Abstract: A method of detecting the onset of a ransomware attack is presented. In an example embodiment, file backup metadata for each of a plurality of computing devices is accessed and analyzed to detect anomalous file backup activity of individual ones of the computing devices. A determination is made as to whether the detected anomalous file backup activity of at least some of the computing devices is correlated in time. File description metadata for each of the computing devices is also accessed and analyzed to identify files in the computing devices that are anomalous to other files in the computing devices. A determination whether a ransomware attack has begun is based on a determination that the detected anomalous file backup activity of at least some of the computing devices is correlated in time, as well as on the identified anomalous files.

Abstract: Disclosed in some examples are systems, methods, and machine readable mediums for identifying insider threats by determining file system element activity models that correlate to undesirable behavior and then utilizing the determined model to detect insider threats. Events involving file system elements of a client computing device (e.g., a network endpoint) may be monitored by a file system element monitoring application on the client computing device. The values of these signals are aggregated across all events of the same type that have occurred within a predetermined time window (e.g., an hour) for a particular client computing device. Each time an aggregated signal has a value over the threshold, an anomaly is recorded. Anomaly counts for each signal are then calculated as the aggregate number of anomalies for a particular signal over a second time period, the span of which is determined by the generation of first anomaly to the close of an alert by the network monitor.

Abstract: Disclosed in some examples are systems, methods, and machine readable mediums for identifying insider threats by determining file system element activity models that correlate to undesirable behavior and then utilizing the determined model to detect insider threats. Events involving file system elements of a client computing device (e.g., a network endpoint) may be monitored by a file system element monitoring application on the client computing device. The values of these signals are aggregated across all events of the same type that have occurred within a predetermined time window (e.g., an hour) for a particular client computing device. Each time an aggregated signal has a value over the threshold, an anomaly is recorded. Anomaly counts for each signal are then calculated as the aggregate number of anomalies for a particular signal over a second time period, the span of which is determined by the generation of first anomaly to the close of an alert by the network monitor.

Abstract: A method of detecting the onset of a ransomware attack is presented. In an example embodiment, file backup metadata for each of a plurality of computing devices is accessed and analyzed to detect anomalous file backup activity of individual ones of the computing devices. A determination is made as to whether the detected anomalous file backup activity of at least some of the computing devices is correlated in time. File description metadata for each of the computing devices is also accessed and analyzed to identify files in the computing devices that are anomalous to other files in the computing devices. A determination whether a ransomware attack has begun is based on a determination that the detected anomalous file backup activity of at least some of the computing devices is correlated in time, as well as on the identified anomalous files.

Abstract: Systems and techniques for an automatic graph-based detection of unlikely file possession are described herein. In an example, a system for detecting unauthorized file possession is adapted to generate a networked computing environment graph for files and the devices which store the files. The detection system may be further adapted to identify a file in question and a device in question that is in possession of the file in question. The detection system may be further adapted to generate a set of connection paths from the device in question to the file in question based upon the edges of the graph. The detection system may be further adapted to determine the device in question should not have possession of the file in question based on a set of metrics derived from the connection paths. The detection system may be further adapted to generate an alert based on the determination.

Abstract: Systems and techniques for an automatic graph-based detection of unlikely file possession are described herein. In an example, a system for detecting unauthorized file possession is adapted to generate a networked computing environment graph for files and the devices which store the files. The detection system may be further adapted to identify a file in question and a device in question that is in possession of the file in question. The detection system may be further adapted to generate a set of connection paths from the device in question to the file in question based upon the edges of the graph. The detection system may be further adapted to determine the device in question should not have possession of the file in question based on a set of metrics derived from the connection paths. The detection system may be further adapted to generate an alert based on the determination.

Abstract: Systems and techniques for an automatic graph-based detection of unlikely file possession are described herein. In an example, a system for detecting unauthorized file possession is adapted to generate a networked computing environment graph for files and the devices which store the files. The detection system may be further adapted to identify a file in question and a device in question that is in possession of the file in question. The detection system may be further adapted to generate a set of connection paths from the device in question to the file in question based upon the edges of the graph. The detection system may be further adapted to determine the device in question should not have possession of the file in question based on a set of metrics derived from the connection paths. The detection system may be further adapted to generate an alert based on the determination.

Abstract: Systems and techniques for an automatic graph-based detection of unlikely file possession are described herein. In an example, a system for detecting unauthorized file possession is adapted to generate a networked computing environment graph for files and the devices which store the files. The detection system may be further adapted to identify a file in question and a device in question that is in possession of the file in question. The detection system may be further adapted to generate a set of connection paths from the device in question to the file in question based upon the edges of the graph. The detection system may be further adapted to determine the device in question should not have possession of the file in question based on a set of metrics derived from the connection paths. The detection system may be further adapted to generate an alert based on the determination.

Abstract: Disclosed in some examples are systems, methods, and machine readable mediums for identifying insider threats by determining file system element activity models that correlate to undesirable behavior and then utilizing the determined model to detect insider threats. Events involving file system elements of a client computing device (e.g., a network endpoint) may be monitored by a file system element monitoring application on the client computing device. The values of these signals are aggregated across all events of the same type that have occurred within a predetermined time window (e.g., an hour) for a particular client computing device. Each time an aggregated signal has a value over the threshold, an anomaly is recorded. Anomaly counts for each signal are then calculated as the aggregate number of anomalies for a particular signal over a second time period, the span of which is determined by the generation of first anomaly to the close of an alert by the network monitor.

Abstract: A method of detecting the onset of a ransomware attack is presented. In an example embodiment, file backup metadata for each of a plurality of computing devices is accessed and analyzed to detect anomalous file backup activity of individual ones of the computing devices. A determination is made as to whether the detected anomalous file backup activity of at least some of the computing devices is correlated in time. File description metadata for each of the computing devices is also accessed and analyzed to identify files in the computing devices that are anomalous to other files in the computing devices. A determination whether a ransomware attack has begun is based on a determination that the detected anomalous file backup activity of at least some of the computing devices is correlated in time, as well as on the identified anomalous files.