Abstract: A parallel network architecture connects among providers, subscribers, and storage networks to pull clinical records in an automated and verifiable electronic context. Messages, alerts, or data updates from a healthcare event such as a discharge are received, and example embodiment networks calculate patient clinical data target from the same and query the target for the patient to solicit records for the patient of the event, proximate to the event. The received records may be clinical, with diagnostic and treatment records for the patient, to be automatically delivered back to a subscribing user. Example embodiment networks may improve record quality and data match by verifying a target stores records for the patient, timing queries and requested data to those found most successful for a target, and/or not delivering records that contain errors, no clinical data, are duplicative or unreadable, and/or are not for the patient or healthcare event.

Abstract: A parallel network architecture connects among providers, subscribers, and storage networks to pull clinical records in an automated and verifiable electronic context. Messages, alerts, or data updates from a healthcare event such as a discharge are received, and example embodiment networks calculate patient clinical data target from the same and query the target for the patient to solicit records for the patient of the event, proximate to the event. The received records may be clinical, with diagnostic and treatment records for the patient, to be automatically delivered back to a subscribing user. Example embodiment networks may improve record quality and data match by verifying a target stores records for the patient, timing queries and requested data to those found most successful for a target, and/or not delivering records that contain errors, no clinical data, are duplicative or unreadable, and/or are not for the patient or healthcare event.

Abstract: A payload conducted electrical weapon (“CEW”) may include a housing configured to house at least a plurality of electrodes and a signal generator. The payload CEW may be removably inserted into a bay of a launcher. The launcher may be mounted on a vehicle. The plurality of electrodes may be configured to be launched from the housing. The housing may be configured to be launched from the bay of the launcher simultaneously with or after the plurality of electrodes are launched. The signal generator may be configured to transmit a stimulus signal through the plurality of electrodes. The signal generator may be configured to transmit the stimulus signal before, during, and/or after the housing is launched.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for incident response are disclosed. In one aspect, a system includes a cognitive engine that is configured to receive data identifying actions performed in response to a computer security threat. Based on the data identifying the actions performed in response to the computer security threat, the system generates one or more workflows and a particular workflow that are associated with the computer security threat and that each identify one or more actions to remediate the computer security threat. The system also includes a scoring system and event triage engine that is configured to analyze the actions of the one or more workflows and of the particular workflow, and based on analyzing the actions of the one or more workflows and of the particular workflow, select a primary workflow as a workflow to respond to the computer security threat.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for incident response are disclosed. In one aspect, a computer-implemented method includes receiving data identifying two or more groups of actions performed to remediate a computer security threat. The method includes determining first unique paths from a first action of each of the two or more groups of actions to a second action of each of the two or more groups of actions, and determining second unique paths from the second action of each of the two or more groups of actions to a third action of each of the two or more groups of actions. The method also includes combining common paths among the first unique paths and the second unique paths, identifying one of the common paths that appears most frequently, and determining a core path that includes a subset of the actions of the two or more groups of actions based on the one of the common paths that appears most frequently.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for implementing deception networks. One of the systems includes a threat information server configured to monitor and control security threats, a management process orchestration server configured to receive one or more identified security threats from the threat information server and develop a response process applicable to each identified security threat, a network switching controller in communication with one or more network switching devices, a target computing device connected to one of the network switching devices, and an indicator analytics processor configured to generate threat intelligence based on activity observed on the target device and provide the observed threat intelligence to the threat information server. The threat information server can receive threat intelligence information, identify key indicators, and generate identified security threats.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining a network path between computer assets. One of the methods includes receiving an asset topology that includes an identifier for each computer-related asset that may be an entry point for an attack simulation, receiving threat data that identifies vulnerabilities of computer-related assets, determining a first computer-related asset that may be an entry point for an attack simulation, identifying one or more first vulnerabilities of the first computer-related asset, determining a path from the first computer-related asset to a second computer-related asset, determining one or more second vulnerabilities of the second computer-related asset, determining a probability that the second computer-related asset will be compromised by an adversary, and determining a change to the asset topology to reduce the probability that the second computer-related asset will be compromised by an adversary.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for implementing deception networks. One of the systems includes a threat information server configured to monitor and control security threats, a management process orchestration server configured to receive one or more identified security threats from the threat information server and develop a response process applicable to each identified security threat, a network switching controller in communication with one or more network switching devices, a target computing device connected to one of the network switching devices, and an indicator analytics processor configured to generate threat intelligence based on activity observed on the target device and provide the observed threat intelligence to the threat information server. The threat information server can receive threat intelligence information, identify key indicators, and generate identified security threats.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for identifying network security risks. One of the methods includes receiving organizational hierarchy data and receiving access privilege data for a network, generating an adjacency matrix that represents connections between individuals within the organizational hierarchy and various groups, and that represents connections between the individuals and various access privileges, selecting an analytic technique for analyzing the adjacency matrix, determining, for each individual, an individual score that represents a security risk associated with the individual's network account, and in response to determining that the individual score meets a threshold, applying security controls.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for identifying network security risks. One of the methods includes receiving organizational hierarchy data and receiving access privilege data for a network, generating an adjacency matrix that represents connections between individuals within the organizational hierarchy and various groups, and that represents connections between the individuals and various access privileges, selecting an analytic technique for analyzing the adjacency matrix, determining, for each individual, an individual score that represents a security risk associated with the individual's network account, and in response to determining that the individual score meets a threshold, applying security controls.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for implementing a response to one or more security incidents in a computing network. One of the methods includes identifying a security incident based on detecting one or more indicators of compromise associated with the security incident, comparing the security incident with a predefined ontology that maps the security incident to one or more courses of action, selecting a response strategy that includes one or more of the courses of action, and implementing the response strategy as an automated response.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining a network path between computer assets. One of the methods includes receiving an asset topology that includes an identifier for each computer-related asset that may be an entry point for an attack simulation, receiving threat data that identifies vulnerabilities of computer-related assets, determining a first computer-related asset that may be an entry point for an attack simulation, identifying one or more first vulnerabilities of the first computer-related asset, determining a path from the first computer-related asset to a second computer-related asset, determining one or more second vulnerabilities of the second computer-related asset, determining a probability that the second computer-related asset will be compromised by an adversary, and determining a change to the asset topology to reduce the probability that the second computer-related asset will be compromised by an adversary.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for analyzing threat intelligence information. One of the methods includes receiving by a threat information server, threat intelligence information from one or more intelligence feeds and generating one or more identified security threats, identifying a compromise by a management process orchestration server and retrieving information from the threat information server and identifying one or more actions to be performed, determining by an indicator analytics processor, a composite credibility based on the actions, and determining one or more components for profiling and determining indicators of compromise for each component, and communicating the indicators of compromise to the management process orchestration server.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining network related anomaly scores. One of the methods includes generating a network map including at least a plurality of network nodes and a plurality of edges that indicate communications paths between the plurality of network nodes, obtaining first data indicating network activity over the edges and between the plurality of network nodes for a first time period, generating a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map and the first data, obtaining second data indicating network activity over the edges and between the plurality of network nodes for a second time period, and determining an anomaly score using a comparison between the second data and the model of expected network activity.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining a network path between computer assets. One of the methods includes receiving an asset topology that includes an identifier for each computer-related asset that may be an entry point for an attack simulation, receiving threat data that identifies vulnerabilities of computer-related assets, determining a first computer-related asset that may be an entry point for an attack simulation, identifying one or more first vulnerabilities of the first computer-related asset, determining a path from the first computer-related asset to a second computer-related asset, determining one or more second vulnerabilities of the second computer-related asset, determining a probability that the second computer-related asset will be compromised by an adversary, and determining a change to the asset topology to reduce the probability that the second computer-related asset will be compromised by an adversary.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for identifying network security risks. One of the methods includes receiving organizational hierarchy data and receiving access privilege data for a network, generating an adjacency matrix that represents connections between individuals within the organizational hierarchy and various groups, and that represents connections between the individuals and various access privileges, selecting an analytic technique for analyzing the adjacency matrix, determining, for each individual, an individual score that represents a security risk associated with the individual's network account, and in response to determining that the individual score meets a threshold, applying security controls.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for incident response are disclosed. In one aspect, a computer-implemented method includes receiving data identifying two or more groups of actions performed to remediate a computer security threat. The method includes determining first unique paths from a first action of each of the two or more groups of actions to a second action of each of the two or more groups of actions, and determining second unique paths from the second action of each of the two or more groups of actions to a third action of each of the two or more groups of actions. The method also includes combining common paths among the first unique paths and the second unique paths, identifying one of the common paths that appears most frequently, and determining a core path that includes a subset of the actions of the two or more groups of actions based on the one of the common paths that appears most frequently.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for incident response are disclosed. In one aspect, a system includes a cognitive engine that is configured to receive data identifying actions performed in response to a computer security threat. Based on the data identifying the actions performed in response to the computer security threat, the system generates one or more workflows and a particular workflow that are associated with the computer security threat and that each identify one or more actions to remediate the computer security threat. The system also includes a scoring system and event triage engine that is configured to analyze the actions of the one or more workflows and of the particular workflow, and based on analyzing the actions of the one or more workflows and of the particular workflow, select a primary workflow as a workflow to respond to the computer security threat.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for implementing a response to one or more security incidents in a computing network. One of the methods includes identifying a security incident based on detecting one or more indicators of compromise associated with the security incident, comparing the security incident with a predefined ontology that maps the security incident to one or more courses of action, selecting a response strategy that includes one or more of the courses of action, and implementing the response strategy as an automated response.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for analyzing threat intelligence information. One of the methods includes receiving by a threat information server, threat intelligence information from one or more intelligence feeds and generating one or more identified security threats, identifying a compromise by a management process orchestration server and retrieving information from the threat information server and identifying one or more actions to be performed, determining by an indicator analytics processor, a composite credibility based on the actions, and determining one or more components for profiling and determining indicators of compromise for each component, and communicating the indicators of compromise to the management process orchestration server.