Patents by Inventor Daniel Stutz

Daniel Stutz has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240106863
    Abstract: Methods, systems, and computer readable media for network security are described. In some implementations, security tasks and roles can be allocated between an endpoint device and a firewall device based on tag information sent from the endpoint, the tag information including one or more characteristics of a traffic flow, information of resource availability, and/or reputation of a process associated with a traffic flow.
    Type: Application
    Filed: October 9, 2023
    Publication date: March 28, 2024
    Applicant: Sophos Limited
    Inventors: Andy Thomas, Nishit Shah, Daniel Stutz
  • Patent number: 11792228
    Abstract: Methods, systems, and computer readable media for network security are described. In some implementations, security tasks and roles can be allocated between an endpoint device and a firewall device based on tag information sent from the endpoint, the tag information including one or more characteristics of a traffic flow, information of resource availability, and/or reputation of a process associated with a traffic flow.
    Type: Grant
    Filed: January 21, 2021
    Date of Patent: October 17, 2023
    Assignee: Sophos Limited
    Inventors: Andy Thomas, Nishit Shah, Daniel Stutz
  • Patent number: 11722521
    Abstract: A firewall uses information about an application that originates a network request to determine whether and how to forward the request over a network. The firewall may more generally rely on the identity of the originating application, the security state of the originating application, the security state of the endpoint, and any other information that might provide an indication of malicious activity, to make routing and forwarding decisions for endpoint-originated network traffic.
    Type: Grant
    Filed: February 8, 2022
    Date of Patent: August 8, 2023
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Karl Ackerman, James Douglas Bean, Kenneth D. Ray, Daniel Stutz
  • Publication number: 20230208879
    Abstract: Disclosed herein is a technique for detecting potential phishing attacks by monitoring outbound web traffic from an endpoint, along with inbound electronic mail traffic addressed to a user of the endpoint. With this information, a search can be performed for possible sources in the web traffic of a request for a hyperlink located in the inbound mail traffic, and when no source is located, phishing remediation can be performed, including restrictions on access to the hyperlink at an endpoint operated by the user.
    Type: Application
    Filed: March 2, 2023
    Publication date: June 29, 2023
    Inventors: Andrew J. Thomas, Karl Ackerman, James Douglas Bean, Kenneth D. Ray, Daniel Stutz
  • Patent number: 11683350
    Abstract: Methods, systems, and computer readable media for providing and managing security rules and policies are described. In some implementations, a method may include receiving, at a crowdsourcing security policy server, a security policy from a first user account, and providing a crowdsourced security policy user interface including a section corresponding to the security policy configured to make the security policy available for use by other user accounts. The method may also include receiving from one or more of the other user accounts, a security policy rating corresponding to the security policy, and receiving, from one or more of the other user accounts, a user account rating corresponding to the first user account.
    Type: Grant
    Filed: March 29, 2021
    Date of Patent: June 20, 2023
    Assignee: Sophos Limited
    Inventors: Shail Talati, Daniel Stutz, Dirk Bolte
  • Patent number: 11616811
    Abstract: Phishing attacks attempt to solicit valuable information such as personal information, account credentials, and the like from human users by disguising a malicious request for information as a legitimate inquiry, typically in the form of an electronic mail or similar communication. By tracking a combination of outbound web traffic from an endpoint and inbound electronic mail traffic to the endpoint, improved detection of phishing attacks or similar efforts to wrongly obtain sensitive information can be achieved.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: March 28, 2023
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Karl Ackerman, James Douglas Bean, Kenneth D. Ray, Daniel Stutz
  • Patent number: 11616758
    Abstract: A network address translation device or similarly situated network device can cooperate with endpoints on a subnet of an enterprise network to secure endpoints within the subnet. For example, the network address translation device may be configured, either alone or in cooperation with other network devices, to block traffic from a compromised endpoint to destinations outside the subnet, and to direct other endpoints within the subnet to stop network communications with the compromised endpoint.
    Type: Grant
    Filed: April 4, 2018
    Date of Patent: March 28, 2023
    Assignee: Sophos Limited
    Inventors: Moritz Daniel Grimm, Daniel Stutz, Andrew J. Thomas, Kenneth D. Ray
  • Publication number: 20220311804
    Abstract: Methods, systems, and computer readable media for providing and managing security rules and policies are described. In some implementations, a method may include receiving, at a crowdsourcing security policy server, a security policy from a first user account, and providing a crowdsourced security policy user interface including a section corresponding to the security policy configured to make the security policy available for use by other user accounts. The method may also include receiving from one or more of the other user accounts, a security policy rating corresponding to the security policy, and receiving, from one or more of the other user accounts, a user account rating corresponding to the first user account.
    Type: Application
    Filed: March 29, 2021
    Publication date: September 29, 2022
    Applicant: Sophos Limited
    Inventors: Shail Talati, Daniel Stutz, Dirk Bolte
  • Publication number: 20220311805
    Abstract: Methods, systems, and computer readable media for providing and managing security rules and policies are described. In some implementations, a method may include receiving network information corresponding to a first network, and programmatically analyzing the network information. The method may also include programmatically determining one or more security policies from a library of security policies, the programmatically determining based on a result of programmatically analyzing the network information. The method may further include providing a recommendation to a user, wherein the recommendation includes at least one of the one or more security policies.
    Type: Application
    Filed: March 29, 2021
    Publication date: September 29, 2022
    Applicant: Sophos Limited
    Inventors: Shail Talati, Daniel Stutz, Dirk Bolte
  • Publication number: 20220201017
    Abstract: Endpoints and a corresponding switch within a heterogeneous network work cooperatively to respond to notifications of compromise in order to protect the enterprise network. Endpoints self-isolate when a local security agent detects a compromise, and shun a compromised one of the other endpoints in response to a corresponding notification. The switch forwards a notice of compromise from an endpoint to a threat management facility for the enterprise network and prevents communications from a compromised endpoint through the switch in response to receiving a corresponding request from the threat management facility.
    Type: Application
    Filed: March 7, 2022
    Publication date: June 23, 2022
    Inventors: Moritz Daniel Grimm, Daniel Stutz, Andrew J. Thomas, Kenneth D. Ray
  • Publication number: 20220166794
    Abstract: A firewall uses information about an application that originates a network request to determine whether and how to forward the request over a network. The firewall may more generally rely on the identity of the originating application, the security state of the originating application, the security state of the endpoint, and any other information that might provide an indication of malicious activity, to make routing and forwarding decisions for endpoint-originated network traffic.
    Type: Application
    Filed: February 8, 2022
    Publication date: May 26, 2022
    Inventors: Andrew J. Thomas, Karl Ackerman, James Douglas Bean, Kenneth D. Ray, Daniel Stutz
  • Patent number: 11271950
    Abstract: Endpoints within a subnet of a heterogeneous network are configured to cooperatively respond to internal or external notifications of compromise in order to protect the endpoints within the subnet and throughout the enterprise network. For example, each endpoint may be configured to self-isolate when a local security agent detects a compromise, and to shun one of the other endpoints in response to a corresponding notification of compromise in order to prevent the other, compromised endpoint from communicating with other endpoints and further compromising other endpoints either within the subnet or throughout the enterprise network.
    Type: Grant
    Filed: April 4, 2018
    Date of Patent: March 8, 2022
    Assignee: Sophos Limited
    Inventors: Moritz Daniel Grimm, Daniel Stutz, Andrew J. Thomas, Kenneth D. Ray
  • Patent number: 11258821
    Abstract: A firewall uses information about an application that originates a network request to determine whether and how to forward the request over a network. The firewall may more generally rely on the identity of the originating application, the security state of the originating application, the security state of the endpoint, and any other information that might provide an indication of malicious activity, to make routing and forwarding decisions for endpoint-originated network traffic.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: February 22, 2022
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Karl Ackerman, James Douglas Bean, Kenneth D. Ray, Daniel Stutz
  • Patent number: 11184392
    Abstract: Attempts at lateral movement are detected by monitoring failed login attempts across a number of endpoints in a network. By configuring endpoints across the network to report unsuccessful login attempts and monitoring these login attempts at a central location, patterns of attempts and failures may advantageously be detected and used to identify malicious attempts at lateral movement within the network before any unauthorized lateral movement is achieved.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: November 23, 2021
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Daniel Stutz
  • Patent number: 11165797
    Abstract: In the context of network activity by an endpoint in an enterprise network, malware detection is improved by using a combination of reputation information for a network address that is accessed by the endpoint with reputation information for an application on the endpoint that is accessing the network address. This information, when combined with a network usage history for the application, provides improved differentiation between malicious network activity and legitimate, user-initiated network activity.
    Type: Grant
    Filed: April 5, 2017
    Date of Patent: November 2, 2021
    Assignee: Sophos Limited
    Inventors: Karl Ackerman, Mark David Harris, Kenneth D. Ray, Andrew J. Thomas, Daniel Stutz
  • Patent number: 11140195
    Abstract: An endpoint in an enterprise network is configured to respond to internal and external detections of compromise in a manner that permits the endpoint to cooperate with other endpoints to secure the enterprise network. For example, the endpoint may be configured to self-isolate when local monitoring detects a compromise on the endpoint, and to respond to an external notification of compromise of another endpoint by restricting communications with that other endpoint.
    Type: Grant
    Filed: April 4, 2018
    Date of Patent: October 5, 2021
    Assignee: Sophos Limited
    Inventors: Moritz Daniel Grimm, Daniel Stutz, Andrew J. Thomas, Kenneth D. Ray
  • Publication number: 20210234901
    Abstract: Methods, systems, and computer readable media for network security are described. In some implementations, security tasks and roles can be allocated between an endpoint device and a firewall device based on tag information sent from the endpoint, the tag information including one or more characteristics of a traffic flow, information of resource availability, and/or reputation of a process associated with a traffic flow.
    Type: Application
    Filed: January 21, 2021
    Publication date: July 29, 2021
    Applicant: Sophos Limited
    Inventors: Andy Thomas, Nishit Shah, Daniel Stutz
  • Patent number: 10986124
    Abstract: A credential store for an endpoint contains credentials for accessing a remote service. In general, the credentials will not have an ordinary, legitimate use for the endpoint, serving instead to log in to a dedicated trapping service or the like. In the event that the endpoint becomes compromised and an attacker gains access to the credential store, the presentation of the credentials to the remote service can provide an indication of compromise to the endpoint and any suitable remediation may be taken.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: April 20, 2021
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Daniel Stutz
  • Patent number: 10972431
    Abstract: Secure management of an enterprise network is improved by creating a network adapter fingerprint for an endpoint that identifies all of the network adapters for that endpoint. With this information, the location and connectivity of the endpoint can be tracked and managed independent of the manner in which the endpoint is connecting to the enterprise network.
    Type: Grant
    Filed: April 4, 2018
    Date of Patent: April 6, 2021
    Assignee: Sophos Limited
    Inventors: Moritz Daniel Grimm, Daniel Stutz, Andrew J. Thomas, Kenneth D. Ray
  • Patent number: 10862864
    Abstract: Network devices within an enterprise are configured to pass out-of-band security information such as heartbeats, notifications of compromise, device identification information, and so forth between logical or physical network partitions such as subnets, routing domains, access points, and so forth. This technique can advantageously facilitate integrated management of endpoints across network boundaries that might otherwise interfere with the identification and management of specific devices.
    Type: Grant
    Filed: April 4, 2018
    Date of Patent: December 8, 2020
    Assignee: Sophos Limited
    Inventors: Moritz Daniel Grimm, Daniel Stutz, Andrew J. Thomas, Kenneth D. Ray