary memory associated with the isolated environment.
    Type: Grant
    Filed: August 24, 2015
    Date of Patent: July 3, 2018
    Assignee: Accenture Global Services Limited
    Inventor: Amin Hassanzadeh
  • Publication number: 20180144144
    Abstract: Systems, methods, and apparatus, including computer programs encoded on computer storage media, for facilitating communication in an industrial control network. A system includes an industrial control network, one or more controller devices, one or more emulators, and an encryption relay processor. Each controller device can be operable to control one or more operational devices connected to the industrial control network. Each emulator can be configured to communicate with a respective controller device, and each emulator can be configured to reference a respective profile that includes information about security capabilities of the respective controller device. The encryption relay processor can be operable to facilitate communication to and from each emulator over the industrial control network.
    Type: Application
    Filed: November 27, 2017
    Publication date: May 24, 2018
    Inventors: Song Luo, Walid Negm, James J. Solderitsch, Shaan Mulchandani, Amin Hassanzadeh, Shimon Modi
  • Patent number: 9870476
    Abstract: Systems, methods, and apparatus, including computer programs encoded on computer storage media, for facilitating secure communication. A system for facilitating secure communication includes an enterprise network, one or more operational technology networks, and a management server. Each of the operational technology networks can include one or more controller devices operable to control one or more operational devices, and can include a respective site security server and a respective security relay server. The security relay server can be operable to facilitate secure communication between controller devices of the operational technology network and its corresponding site security server. The management server can be a node on the enterprise network and can be operable to communicate with each site security server.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: January 16, 2018
    Assignee: Accenture Global Services Limited
    Inventors: Song Luo, Walid Negm, James J. Solderitsch, Shaan Mulchandani, Amin Hassanzadeh, Shimon Modi
  • Patent number: 9864864
    Abstract: Systems, methods, and apparatus, including computer programs encoded on computer storage media, for facilitating communication in an industrial control network. A system includes an industrial control network, one or more controller devices, one or more emulators, and an encryption relay processor. Each controller device can be operable to control one or more operational devices connected to the industrial control network. Each emulator can be configured to communicate with a respective controller device, and each emulator can be configured to reference a respective profile that includes information about security capabilities of the respective controller device. The encryption relay processor can be operable to facilitate communication to and from each emulator over the industrial control network.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: January 9, 2018
    Assignee: Accenture Global Services Limited
    Inventors: Song Luo, Walid Negm, James J. Solderitsch, Shaan Mulchandani, Amin Hassanzadeh, Shimon Modi
  • Patent number: 9824205
    Abstract: In one implementation, a computer-implemented method includes receiving a request to run a particular process; determining whether the particular process is to be run in isolation on the computer system; selecting a particular permission scheme from among a plurality of permission schemes based, at least in part, on one or more characteristics of the particular process; fetching, according to the particular permission scheme, a copy object that corresponds to an actual object for the particular process, wherein the copy object is instantiated in an isolated environment; running the particular process in isolation on the computer system by executing the copy object in the isolated environment; applying, according to the particular permission scheme, one or more changes to the copy object; and mapping, according to the particular permission scheme, the one or more changes in the copy object to the actual object.
    Type: Grant
    Filed: December 14, 2016
    Date of Patent: November 21, 2017
    Assignee: Accenture Global Services Limited
    Inventor: Amin Hassanzadeh
  • Publication number: 20170318050
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining a network security threat response. A data structure that represents communication events between computing devices of two or more network domains is received. The data structure is analyzed and a threat scenario that is based on a chain of communication events that indicates a potential attack path is determined. The chain of communication events includes a sequence of communication events between computing devices proceeding from an originating computing device to a destination computing device, wherein the originating computing device and the destination computing device exist on different network domains. Attack pattern data, for the threat scenario and from a threat intelligence data source, that is associated with communications between computing devices that occurred during one or more prior attacks is received.
    Type: Application
    Filed: July 17, 2017
    Publication date: November 2, 2017
    Inventors: Amin Hassanzadeh, Shimon Modi, Shaan Mulchandani, Walid Negm
  • Patent number: 9742788
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for correlating domain activity data. First domain activity data from a first network domain and second domain activity data from a second network domain is received. The first domain activity data and the second domain activity data is filtered to remove irrelevant activity data, based on a first set of profile data for devices in the first network domain and a second set of profile data for devices in the second network domain. Unfiltered first and second domain activity data is aggregated. Aggregated unfiltered first and second domain activity data is correlated to determine an attack path for an attack that occurs across the first network domain and the second network domain, based on attack signatures and profiles associated with previously identified attacks. A visualization of the attack path is generated.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: August 22, 2017
    Assignee: Accenture Global Services Limited
    Inventors: Amin Hassanzadeh, Shimon Modi, Shaan Mulchandani, Walid Negm
  • Publication number: 20170230410
    Abstract: Systems, methods, and apparatus, including computer programs encoded on computer storage media, for analyzing telemetry data from physical process sensors to detect anomalies within the physical process. A telemetry analytics system is disclosed as a process level anomaly detection system based on operational telemetrics and domain-specific knowledge that protects cyber physical system (CPS) devices against zero-day exploits not detectable through traditional system log or network packet inspection. The telemetry analytics system operates as a security component comparable to intrusion detection or anti-virus/anti-malware that generates alerts upon detecting anomalies in the sensor and/or activity data ingested from system or network data sources.
    Type: Application
    Filed: February 10, 2017
    Publication date: August 10, 2017
    Inventors: Amin Hassanzadeh, Shaan Mulchandani, Malek Ben Salem, Chien An Chen
  • Patent number: 9712554
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for transforming representations of network activity data. A data structure that represents communication events between computing devices of one or more networks is received. The data structure is analyzed and a set of potential attack paths represented in the data structure is determined. A score is assigned to each potential attack path in the set of potential attack paths. Potential attack paths that have scores that do not meet a predetermined threshold are removed from the set of potential attack paths. Potential attack paths that remain in the set of potential attack paths are ranked, based on each score assigned to each potential attack path, and the data structure that includes a ranked set of potential attack paths is provided.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: July 18, 2017
    Assignee: Accenture Global Services Limited
    Inventors: Amin Hassanzadeh, Shimon Modi, Shaan Mulchandani, Walid Negm
  • Publication number: 20170171235
    Abstract: Systems, methods, and apparatus, including computer programs encoded on computer storage media, for obtaining, processing, and presenting data related to security events, and for implementing courses of action to protect assets in response to the security events. An event management module identifies malicious activity present on a first network domain and/or a second network domain based on received network domain activity. A threat intelligence module receives data identifying the malicious activity in first data constructs of a predefined data structure. The threat intelligence module obtains additional data related to the identified malicious activity and generates second data constructs that include enriched data regarding the malicious activity. The enriched data includes data describing a campaign in which at least a portion of the malicious activity is involved and one or more courses of action. A course of action module receives the second data constructs and implements a given course of action.
    Type: Application
    Filed: February 23, 2016
    Publication date: June 15, 2017
    Inventors: Shaan Mulchandani, Amin Hassanzadeh, Elvis Hovor, Shimon Modi, Walid Negm
  • Publication number: 20170109520
    Abstract: In one implementation, a computer-implemented method includes receiving a request to run a particular process; determining whether the particular process is to be run in isolation on the computer system; selecting a particular permission scheme from among a plurality of permission schemes based, at least in part, on one or more characteristics of the particular process; fetching, according to the particular permission scheme, a copy object that corresponds to an actual object for the particular process, wherein the copy object is instantiated in an isolated environment; running the particular process in isolation on the computer system by executing the copy object in the isolated environment; applying, according to the particular permission scheme, one or more changes to the copy object; and mapping, according to the particular permission scheme, the one or more changes in the copy object to the actual object.
    Type: Application
    Filed: December 14, 2016
    Publication date: April 20, 2017
    Inventor: Amin Hassanzadeh
  • Patent number: 9600682
    Abstract: In one implementation, a computer-implemented method includes receiving a request to run a particular process; determining whether the particular process is to be run in isolation on the computer system; selecting a particular permission scheme from among a plurality of permission schemes based, at least in part, on one or more characteristics of the particular process; fetching, according to the particular permission scheme, a copy object that corresponds to an actual object for the particular process, wherein the copy object is instantiated in an isolated environment; running the particular process in isolation on the computer system by executing the copy object in the isolated environment; applying, according to the particular permission scheme, one or more changes to the copy object; and mapping, according to the particular permission scheme, the one or more changes in the copy object to the actual object.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: March 21, 2017
    Assignee: Accenture Global Services Limited
    Inventor: Amin Hassanzadeh
  • Publication number: 20170061122
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for determining where to store a version of an object in an isolated environment. In one aspect, a method includes actions of obtaining, from a process running in an isolated environment, a request to access an object and determining a frequency that changes to a version of the object stored in the isolated environment will be mapped back to a version of the object stored in the non-isolated environment. Additional actions include determining, based on the frequency that changes to a version of the object stored in the isolated environment are mapped back to a version of the object stored in the non-isolated environment, whether to store the version of the object in primary memory associated with the isolated environment or secondary memory associated with the isolated environment.
    Type: Application
    Filed: August 24, 2015
    Publication date: March 2, 2017
    Inventor: Amin Hassanzadeh
  • Publication number: 20160357982
    Abstract: In one implementation, a computer-implemented method includes receiving a request to run a particular process; determining whether the particular process is to be run in isolation on the computer system; selecting a particular permission scheme from among a plurality of permission schemes based, at least in part, on one or more characteristics of the particular process; fetching, according to the particular permission scheme, a copy object that corresponds to an actual object for the particular process, wherein the copy object is instantiated in an isolated environment; running the particular process in isolation on the computer system by executing the copy object in the isolated environment; applying, according to the particular permission scheme, one or more changes to the copy object; and mapping, according to the particular permission scheme, the one or more changes in the copy object to the actual object.
    Type: Application
    Filed: August 28, 2015
    Publication date: December 8, 2016
    Inventor: Amin Hassanzadeh