Abstract: The disclosed computer-implemented method for threat detection using a software program update profile may include (1) building an update behavioral model that identifies legitimate update behavior for a software application by (a) monitoring client devices for update events associated with the software application and (b) analyzing the update events to identify the legitimate update behavior of the software application, (2) using the update behavioral model to identify suspicious behavior on a computing system by (a) detecting an update instance on the computing system, (b) comparing the update instance with the legitimate update behavior identified in the update behavioral model, and (c) determining, based on the comparison of the update instance with the legitimate update behavior, that the update instance is suspicious, and (3) in response to determining that the update instance is suspicious, performing a security action. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for creating security profiles may include (1) identifying, within a computing environment, a new actor as a target for creating a new security behavior profile that defines expected behavior for the new actor, (2) identifying a weighted graph that connects the new actor as a node to other actors, (3) creating, by analyzing the weighted graph, the new security behavior profile based on the new actor's specific position within the weighted graph, (4) detecting a security anomaly by comparing actual behavior of the new actor within the computing environment with the new security behavior profile that defines expected behavior for the new actor, and (5) performing, by a computer security system, a remedial action in response to detecting the security anomaly. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for evaluating network security may include (1) receiving, by a security server, a request to report a network risk score for an organization based on telemetry data describing file downloads at computers managed by the organization over a specified period of time, (2) identifying the telemetry data describing file downloads at the computers managed by the organization over the specified period of time, (3) searching the telemetry data to match file downloads over the specified period of time to at least one file that was previously categorized, prior to the request, as a hacking tool, (4) calculating the network risk score based on the telemetry data, and (5) reporting, automatically by the security server in response to the request, the calculated network risk score. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for determining malicious-download risk based on user behavior may include (1) identifying a set of users that are at high risk for malicious downloads and a set of users that are at low risk for malicious downloads, (2) determining a high-risk pattern of download behavior that is shared by the set of high-risk users and that is not shared by the set of low-risk users, (3) analyzing download behavior of an uncategorized user over a predefined time period in order to categorize the download behavior as high-risk or low-risk, and (4) categorizing the uncategorized user as a high-risk user in response to determining that the download behavior of the uncategorized user falls within a predefined similarity threshold of the high-risk pattern of download behavior. Various other methods, systems, and computer-readable media are also disclosed. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for analyzing zero-day attacks may include 1) identifying, within a database of known security vulnerabilities, disclosure timing information that indicates when a security vulnerability was publicly disclosed, 2) correlating a file with the security vulnerability by searching a database of file activity for at least one file that is associated with an attack that exploits the security vulnerability, 3) identifying, within the database of file activity, activity timing information indicating timing of one or more activities that involve the file and that occurred on endpoint computing devices before the security vulnerability was publicly disclosed, and 4) comparing the disclosure timing information with the activity timing information to investigate a potential zero-day attack that exploits the security vulnerability. Various other methods, systems, and computer-readable media are also disclosed.