Abstract: A computing system performs adaptive clustering of machines (e.g., computing devices) and/or machine users in an organization for attack surface reduction (ASR) responsively to event feedback including system-based exclusion events and user-based requests for exclusion. The cluster adaptation may be applied to conventional vector-quantization clustering algorithms, for example K-Means, expectation-maximization (EM) clustering, or affinity clustering, to provide adaptable clusters of machines or users. The adaptation enables aggregation or disaggregation of endpoints into clusters to minimize negative business impacts on the organization while maximizing security in view of changes in the organization that occur dynamically such as varying roles for users, new applications and updates being released, and the like.

Abstract: A computing system performs adaptive clustering of machines (e.g., computing devices) and/or machine users in an organization for attack surface reduction (ASR) responsively to event feedback including system-based exclusion events and user-based requests for exclusion. The cluster adaptation may be applied to conventional vector-quantization clustering algorithms, for example K-Means, expectation-maximization (EM) clustering, or affinity clustering, to provide adaptable clusters of machines or users. The adaptation enables aggregation or disaggregation of endpoints into clusters to minimize negative business impacts on the organization while maximizing security in view of changes in the organization that occur dynamically such as varying roles for users, new applications and updates being released, and the like.

Abstract: Features of the present disclosure solve the above-identified problem by implementing user and entity behavior analytics (UEBA) system to group one or more computer machines into different clusters based on monitored behavior of the one or more computer machines. Specifically, a network device (e.g., administrator computer system) may monitor the activity of the one or more computer machines for a predetermined time period in order to identify the applications that the computer machines utilize. Based on the clustering and the identifying, the network device may automatically apply different access control policies for different clusters of machines and review those access control policies against future behavior periodically. By clustering machines based on usage behavior patterns and automatically recommending a rule set for deployment, the UEBA system may reduce potential points of failure for cybersecurity breaches.

Abstract: Embodiments are directed to determining a risk of encountering malware based on social context, to determining malware threats based on social associations and to ranking antimalware programs according to the program's ability to protect against specific threats. In one scenario, a computer system receives a malware notification associated with a user that identifies a type of malware encountered by the user. The computer system identifies various persons that are part of a social group associated with the user and determines that at least one of the identified persons associated with the user has an increased likelihood of encountering the identified type of malware, based on information derived from identifying the persons that are part of the social group. Optionally, the computer system notifies the identified persons of the increased likelihood of encountering the identified type of malware.

Abstract: Embodiments are directed to determining a risk of encountering malware based on social context, to determining malware threats based on social associations and to ranking antimalware programs according to the program's ability to protect against specific threats. In one scenario, a computer system receives a malware notification associated with a user that identifies a type of malware encountered by the user. The computer system identifies various persons that are part of a social group associated with the user and determines that at least one of the identified persons associated with the user has an increased likelihood of encountering the identified type of malware, based on information derived from identifying the persons that are part of the social group. Optionally, the computer system notifies the identified persons of the increased likelihood of encountering the identified type of malware.