Abstract: In an example, a method is described. The method comprises receiving identifying information associated with an occurrence of an activity within a computing network. The method further comprises receiving an indication of a sequence value generated by a sequence function that iterates the sequence value in response to a metric associated with activity of the computing network triggering iteration of the sequence value. The method further comprises producing a data element representative of the identifying information by using the indicated sequence value as an input to a transformation function for at least partially concealing the identifying information when producing the data element.

Abstract: Examples associated with ransomware attack monitoring are described herein. One example includes a monitor module to monitor files stored on the system for sequences of file accesses that match a predefined pattern of file accesses. An investigation module is activated based on a sequence of file accesses that match the predefined pattern. The investigation module logs actions taken by processes to modify files. A reaction module pauses a set of processes operating on the system based on the logging performed by the investigation module, and resumes legitimate processes.

Abstract: There is disclosed a method, computer program product and a system for regulating execution of a suspicious process, comprising determining a file system location of an executable file associated with the suspicious process, encrypting the file, and creating a wrapper for the file with the same file name and location as the file associated with the suspicious process.

Abstract: In some examples, a method for data management, the method comprises booting a trusted diskless operating system image via a device firmware component, accessing a non-volatile storage of the device using the trusted diskless operating system image; and retrieving user data from the non-volatile storage of the device, and/or writing user data received from a remote location to the non-volatile storage of the device.

Abstract: In some example, a method for accessing a cryptographic recovery key of an encryption system of a device comprises mapping a device identity received at a key management system to a recovery key stored in the key management system, specifying at least one device-related operation to which the recovery key is linked, generating an encrypted message for the device, the encrypted message comprising the recovery key, and transmitting the encrypted message and a signed message to the device.

Abstract: In some examples, a method for performing an out-of-band security inspection of a device comprises generating a snapshot of the state of the device, storing data representing the snapshot to a non-volatile storage of the device, and storing a hash of the snapshot in a device BIOS, transitioning the power state of the device, triggering boot of a trusted diskless operating system image, providing the data representing the snapshot and the hash of the snapshot to the trusted diskless operating system image, and executing a script selected on the basis of a trigger event and the hash of the snapshot to analyse at least a portion of the non-volatile storage of the device.

Abstract: In an example, a method includes determining an operating environment of a device based on sensor data from a sensor of the device that senses surroundings of the device. Access to a resource may be controlled based on the operating environment and a status of a security feature of the device.

Abstract: Examples associated with user authentication are described. One example system includes a set of authentication modules. A data store stores data describing disruption ratings of members of the set of authentication modules. A user confidence module maintains a confidence rating that a current user of a device is an authenticated user of the device. The confidence module controls execution of the authentication modules based on the confidence rating and on the disruption ratings of the authentication modules. The user confidence module controls execution of relatively less disruptive authentication modules when the user confidence module is confident that the current user of the device is the authenticated user of the device. The user confidence module maintains the confidence rating based on feedback received from authentication modules.

Abstract: In examples, there is provided a method for modifying a data item from a source apparatus, the data item associated with an event, in which the method comprises, within a trusted environment, parsing the data item to generate a set of tuples relating to the event and/or associated with the source apparatus, each tuple comprising a data item, and a data identifier related to the data item, applying a rule to a first tuple to pseudonymise a first data item to provide a transformed data item, and/or generate a contextual supplement to the first data item, generating a mapping between the transformed data item and the first data item, whereby to provide a link between the transformed data item and the first data item to enable subsequent resolution of the first data item using the transformed data item, and forwarding the transformed data item and the data identifier related to the first data item to an analytics engine situated logically outside of the trusted environment.

Abstract: Examples associated with ransomware attack monitoring are described herein. One example includes a monitor module to monitor files stored on the system for sequences of file accesses that match a predefined pattern of file accesses. An investigation module is activated based on a sequence of file accesses that match the predefined pattern. The investigation module logs actions taken by processes to modify files. A reaction module pauses a set of processes operating on the system based on the logging performed by the investigation module, and resumes legitimate processes.

Abstract: Apparatus and methods to process received results of an analytical process performed on first external data at a first computer at a server, to obtain sensitizing data; and provide the sensitizing data from the server to a second computer for use in performing a sensitized analytical process on second external data received at the second computer.

Abstract: A non-transitory machine-readable storage medium encoded with instructions executable with a processor is described. The instructions comprise instructions to determine whether a received data item is required by an analytic process to make a determination; and instructions to, in response to determining that the received data item is required by the analytic process, store the received data item in a pre-analytic store.

Abstract: In an example, a machine-readable medium includes instructions that, when executed by a processor, cause the processor to order, as part of an execution of a trusted process, a plurality of processes into a sequence comprising a first process, at least one intermediate process, and a last process. The machine-readable medium may further comprise instruction to cause the processor to generate, as part of an execution of the first process, a value based on a code portion of the process following the first process in the sequence, and to generate, as part of an execution of each intermediate process, a respective value based on the value generated by the process preceding the intermediate process in the sequence and based on a code portion associated with the process following the intermediate process in the sequence.

Abstract: Examples associated with ransomware attack monitoring are described. One example includes a monitor module to monitor files stored on the system for sequences of file accesses that match a predefined pattern of file accesses. An investigation module is activated when a number of sequences of file accesses that match the predefined pattern exceeds a first threshold. The investigation module logs actions taken by processes to modify files. A reaction module pauses a set of processes operating on the system when the number of sequences of file accesses that match the predefined pattern exceeds a second threshold. The reaction module then identifies processes associated with a suspected ransomware attack based on the logging performed by the investigation module, and resumes legitimate processes.

Abstract: Examples associated with user authentication are described. One example system includes a set of authentication modules. A data store stores data describing disruption ratings of members of the set of authentication modules. A user confidence module maintains a confidence rating that a current user of a device is an authenticated user of the device. The confidence module controls execution of the authentication modules based on the confidence rating and on the disruption ratings of the authentication modules. The user confidence module controls execution of relatively less disruptive authentication modules when the user confidence module is confident that the current user of the device is the authenticated user of the device. The user confidence module maintains the confidence rating based on feedback received from authentication modules.

Abstract: In an example, there is provided a method for tracking domain name server (DNS) requests, wherein the method comprises determining whether a DNS request has resolved; and for each non-resolving DNS request decomposing the domain name of the request into multiple components, determining, for each component, a value of a metric representing the occurrence of the component in a corpus, generating a scaling factor for the request on the basis of the values for each component, and incrementing a count of the total number of non-resolving DNS requests by a scaled value on the basis of the scaling factor.

Abstract: In an example, a method includes monitoring, by at least one processor, a computing system. An alert related to the computing system may be generated based on a threshold value. An analysts handling of the alert may be monitored and, based on the analysts handling of the alert, the threshold value for generating alerts may be adjusted.

Abstract: A method for address resolution request control in a network device of a network, the method comprises comparing address resolution requests submitted to network nodes from the network device against a predetermined threshold profile for the network device, and regulating a flow of address resolution requests from the network device in response to the comparison.

Abstract: There is disclosed a method, computer program product and a system for regulating execution of a suspicious process, comprising determining a file system location of an executable file associated with the suspicious process, encrypting the file, and creating a wrapper for the file with the same file name and location as the file associated with the suspicious process.

Abstract: In an example, a method includes determining an operating environment of a device based on sensor data from a sensor of the device that senses surroundings of the device. Access to a resource may be controlled based on the operating environment and a status of a security feature of the device.