Abstract: A computing system performs real-time mitigations for unfamiliar threat scenarios by identifying a particular threat scenario for a client system that has not previously experienced the threat scenario and for which a remediation process is unknown. The computing system responds to the unknown threat scenario by generating and providing the client system a mitigation file that includes a predictive set of mitigation processes for responding to the threat scenario. The mitigation file is generated by first generating a threat vector that identifies a plurality of different threat scenario characteristics for the particular threat scenario. Then, a classification model is applied to the threat vector to identify a predictive set of mitigation processes that are determined to be a best fit for the threat vector and that are included in the mitigation file.

Abstract: A computing system utilizes crowd sourcing to generate remediation files for systems experiencing alert conditions. During the generation of the remediation files the computing system identifies a plurality of different types of alerts associated with a plurality of different client systems. The computing system also generates a plurality of different client remediation process sets for each type of alert based on a correlation of process proximity and time to the alert conditions and determines which of the plurality of processes are related to the identified alert based on values in a correlation vector. Then, client remediation process sets are created to include the processes that are determined to be related to the identified alert and are clustered together to identify the processes to include in the generated composite remediation file for each type of alert, based on correlations existing between the plurality of different client remediation process sets.

Abstract: Methods, systems, and media are shown for reducing the vulnerability of user accounts to attack that involve creating a rule for a user account that includes a permitted parameter corresponding to a user account activity property, monitoring the account activity of the user account. If it is determined that account activity property is inconsistent with the permitted parameter, then the user account is disabled. An example of a permitted parameter is a permitted time period, such as a start time, an end time, a recurrence definition, a days of the week definition, a start date, an end date, and a number of occurrences definition. Other examples are a physical parameter, such as a permitted geographic location, device, or network, or a permitted usage parameter, such as a permitted application, data access, or domain.

Abstract: A security service utilizes a machine learning model to detect unused open ports. A security agent on client machines tracks the operating executables and the open ports on a machine. A machine learning model is trained for a specific port number using the more commonly-used executables that run on machines having the port opened from a large and diverse population of machines. The model is then used to determine the ports that an executable is likely to be associated with which is then used to determine if a particular machine has an unused open port.

Abstract: An access configuration for an access control manager is generated. Access data including users, resources, and actions the users performed on the resources is received into a matrix. Clusters of the matrix are formed to produce ranges of the users and ranges of the resources having selected permission levels based on the actions. Administrator-modifiable security groups are created based on the ranges of users and administrator-modifiable resources groups based on the ranges of resources.

Abstract: A security configuration for a firewall is generated. Network traffic data, network reputation data, and endpoint protection data are received from a network environment. A reputation score for a network address is generated from the network traffic data and the network reputation data. An endpoint protection configuration is generated from a routine based on the network traffic data and the endpoint protection data. A set of security rules is provided from the endpoint configuration and the reputation score.

Abstract: Methods, systems, and apparatuses are provided for managing an execution of applications in a computing environment. A whitelist list of applications that are permitted to execute in a computing environment is obtained. For one or more of the applications on the whitelist, a temporal rule is assigned that specifies a time period in which the application is permitted to execute in the computing environment. For instance, the temporal rule may be obtained via a user input or may be determined automatically by analyzing an execution history of the application. Applications are permitted to execute in the computing environment during the time period specified by the temporal rule, and are prevented from executing outside of the time period. By restricting the time period in which an application can execute, the overall vulnerability to malware attacks in a computing environment may be reduced.

Abstract: Described technologies automatically detect candidate networks having external nodes which communicate with nodes of a local network; a candidate external network can be identified even when the external nodes are owned by a different entity than the local network's owner. A list of network addresses which communicated with local network nodes is culled to obtain addresses likely to communicate in the future. A graph of local and external nodes is built, and connection strengths are assessed. A candidate network is identified, based on criteria such as connection frequency and duration, domain membership, address stability, address proximity, and others, using cutoff values that are set by default or by user action. The candidate network identification is then utilized as a basis for improved security though virtual private network establishment, improved bandwidth allocation, improved traffic anomaly detection, or network consolidation, for example.

Abstract: A computing system for generating allowed lists of applications for machines is provided. The system, for each machine, identifies a set of executed applications that were executed by that machine. The system then clusters the machines based on similarity between the sets of executed applications so that machines with similar sets are in the same cluster. The system then, for each cluster of machines, creates an allowed list of applications for the cluster that includes the applications in the sets of executed applications of the machines of the cluster. An allowed list for a cluster indicates that only applications in the allowed list are allowed to be executed by a machine in the cluster. The system then distributes the allowed list for a cluster to the machines of that cluster so that the machines execute only applications in the allowed list for their cluster.