Abstract: Systems and methods are provided for quantifying and visualizing an organizations risk, the systems and methods including detecting one or more cybersecurity risk factors associated with an organization to determine a risk posture of the organization, wherein the one or more cybersecurity risk factors include vulnerabilities of Customer-Premises Equipment (CPE) devices associated with employees of the organization; quantifying a risk score of the organization based on the one or more cybersecurity risk factors, wherein the risk score contextualizes a security posture of a network associated with the organization; and communicating display information to a user device associated with the organization, the display information including at least the one or more cybersecurity risk factors, one or more remediation recommendations, and the risk score.

Abstract: Systems and methods include performing inline monitoring of traffic within a network environment; requesting a Uniform Resource Identifier (URI) associated with a request within the traffic; responsive to receiving a URI in a response, identifying one or more similar URIs, the one or more similar URIs being associated with known legitimate network traffic; and determining if the request is one of benign or malicious based on a comparison between the received URI and the one or more similar URIs.

Abstract: Systems and methods for structural similarity based hash for sample identification and detection include, monitoring traffic associated with a cloud-based system; identifying a unique file within the traffic and computing a Structural Similarity Hash (SSHash) for the file, wherein the SSHash is based on auxiliary information and a complexity of the file; identifying one or more similar files based on the SSHash; and defining the file as belonging to one or more groups based on the one or more similar files.

Abstract: Systems and methods for differential dynamic memory scanning include, responsive to execution of a program, performing a baseline memory scan of the program; storing data associated with a plurality of memory regions of the program based on the baseline memory scan; performing one or more subsequent memory scans of the program during execution of the program to determine if one or more of the plurality of memory regions incurred a modification; and monitoring one or more altered memory regions based thereon.

Abstract: Kill-chain reconstruction via machine learning includes, responsive to (1) training one or more machine learning models for kill-chain reconstruction, (2) monitoring one or more users associated with an enterprise, and (3) detecting an incident that is one or more of a threat and a policy violation for a user of the one or more users, identifying a transaction associated with the threat and a policy violation as a seed transaction; retrieving transactions of the user from a preconfigured time window leading up to and occurring after the seed transaction; and reconstructing a kill-chain based on the seed transaction and the time window.

Abstract: Systems and methods are provided for protecting identity information in a directory, such as Active Directory. A method, according to one implementation, include the step of conducting a scan of a directory of a network domain to gain visibility of one or more vulnerabilities of the directory. The one or more vulnerabilities define a potential security risk that would allow an attacker to leverage identity-related information from the directory. The method further includes the step of guiding an administrator regarding management of the directory to reduce the potential security risk. Also, the method includes the step of monitoring the directory for one or more attacks to leverage the identity-related information.

Abstract: Systems and methods include performing inline monitoring of production traffic between users, the Internet, and cloud services via a cloud-based system; utilizing a trained machine learning model to inspect static properties of files in the production traffic; and classifying the traffic as one of malicious or benign based on the trained machine learning model.

Abstract: Cloud-based deception systems and methods with zero trust include hosting a decoy cloud environment for a customer that contains a plurality of decoys and that is hosted and separated from a real environment of the customer; receiving traffic from a user associated with the customer; detecting the traffic is related to accessing a fake asset on a user device associated with the user; rerouting the traffic to the decoy cloud environment; and monitoring activity associated with the fake asset in the decoy cloud environment.

Abstract: Systems and methods are provided for calculating a security risk score. In one implementation, a method includes the step of analyzing a network to assess a license status of the network, where the license status is related to one or more security licenses procured for providing security protection to the network. The method also includes the step of analyzing the network to assess a configuration status of the network, where the configuration status is related to configurations settings of one or more security policies currently operating with respect to the network. Based on the assessed license status and configuration status, the method further includes the step of calculating a security risk score indicating a current level of risk that the network faces against threats, intrusions, cyber-attacks, breaches, and/or data loss.

Abstract: Systems and methods are provided for evaluating the effectiveness of network security tools for mitigating network security risks. According to one implementation, a method includes the step of analyzing a network to measure security parameters associated with the use of one or more network security tools that are configured for mitigating risk with respect to network compromise, data loss, lateral movement, and asset exposure. Based on the measured security parameters, the method further includes the step of quantifying the one or more network security tools to determine an effectiveness score defining an ability of the one or more network security tools, in combination, to counteract the network compromise, data loss, lateral movement, and asset exposure.

Abstract: Systems and methods are provided for performing risk assessment activities and preparing attained risk data for display on one or more user interfaces. In one implementation, a method may include the step of detecting one or more cybersecurity risk factors associated with an organization to determine a risk posture of the organization. The method may further include the step of attaining one or more remediation recommendations for enabling a person associated with the organization to select one or more actions for mitigating the one or more cybersecurity risk factors and improving the risk posture of the organization. Then, the method is configured to communicate display information to a user device associated with the organization, the display information including at least the one or more cybersecurity risk factors and the one or more remediation recommendations to be exhibited on a Graphical User Interface (GUI) of the user device.

Abstract: Systems and methods include performing inline monitoring of production traffic between users, the Internet, and cloud services via a cloud-based system; utilizing a trained machine learning model to inspect static properties of files in the production traffic; and classifying the traffic as one of malicious or benign based on the trained machine learning model.

Abstract: Systems and methods for in-memory malware unpacking and deobfuscation in a sandbox include, responsive to receiving unknown content, scanning an image of the unknown content for packed, obfuscated, or encrypted code; responsive to detecting the packed, obfuscated, or encrypted code performing steps of unpacking, deobfuscating, or decrypting the packed, obfuscated, or encrypted code; executing the unpacked, deobfuscated, or decrypted code; monitoring execution of the unpacked, deobfuscated, or decrypted code; obtaining events during the scanning and the execution; and providing the obtained events to the sandbox for use in a sandbox analysis for classifying the content as one of malware and clean.

Abstract: Computer-implemented systems and methods include receiving unknown content in a cloud-based sandbox; performing an analysis of the unknown content in the cloud-based sandbox, to obtain a score to determine whether or not the unknown content is malware; obtaining events based on the analysis; running one or more rules on the events; and adjusting the score based on a result of the one or more. The systems and methods can include classifying the unknown content as malware or clean based on the adjusted score. The analysis can include a static analysis and a dynamic analysis, with the events generated based thereon.

Abstract: Systems and methods of sandboxing a file include responsive to receiving a file associated with a user, obtaining policy for the user; analyzing the file with a machine learning model; and based on a combination of the policy for the user and a verdict of the machine learning model, one of quarantining the file for analysis in a sandbox and allowing the file to the user. The present disclosure presents a smart quarantine with a goal of minimizing the number of files quarantined, the number of malicious files passed through to an end user, and a number of files scanned by a sandbox.

Abstract: Breach prediction via machine learning includes, responsive to (1) training one or more machine learning models in a breach prediction engine, (2) monitoring one or more users associated with an enterprise, and (3) detecting an incident that is one or more of a threat and a policy violation for a first user of the one or more users, analyzing details related to the incident with the breach prediction engine; displaying a breach prediction likelihood score for the enterprise based on the analyzing; and providing one or more recommendations for the enterprise based on the incident and the analyzing.

Abstract: Systems and methods include receiving network transaction data for a plurality of users monitored by a cloud-based system; creating a relationship graph based on the plurality of user's recent network transactions for a time period, wherein the relationship graph includes vertices for domains and edges for transactions by users between the domains having some number of transaction in the time period; and analyzing the relationship graph to detect previously undetected suspicious anomalies. The weights on each edge are based on a relationship between two domains where the relationship includes any of malware, Internet Protocol (IP) addresses, Autonomous System Number (ASN), registration, and redirects.

Abstract: Systems and methods include determining a plurality of features associated with executable files, wherein the plurality of features are each based on static properties in predefined structure of the executable files; obtaining training data that includes samples of benign executable files and malicious executable files; extracting the plurality of features from the training data; and utilizing the extracted plurality of features to train a machine learning model to detect malicious executable files.

Abstract: Systems and methods include receiving a list of web sites; anonymously browsing to each web site in the list; receiving a response based on the browsing; and analyzing the response to classify each web site as malicious or not based on a plurality of techniques including JavaScript (JS) obfuscation detection based on de-obfuscation. The systems and methods can further include providing a blacklist of web sites classified as malicious. The systems and methods can further include determining the list of web sites periodically based on a plurality of factors. The JS obfuscation detection can be performed by de-obfuscating JS content and utilizing heuristics to determine if the de-obfuscated JS content is malicious, and the heuristics can include a presence of any of a new JS function and a domain in the de-obfuscated JS content.

Abstract: Systems and methods include obtaining a file associated with a user for processing; utilizing a combination of policy for the user and machine learning to determine whether to i) quarantine the file and scan the file in a sandbox, ii) allow the file to the user and scan the file in the sandbox, and iii) allow the file to the user without the scan; responsive to the quarantine of the file and the sandbox determining the file is malicious, blocking the file; and, responsive to the quarantine of the file and the sandbox determining the file is benign, allowing the file.