Patents by Inventor Lior Arzi

Lior Arzi has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8516576
    Abstract: A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be indicated and protective action may be taken.
    Type: Grant
    Filed: January 13, 2010
    Date of Patent: August 20, 2013
    Assignee: Microsoft Corporation
    Inventors: Igal Figlin, Arthur Zavalkovsky, Lior Arzi, Efim Hudis, Jennifer R. LeMond, Robert Eric Fitzgerald, Khaja E. Ahmed, Jeffrey S. Williams, Edward W. Hardy
  • Patent number: 8402537
    Abstract: Aspects of the subject matter described herein relate to tuning detection components of a security system. In aspects, a history of alerts is collected. This history is then used together with knowledge about tunable objects of the system to determine parameters of the tunable objects that can be changed to improve detection of the system. Parameters of tunable objects are adjusted in a simulator that determines an effect on alerts in the history based on the adjusted parameters. A recommendation of one or more tuning actions may be provided together with information regarding the effect of each tuning action.
    Type: Grant
    Filed: September 26, 2008
    Date of Patent: March 19, 2013
    Assignee: Microsoft Corporation
    Inventors: Arie Friedman, Shai Aharon Rubin, Lior Arzi, Ron J. Karidi
  • Patent number: 8181250
    Abstract: A honeypot in a computer network is configured for use with a wide variety of computing resources that are defined by a network administrator or user which may include desktop and network resources such as address book contacts, instant messaging contacts, active directory user accounts, IP addresses, and files that contain particular content or that are stored in particular locations. The resources may be real for which protection against leakage is desired, or fake to operate as bait to lure and detect malicious attacks. The honeypot is implemented in an extensible manner so that virtually any resource may be honeypotted to apply honeypot benefits to resources beyond static IP addresses in order to improve both the breadth of information leakage prevention and the detection of malicious attacks.
    Type: Grant
    Filed: June 30, 2008
    Date of Patent: May 15, 2012
    Assignee: Microsoft Corporation
    Inventors: Ziv Rafalovich, Lior Arzi, Ron Karidi, Efim Hudis
  • Publication number: 20110197277
    Abstract: Tracking malware state information assigned to computers in an enterprise network is described. A computer may transition from a current malware state to a new malware state in accordance with a plurality of stored rules and detection of an anti-malware event on the computer. Examples of anti-malware events include, but are not limited to, detection of new malware on the computer or cleaning of the computer. The malware state information for computers on the network may be mapped to a risk level representing an amount of risk that infected computers present to other computers on the network. The results of a risk level assessment for the computers on the network may be output via a user interface to enable an administrator of the network to prioritize servicing of computers with detected malware.
    Type: Application
    Filed: February 11, 2010
    Publication date: August 11, 2011
    Applicant: Microsoft Corporation
    Inventors: Igal Figlin, Lior Arzi, Sterling Reasor, Eyal Zangi, Ahmad S. Hussain
  • Publication number: 20110173699
    Abstract: A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be indicated and protective action may be taken.
    Type: Application
    Filed: January 13, 2010
    Publication date: July 14, 2011
    Inventors: Igal Figlin, Arthur Zavalkovsky, Lior Arzi, Efim Hudis, Jennifer R. LeMond, Robert Eric Fitzgerald, Khaja E. Ahmed, Jeffrey S. Williams, Edward W. Hardy
  • Publication number: 20100083375
    Abstract: Aspects of the subject matter described herein relate to tuning detection components of a security system. In aspects, a history of alerts is collected. This history is then used together with knowledge about tunable objects of the system to determine parameters of the tunable objects that can be changed to improve detection of the system. Parameters of tunable objects are adjusted in a simulator that determines an effect on alerts in the history based on the adjusted parameters. A recommendation of one or more tuning actions may be provided together with information regarding the effect of each tuning action.
    Type: Application
    Filed: September 26, 2008
    Publication date: April 1, 2010
    Applicant: MICROSOFT CORPORATION
    Inventors: Arie Friedman, Shai Aharon Rubin, Lior Arzi, Ron J. Karidi
  • Publication number: 20090328215
    Abstract: Semantic networks are generated to model the operational behavior of an enterprise network to provide contextual interpretation of an event or a sequence of events that are observed in that specific enterprise network. In various illustrative examples, different semantic networks may be generated to model different behavior scenarios in the enterprise network. Without the context provided by these semantic networks, malicious events may inherently be interpreted as benign events as there is typically always a scenario where such events could be part of normal operations of an enterprise network. Instead, the present semantic networks enable interpretation of events for a specific enterprise network. Such interpretation enables the conclusion that a sequence of events that could possibly be part of normal operations in a theoretical enterprise network is, in fact, abnormal for this specific enterprise network.
    Type: Application
    Filed: June 30, 2008
    Publication date: December 31, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Lior Arzi, Ron Karidi, Shai Aharon Rubin, Efim Hudis
  • Publication number: 20090328216
    Abstract: A honeypot in a computer network is configured for use with a wide variety of computing resources that are defined by a network administrator or user which may include desktop and network resources such as address book contacts, instant messaging contacts, active directory user accounts, IP addresses, and files that contain particular content or that are stored in particular locations. The resources may be real for which protection against leakage is desired, or fake to operate as bait to lure and detect malicious attacks. The honeypot is implemented in an extensible manner so that virtually any resource may be honeypotted to apply honeypot benefits to resources beyond static IP addresses in order to improve both the breadth of information leakage prevention and the detection of malicious attacks.
    Type: Application
    Filed: June 30, 2008
    Publication date: December 31, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Ziv Rafalovich, Lior Arzi, Ron Karidi, Efim Hudis
  • Publication number: 20090328222
    Abstract: Mapping between object types in an enterprise security assessment sharing (“ESAS”) system enables attacks on an enterprise network and security incidents to be better detected and capabilities to respond to be improved. The ESAS system is distributed among endpoints incorporating different security products in the enterprise network that share a commonly-utilized communications channel. An endpoint will generate a tentative assignment of contextual meaning called a security assessment that is published when a potential security incident is detected. The security assessment identifies the object of interest, the type of security incident and its severity. A level of confidence in the detection is also provided which is expressed by an attribute called the “fidelity”.
    Type: Application
    Filed: June 25, 2008
    Publication date: December 31, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Yair Helman, Efim Hudis, Lior Arzi
  • Publication number: 20090199265
    Abstract: Aspects of the subject matter described herein relate to a mechanism for assessing security. In aspects, an analytics engine is provided that manages execution, information storage, and data passing between various components of a security system. When data is available for analysis, the analytics engine determines which security components to execute and the order in which to execute the security components, where in some instances two or more components may be executed in parallel. The analytics engine then executes the components in the order determined and passes output from component to component as dictated by dependencies between the components. This is repeated until a security assessment is generated or updated. The analytics engine simplifies the work of creating and integrating various security components.
    Type: Application
    Filed: June 18, 2008
    Publication date: August 6, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Efim Hudis, Eyal Zangi, Moshe Sapir, Tomer Weisberg, Yair Helman, Shai Aharon Rubin, Yosef Dinerstein, Lior Arzi