Patents by Inventor Jack Stockdale
Jack Stockdale has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12223046
Abstract: Disclosed herein is a method for detection of a cyber-threat to a computer system. The method is arranged to be performed by a processing apparatus. The method comprises receiving input data associated with a first entity associated with the computer system, deriving metrics from the input data, the metrics representative of characteristics of the received input data, analysing the metrics using one or more models, and determining, in accordance with the analysed metrics and a model of normal behavior of the first entity, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat. A computer readable medium, a computer program and a threat detection system are also disclosed.
Type: Grant
Filed: October 12, 2022
Date of Patent: February 11, 2025
Assignee: Darktrace Holdings Limited
Inventors: Jack Stockdale, Alex Markham
-
Publication number: 20250030730
Abstract: An apparatus comprises a cyber threat autonomous response engine configured to control connectivity between a first computing device and a second computing device and take one or more actions to mitigate a cyber threat. The cyber threat autonomous response engine is configured to determine that a connection between a first computing device and a second computing device needs to be modified. The cyber threat autonomous response engine is further configured to identify an indicator in a message transmitted via the connection in accordance with a communication protocol. The cyber threat autonomous response engine is further configured to determine, based on the indicator and knowledge about a previously observed sequence of messages communicated between the first computing device and the second computing device in accordance with the communication protocol, a plurality of triggers to be sent to one or both of the first computing device and the second computing device to modify the connection.
Type: Application
Filed: July 19, 2024
Publication date: January 23, 2025
Inventors: Guy Howlett, Jack Stockdale
-
Publication number: 20250023897
Abstract: Disclosed herein is a method for use in detection of anomalous behavior of a device of a computer system. The method is arranged to be performed by a processing system. The method includes deriving values, m1, ..., mN, of a metric, M, representative of data associated with the device; modeling a distribution of the values; and determining, in accordance with the distribution of the values, the probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability is used to determine whether the device is behaving anomalously.
Type: Application
Filed: September 27, 2024
Publication date: January 16, 2025
Inventors: Tom Dean, Jack Stockdale
-
Publication number: 20240406195
Abstract: In an embodiment, an apparatus is described. The apparatus comprises an appliance extension configured to perform functions with i) a monitoring module configured to monitor metrics and receive alerts regarding potential cyber threats on a system including an email system, ii) an investigative module configured to retrieve the metrics and alerts, and iii) a remote response module configured to observe the metrics and alerts and send one or more control signals to an autonomous response module to take one or more actions to counter one or more detected cyber threats on the system remotely from the appliance extension.
Type: Application
Filed: May 30, 2024
Publication date: December 5, 2024
Inventors: David Sansom, Jack Stockdale, Matthew Dunn, Stephen Pickman, Constance Stride, William Hodkinson
-
Publication number: 20240372889
Abstract: An expert interface component can automatically connect a system user with a system support expert. A user interface module can present a threat-tracking graphical user interface and a query interface component integrated into the threat-tracking graphical user interface to a system user belonging to a client team to review a potential cyber threat and receive a query for assistance. The query interface component can allow the system user to digitally grab a visual data container displaying information and containing a data object. The query interface component can collect the visual data container from the threat-tracking graphical user interface into a collection window of the query interface component. A communication module provides an incident ticket containing the query and the visual data container to a system support expert at a remote platform.
Type: Application
Filed: January 17, 2024
Publication date: November 7, 2024
Inventors: Michael Beck, Jack Stockdale
-
Patent number: 12126636
Abstract: Disclosed herein is a method for use in detection of anomalous behavior of a device of a computer system. The method is arranged to be performed by a processing system. The method includes deriving values, m1, ..., mN, of a metric, M, representative of data associated with the device; modeling a distribution of the values; and determining, in accordance with the distribution of the values, the probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability is used to determine whether the device is behaving anomalously. Also disclosed is an equivalent computer readable medium and anomalous behavior detection system.
Type: Grant
Filed: December 29, 2020
Date of Patent: October 22, 2024
Assignee: Darktrace Holdings Limited
Inventors: Tom Dean, Jack Stockdale
-
Publication number: 20240073242
Abstract: A cyber security appliance has one or more modules to interact with entities in an operational technology network and potentially in an informational technology network. The operational technology module can reference various machine-learning models trained on a normal pattern of life of users, devices, and/or controllers of the operational technology network. A comparator module cooperates with the operational technology module to compare the received data on the operational technology network to the normal pattern of life of any of the users, devices, and controllers to detect anomalies in the normal pattern of life for these entities in order to detect a cyber threat. An autonomous response module can be programmed to respond to counter the detected cyber threat.
Type: Application
Filed: November 6, 2023
Publication date: February 29, 2024
Inventors: Simon Fellows, Jack Stockdale
-
Patent number: 11902321
Abstract: An expert interface component can automatically connect a system user with a system support expert. A user interface module can present a threat-tracking graphical user interface and a query interface component integrated into the threat-tracking graphical user interface to a system user belonging to a client team to review a potential cyber threat and receive a query for assistance. The query interface component can allow the system user to digitally grab a visual data container displaying information and containing a data object. The query interface component can collect the visual data container from the threat-tracking graphical user interface into a collection window of the query interface component. A communication module provides an incident ticket containing the query and the visual data container to a system support expert at a remote platform.
Type: Grant
Filed: May 16, 2022
Date of Patent: February 13, 2024
Assignee: Darktrace Holdings Limited
Inventors: Michael Beck, Jack Stockdale
-
Publication number: 20240022595
Abstract: A cyber threat defense system can leverage identifying threats by spotting deviations from normal behavior to create a system-wide inoculation regimen. The cyber threat defense system can have a comparison module to execute a comparison of input data for a network entity to at least one machine-learning model of a generic network entity using a normal behavior benchmark to spot behavior deviating from normal benign behavior. The comparison module can identify whether the network entity is in a breach state. The cyber threat defense system can have a cyber threat module to identify whether the breach state and a chain of relevant behavioral parameters correspond to a cyber threat. The cyber threat defense system can have an inoculation module to send an inoculation notice to warn of a potential cyber threat to a target device.
Type: Application
Filed: September 26, 2023
Publication date: January 18, 2024
Inventors: Dickon Humphrey, Matthew Bispham, Jack Stockdale
-
Patent number: 11843628
Abstract: A cyber security appliance has one or more modules to interact with entities in an operational technology network and potentially in an informational technology network. The operational technology module can reference various machine-learning models trained on a normal pattern of life of users, devices, and/or controllers of the operational technology network. A comparator module cooperates with the operational technology module to compare the received data on the operational technology network to the normal pattern of life of any of the users, devices, and controllers to detect anomalies in the normal pattern of life for these entities in order to detect a cyber threat. An autonomous response module can be programmed to respond to counter the detected cyber threat.
Type: Grant
Filed: February 19, 2019
Date of Patent: December 12, 2023
Assignee: Darktrace Holdings Limited
Inventors: Simon Fellows, Jack Stockdale
-
Patent number: 11799898
Abstract: A cyber threat defense system can leverage identifying threats by spotting deviations from normal behavior to create a system-wide inoculation regimen. The cyber threat defense system can have a comparison module to execute a comparison of input data for a network entity to at least one machine-learning model of a generic network entity using a normal behavior benchmark to spot behavior deviating from normal benign behavior. The comparison module can identify whether the network entity is in a breach state. The cyber threat defense system can have a cyber threat module to identify whether the breach state and a chain of relevant behavioral parameters correspond to a cyber threat. The cyber threat defense system can have an inoculation module to send an inoculation notice to warn of a potential cyber threat to a target device.
Type: Grant
Filed: February 19, 2019
Date of Patent: October 24, 2023
Assignee: Darktrace Holdings Limited
Inventors: Dickon Humphrey, Matthew Bispham, Jack Stockdale
-
Publication number: 20230239318
Abstract: A cyber security restoration engine takes one or more autonomous remediation actions to remediate one or more nodes in a graph of a system being protected back to a trusted operational state in order to assist in a recovery from the cyber threat. The cyber security restoration engine has a tracking component the operational state of each node in the graph of the protected system. The communication module also cooperates with the cyber security restoration engine to communicate with at least one of an external backup system and a recovery service to invoke backup remediation actions and/or recovery remediation actions to remediate one or more nodes potentially compromised by the cyber threat back to a trusted operational state, for example the state before the detected compromise by the cyber threat occurred in the protected system.
Type: Application
Filed: November 21, 2022
Publication date: July 27, 2023
Applicant: Darktrace Holdings Limited
Inventors: Simon Fellows, Jack Stockdale, Matt Dunn
-
Patent number: 11693964
Abstract: Disclosed herein is a method for detection of a cyber-threat to a computer system. The method is arranged to be performed by a processing apparatus. The method comprises receiving input data associated with a first entity associated with the computer system, deriving metrics from the input data, the metrics representative of characteristics of the received input data, analysing the metrics using one or more models, and determining, in accordance with the analysed metrics and a model of normal behavior of the first entity, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat. A computer readable medium, a computer program and a threat detection system are also disclosed.
Type: Grant
Filed: January 5, 2021
Date of Patent: July 4, 2023
Assignee: Darktrace Holdings Limited
Inventors: Jack Stockdale, Alex Markham
-
Publication number: 20230080471
Abstract: The endpoint agent detects a cyber threat on an end-point computing device. The endpoint agent on the computing device has a communications module that communicates with a cyber defense appliance. A collections module monitors and collects pattern of life data on processes executing on the end-point computing-device and users of the end-point computing-device. The communications module sends the pattern of life data to the cyber defense appliance installed on a network. The cyber defense appliance at least contains one or more machine-learning models to analyze the pattern of life data for each endpoint agent connected to that cyber defense appliance. The endpoint agent and the cyber defense appliance may trigger one or more actions to be autonomously taken to contain a detected cyber threat when a cyber-threat risk score is indicative of a likelihood of a cyber-threat is equal to or above an actionable threshold.
Type: Application
Filed: October 14, 2022
Publication date: March 16, 2023
Applicant: Darktrace Holdings Limited
Inventors: Thomas Jenkinson, David Sansom, Maximillian Heinemeyer, Jack Stockdale
-
Publication number: 20230042552
Abstract: Disclosed herein is a method for detection of a cyber-threat to a computer system. The method is arranged to be performed by a processing apparatus. The method comprises receiving input data associated with a first entity associated with the computer system, deriving metrics from the input data, the metrics representative of characteristics of the received input data, analysing the metrics using one or more models, and determining, in accordance with the analysed metrics and a model of normal behavior of the first entity, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat. A computer readable medium, a computer program and a threat detection system are also disclosed.
Type: Application
Filed: October 12, 2022
Publication date: February 9, 2023
Applicant: Darktrace Holdings Limited
Inventors: Jack Stockdale, Alex Markham
-
Patent number: 11546359
Abstract: Embodiments of a cyber threat defense system protects a system from cyber threats with the following operations: Identifying unusual patterns of behavior within the plotted individual alerts and/or events in the multiple dimension space; Clustering the individual alerts and events that form the unusual pattern into a distinct item for cyber threat analysis of that cluster of distinct alerts and/or events; Applying machine learning models to infer for the cyber threat analysis what is possibly happening with the distinct item of the cluster, which came from the unusual pattern, and then assign a threat risk associated with that distinct item of the cluster; and Projecting on a user interface, based on the analysis by the one or more machine learning models, the assigned threat risk associated with that distinct item of the cluster of alerts and/or events forming the unusual pattern.
Type: Grant
Filed: February 19, 2019
Date of Patent: January 3, 2023
Assignee: Darktrace Holdings Limited
Inventors: Jack Stockdale, David Palmer
-
Publication number: 20220353286
Abstract: An analyzer module forms a hypothesis on what are a possible set of cyber threats that could include the identified abnormal behavior and/or suspicious activity with AI models trained with machine learning on possible cyber threats. The Analyzer analyzes a collection of system data, including metric data, to support or refute each of the possible cyber threat hypotheses that could include the identified abnormal behavior and/or suspicious activity data with the AI models. A formatting and ranking module outputs supported possible cyber threat hypotheses into a formalized report that is presented in 1) printable report, 2) presented digitally on a user interface, or 3) both.
Type: Application
Filed: May 16, 2022
Publication date: November 3, 2022
Inventors: Timothy Bazalgette, Dickon Humphrey, Carl Salji, Jack Stockdale
-
Publication number: 20220337612
Abstract: An expert interface component can automatically connect a system user with a system support expert. A user interface module can present a threat-tracking graphical user interface and a query interface component integrated into the threat-tracking graphical user interface to a system user belonging to a client team to review a potential cyber threat and receive a query for assistance. The query interface component can allow the system user to digitally grab a visual data container displaying information and containing a data object. The query interface component can collect the visual data container from the threat-tracking graphical user interface into a collection window of the query interface component. A communication module provides an incident ticket containing the query and the visual data container to a system support expert at a remote platform.
Type: Application
Filed: May 16, 2022
Publication date: October 20, 2022
Inventors: Michael Beck, Jack Stockdale
-
Patent number: 11477219
Abstract: The endpoint agent detects a cyber threat on an end-point computing device. The endpoint agent on the computing device has a communications module that communicates with a cyber defense appliance. A collections module monitors and collects pattern of life data on processes executing on the end-point computing-device and users of the end-point computing-device. The communications module sends the pattern of life data to the cyber defense appliance installed on a network. The cyber defense appliance at least contains one or more machine-learning models to analyze the pattern of life data for each endpoint agent connected to that cyber defense appliance. The endpoint agent and the cyber defense appliance may trigger one or more actions to be autonomously taken to contain a detected cyber threat when a cyber-threat risk score is indicative of a likelihood of a cyber-threat is equal to or above an actionable threshold.
Type: Grant
Filed: February 19, 2019
Date of Patent: October 18, 2022
Assignee: Darktrace Holdings Limited
Inventors: Thomas Jenkinson, David Sansom, Maximilian Heinemeyer, Jack Stockdale
-
Patent number: 11470103
Abstract: Disclosed herein is a method for use in detection of anomalous behavior of a device of a computer system. The method is arranged to be performed by a processing system. The method includes deriving values, m1, ..., mN, of a metric, M, representative of data associated with the device; modeling a distribution of the values; and determining, in accordance with the distribution of the values, the probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability is used to determine whether the device is behaving anomalously. Also disclosed is an equivalent computer readable medium and anomalous behavior detection system.
Type: Grant
Filed: May 19, 2020
Date of Patent: October 11, 2022
Assignee: Darktrace Holdings Limited
Inventors: Tom Dean, Jack Stockdale