Patents by Inventor Karl Ackerman

Karl Ackerman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11184391
    Abstract: An endpoint in a network periodically generates a heartbeat encoding health state information and transmits this heartbeat to other network entities. Recipients of the heartbeat may use the health state information to independently make decisions about communications with the source endpoint, for example, by isolating the endpoint to prevent further communications with other devices sharing the network with the endpoint. Isolation may be coordinated by a firewall or gateway for the network, or independently by other endpoints that receive a notification of the compromised health state.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: November 23, 2021
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Kenneth D. Ray, Karl Ackerman
  • Publication number: 20210344707
    Abstract: An endpoint in an enterprise network is monitored, and when a potential trigger for a distributed denial of service (DDoS) attack is followed by an increase in network traffic from the endpoint to a high reputation network address, the endpoint is treated as a DDoS service bot and isolated from the network until remediation can be performed.
    Type: Application
    Filed: July 8, 2021
    Publication date: November 4, 2021
    Inventors: Karl Ackerman, Mark David Harris, Simon Neil Reed, Andrew J. Thomas, Kenneth D. Ray
  • Patent number: 11165797
    Abstract: In the context of network activity by an endpoint in an enterprise network, malware detection is improved by using a combination of reputation information for a network address that is accessed by the endpoint with reputation information for an application on the endpoint that is accessing the network address. This information, when combined with a network usage history for the application, provides improved differentiation between malicious network activity and legitimate, user-initiated network activity.
    Type: Grant
    Filed: April 5, 2017
    Date of Patent: November 2, 2021
    Assignee: Sophos Limited
    Inventors: Karl Ackerman, Mark David Harris, Kenneth D. Ray, Andrew J. Thomas, Daniel Stutz
  • Patent number: 11102238
    Abstract: An endpoint in an enterprise network is monitored, and when a potential trigger for a distributed denial of service (DDoS) attack is followed by an increase in network traffic from the endpoint to a high reputation network address, the endpoint is treated as a DDoS service bot and isolated from the network until remediation can be performed.
    Type: Grant
    Filed: April 5, 2017
    Date of Patent: August 24, 2021
    Assignee: Sophos Limited
    Inventors: Karl Ackerman, Mark David Harris, Simon Neil Reed, Andrew J. Thomas, Kenneth D. Ray
  • Patent number: 10986109
    Abstract: A technique for local proxy detection includes monitoring outbound traffic from the endpoint with remote network addresses outside the enterprise network, detecting use of a secure communication protocol with a request from the endpoint to one of the remote network addresses, identifying a plaintext network address within the request, and in response to identifying a plaintext network address in the request, initiating remediation of a potentially malicious local proxy on the endpoint.
    Type: Grant
    Filed: April 5, 2017
    Date of Patent: April 20, 2021
    Assignee: Sophos Limited
    Inventors: Fraser Howard, Karl Ackerman, Andrew J. Thomas, Dmitri Samosseiko
  • Publication number: 20200304528
    Abstract: In a threat management platform, a number of endpoints log events in an event data recorder. A local agent filters this data and feeds a filtered data stream to a central threat management facility. The central threat management facility can locally or globally tune filtering by local agents based on the current data stream, and can query local event data recorders for additional information where necessary or helpful in threat detection or forensic analysis. The central threat management facility also stores and deploys a number of security tools such as a web-based user interface supported by machine learning models to identify potential threats requiring human intervention and other models to provide human-readable context for evaluating potential threats.
    Type: Application
    Filed: June 9, 2020
    Publication date: September 24, 2020
    Inventors: Karl Ackerman, Russell Humphries, Mark Anthony Russo, Andrew J. Thomas
  • Publication number: 20190318128
    Abstract: A ledger stores chain of custody information for files throughout an enterprise network. By identifying files with a homologous identifier such as a fuzzy hash that permits piecewise evaluation of similarity, the ledger can be used to track a chain of custody over a sequence of changes in content, ownership, and file properties. The ledger can be used, e.g., to evaluate trustworthiness of a file the first time it is encountered by an endpoint, or to apply enterprise policies based on trust.
    Type: Application
    Filed: October 19, 2018
    Publication date: October 17, 2019
    Inventors: Karl Ackerman, Russell Humphries, Daniel Salvatore Schiappa, Kenneth D. Ray, Andrew J. Thomas
  • Publication number: 20190149574
    Abstract: Phishing attacks attempt to solicit valuable information such as personal information, account credentials, and the like from human users by disguising a malicious request for information as a legitimate inquiry, typically in the form of an electronic mail or similar communication. By tracking a combination of outbound web traffic from an endpoint and inbound electronic mail traffic to the endpoint, improved detection of phishing attacks or similar efforts to wrongly obtain sensitive information can be achieved.
    Type: Application
    Filed: December 18, 2018
    Publication date: May 16, 2019
    Inventors: Andrew J. Thomas, Karl Ackerman, James Douglas Bean, Kenneth D. Ray, Daniel Stutz
  • Publication number: 20190123904
    Abstract: Security is improved by adding a security heartbeat for an endpoint as a factor in a multi-factor authentication system. The security heartbeat may be used directly as an authentication factor, e.g., where the heartbeat provides a reliable and verifiable indication of identity, or the security heartbeat may be used as a gating input for some other verification method, e.g., where a text message with a temporary security code can only be transmitted to a user when the user's endpoint is providing a secure heartbeat.
    Type: Application
    Filed: December 18, 2018
    Publication date: April 25, 2019
    Inventors: Karl Ackerman, John Edward Tyrone Shaw, Craig Paradis, Andrew J. Thomas, Kenneth D. Ray
  • Publication number: 20190124042
    Abstract: A firewall uses information about an application that originates a network request to determine whether and how to forward the request over a network. The firewall may more generally rely on the identity of the originating application, the security state of the originating application, the security state of the endpoint, and any other information that might provide an indication of malicious activity, to make routing and forwarding decisions for endpoint-originated network traffic.
    Type: Application
    Filed: December 18, 2018
    Publication date: April 25, 2019
    Inventors: Andrew J. Thomas, Karl Ackerman, James Douglas Bean, Kenneth D. Ray, Daniel Stutz
  • Publication number: 20190124098
    Abstract: An endpoint in a network periodically generates a heartbeat encoding health state information and transmits this heartbeat to other network entities. Recipients of the heartbeat may use the health state information to independently make decisions about communications with the source endpoint, for example, by isolating the endpoint to prevent further communications with other devices sharing the network with the endpoint. Isolation may be coordinated by a firewall or gateway for the network, or independently by other endpoints that receive a notification of the compromised health state.
    Type: Application
    Filed: December 18, 2018
    Publication date: April 25, 2019
    Inventors: Andrew J. Thomas, Kenneth D. Ray, Karl Ackerman
  • Publication number: 20190124047
    Abstract: An endpoint in a network periodically generates a heartbeat encoding health state information and transmits this heartbeat to other network entities. Recipients of the heartbeat may use the health state information to independently make decisions about communications with the source endpoint, for example, by isolating the endpoint to prevent further communications with other devices sharing the network with the endpoint. Isolation may be coordinated by a firewall or gateway for the network, or independently by other endpoints that receive a notification of the compromised health state.
    Type: Application
    Filed: December 18, 2018
    Publication date: April 25, 2019
    Inventors: Andrew J. Thomas, Kenneth D. Ray, Karl Ackerman
  • Publication number: 20170310703
    Abstract: An endpoint in an enterprise network is monitored, and when a potential trigger for a distributed denial of service (DDoS) attack is followed by an increase in network traffic from the endpoint to a high reputation network address, the endpoint is treated as a DDoS service bot and isolated from the network until remediation can be performed.
    Type: Application
    Filed: April 5, 2017
    Publication date: October 26, 2017
    Inventors: Karl Ackerman, Mark David Harris, Simon Neil Reed, Andrew J. Thomas, Kenneth D. Ray
  • Publication number: 20170310693
    Abstract: Protocol suites such as hypertext transfer protocol (HTTP) using secure socket layer (SSL) can facilitate secure network communications. When using this type of secure communication, network addresses are typically expressed as numeric internet protocol addresses rather than the human-readable uniform resource locators (URLs) that are entered into a browser address bar by a human user. This property can be exploited to differentiate between secure and insecure communications, and to detect certain instances where a malicious proxy has been deployed to intercept network traffic with an endpoint.
    Type: Application
    Filed: April 5, 2017
    Publication date: October 26, 2017
    Inventors: Fraser Howard, Karl Ackerman, Andrew J. Thomas, Dmitri Samosseiko
  • Publication number: 20170310692
    Abstract: In the context of network activity by an endpoint in an enterprise network, malware detection is improved by using a combination of reputation information for a network address that is accessed by the endpoint with reputation information for an application on the endpoint that is accessing the network address. This information, when combined with a network usage history for the application, provides improved differentiation between malicious network activity and legitimate, user-initiated network activity.
    Type: Application
    Filed: April 5, 2017
    Publication date: October 26, 2017
    Inventors: Karl Ackerman, Mark David Harris, Kenneth D. Ray, Andrew J. Thomas, Daniel Stutz
  • Patent number: 9525551
    Abstract: A first cryptographic device is authenticated by a second cryptographic device. The second cryptographic device stores an alternative version of a secret value associated with the first cryptographic device as a countermeasure to compromise of the secret value. In conjunction with a protocol carried out between the first cryptographic device and the second cryptographic device, the second cryptographic device determines the secret value based at least in part on the alternative version of the secret value, and utilizes the determined secret value to authenticate the first cryptographic device. The alternative version of the secret value may comprise a randomly-skewed version of the secret value. For example, the secret value may comprise a key or other parameter of the first cryptographic device and the alternative version of the secret value may comprise a randomly-skewed version of the key or other parameter.
    Type: Grant
    Filed: September 29, 2011
    Date of Patent: December 20, 2016
    Assignee: EMC IP Holding Company LLC
    Inventors: Karl Ackerman, Marten Erik van Dijk, Ari Juels, Emily Shen
  • Patent number: 9305153
    Abstract: There is disclosed a user authentication device for generating time-varying authentication information for authenticating a user in an authentication system. The device comprises at least one sensor for sensing at least one of a biometric measurement of the user and a characteristic of the environmental surroundings of the device. There is also disclosed an authentication system and a method for authenticating a user in an authentication system.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: April 5, 2016
    Assignee: EMC Corporation
    Inventors: Karl Ackerman, Lawrence N. Friedman
  • Patent number: 9240986
    Abstract: A method is used in managing security and wireless signal detection. Information is gathered about analog signal reception at a receiver. Based on the information, a result is produced for use in determining location information at the receiver. The result is used to affect a security decision.
    Type: Grant
    Filed: September 27, 2012
    Date of Patent: January 19, 2016
    Assignee: EMC Corporation
    Inventors: Karl Ackerman, William W. Duane, Yedidya Dotan
  • Patent number: 9160742
    Abstract: An improved technique involves sending a user's authentication information to a local authentication device that computes a risk score and sends the risk score to a remote authentication server that determines whether the user is able to be authenticated. When the user makes an authentication or transaction request from an electronic device such as a computer or smartphone, the electronic device sends predictor values such as geo location and wireless signal strength to the local authentication device. The local authentication device then computes a risk score based on the received predictor values and historical predictor values. The local authentication device sends this risk score to a remote authentication server which determines from this risk score and other factors whether the user is able to be authenticated.
    Type: Grant
    Filed: September 27, 2013
    Date of Patent: October 13, 2015
    Assignee: EMC Corporation
    Inventors: Karl Ackerman, Edward W Vipond, Daniel A Wilder, Yong Qiao
  • Patent number: 9119069
    Abstract: An apparatus comprises a processing device comprising a near field communication (NFC) network interface, a memory and a processor coupled to a memory. The processing device is configured under control of the processor to connect to a host device using the NFC network interface, receive an authentication request from another device through the NFC connection with the host device and authenticate the other device using information stored in the memory. A passcode is presented to the host device responsive to a successful authentication of the other device, the passcode being utilizable to authenticate to a resource protected by the other device.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: August 25, 2015
    Assignee: EMC Corporation
    Inventors: Edward W. Vipond, Yong Qiao, Karl Ackerman, Marco Ciaffi, Daniel Wilder