Patents by Inventor Kevin A. Roundy

Kevin A. Roundy has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10242187
    Abstract: The disclosed computer-implemented method for providing integrated security management may include (1) identifying a computing environment protected by security systems and monitored by a security management system that receives event signatures from the security systems, where a first security system uses a first event signature naming scheme that differs from a second event signature naming scheme used by a second security system, (2) observing a first event signature that originates from the first security system and uses the first event signature naming scheme, (3) determining that the first event signature is equivalent to a second event signature that uses the second event signature naming scheme, and (4) performing, in connection with observing the first event signature, a security action associated with the second event signature and directed to the computing environment. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 14, 2016
    Date of Patent: March 26, 2019
    Assignee: Symantec Corporation
    Inventors: Kevin Roundy, Matteo Dell'Amico, Chris Gates, Michael Hart, Stanislav Miskovic
  • Patent number: 10242201
    Abstract: A computer-implemented method for predicting security incidents triggered by security software may include (i) collecting, by a computing device, telemetry data from a set of security products deployed by a set of client machines, (ii) identifying, by the computing device, a selected security product within the set of security products that is missing telemetry data for a target client machine, (iii) building a classifier, by the computing device using the telemetry data, that predicts information about security incidents triggered by the selected security product, (iv) determining, by the computing device and based on the classifier, that the selected security product triggers a new security incident on the target client machine, and (v) performing a security action, by the computing device, to secure the target client machine against the new security incident. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: October 13, 2016
    Date of Patent: March 26, 2019
    Assignee: Symantec Corporation
    Inventors: Shang-Tse Chen, Chris Gates, Yufei Han, Michael Hart, Kevin Roundy
  • Patent number: 10169584
    Abstract: The disclosed computer-implemented method for identifying non-malicious files on computing devices within organizations may include (1) identifying a file on at least one computing device within multiple computing devices managed by an organization, (2) identifying a source of the file based on examining a relationship between the file and the organization, (3) determining that the source of the file is trusted within the organization, and then (4) concluding, based on the source of the file being trusted within the organization, that the file is not malicious. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 25, 2015
    Date of Patent: January 1, 2019
    Assignee: Symantec Corporation
    Inventors: Kevin Roundy, Sandeep Bhatkar, Aleatha Parker-Wood, Yin Liu, Anand Kashyap, Leylya Yumer, Christopher Gates
  • Publication number: 20180365417
    Abstract: The disclosed computer-implemented method for labeling automatically generated reports may include (i) identifying incident reports that describe incidents that each involve at least one computing system and that comprise automatically collected information about the incidents and a manually analyzed subset of incident reports that comprise manually generated information, (ii) assigning at least one label to at least one incident report in the manually analyzed subset based on applying a machine learning model to the manually generated information, (iii) deriving, from the automatically collected information, a set of features that describe incident reports, (iv) propagating at least one label from a labeled incident report to an incident report that is not in the manually analyzed subset and that comprises similar features with the labeled incident report, and (v) performing an action related to the label on the incident report. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Application
    Filed: June 20, 2017
    Publication date: December 20, 2018
    Inventors: Shuning Wu, Wangyan Feng, Ningwei Liu, Kevin Roundy
  • Patent number: 10142357
    Abstract: The disclosed computer-implemented method may include (i) monitoring computing activity, (ii) detecting, during a specific time period, at least one malicious network connection that involves a computing device within a network, (iii) determining that no malicious network connections involving the computing device were detected during another time period, (iv) identifying a feature of the computing activity that (a) occurred during the specific time period and (b) did not occur during the other time period, (v) determining that the feature is likely indicative of malicious network activity due at least in part to the feature having occurred during the specific time period and not having occurred during the other time period, and in response to detecting the feature at a subsequent point in time, (vi) performing a security action on a subsequent network connection attempted around the subsequent point in time. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 21, 2016
    Date of Patent: November 27, 2018
    Assignee: Symantec Corporation
    Inventors: Acar Tamersoy, Kevin Roundy
  • Patent number: 10091231
    Abstract: The disclosed computer-implemented method for detecting security blind spots may include (i) detecting, via an endpoint security program, a threat incident at a set of client machines associated with a security vendor server, (ii) obtaining an indication of how the set of client machines will respond to the detecting of the threat incident, (iii) predicting how a model set of client machines would respond to the threat incident, (iv) determining that a delta exceeds a security threshold, and (v) performing a security action by the security vendor server, in response to determining that the delta exceeds the security threshold, to protect the set of client machines at least in part by electronically notifying the set of client machines of information about the prediction of how the model set of client machines would respond to the threat incident. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 15, 2016
    Date of Patent: October 2, 2018
    Assignee: Symantec Corporation
    Inventors: Chris Gates, Stanislav Miskovic, Michael Hart, Kevin Roundy
  • Patent number: 10089469
    Abstract: The disclosed computer-implemented method for whitelisting file clusters in connection with trusted software packages may include (1) identifying a trusted file cluster that includes a set of clean files, (2) identifying an additional file cluster that includes a set of additional files that typically co-exist with the set of clean files included in the trusted file cluster on computing systems, (3) determining that the trusted file cluster and the additional file cluster represent portions of a single trusted software package, and then, in response to determining that the trusted file cluster and the additional file cluster represent portions of the single trusted software package, (4) merging the trusted file cluster and the additional file cluster into a merged file cluster and (5) whitelisting the merged file cluster. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 12, 2015
    Date of Patent: October 2, 2018
    Assignee: Symantec Corporation
    Inventors: Kevin Roundy, Christopher Gates
  • Publication number: 20180276371
    Abstract: A method for determining sandbox configurations for malware analysis is described. In one embodiment, the method may include receiving a plurality of files, extracting at least one element from at least one file from the plurality of files, identifying one or more properties associated with an endpoint, determining a correlation between the at least one extracted element and the one or more properties of the endpoint, and determining one or more sandbox configurations based at least in part on the determined correlation. In some cases, the endpoint is related to at least one of the plurality of files.
    Type: Application
    Filed: March 24, 2017
    Publication date: September 27, 2018
    Applicant: Symantec Corporation
    Inventors: Lars Haukli, Felix Leder, Kevin Roundy
  • Patent number: 10055586
    Abstract: The disclosed computer-implemented method for determining the trustworthiness of files within organizations may include (1) identifying a file on a computing device within multiple computing devices managed by an organization, (2) in response to identifying the file, identifying at least one additional computing device within the multiple computing devices that is potentially associated with the file, (3) distributing at least a portion of the file to a user of the additional computing device with a request to receive an indication of the trustworthiness of the file, and then (4) receiving, from the additional computing device, a response that indicates the trustworthiness of the file. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 29, 2015
    Date of Patent: August 21, 2018
    Assignee: Symantec Corporation
    Inventors: Kevin Roundy, Sandeep Bhatkar, Christopher Gates, Anand Kashyap, Yin Liu, Aleatha Parker-Wood, Leylya Yumer
  • Patent number: 10025937
    Abstract: Techniques are disclosed for dynamically managing hardening policies in a client computer (e.g., of an enterprise network). A hardening management application monitors activity on the client computer that is associated with a first hardening policy. The monitored activity is evaluated based on one or more metrics. Upon determining that at least one of the metrics is outside of a tolerance specified in the first hardening policy, the client computer is associated with a second hardening policy. The client computer is reconfigured based on the second hardening policy.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: July 17, 2018
    Assignee: Symantec Corporation
    Inventors: Anand Kashyap, Kevin A. Roundy, Sandeep Bhatkar, Aleatha Parker-Wood, Christopher Gates, Yin Liu, Leylya Yumer
  • Patent number: 9948663
    Abstract: A computer-implemented method for predicting security threat attacks may include (1) identifying candidate security threat targets with latent attributes that describe features of the candidate security threat targets, (2) identifying historical attack data that describes which of the candidate security threat targets experienced an actual security threat attack, (3) determining a similarity relationship between latent attributes of at least one specific candidate security threat target and latent attributes of the candidate security threat targets that experienced an actual security threat attack according to the historical attack data, (4) predicting, based on the determined similarity relationship, that the specific candidate security threat target will experience a future security threat attack, and (5) performing at least one remedial action to protect the specific candidate security threat target in response to predicting the future security threat attack.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: April 17, 2018
    Assignee: Symantec Corporation
    Inventors: Yining Wang, Christopher Gates, Kevin Roundy, Nikolaos Vasiloglou
  • Patent number: 9888024
    Abstract: Techniques are disclosed for detecting security incidents based on low confidence security events. A security management server aggregates a collection of security events received from logs from one or more devices. The security management server evaluates the collection of security events based on a confidence score assigned to each distinct type of security event. Each confidence score indicates a likelihood that a security incident has occurred. The security management server determines, based on the confidence scores, at least one threshold for determining when to report an occurrence of a security incident from the collection of security events. Upon determining that at least one security event of the collection has crossed the at least one threshold, the security management server reports the occurrence of the security incident to an analyst.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: February 6, 2018
    Assignee: Symantec Corporation
    Inventors: Kevin Roundy, Michael Spertus
  • Patent number: 9842219
    Abstract: The disclosed computer-implemented method for curating file clusters for security analyses may include (1) identifying a suspicious file that exists on at least one computing system within a computing community, (2) clustering a set of files that includes the suspicious file into a file cluster based at least in part on at least one characteristic shared by the set of files, (3) prioritizing at least one file included in the file cluster based at least in part on a contextual value of the file relative to the file cluster, (4) providing, for presentation to a security analyst, a graphical representation of the file cluster that highlights the prioritized file relative to the file cluster, and then (5) performing at least one security action on the suspicious file based at least in part on feedback received from the security analyst. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 9, 2015
    Date of Patent: December 12, 2017
    Assignee: Symantec Corporation
    Inventors: Christopher Gates, Kevin Roundy, Petrus Johannes Viljoen
  • Patent number: 9838405
    Abstract: The disclosed computer-implemented method for determining types of malware infections on computing devices may include (1) identifying multiple types of security events generated by a group of endpoint devices that describe suspicious activities on the endpoint devices, each of the endpoint devices having one or more types of malware infections, (2) determining correlations between each type of security event generated by the group of endpoint devices and each type of malware infection within the group of endpoint devices, (3) identifying a set of security events generated on a target endpoint device that potentially has a malware infection, and (4) detecting, based on both the set of security events generated on the target endpoint device and the correlations between the types of malware infections and the types of security events, at least one type of malware infection likely present on the target endpoint device.
    Type: Grant
    Filed: November 20, 2015
    Date of Patent: December 5, 2017
    Assignee: Symantec Corporation
    Inventors: Fanglu Guo, Kevin Roundy
  • Patent number: 9825986
    Abstract: The disclosed computer-implemented method for generating contextually meaningful animated visualizations of computer security events may include (1) detecting a security-related event that involves an actor and a target within a computing environment, (2) identifying certain characteristics of the security-related event that collectively describe a context of the security-related event with respect to the actor and the target within the computing environment, (3) generating, based at least in part on the certain characteristics of the security-related event, a graphical animation of the security-related event that graphically represents the context of the security-related event with respect to the actor and the target within the computing environment, and then (4) providing, for presentation to a user, the graphical animation of the security-related event to facilitate visualizing the context of the security-related event with respect to the actor and the target.
    Type: Grant
    Filed: June 29, 2015
    Date of Patent: November 21, 2017
    Assignee: Symantec Corporation
    Inventors: Sandeep Bhatkar, Sharada Sundaram, Kevin Roundy, David Silva
  • Patent number: 9807094
    Abstract: The disclosed computer-implemented method for dynamic access control over shared resources may include (1) detecting an attempt by a user to access a resource via a computing environment, (2) identifying a risk level of the user attempting to access the resource, (3) identifying a sensitivity level of the resource, (4) identifying a risk level of the computing environment through which the user is attempting to access the resource, (5) determining an overall risk level for the attempt to access the resource based at least in part on (A) the risk level of the user, (B) the sensitivity level of the resource, and (C) the risk level of the computing environment, and then (6) determining, based at least in part on the overall risk level, whether to grant the user access to the resource via the computing environment. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 25, 2015
    Date of Patent: October 31, 2017
    Assignee: Symantec Corporation
    Inventors: Yin Liu, Sandeep Bhatkar, Kevin Roundy, Leylya Yumer, Anand Kashyap, Aleatha Parker-Wood, Christopher Gates
  • Patent number: 9805192
    Abstract: A computer-implemented method for file classification may include (1) identifying, by a computer security system, a cluster of files that co-occur with each other according to a statistical analysis, (2) identifying ground truth files to which the computer security system has previously assigned a security score, (3) determining that a file in the cluster of files shares an item of file metadata with another file in the ground truth files, (4) assigning a security score to the file in the cluster of files based on a security score of the other file in the ground truth files that shares the item of file metadata, and (5) assigning an overall security score to the entire cluster of files based on the security score assigned to the file in the cluster. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: October 31, 2017
    Assignee: Symantec Corporation
    Inventors: Christopher Gates, Kevin Roundy
  • Patent number: 9800590
    Abstract: The disclosed computer-implemented method for threat detection using a software program update profile may include (1) building an update behavioral model that identifies legitimate update behavior for a software application by (a) monitoring client devices for update events associated with the software application and (b) analyzing the update events to identify the legitimate update behavior of the software application, (2) using the update behavioral model to identify suspicious behavior on a computing system by (a) detecting an update instance on the computing system, (b) comparing the update instance with the legitimate update behavior identified in the update behavioral model, and (c) determining, based on the comparison of the update instance with the legitimate update behavior, that the update instance is suspicious, and (3) in response to determining that the update instance is suspicious, performing a security action. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 25, 2015
    Date of Patent: October 24, 2017
    Assignee: Symantec Corporation
    Inventors: Christopher Gates, Kevin Roundy, Sandeep Bhatkar, Anand Kashyap, Yin Liu, Aleatha Parker-Wood, Leylya Yumer
  • Patent number: 9798876
    Abstract: A computer-implemented method for creating security profiles may include (1) identifying, within a computing environment, a new actor as a target for creating a new security behavior profile that defines expected behavior for the new actor, (2) identifying a weighted graph that connects the new actor as a node to other actors, (3) creating, by analyzing the weighted graph, the new security behavior profile based on the new actor's specific position within the weighted graph, (4) detecting a security anomaly by comparing actual behavior of the new actor within the computing environment with the new security behavior profile that defines expected behavior for the new actor, and (5) performing, by a computer security system, a remedial action in response to detecting the security anomaly. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: August 19, 2015
    Date of Patent: October 24, 2017
    Assignee: Symantec Corporation
    Inventors: Aleatha Parker-Wood, Anand Kashyap, Christopher Gates, Kevin Roundy, Leylya Yumer, Sandeep Bhatkar, Yin Liu
  • Patent number: 9665715
    Abstract: A computer-implemented method for detecting malware-induced crashes may include (1) identifying, by analyzing a health log associated with a previously stable computing device, the occurrence of an unexpected stability problem on the previously stable computing device, (2) identifying, by analyzing an event log associated with the previously stable computing device, an event that is potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device, (3) determining, due at least in part to the event being potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device, that the event is potentially malicious, and (4) performing a security action in response to determining that the event is potentially malicious. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 23, 2013
    Date of Patent: May 30, 2017
    Assignee: Symantec Corporation
    Inventors: Kevin Roundy, Sandeep Bhatkar, Fanglu Guo, Daniel Marino