Patents by Inventor Paul Hutelmyer

Paul Hutelmyer has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11909773
    Abstract: Systems and methods disclosed can evaluate security detection rules in a network security computing environment. Results for a processed log of security events can be retrieved. The results can identify determined outcomes for instances triggering security detection rules. The security detection rules can detect specific behavior on a network by being processed against a log of security events. Scores for the security detection rules can be determined based on the results of the processed log of security events and the determined outcomes. The security detection rules can be ranked based on the scores, from highest to lowest score. The highest score can indicate that a corresponding rule is performing worst among the security detection rules and the lowest score can indicate that a corresponding rule is performing best among the security detection rules. A rules score report can be generated based on the ranked rules.
    Type: Grant
    Filed: January 28, 2022
    Date of Patent: February 20, 2024
    Assignee: Target Brands, Inc.
    Inventors: Paul Hutelmyer, Adam Blake
  • Publication number: 20230239311
    Abstract: Disclosed are techniques for associating users of a network infrastructure to network or endpoint events within the network infrastructure. A method can include receiving, by a network security system that monitors and protects the network infrastructure, a packet for a network event, the packet including (i) information identifying a user device from which the network event originates and (ii) a payload, determining whether the packet triggers at least one association rule in a group of association rules, determining candidate users to be associated with the network event based on the rule triggered by the packet, determining confidence values for the candidate users to be associated with the network event based on the rule triggered by the packet, and returning the candidate users to associate with the network event and the corresponding confidence values.
    Type: Application
    Filed: November 23, 2022
    Publication date: July 27, 2023
    Inventors: Paul Hutelmyer, Adam Blake
  • Publication number: 20230239312
    Abstract: Disclosed are techniques for monitoring and identifying attempts to subvert a security wall within a network infrastructure.
    Type: Application
    Filed: November 23, 2022
    Publication date: July 27, 2023
    Inventors: Paul Hutelmyer, Adam Blake
  • Publication number: 20230239303
    Abstract: Disclosed are techniques for monitoring internal security vulnerabilities in an enterprise based on determining composite risk scores for enterprise users. A method can include receiving information about an enterprise user, such as their role, identifying risks associated with the role, determining, based on the risks, a role-based risk score for the user, receiving event alerts from a network security detection system, each event alert having been generated by the network security detection system identifying network activity on the enterprise's network that satisfies one or more security event rules indicative of a potential network security issue, determining that one or more of the event alerts are associated with the user in the enterprise to generate user-event pairings, determining, based on the user-event pairings, an event-based risk score for the user, and generating a composite risk score for the user based on aggregating the role-based risk score and the event-based risk score.
    Type: Application
    Filed: November 22, 2022
    Publication date: July 27, 2023
    Inventors: Paul Hutelmyer, Adam Blake
  • Publication number: 20230231854
    Abstract: Disclosed are techniques for identifying users within an enterprise who pose heightened security risks to the enterprise. A method can include receiving, by a computing system, information about users in the enterprise, grouping the users into groups based on at least one grouping feature and the user information, the at least one grouping feature including, for each of the users, behavior, activity, role, department, region, role-based risk score, event-based risk score, and/or composite risk score, identifying, for each group, normalized behavior of users in the group, generating, for each user in each group, a composite risk score based on deviation of the user's activity from the normalized behavior of the group, identifying, for each group, a subset of users in the group to be added to a watch list, and adding the subset of users to the watch list.
    Type: Application
    Filed: November 22, 2022
    Publication date: July 20, 2023
    Inventors: Adam Blake, Paul Hutelmyer
  • Publication number: 20220321606
    Abstract: Systems and methods disclosed can evaluate security detection rules in a network security computing environment. Results for a processed log of security events can be retrieved. The results can identify determined outcomes for instances triggering security detection rules. The security detection rules can detect specific behavior on a network by being processed against a log of security events. Scores for the security detection rules can be determined based on the results of the processed log of security events and the determined outcomes. The security detection rules can be ranked based on the scores, from highest to lowest score. The highest score can indicate that a corresponding rule is performing worst among the security detection rules and the lowest score can indicate that a corresponding rule is performing best among the security detection rules. A rules score report can be generated based on the ranked rules.
    Type: Application
    Filed: January 28, 2022
    Publication date: October 6, 2022
    Inventors: Paul Hutelmyer, Adam Blake
  • Publication number: 20220311795
    Abstract: A system for testing an alerting pipeline of a security network can include a synthetics computing device, a network analysis computing device, and an alerting computing device. The synthetics computing device can generate a synthetic event, a non-malicious version of an actual security event, to test one or more detection signatures of the security network and inject the synthetic event into a network log of events. The network analysis computing device can scan the network log of events, identify an event that triggers a detection signature of the security network, identify the event as the injected synthetic event, and generate a notification identifying the synthetic event and an associated detection signature triggered in response to the injected synthetic event. The alerting computing device can receive the notification and flag the synthetic event. The synthetics computing device can also validate the flagged synthetic event.
    Type: Application
    Filed: January 28, 2022
    Publication date: September 29, 2022
    Inventors: Paul Hutelmyer, Caleb Walch