Abstract: Systems and methods are provided for evaluating the effectiveness of network security tools for mitigating network security risks. According to one implementation, a method includes the step of analyzing a network to measure security parameters associated with the use of one or more network security tools that are configured for mitigating risk with respect to network compromise, data loss, lateral movement, and asset exposure. Based on the measured security parameters, the method further includes the step of quantifying the one or more network security tools to determine an effectiveness score defining an ability of the one or more network security tools, in combination, to counteract the network compromise, data loss, lateral movement, and asset exposure.

Abstract: Systems and methods are provided for performing risk assessment activities and preparing attained risk data for display on one or more user interfaces. In one implementation, a method may include the step of detecting one or more cybersecurity risk factors associated with an organization to determine a risk posture of the organization. The method may further include the step of attaining one or more remediation recommendations for enabling a person associated with the organization to select one or more actions for mitigating the one or more cybersecurity risk factors and improving the risk posture of the organization. Then, the method is configured to communicate display information to a user device associated with the organization, the display information including at least the one or more cybersecurity risk factors and the one or more remediation recommendations to be exhibited on a Graphical User Interface (GUI) of the user device.

Abstract: Systems and methods for in-memory malware unpacking and deobfuscation in a sandbox include, responsive to receiving unknown content, scanning an image of the unknown content for packed, obfuscated, or encrypted code; responsive to detecting the packed, obfuscated, or encrypted code performing steps of unpacking, deobfuscating, or decrypting the packed, obfuscated, or encrypted code; executing the unpacked, deobfuscated, or decrypted code; monitoring execution of the unpacked, deobfuscated, or decrypted code; obtaining events during the scanning and the execution; and providing the obtained events to the sandbox for use in a sandbox analysis for classifying the content as one of malware and clean.

Abstract: Systems and methods include performing inline monitoring of production traffic between users, the Internet, and cloud services via a cloud-based system; utilizing a trained machine learning model to inspect static properties of files in the production traffic; and classifying the traffic as one of malicious or benign based on the trained machine learning model.

Abstract: Computer-implemented systems and methods include receiving unknown content in a cloud-based sandbox; performing an analysis of the unknown content in the cloud-based sandbox, to obtain a score to determine whether or not the unknown content is malware; obtaining events based on the analysis; running one or more rules on the events; and adjusting the score based on a result of the one or more. The systems and methods can include classifying the unknown content as malware or clean based on the adjusted score. The analysis can include a static analysis and a dynamic analysis, with the events generated based thereon.

Abstract: Systems and methods of sandboxing a file include responsive to receiving a file associated with a user, obtaining policy for the user; analyzing the file with a machine learning model; and based on a combination of the policy for the user and a verdict of the machine learning model, one of quarantining the file for analysis in a sandbox and allowing the file to the user. The present disclosure presents a smart quarantine with a goal of minimizing the number of files quarantined, the number of malicious files passed through to an end user, and a number of files scanned by a sandbox.

Abstract: Breach prediction via machine learning includes, responsive to (1) training one or more machine learning models in a breach prediction engine, (2) monitoring one or more users associated with an enterprise, and (3) detecting an incident that is one or more of a threat and a policy violation for a first user of the one or more users, analyzing details related to the incident with the breach prediction engine; displaying a breach prediction likelihood score for the enterprise based on the analyzing; and providing one or more recommendations for the enterprise based on the incident and the analyzing.

Abstract: Systems and methods include receiving network transaction data for a plurality of users monitored by a cloud-based system; creating a relationship graph based on the plurality of user's recent network transactions for a time period, wherein the relationship graph includes vertices for domains and edges for transactions by users between the domains having some number of transaction in the time period; and analyzing the relationship graph to detect previously undetected suspicious anomalies. The weights on each edge are based on a relationship between two domains where the relationship includes any of malware, Internet Protocol (IP) addresses, Autonomous System Number (ASN), registration, and redirects.

Abstract: Systems and methods include determining a plurality of features associated with executable files, wherein the plurality of features are each based on static properties in predefined structure of the executable files; obtaining training data that includes samples of benign executable files and malicious executable files; extracting the plurality of features from the training data; and utilizing the extracted plurality of features to train a machine learning model to detect malicious executable files.

Abstract: Systems and methods include receiving a list of web sites; anonymously browsing to each web site in the list; receiving a response based on the browsing; and analyzing the response to classify each web site as malicious or not based on a plurality of techniques including JavaScript (JS) obfuscation detection based on de-obfuscation. The systems and methods can further include providing a blacklist of web sites classified as malicious. The systems and methods can further include determining the list of web sites periodically based on a plurality of factors. The JS obfuscation detection can be performed by de-obfuscating JS content and utilizing heuristics to determine if the de-obfuscated JS content is malicious, and the heuristics can include a presence of any of a new JS function and a domain in the de-obfuscated JS content.

Abstract: Systems and methods include obtaining a file associated with a user for processing; utilizing a combination of policy for the user and machine learning to determine whether to i) quarantine the file and scan the file in a sandbox, ii) allow the file to the user and scan the file in the sandbox, and iii) allow the file to the user without the scan; responsive to the quarantine of the file and the sandbox determining the file is malicious, blocking the file; and, responsive to the quarantine of the file and the sandbox determining the file is benign, allowing the file.

Abstract: Systems and methods include obtaining data from a log system storing historical transactions monitored by a security system; creating one or more mock transactions based on the data; and analyzing the one or more mock transactions with a signature pattern matching engine having updates provided therein subsequent to a time of the historical transactions. The one or more mock transactions can have a header based on the data from corresponding historical transactions. The systems and methods can include performing a content scan in the one or more mock transactions based on the signature pattern matching engine having the updates, or determining malicious activity in the one or more mock transactions based on the signature pattern matching engine having the updates to determine missed matches in the corresponding historical transactions.

Abstract: Systems and methods include, based on monitoring of content including Office documents, determining distribution of malicious Office documents between documents having malicious macros and documents having malicious embedded objects; determining features for the documents having malicious macros and for the documents having malicious embedded objects; selecting training data for a machine learning model based on the distribution and the features; and training the machine learning model with the selected training data.

Abstract: Systems and methods include determining a plurality of features associated with executable files, wherein the plurality of features are each based on static properties in predefined structure of the executable files; obtaining training data that includes samples of benign executable files and malicious executable files; extracting the plurality of features from the training data; and utilizing the extracted plurality of features to train a machine learning model to detect malicious executable files.

Abstract: Systems and methods include obtaining a Uniform Resource Locator (URL) for a site on the Internet; analyzing the URL with a Machine Learning (ML) model to determine whether or not the site is suspicious for phishing; responsive to the URL being suspicious for phishing, loading the site to determine whether or not an associated brand of the site is legitimate or not; and, responsive to the site being not legitimate for the brand, categorizing the URL for phishing and performing a first action based thereon. The systems and methods can further include, responsive to the URL being not suspicious for phishing or the site being legitimate for the brand, categorizing the URL as legitimate and performing a second action based thereon.

Abstract: Systems and methods include receiving a domain for a determination of a likelihood the domain is a command and control site; analyzing the domain with an ensemble of a plurality of trained machine learning models including a Uniform Resource Locator (URL) model that analyzes lexical features of a hostname of the domain and an artifact model that analyzes content features of a webpage associated with the domain; and combining results of the ensemble to predict the likelihood the domain is a command and control site.

Abstract: Systems and methods include receiving a domain for a determination of a likelihood the domain is malicious or benign; obtaining data associated with the domain including log data from a cloud-based system that performs monitoring of a plurality of users; analyzing the domain with a plurality of components to assess the likelihood, wherein at least one of the plurality of components is a trained machine learning model; and combining results of the plurality of components to predict the likelihood the domain is malicious or benign.

Abstract: Systems and methods include, responsive to starting a plurality of listener modules, receiving a Uniform Resource Locator (URL) for a site on the Internet into a database; loading the URL; receiving artifacts based on the loading; using the plurality of listener modules to run rules based on the received artifacts; scoring the URL based on the rules and the received artifacts; and determining whether the URL is one of benign, suspicious, or malicious based on the scoring. The steps can include any of blocking the URL, allowing the URL, further analyzing the URL, adding the URL to a whitelist or blacklist, and providing a notification, based on whether the URL is benign, suspicious, or malicious.

Abstract: Computer-implemented systems and methods include receiving unknown content in a cloud-based sandbox; performing an analysis of the unknown content in the cloud-based sandbox, to obtain a score to determine whether or not the unknown content is malware; obtaining events based on the analysis; running one or more rules on the events; and adjusting the score based on a result of the one or more. The systems and methods can include classifying the unknown content as malware or clean based on the adjusted score. The analysis can include a static analysis and a dynamic analysis, with the events generated based thereon.

Abstract: Systems and methods include receiving a list of web sites; anonymously browsing to each web site in the list; receiving a response based on the browsing; and analyzing the response to classify each web site as malicious or not based on a plurality of techniques including JavaScript (JS) obfuscation detection based on de-obfuscation. The systems and methods can further include providing a blacklist of web sites classified as malicious. The systems and methods can further include determining the list of web sites periodically based on a plurality of factors. The JS obfuscation detection can be performed by de-obfuscating JS content and utilizing heuristics to determine if the de-obfuscated JS content is malicious, and the heuristics can include a presence of any of a new JS function and a domain in the de-obfuscated JS content.