Abstract: Systems and methods for cloud security monitoring and threat intelligence in accordance with embodiments of the invention are disclosed. In one embodiment, a process for monitoring and remediation of security threats includes generating a threat model using a first portion of activity data, identifying, based upon the threat model, a threat using a second portion of activity data, selecting a security policy to implement in response to the identified threat, identifying cloud security controls in a remotely hosted cloud application server system to modify in accordance with the selected security policy, establishing a secure connection to the remotely hosted cloud application server system using login credentials associated with a tenant account with the cloud application, and sending instructions to the remotely hosted cloud application server system to set the identified cloud security controls with respect to the tenant account in accordance with the selected security policy.

Abstract: Provided are systems, methods, and computer-readable medium for a simulation platform that can generate simulated activity data for testing a security monitoring and control system. In various examples, the simulation platform can parse the activity data from a cloud service to generate a template, where each entry in the template describes an action and the fields associated with the action. The simulation platform can further generate a configuration that describes a test scenario. The simulation platform can use the configuration and the template to generate the particular action, including randomizing some or all of the fields of the action. When input into the security monitoring and control system, the system can operate on the simulated activity data in the same way as when the system ingests live activity data.

Abstract: A computer system of a security management system may obtain activity data from a service provider system, where the activity data may describe actions performed by users during use of a cloud service. The security management system may then provide the activity data to a model that is trained to receive the activity data and classify privileged users from among the users that performed the actions in the activity data. Both supervised and unsupervised models may be used. The security management system may generate a list of privileged users of the service provider system based on output from the model.

Abstract: Systems and methods for restricting access and visibility to sensitive personal data during ingestion and storing within a data repository are disclosed. In one embodiment, a process for determining whether to grant access to protected data includes defining risk thresholds for predetermined data access patterns of a data repository, monitoring new data access patterns to build a security data profile based on quantifiable characteristics as risk factors, receiving a second request for data from a client device at the data repository, determining if any access control policies applies to the second request generating a risk score for the second request for data based on the security data profile, determining whether to grant access to the second request for data based upon at least one applicable access control policy and the risk score, and providing the requested data in response to the second request for data when access is granted.

Abstract: In various implementations, a security management and control system for monitoring and management of security for cloud services can include automated techniques for identifying the privileged users of a given cloud service. In various examples, the security management and control system can obtain activity logs from the cloud service, where the activity logs record actions performed by users of an organization in using the cloud service. In various examples, the security management and control system can identify actions in the activity logs that are privileged with respect to the cloud service. In these and other examples, the security management and control system can use the actions in the activity log to identify privileged users. Once the privileged users are identified, the security management and control system can monitor the privileged users with a higher degree of scrutiny.

Abstract: Provided are systems, methods, and computer-readable medium for a simulation platform that can generate simulated activity data for testing a security monitoring and control system. In various examples, the simulation platform can parse the activity data from a cloud service to generate a template, where each entry in the template describes an action and the fields associated with the action. The simulation platform can further generate a configuration that describes a test scenario. The simulation platform can use the configuration and the template to generate the particular action, including randomizing some or all of the fields of the action. When input into the security monitoring and control system, the system can operate on the simulated activity data in the same way as when the system ingests live activity data.

Abstract: Techniques for discovery and management of applications in a computing environment of an organization are disclosed. A security management system discovers use of applications within a computing environment to manage access to applications for minimizing security threats and risks in a computing environment of the organization. The security management system can obtain network data about network traffic to identify unique applications. The security management system performs analysis and correlation, including using one or more data sources, to determine information about an application. The system computes a measure of security for an application (“an application risk score”) and a user (“a user risk score”). The score is analyzed to determine a threat of security posed by the application based on use of the application. The security system performs one or more instructions to configure access permitted by an application, whether access is denied or restricted.

Abstract: Provided are systems and methods for analyzing actions performed by users in using a cloud service, and adjusting the configuration of a security management and control system based on the analysis. In various examples, the analysis can include generating a weighted directed graph that reflects a user's use of the cloud service, and/or reflects the tenant's overall use of the cloud service. When the security monitoring and control system generates security alerts, the actions that resulted in the alerts can be compared to the graph to determine whether the actions are in accordance with prior behavior of the users. When the actions do correspond to the graph, the system can recommend that the security control or security policy that triggered the alert be modified. In various examples, the graphs can also be used to determine whether any user's actions are anomalous as compared to earlier behavior.

Abstract: Provided are systems, methods, and computer-readable medium for a simulation platform that can generate simulated activity data for testing a security monitoring and control system. In various examples, the simulation platform can parse the activity data from a cloud service to generate a template, where each entry in the template describes an action and the fields associated with the action. The simulation platform can further generate a configuration that describes a test scenario. The simulation platform can use the configuration and the template to generate the particular action, including randomizing some or all of the fields of the action. When input into the security monitoring and control system, the system can operate on the simulated activity data in the same way as when the system ingests live activity data.

Abstract: Provided are systems and methods for analyzing actions performed by users in using a cloud service, and adjusting the configuration of a security management and control system based on the analysis. In various examples, the analysis can include generating a weighted directed graph that reflects a user's use of the cloud service, and/or reflects the tenant's overall use of the cloud service. When the security monitoring and control system generates security alerts, the actions that resulted in the alerts can be compared to the graph to determine whether the actions are in accordance with prior behavior of the users. When the actions do correspond to the graph, the system can recommend that the security control or security policy that triggered the alert be modified. In various examples, the graphs can also be used to determine whether any user's actions are anomalous as compared to earlier behavior.

Abstract: Systems and methods for cloud security monitoring and threat intelligence in accordance with embodiments of the invention are disclosed. In one embodiment, a process for monitoring and remediation of security threats includes generating a threat model using a first portion of activity data, identifying, based upon the threat model, a threat using a second portion of activity data, selecting a security policy to implement in response to the identified threat, identifying cloud security controls in a remotely hosted cloud application server system to modify in accordance with the selected security policy, establishing a secure connection to the remotely hosted cloud application server system using login credentials associated with a tenant account with the cloud application, and sending instructions to the remotely hosted cloud application server system to set the identified cloud security controls with respect to the tenant account in accordance with the selected security policy.

Abstract: Systems and methods for restricting access and visibility to sensitive personal data during ingestion and storing within a data repository are disclosed. In one embodiment, a process for protecting personal data includes establishing a connection from a personal data protection system to a data source, retrieving raw data comprising personal data from the data source, classifying pieces of information within the personal data into one or more levels of sensitivity, storing the raw data in a data repository, enforcing one or more privacy policies on the personal data by obfuscating pieces of information that are at one of the levels of sensitivity using the personal data protection system, and enforcing one or more access control policies for one or more user accounts having access to the data repository by limiting visibility of the personal data to a subset of the personal data, based upon attributes of the user account.

Abstract: Systems and methods for cloud security monitoring and threat intelligence in accordance with embodiments of the invention are disclosed. In one embodiment, a process for monitoring and remediation of security threats includes generating a threat model using a first portion of activity data, identifying, based upon the threat model, a threat using a second portion of activity data, selecting a security policy to implement in response to the identified threat, identifying cloud security controls in a remotely hosted cloud application server system to modify in accordance with the selected security policy, establishing a secure connection to the remotely hosted cloud application server system using login credentials associated with a tenant account with the cloud application, and sending instructions to the remotely hosted cloud application server system to set the identified cloud security controls with respect to the tenant account in accordance with the selected security policy.

Abstract: Provided are systems, methods, and computer-readable medium for a simulation platform that can generate simulated activity data for testing a security monitoring and control system. In various examples, the simulation platform can parse the activity data from a cloud service to generate a template, where each entry in the template describes an action and the fields associated with the action. The simulation platform can further generate a configuration that describes a test scenario. The simulation platform can use the configuration and the template to generate the particular action, including randomizing some or all of the fields of the action. When input into the security monitoring and control system, the system can operate on the simulated activity data in the same way as when the system ingests live activity data.

Abstract: In various implementations, a security management and control system for monitoring and management of security for cloud services can include automated techniques for identifying the privileged users of a given cloud service. In various examples, the security management and control system can obtain activity logs from the cloud service, where the activity logs record actions performed by users of an organization in using the cloud service. In various examples, the security management and control system can identify actions in the activity logs that are privileged with respect to the cloud service. In these and other examples, the security management and control system can use the actions in the activity log to identify privileged users. Once the privileged users are identified, the security management and control system can monitor the privileged users with a higher degree of scrutiny.

Abstract: Provided are systems, methods, and computer-readable medium for a simulation platform that can generate simulated activity data for testing a security monitoring and control system. In various examples, the simulation platform can parse the activity data from a cloud service to determine the fields associated with each action in the activity data. The simulation platform can then generate a template, where each entry in the template describes an action and the fields associated with the action. The simulation platform can further generate a configuration that describes a test scenario. The simulation platform can use the configuration and the template to generate the particular action, including randomizing some or all of the fields of the action. When input into the security monitoring and control system, the system can operate on the simulated activity data in the same way as when the system ingests live activity data.

Abstract: In various implementations, a security management and control system for monitoring and management of security for cloud services can include automated techniques for identifying the privileged users of a given cloud service. In various examples, the security management and control system can obtain activity logs from the cloud service, where the activity logs record actions performed by users of an organization in using the cloud service. In various examples, the security management and control system can identify actions in the activity logs that are privileged with respect to the cloud service. In these and other examples, the security management and control system can use the actions in the activity log to identify privileged users. Once the privileged users are identified, the security management and control system can monitor the privileged users with a higher degree of scrutiny.

Abstract: Techniques for discovery and management of applications in a computing environment of an organization are disclosed. A security management system discovers use of applications within a computing environment to manage access to applications for minimizing security threats and risks in a computing environment of the organization. The security management system can obtain network data about network traffic to identify unique applications. The security management system performs analysis and correlation, including using one or more data sources, to determine information about an application. The system computes a measure of security for an application (“an application risk score”) and a user (“a user risk score”). The score is analyzed to determine a threat of security posed by the application based on use of the application. The security system performs one or more instructions to configure access permitted by an application, whether access is denied or restricted.

Abstract: Provided are systems and methods for analyzing actions performed by users in using a cloud service, and adjusting the configuration of a security management and control system based on the analysis. In various examples, the analysis can include generating a weighted directed graph that reflects a user's use of the cloud service, and/or reflects the tenant's overall use of the cloud service. When the security monitoring and control system generates security alerts, the actions that resulted in the alerts can be compared to the graph to determine whether the actions are in accordance with prior behavior of the users. When the actions do correspond to the graph, the system can recommend that the security control or security policy that triggered the alert be modified. In various examples, the graphs can also be used to determine whether any user's actions are anomalous as compared to earlier behavior.

Abstract: Techniques for discovery and management of applications in a computing environment of an organization are disclosed. A security management system discovers use of applications within a computing environment to manage access to applications for minimizing security threats and risks in a computing environment of the organization. The security management system can obtain network data about network traffic to identify unique applications. The security management system can perform analysis and correlation, including use of one or more data sources, to determine information about an application. The system can compute a measure of security for an application (“an application risk score”) and a user (“a user risk score”). The score may be analyzed to determine a threat of security posed by the application based on use of the application. The security system can perform one or more instructions to configure access permitted by an application, whether access is denied or restricted.