Abstract: A system and method for providing stringent tamper resistant protection against changes to key system security features. The tamper protection is configured such that any changes to the policy can only occur from a configuration manager console, thereby preventing local device admin users or other malicious actors from altering the setting. Thus, tamper protection locks the selected service and prevents security settings from being changed through third-party apps and methods. When a system administrator enables the feature for an enterprise's workstations, only administrators will be able to change the service settings across a company's computers. The tamper protection policy is digitally signed in the backend before being deployed to endpoints, and the endpoint verifies the validity and intent of the policy, establishing that it is a signed package that only security operations personnel with the necessary administrator rights can control.

Abstract: A system and method for providing stringent tamper resistant protection against changes to key system security features. The tamper protection is configured such that any changes to the policy can only occur from a configuration manager console, thereby preventing local device admin users or other malicious actors from altering the setting. Thus, tamper protection locks the selected service and prevents security settings from being changed through third-party apps and methods. When a system administrator enables the feature for an enterprise's workstations, only administrators will be able to change the service settings across a company's computers. The tamper protection policy is digitally signed in the backend before being deployed to endpoints, and the endpoint verifies the validity and intent of the policy, establishing that it is a signed package that only security operations personnel with the necessary administrator rights can control.

Abstract: Embodiments provide for a security information and event management (SIEM) system utilizing distributed agents that can intelligently traverse a network to exfiltrate data in an efficient and secure manner. A plurality of agent devices can dynamically learn behavioral patterns and/or service capabilities of other agent devices in the networking environment, and select optimal routes for exfiltrating event data from within the network. The agent devices can independently, selectively, or collectively pre-process event data for purposes of detecting a suspect event from within the network. When a suspect event is detected, agent devices can select a target device based on the learned service capabilities and networking environment, and communicate the pre-processed event data to the target device. The pre-processed event data is thus traversed through the network along an optimal route until it is exfiltrated from the network and stored on a remote server device for storage and further analysis.

Abstract: Methods and devices for recovering data may include receiving an identification of at least one file on the computer device impacted by a cyber threat. The methods and devices may include receiving a last known good time stamp for the at least one file that identifies a point in time prior to the cyber threat. The methods and devices may also include transmitting, to a remote backup provider associated with the at least one file, a restore request to restore the at least one file with restored content based at least on the last known good time stamp. The methods and devices may include receiving, from the remote backup provider, a restored file with the restored content.

Abstract: A system for operating system remediation intercepts input/output (I/O) requests to write to one or more files and stores, as file restore data, (i) a restore copy of the one or more files to the system cache prior to performing write operations of the I/O requests and (ii) identification information for one or more processes or entities making the corresponding I/O requests in the system cache. The system reverts to the restore copy of the one or more files using the file restore data and based at least on a later determination that one or more processes making the corresponding I/O requests was malware. A current version of the one or more files is thereby replaced with the restore copy of the one or more files with improved automatic remediation support and a greater likelihood that data can be restored from the cache in the case of malware attacks.

Abstract: Implementations described herein disclose a malware sequence detection system for detecting presence of malware in a plurality of events. An implementation of the malware sequence detection includes receiving a sequence of a plurality of events, and detecting presence of a sequence of malware commands within the sequence of a plurality of events by dividing the sequence of plurality of events into a plurality of subsequences, performing sequential subsequence learning on one or more of the plurality of subsequences, and generating a probability of one or more of the plurality of subsequences being a malware based on the output of the sequential subsequence.

Abstract: Enhanced neural network architectures that enable the determination and employment of association-based or attention-based “interrelatedness” of various portions of the input data are provided. A method of employing an architecture includes receiving a first input data element, a second input element, and a third input element. A first interrelated metric that indicates a degree of interrelatedness between the first input data element and the second input data element is determined. A second interrelated metric is determined. The second interrelated metric indicates a degree of interrelatedness between the first input data element and the third input data element. An interrelated vector is generated based on the first interrelated metric and the second interrelated metric. The neural network is employed to generate an output vector that corresponds to the first input vector and is based on a combination of the first input vector and the interrelated vector.

Abstract: Embodiments provide for a security information and event management (SIEM) system utilizing distributed agents that can intelligently traverse a network to exfiltrate data in an efficient and secure manner. A plurality of agent devices can dynamically learn behavioral patterns and/or service capabilities of other agent devices in the networking environment, and select optimal routes for exfiltrating event data from within the network. The agent devices can independently, selectively, or collectively pre-process event data for purposes of detecting a suspect event from within the network. When a suspect event is detected, agent devices can select a target device based on the learned service capabilities and networking environment, and communicate the pre-processed event data to the target device. The pre-processed event data is thus traversed through the network along an optimal route until it is exfiltrated from the network and stored on a remote server device for storage and further analysis.

Abstract: Disclosed are various examples for network management in hyper-converged infrastructures. In one example, tagged data is received by a switch. The tagged data includes a header that identifies that the tagged data is for replication. The switch generates replicated versions of the tagged data. The replicated versions of the tagged data can include modified header data. The replicated versions of the tagged data are transmitted to a plurality of hosts within the hyper-converged infrastructure.

Abstract: Enhanced neural network architectures that enable the determination and employment of association-based or attention-based “interrelatedness” of various portions of the input data are provided. A method of employing an architecture includes receiving a first input data element, a second input element, and a third input element. A first interrelated metric that indicates a degree of interrelatedness between the first input data element and the second input data element is determined. A second interrelated metric is determined. The second interrelated metric indicates a degree of interrelatedness between the first input data element and the third input data element. An interrelated vector is generated based on the first interrelated metric and the second interrelated metric. The neural network is employed to generate an output vector that corresponds to the first input vector and is based on a combination of the first input vector and the interrelated vector.

Abstract: Implementations described herein disclose a malware sequence detection system for detecting presence of malware in a plurality of events. An implementation of the malware sequence detection includes receiving a sequence of a plurality of events, and detecting presence of a sequence of malware commands within the sequence of a plurality of events by dividing the sequence of plurality of events into a plurality of subsequences, performing sequential subsequence learning on one or more of the plurality of subsequences, and generating a probability of one or more of the plurality of subsequences being a malware based on the output of the sequential subsequence.

Abstract: Methods and devices for recovering data may include receiving an identification of at least one file on the computer device impacted by a cyber threat. The methods and devices may include receiving a last known good time stamp for the at least one file that identifies a point in time prior to the cyber threat. The methods and devices may also include transmitting, to a remote backup provider associated with the at least one file, a restore request to restore the at least one file with restored content based at least on the last known good time stamp. The methods and devices may include receiving, from the remote backup provider, a restored file with the restored content.

Abstract: A system for operating system remediation intercepts input/output (I/O) requests to write to one or more files and stores, as file restore data, (i) a restore copy of the one or more files to the system cache prior to performing write operations of the I/O requests and (ii) identification information for one or more processes or entities making the corresponding I/O requests in the system cache. The system reverts to the restore copy of the one or more files using the file restore data and based at least on a later determination that one or more processes making the corresponding I/O requests was malware. A current version of the one or more files is thereby replaced with the restore copy of the one or more files with improved automatic remediation support and a greater likelihood that data can be restored from the cache in the case of malware attacks.