Abstract: Systems and methods for determining a user's presence on a network of an enterprise are provided. Traffic is collected to a network from devices and, over a period of time, login and logoff information from a user is determined from the collected network traffic. Network sessions are determined from a user's login and logoff information and timetable is generated specific to the user that contains the network sessions. The time table identifies when the user was active and when the user was not active based on the login and logoff information and, therefore, present at a particular location over a period of time.

Abstract: The threat of malicious parties exposing users' credentials from one system and applying the exposed credentials to a different system to gain unauthorized access is addressed in the present disclosure by systems and methods to preemptively and reactively mitigate the risk of users reusing passwords between systems. A security device passively monitors traffic comprising authorization requests within a network to reactively identify an ongoing attack based on its use of exposed credentials in the authorization request and identifies accounts that are vulnerable to attacks using exposed credentials by actively attempting to log into those accounts with exposed passwords from other networks. The systems and methods reduce the number of false positives associated with attack identification and strengthens the network against potential attacks, thus improving the network's security and reducing the amount of resources needed to securely manage the network.

Abstract: The network logon protocol used in a pass-through authentication request embedded in an encrypted network packet is identified. A protocol detection engine correlates events and network requests received at a domain controller in order to use the data contained in a correlated pair to determine a size of a challenge response in the encrypted network packet. The size of the response is used to identify the network logon protocol used in the pass-through authentication request.

Abstract: A system and method for performing IP to name resolution in organizational environments. IP addresses are determined for devices utilizing the corporate network. An IP address is resolved to a first device name and then the same IP address is subsequently resolved to a second device name. A profile is generated such as a timeline for the IP address including both the first and second device names. The timeline may be queried to determine whether the first device name or the second device name was associated with the IP address during a period of time.

Abstract: Determining impossible travel for a specific user entity associated with an on-premises site. A method includes identifying an estimated location of an on-premises site associated with an organization network. Identifying the estimated location of an on-premises site comprises aggregating connection information of remote devices, remote from the on-premises site connecting to the on-premises site. Information related to an on-premises connection event is identified including the estimated location, time information, and a first user identification for an entity. Information is identified related to a different connection event. The information comprises location information, time information and a second user identification for the entity. The information related to the on-premises connection event and the information related to the different connection event are used to detect impossible travel for the entity. An alert indicating an impossible travel condition is provided.

Abstract: The present disclosure provides for improved computational efficiency and security in a network by determining the physical location of network connected components, without requiring the components to self-locate. The locations of devices remotely connected to a site within the network are geolocated so that the physical location of that site may be inferred from a centralized point to the remote devices' locations. This calculate site location may be compared against a known site location to improve a generalized algorithm for determining the calculated location of a site with an unknown location, and may be applied to devices that are locally connected to the network, which may be otherwise incapable of being geolocated.

Abstract: The threat of malicious parties exposing users' credentials from one system and applying the exposed credentials to a different system to gain unauthorized access is addressed in the present disclosure by systems and methods to preemptively and reactively mitigate the risk of users reusing passwords between systems. A security device passively monitors traffic comprising authorization requests within a network to reactively identify an ongoing attack based on its use of exposed credentials in the authorization request and identifies accounts that are vulnerable to attacks using exposed credentials by actively attempting to log into those accounts with exposed passwords from other networks. The systems and methods reduce the number of false positives associated with attack identification and strengthens the network against potential attacks, thus improving the network's security and reducing the amount of resources needed to securely manage the network.

Abstract: The network logon protocol used in a pass-through authentication request embedded in an encrypted network packet is identified. A protocol detection engine correlates events and network requests received at a domain controller in order to use the data contained in a correlated pair to determine a size of a challenge response in the encrypted network packet. The size of the response is used to identify the network logon protocol used in the pass-through authentication request.

Abstract: The threat of malicious parties exposing users' credentials from one system and applying the exposed credentials to a different system to gain unauthorized access is addressed in the present disclosure by systems and methods to preemptively and reactively mitigate the risk of users reusing passwords between systems. A security device passively monitors traffic comprising authorization requests within a network to reactively identify an ongoing attack based on its use of exposed credentials in the authorization request and identifies accounts that are vulnerable to attacks using exposed credentials by actively attempting to log into those accounts with exposed passwords from other networks. The systems and methods reduce the number of false positives associated with attack identification and strengthens the network against potential attacks, thus improving the network's security and reducing the amount of resources needed to securely manage the network.

Abstract: Determining impossible travel for a specific user entity associated with an on-premises site. A method includes identifying an estimated location of an on-premises site associated with an organization network. Identifying the estimated location of an on-premises site comprises aggregating connection information of remote devices, remote from the on-premises site connecting to the on-premises site. Information related to an on-premises connection event is identified including the estimated location, time information, and a first user identification for an entity. Information is identified related to a different connection event. The information comprises location information, time information and a second user identification for the entity. The information related to the on-premises connection event and the information related to the different connection event are used to detect impossible travel for the entity. An alert indicating an impossible travel condition is provided.

Abstract: A system and method for performing IP to name resolution in organizational environments. IP addresses are determined for devices utilizing the corporate network. An IP address is resolved to a first device name and then the same IP address is subsequently resolved to a second device name. A profile is generated such as a timeline for the IP address including both the first and second device names. The timeline may be queried to determine whether the first device name or the second device name was associated with the IP address during a period of time.

Abstract: Systems and methods for determining a user's presence on a network of an enterprise are provided. Traffic is collected to a network from devices and, over a period of time, login and logoff information from a user is determined from the collected network traffic. Network sessions are determined from a user's login and logoff information and timetable is generated specific to the user that contains the network sessions. The time table identifies when the user was active and when the user was not active based on the login and logoff information and, therefore, present at a particular location over a period of time.

Abstract: The present disclosure provides for improved computational efficiency and security in a network by determining the physical location of network connected components, without requiring the components to self-locate. The locations of devices remotely connected to a site within the network are geolocated so that the physical location of that site may be inferred from a centralized point to the remote devices' locations. This calculate site location may be compared against a known site location to improve a generalized algorithm for determining the calculated location of a site with an unknown location, and may be applied to devices that are locally connected to the network, which may be otherwise incapable of being geolocated.

Abstract: The threat of malicious parties exposing users' credentials from one system and applying the exposed credentials to a different system to gain unauthorized access is addressed in the present disclosure by systems and methods to preemptively and reactively mitigate the risk of users reusing passwords between systems. A security device passively monitors traffic comprising authorization requests within a network to reactively identify an ongoing attack based on its use of exposed credentials in the authorization request and identifies accounts that are vulnerable to attacks using exposed credentials by actively attempting to log into those accounts with exposed passwords from other networks. The systems and methods reduce the number of false positives associated with attack identification and strengthens the network against potential attacks, thus improving the network's security and reducing the amount of resources needed to securely manage the network.