Patents by Inventor Maxim Balin

Maxim Balin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230336363
    Abstract: Systems and methods are disclosed for detecting nonlegitimate communications in a hybrid cloud system. An example method comprises receiving a request from a service on a public cloud platform, calculating a unique signature for the service, and verifying the calculated unique signature against a local signature table on the public cloud platform. If the calculated unique signature is verified, then the calculated unique signature is sent to a security signature service on a private cloud platform. If the calculated unique signature is also verified against a global signature table on the private cloud platform, then a response to the request is received from the security signature service.
    Type: Application
    Filed: April 15, 2022
    Publication date: October 19, 2023
    Applicant: Dell Products, L.P.
    Inventors: Yevgeni Gehtman, Tomer Shachar, Maxim Balin
  • Publication number: 20230328146
    Abstract: Methods, system, and non-transitory processor-readable storage medium for a location verification system are provided herein. An example method includes detecting an attempt to access a network from a computerized device located at a physical location. The location verification system determines access status based on a distance requirement between the computerized device and another computerized device.
    Type: Application
    Filed: April 12, 2022
    Publication date: October 12, 2023
    Applicant: Dell Products L.P.
    Inventors: Yevgeni Gehtman, Maxim Balin, Tomer Shachar
  • Patent number: 11782611
    Abstract: Data encrypted using a first device-specific key of a first host device is written to a first logical storage device of a storage system. The storage system generates a copy of the first logical storage device, and associates the copy of the first logical storage device with a second logical storage device of the storage system. Data encrypted using a second device-specific key of a second host device is written to the second logical storage device of the storage system. Responsive to a request from the second host device for particular data of the second logical storage device, the storage system determines if the particular data was encrypted using the first key or the second key, and provides the second host device with the particular data and an indication of a result of the determination.
    Type: Grant
    Filed: April 13, 2021
    Date of Patent: October 10, 2023
    Assignee: EMC IP Holding Company LLC
    Inventors: Tomer Shachar, Arieh Don, Yevgeni Gehtman, Maxim Balin
  • Publication number: 20230262089
    Abstract: Methods and systems for detecting ransomware attacks on an SMB (Server Message Block) file sharing system are disclosed. A user’s request for access to the SMB file sharing system is authenticated and an SMB session for the user is initiated. During the SMB session, SMB commands issued by the user are detected and logged. The detected commands are evaluated against a profile of normal file sharing activity by this user. In case a deviation from the user’s activity profile is detected, recent SMB commands from the user are evaluated against a library of patterns of SMB commands indicative of ransomware activity. In case the recent SMB commands from the user match a ransomware command pattern, the user’s SMB session is immediately terminated, thus mitigating further damage by the ransomware.
    Type: Application
    Filed: January 24, 2022
    Publication date: August 17, 2023
    Applicant: Dell Products, L.P.
    Inventors: Tomer Shachar, Maxim Balin, Yevgeni Gehtman
  • Publication number: 20230237164
    Abstract: The technologies described herein are generally directed toward monitoring file sharing commands between network equipment to identify adverse conditions. According to an embodiment, a system can comprise a processor and a memory that can enable performance of operations including monitoring resource sharing communication between first network equipment and second network equipment via a network. In one or more embodiments, the method can additionally include based on the resource sharing communication, detecting a condition of the resource sharing communication that has a likelihood of indicating a defined adverse event that has at least a threshold likelihood. Further, the method can include, but is not limited to, in response to detecting the condition, facilitating suspending the resource sharing communication between the first network equipment and the second network equipment.
    Type: Application
    Filed: January 21, 2022
    Publication date: July 27, 2023
    Inventors: Tomer Shachar, Yevgeni Gehtman, Maxim Balin
  • Publication number: 20230239296
    Abstract: The technologies described herein are generally directed toward monitoring file sharing commands between network equipment to identify adverse conditions. According to an embodiment, a system can comprise a processor and a memory that can enable performance of operations including identifying a resource allocation communication between first network equipment and second network equipment via a network, with the resource allocation communication including a command authority and an allocation command. In an additional operation, based on the resource allocation communication, a validation source can be selected to validate the command authority for execution of the allocation command by the second network equipment.
    Type: Application
    Filed: January 21, 2022
    Publication date: July 27, 2023
    Inventors: Tomer Shachar, Yevgeni Gehtman, Maxim Balin, Arieh Don
  • Patent number: 11693934
    Abstract: Techniques are provided for device protection using a configuration lockdown mode. One method comprises receiving a configuration command from a user for a device; determining, responsive to receiving the configuration command, if the device is in a configuration lockdown mode that limits an execution of one or more configuration commands; and performing one or more automated remedial actions in response to determining that the device is in the configuration lockdown mode, such as generating a configuration lockdown alert. A configuration manager associated with the device may (i) determine if a duration of a disabling of the configuration lockdown mode violates one or more duration limits, and/or (ii) determine if the device is in the configuration lockdown mode.
    Type: Grant
    Filed: November 27, 2020
    Date of Patent: July 4, 2023
    Assignee: EMC IP Holding Company LLC
    Inventors: Tomer Shachar, Yevgeni Gehtman, Maxim Balin
  • Publication number: 20230169166
    Abstract: Methods and systems for managing the operation of data processing systems are disclosed. The data processing systems may provide computer implemented services to any type and number of other devices and/or users of the data processing systems. To improve the likelihood of the data processing systems being able to provide the computer implemented services, a system may proactively attempt to identify and remediate attempts to limit access to data stored in the data processing systems. To do so, multiple layers of monitoring may be deployed to the data processing systems. A first deployed layer of monitoring may identify information regarding encryption types and/or characteristics of encryption being performed. A second deployed layer of monitoring may identify telemetry for storage devices on which data subject to encryption is deployed. The information collected via these layers may be used to infer whether any encryption being performed is authorized or unauthorized.
    Type: Application
    Filed: December 1, 2021
    Publication date: June 1, 2023
    Inventors: Tomer Shachar, Maxim Balin, Yevgeni Gehtman
  • Publication number: 20230111194
    Abstract: Methods, system, and non-transitory processor-readable storage medium for a secure development lifecycle compliance system are provided herein. An example method includes verifying secure development lifecycle (SDL) compliance by executing an SDL system in communication with an application development pipeline. The SDL system comprises a user interface, an application development pipeline interface, and at least one SDL verification module. The method verifies successful execution of the SDL system prior to advancing from a previous stage to a subsequent stage within the application development pipeline.
    Type: Application
    Filed: October 8, 2021
    Publication date: April 13, 2023
    Applicant: Dell Products L.P.
    Inventors: Tomer Shachar, Yevgeni Gehtman, Maxim Balin
  • Publication number: 20230089331
    Abstract: Techniques are provided for pattern-based identification of sensitive data in a storage system. One method comprises obtaining, in a storage system, one or more patterns indicating sensitive data; evaluating whether one or more files of the storage system comprise sensitive data by searching for the one or more patterns in the one or more files; and classifying, in the storage system, at least one of the one or more files as comprising sensitive data based on a result of the evaluating. In response to a file type of a file being written supporting text, an identifier of the file being written can be stored in a list of files to be evaluated, and the one or more files subject to the evaluating can be identified using the list. The evaluating may be performed in response to a load of the storage system satisfying one or more sensitive data evaluation criteria.
    Type: Application
    Filed: September 23, 2021
    Publication date: March 23, 2023
    Inventors: Tomer Shachar, Maxim Balin, Yevgeni Gehtman
  • Publication number: 20230065791
    Abstract: Techniques are provided for detecting violations of user physical location constraints. One method comprises obtaining a constraint on a physical location of a user within a building; evaluating a network signal from a processing device of the user to identify a physical port that connects the processing device of the user to a network; obtaining a mapping of the physical port to a physical location within the building to determine the physical location of the user within the building; determining if the physical location of the user within the building violates the constraint; and initiating an automated remedial action in response to a result of the determining. The user can be identified using a device signature of the processing device of the user (e.g., based on one or more identifiers of hardware, software and/or network elements associated with the processing device).
    Type: Application
    Filed: August 30, 2021
    Publication date: March 2, 2023
    Inventors: Tomer Shachar, Yevgeni Gehtman, Maxim Balin
  • Publication number: 20230034530
    Abstract: Data protection techniques are provided that use encryption and inserted execution code. One method comprises obtaining, by a user device, a request from a user to access data, wherein the requested data comprises (i) an environment-based signature indicating an environment where the data can be accessed and (ii) execution code that interacts with a data protection agent; in response to the request to access the data: determining whether the user device comprises a data protection agent; and providing, via the data protection agent, the requested data based on an evaluation of an environment-based signature generated by the data protection agent relative to the environment-based signature included in the requested data. The requested data may be created by a given data protection agent that generates the environment-based signature using identifiers of hardware elements, software elements and/or network elements associated with a device that executes the given data protection agent.
    Type: Application
    Filed: July 28, 2021
    Publication date: February 2, 2023
    Inventors: Yevgeni Gehtman, Tomer Shachar, Maxim Balin
  • Publication number: 20220382837
    Abstract: Techniques are provided for access control using user behavior profiles and storage system-based multi-factor authentication. One method comprises obtaining a behavior profile for a user; obtaining an input/output request from the user; determining whether the input/output request exhibits anomalous user behavior relative to the behavior profile; initiating a multi-factor authentication of the user in response to the input/output request exhibiting anomalous user behavior to obtain a verification result; and processing the input/output request based at least in part on the verification result. The behavior profile for the user may be obtained by obtaining behavioral information from the user and/or monitoring a plurality of input/output requests of the user to learn at least a portion of the behavior profile for the user. The multi-factor authentication may comprise an out-of-band authorization request (e.g., to approve the input/output request) sent to a user associated with the input/output request.
    Type: Application
    Filed: May 27, 2021
    Publication date: December 1, 2022
    Inventors: Tomer Shachar, Yevgeni Gehtman, Maxim Balin
  • Publication number: 20220358215
    Abstract: Techniques are provided for detection of anomalous backup files using known anomalous file fingerprints (or other file-dependent values such as hash values, signatures and/or digest values). One method comprises obtaining first file-dependent values corresponding to respective known anomalous files; obtaining a second file-dependent value for a stored backup file; comparing the second file-dependent value to the first file-dependent values; and performing an automated remedial action in response to a result of the comparing. The second file-dependent value for the stored backup file may be determined by a backup server in response to a source file corresponding to the stored backup file being backed up by the backup server, and may be stored as part of metadata associated with the stored backup file.
    Type: Application
    Filed: May 5, 2021
    Publication date: November 10, 2022
    Inventors: Tomer Shachar, Maxim Balin, Yevgeni Gehtman
  • Publication number: 20220358235
    Abstract: Techniques are provided for access control of protected data using storage system-based multi-factor authentication. One method comprises obtaining, in a storage system, an input/output request for data; determining, by the storage system, whether a multi-factor authentication is required for the requested data; initiating, by the storage system, a multi-factor authentication of a user associated with the input/output request, in response to a result of the determining, to obtain a verification result; and processing, in the storage system, the input/output request for the data based at least in part on the verification result. The data may be marked as protected data using a manual process and/or an automated process that processes one or more smart tags associated with the data. The marking of the data as protected data may comprise marking a partition comprising the data, marking a protected folder comprising the data, and/or marking a protected file comprising the data.
    Type: Application
    Filed: May 5, 2021
    Publication date: November 10, 2022
    Inventors: Yevgeni Gehtman, Maxim Balin, Tomer Shachar
  • Patent number: 11496284
    Abstract: Techniques are provided for detection of unauthorized encryption in a storage system using key length evaluation. One method comprises determining a key length of an encryption key used to encrypt data associated with one or more write commands in a storage system; evaluating the key length relative to an expected key length; and performing one or more automated remedial actions, such as generating an alert notification, in response to the key length being different than the expected key length. A count of a number of write operations in a given folder can be compared to a number of files in the given folder and an alert notification can be generated in response to the count of the number of write operations in the given folder having a same value as the number of files in the given folder.
    Type: Grant
    Filed: October 29, 2020
    Date of Patent: November 8, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Yevgeni Gehtman, Maxim Balin, Tomer Shachar
  • Patent number: 11487862
    Abstract: Techniques are provided for basic input/output system (BIOS) protection using multi-factor authentication (MFA) based on digital identity values. One method comprises obtaining, by a BIOS of a hardware device, from a user device, (i) a request to access the BIOS, and (ii) a token based on a digital identity value for the user device; providing the token to an MFA chip on the hardware device, wherein the MFA chip evaluates the token and provides a verification result to the BIOS; and allowing the user device to access the BIOS based on the verification result. The digital identity value for the user device may be stored by the MFA chip during a fabrication of the MFA chip and/or a registration of the user device. The MFA chip may compare the digital identity value from the token received from the BIOS with the digital identity value for the user device stored by the MFA chip.
    Type: Grant
    Filed: January 18, 2021
    Date of Patent: November 1, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Tomer Shachar, Yevgeni Gehtman, Maxim Balin, Or Herman Saffar
  • Publication number: 20220345295
    Abstract: Decrypting data at a first storage system that has been encrypted at a second, separate, storage system includes the first storage system requesting a key that decrypts the data from the second storage system, the second storage system determining if the first storage system is authorized for the key, the second storage system providing the key to the first storage system in response to the first storage system being authorized, a host that is coupled to the first storage system obtaining the key from the first storage system, and the host using the key to decrypt and access the data at the first storage system. The host and the first storage system may provide failover functionality for a system that includes the second storage system. The host may obtain the key from the first storage system in response to a failure of the system that includes the second storage system.
    Type: Application
    Filed: April 22, 2021
    Publication date: October 27, 2022
    Applicant: EMC IP Holding Company LLC
    Inventors: Arieh Don, Tomer Shachar, Maxim Balin, Yevgeni Gehtman
  • Publication number: 20220326861
    Abstract: Data encrypted using a first device-specific key of a first host device is written to a first logical storage device of a storage system. The storage system generates a copy of the first logical storage device, and associates the copy of the first logical storage device with a second logical storage device of the storage system. Data encrypted using a second device-specific key of a second host device is written to the second logical storage device of the storage system. Responsive to a request from the second host device for particular data of the second logical storage device, the storage system determines if the particular data was encrypted using the first key or the second key, and provides the second host device with the particular data and an indication of a result of the determination.
    Type: Application
    Filed: April 13, 2021
    Publication date: October 13, 2022
    Inventors: Tomer Shachar, Arieh Don, Yevgeni Gehtman, Maxim Balin
  • Publication number: 20220309132
    Abstract: Techniques are provided for system protection using verification of software digital identity values. One method comprises obtaining a first software digital identity value for a system, wherein the first software digital identity value aggregates software identifiers of software components of the system at a first time; comparing a second software digital identity value to the first software digital identity value, wherein the second software digital identity value aggregates software identifiers of the plurality of software components of the system at a second time subsequent to the first time; and performing an automated remedial action based on a result of the comparison. The comparison may be performed: (i) when the system attempts to connect to a service over a network and/or (ii) when the system is installed, configured and/or activated at a remote location.
    Type: Application
    Filed: March 24, 2021
    Publication date: September 29, 2022
    Inventors: Yevgeni Gehtman, Tomer Shachar, Maxim Balin