Abstract: Disclosed herein are methods, systems, and processes for generating, configuring, and implementing a data collection and analytics (DCA) pipeline to optimize the identification of anomalous or vulnerable computing assets and/or anomalous or vulnerable computing asset behavior in cybersecurity computing environments. Raw data from an agent executing on a computing asset is received. A baseline profile or a gold image associated with the computing asset is also received. A difference or delta between the raw data and the baseline profile or the gold image is identified, and an output providing context relating to the difference is generated. The difference relates to a keyed property that is common between the raw data and the base profile or the gold image, and the difference is further filtered to reduce noise in the output.

Abstract: Systems and methods are disclosed to implement an endpoint command invocation system (“ECIS”). In some embodiments, ECIS can quickly dispatch a command to a large number of endpoint components, where the endpoint components are online. ECIS can receive an invocation of a command, which can include the command recipients. In some embodiments, ECIS determines that some of the command recipients are online, while some of the command recipients are offline. ECIS determines connections to the online command recipients based on a connection map, which is updated whenever an endpoint component opens a connection to ask for a command. ECIS can deliver the command to the online command recipients using the connections. ECIS can also deliver the command to dispatch queues corresponding to the offline command recipients, where the dispatch queues store the command as a pending command that can be delivered to their respective command recipients whenever they come online.

Abstract: Systems and methods are disclosed to implement an endpoint command invocation system (“ECIS”). In some embodiments, ECIS can quickly dispatch a command to a large number of endpoint components, where the endpoint components are online. ECIS can receive an invocation of a command, which can include the command recipients. In some embodiments, ECIS determines that some of the command recipients are online, while some of the command recipients are offline. ECIS determines connections to the online command recipients based on a connection map, which is updated whenever an endpoint component opens a connection to ask for a command. ECIS can deliver the command to the online command recipients using the connections. ECIS can also deliver the command to dispatch queues corresponding to the offline command recipients, where the dispatch queues store the command as a pending command that can be delivered to their respective command recipients whenever they come online.

Abstract: Systems and methods are disclosed to implement an endpoint command invocation system (“ECIS”). In some embodiments, ECIS can quickly dispatch a command to a large number of endpoint components, where the endpoint components are online. ECIS can receive an invocation of a command, which can include the command recipients. In some embodiments, ECIS determines that some of the command recipients are online, while some of the command recipients are offline. ECIS determines connections to the online command recipients based on a connection map, which is updated whenever an endpoint component opens a connection to ask for a command. ECIS can deliver the command to the online command recipients using the connections. ECIS can also deliver the command to dispatch queues corresponding to the offline command recipients, where the dispatch queues store the command as a pending command that can be delivered to their respective command recipients whenever they come online.

Abstract: Systems and methods are disclosed to implement a delta data collection technique for collecting machine characteristics data from client machines. In embodiments, the collected data is used by a machine assessment service to maintain a virtual representation of the client machine for assessments. To initialize the collection process, the client uploads an initial copy of the data in full. Subsequently, the client determines periodic deltas between a current baseline of the data and a last reported baseline, and the deltas are uploaded as patches. The machine assessment service then applies these patches to update the virtual representation of the client machine. In embodiments, to facilitate the generation or uploading of the patches, the client may generate the baselines in a different encoding format as used by the data. For example, baselines in the new encoding format may be more easily compared and manipulated during the patch generation process.

Abstract: Systems and methods are disclosed to implement an endpoint command invocation system (“ECIS”). In some embodiments, ECIS can quickly dispatch a command to a large number of endpoint components, where the endpoint components are online. ECIS can receive an invocation of a command, which can include the command recipients. In some embodiments, ECIS determines that some of the command recipients are online, while some of the command recipients are offline. ECIS determines connections to the online command recipients based on a connection map, which is updated whenever an endpoint component opens a connection to ask for a command. ECIS can deliver the command to the online command recipients using the connections. ECIS can also deliver the command to dispatch queues corresponding to the offline command recipients, where the dispatch queues store the command as a pending command that can be delivered to their respective command recipients whenever they come online.

Abstract: Systems and methods are disclosed to implement a delta data collection technique for collecting machine characteristics data from client machines. In embodiments, the collected data is used by a machine assessment service to maintain a virtual representation of the client machine for assessments. To initialize the collection process, the client uploads an initial copy of the data in full. Subsequently, the client determines periodic deltas between a current baseline of the data and a last reported baseline, and the deltas are uploaded as patches. The machine assessment service then applies these patches to update the virtual representation of the client machine. In embodiments, to facilitate the generation or uploading of the patches, the client may generate the baselines in a different encoding format as used by the data. For example, baselines in the new encoding format may be more easily compared and manipulated during the patch generation process.

Abstract: Disclosed herein are methods, systems, and processes to perform self-dependent upgrades of Java Runtime Environments (JREs). A request to update a plugin to a new version with a new configuration that includes a location to download a new upgrader-executable is received from a platform computing device at an endpoint computing device. The plugin is uploaded to the new version. The new upgrader-executable that includes an executable with an executable table executed by the plugin is downloaded from the location. The executable is used to halt execution of a JRE application (e.g., a Collector) and download JRE files required for the upgrade. The JRE application (e.g., the Collector) is then re-started with the new configuration, which can be rolled back if the upgrade is unsuccessful.

Abstract: Systems and methods are disclosed to implement a self-learning machine assessment system that automatically tunes what data is collected from remote machines. In embodiments, agents are deployed on remote machines to collect machine characteristics data according to collection rule sets, and to report the collected data to the machine assessment system. The machine assessment system assesses the remote machines using the collected data, and automatically determines, based on what data was or was not needed during the assessment, whether an agent's collection rule set should be changed. Any determined changes are sent back to the agent, causing the agent to update its scope of collection. The auto-tuning process may continue over multiple iterations until the agent's collection scope is stabilized. In embodiments, the assessment process may be used to analyze the remote machine to determine security vulnerabilities, and recommend possible actions to take to mitigate the vulnerabilities.

Abstract: Systems and methods are disclosed to implement a self-learning machine assessment system that automatically tunes what data is collected from remote machines. In embodiments, agents are deployed on remote machines to collect machine characteristics data according to collection rule sets, and to report the collected data to the machine assessment system. The machine assessment system assesses the remote machines using the collected data, and automatically determines, based on what data was or was not needed during the assessment, whether an agent's collection rule set should be changed. Any determined changes are sent back to the agent, causing the agent to update its scope of collection. The auto-tuning process may continue over multiple iterations until the agent's collection scope is stabilized. In embodiments, the assessment process may be used to analyze the remote machine to determine security vulnerabilities, and recommend possible actions to take to mitigate the vulnerabilities.

Abstract: Systems and methods are disclosed to implement a self-learning machine assessment system that automatically tunes what data is collected from remote machines. In embodiments, agents are deployed on remote machines to collect machine characteristics data according to collection rule sets, and to report the collected data to the machine assessment system. The machine assessment system assesses the remote machines using the collected data, and automatically determines, based on what data was or was not needed during the assessment, whether an agent's collection rule set should be changed. Any determined changes are sent back to the agent, causing the agent to update its scope of collection. The auto-tuning process may continue over multiple iterations until the agent's collection scope is stabilized. In embodiments, the assessment process may be used to analyze the remote machine to determine security vulnerabilities, and recommend possible actions to take to mitigate the vulnerabilities.