Abstract: A computer security system provides for auto-populating process-connection whitelists using process wildcarding and connection wildcarding. Process wildcarding involves grouping process-connection requests together in a process* group without regard to the presence of distinct process arguments; in contrast, some process-connection requests may be separated both by process and by argument into process?argument groups. The process-connection requests may then be analyzed on a group-by-group basis to determine which processes can be mapped to wildcarded connection in a respective process-connection whitelist.

Abstract: A security system for a customer computer site includes a cloud-based manager (CBM) and on-site components. The on-site components include a manager appliance, guest agents of the CBM installed within respective virtual machines, and host agents of the CBM installed on hypervisors on which the virtual machines. The guest agents have a many-to-one relationship with the host agents, which have a many-to-one relationship with the appliance. In a scenario, many guest agents may generate alarms and send them to the host agents. Each host agent consolidates alarms across the different virtual machines it hosts and pushes the consolidated alarms to the manager appliance. The appliance batch processes the consolidated alarms across host agents, and pushes the batched alarms to the CBM, which deduplicates the alarms and notifies an administrator.

Abstract: A security system for a distributed application obtains and, in effect, preserves provisioning information for the purpose of auto-populating whitelists used to protect the distributed application from intrusions. The provisioning information identifies allowable connections on a software-package level. Entries mapping processes to connection destinations are added to a whitelist if a process requesting a connection results from execution of an executable file installed as part of a software package for which the connection was allowed according to the provisioning information.

Abstract: A security system for a distributed application obtains and, in effect, preserves provisioning information for the purpose of auto-populating whitelists used to protect the distributed application from intrusions. The provisioning information identifies allowable connections on a software-package level. Entries mapping processes to connection destinations are added to a whitelist if a process requesting a connection results from execution of an executable file installed as part of a software package for which the connection was allowed according to the provisioning information.

Abstract: A computer security system provides for auto-populating process-connection whitelists using process wildcarding and connection wildcarding. Process wildcarding involves grouping process-connection requests together in a process* group without regard to the presence of distinct process arguments; in contrast, some process-connection requests may be separated both by process and by argument into process argument groups. The process-connection requests may then be analyzed on a group-by-group basis to determine which processes can be mapped to wildcarded connection in a respective process-connection whitelist.

Abstract: A security system for a customer computer site includes a cloud-based manager (CBM) and on-site components. The on-site components include a manager appliance, guest agents of the CBM installed within respective virtual machines, and host agents of the CBM installed on hypervisors on which the virtual machines. The guest agents have a many-to-one relationship with the host agents, which have a many-to-one relationship with the appliance. In a scenario, many guest agents may generate alarms and send them to the host agents. Each host agent consolidates alarms across the different virtual machines it hosts and pushes the consolidated alarms to the manager appliance. The appliance batch processes the consolidated alarms across host agents, and pushes the batched alarms to the CBM, which deduplicates the alarms and notifies an administrator.