Abstract: An automated system attempts to characterize code as safe or unsafe. For intermediate code samples not placed with sufficient confidence in either category, human-readable analysis is automatically generated to assist a human reviewer in reaching a final disposition. For example, a random forest over human-interpretable features may be created and used to identify suspicious features in a manner that is understandable to, and actionable by, a human reviewer. Similarly, a k-nearest neighbor algorithm may be used to identify similar samples of known safe and unsafe code based on a model for, e.g., a file path, a URL, an executable, and so forth. Similar code may then be displayed (with other information) to a user for evaluation in a user interface. This comparative information can improve the speed and accuracy of human interventions by providing richer context for human review of potential threats.

Abstract: An endpoint coupled in a communicating relationship with an enterprise network may include a data recorder configured to store an event stream of data indicating events on the endpoint including types of changes to computing objects, a filter configured to locally process the event stream into a filtered event stream including a subset of types of changes to the computing objects, and a local security agent. The local security agent may be configured to transmit the filtered event stream to a threat management facility, respond to a filter adjustment from the threat management facility by adjusting the filter to modify the subset of types of changes included in the filtered event stream, and respond to a query from the threat management facility by retrieving data stored in the data recorder over a time window before the query and excluded from the filtered event stream.

Abstract: Security is improved by adding a security heartbeat for and endpoint as a factor in a multi-factor authentication system. The security heartbeat may be used directly as an authentication factor, e.g., where the heartbeat provides a reliable and verifiable indication of identity, or the security heartbeat may be used as a gating input for some other verification method, e.g., where a text message with a temporary security code can only be transmitted to a user when the user's endpoint is providing a secure heartbeat.

Abstract: An application executing on an endpoint accesses remote resources using a gateway. In response to a requested remote access, the application may be marked with a descriptor that specifies a target action and a pattern of occurrences of the target action. When a second observable action on the endpoint includes the pattern of events following the first observable action, a reportable event may be generated indicating a compromised state of the endpoint. The gateway can then regulate usage of the remote resource based on the reportable event.

Abstract: A firewall uses information about an application that originates a network request to determine whether and how to forward the request over a network. The firewall may more generally rely on the identity of the originating application, the security state of the originating application, the security state of the endpoint, and any other information that might provide an indication of malicious activity, to make routing and forwarding decisions for endpoint-originated network traffic.

Abstract: A threat management facility receives data from a variety of sources such as compute instances within an enterprise network, cloud service providers supporting the enterprise network, and third-party data providers such as geolocation services. In order to facilitate prompt notification of potential risks, the threat management facility may incrementally update data for use in threat assessments as the data becomes available from these different sources, and create suitable alerts or notifications whenever the currently accumulated data provides an indication of threat meeting a predetermined threshold.

Abstract: A threat management facility detects a device on an enterprise network and determines whether the device is one of a set of managed devices for the enterprise network. When the device is not one of the set of managed devices, the threat management facility may selectively direct the device to a portal that provides support to the user of the device while the device awaits admission to the enterprise network. As the user interacts with the portal, the portal may manage admission of unrecognized devices onto the enterprise network while making efficient use of network administrator resources.

Abstract: A method for multi-track environmental fault monitoring for aerial platforms includes estimating a normalized squared residual error (NSRE) for each of one or more satellite-receiver tracks over time. The method also includes determining an averaged NSRE for each satellite-receiver track by averaging the NSRE over multiple time windows. The method further includes performing a threshold test on the averaged NSRE to determine a filter state. In addition, the method includes determining whether to apply a scale factor for each satellite-receiver track based on the filter state.

Abstract: An endpoint in an enterprise network is instrumented with sensors to detect security-related events occurring on the endpoint. Event data from these sensors is augmented with contextual information about, e.g., a source of each event in order to facilitate improved correlation, analysis, and visualization at a threat management facility for the enterprise network.

Abstract: An asynchronous stream of security events is added to a data lake for enterprise security by identifying groups of related events related to a security threat, and creating rules to fold these related events into a single security event along with metadata. The folding rules may then be applied to security events in the event stream to compress data in the data lake and improve detection efficiency.

Abstract: In order to use zero trust network resources distributed across multiple gateways, an agent is deployed on an endpoint of an enterprise network. The agent maps requests for specific applications to corresponding gateways. The agent may also multiplex or otherwise aggregate communications among different network applications and gateways in order to provide seamless, transparent access to the distributed resources at a single endpoint, and/or within a single interface.

Abstract: An event graph can be generated, and, upon malware detection, traversed backward to identify a root cause associated with the malware detection. Using this information, rules for earlier malware detection can be created by analyzing the event graph proximal to the root cause rather than proximal to the malware detection trigger.

Abstract: A threat management facility receives data from a variety of sources such as compute instances within an enterprise network, cloud service providers supporting the enterprise network, and third-party data providers such as geolocation services. In order to facilitate prompt notification of potential risks, the threat management facility may incrementally update data for use in threat assessments as the data becomes available from these different sources, and create suitable alerts or notifications whenever the currently accumulated data provides an indication of threat meeting a predetermined threshold.

Abstract: A platform for threat investigation in an enterprise network receives threat data from managed endpoints, and is augmented with data from cloud computing platforms and other third-party resources. The resulting merged data set can be incrementally updated and used to automatically launch investigations at appropriate times.

Abstract: In embodiments, a framework for an extensible, file-based security system is described for determining an appropriate application, application environment, and/or access or security control measure based at least in part on a file's reputation.

Abstract: A threat management system stores an attack matrix characterizing tactics and techniques, and provides threat detection based on patterns of traversal of the attack matrix. Where the threat management system provides a data lake of security events and a query interface for using the data lake to investigate security issues, useful inferences may also be drawn by comparing query activity in the query interface with the patterns of traversal of the attack matrix, such as by using a malicious pattern of traversal to identify a concurrent chain of queries indicative of a threat, or by presenting separate threat scores to an analyst based on query activity and patterns of traversal.

Abstract: A threat management facility stores a number of entity models that characterize reportable events from one or more entities. A stream of events from compute instances within an enterprise network can then be analyzed using these entity models to detect behavior that is inconsistent or anomalous for one or more of the entities that are currently active within the enterprise network.

Abstract: An event graph associated with a root cause for a change in security state on an endpoint is used to facilitate malware detection on other endpoints.

Abstract: An asynchronous stream of security events is added to a data lake for enterprise security by identifying groups of related events related to a security threat, and creating rules to fold these related events into a single security event along with metadata. The folding rules may then be applied to security events in the event stream to compress data in the data lake and improve detection efficiency.

Abstract: An endpoint coupled in a communicating relationship with an enterprise network may include a data recorder configured to store an event stream of data indicating events on the endpoint including types of changes to computing objects, a filter configured to locally process the event stream into a filtered event stream including a subset of types of changes to the computing objects, and a local security agent. The local security agent may be configured to transmit the filtered event stream to a threat management facility, respond to a filter adjustment from the threat management facility by adjusting the filter to modify the subset of types of changes included in the filtered event stream, and respond to a query from the threat management facility by retrieving data stored in the data recorder over a time window before the query and excluded from the filtered event stream.