Patents by Inventor Richard A Kelley

Richard A Kelley has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11968239
    Abstract: A system and method for the detection and mitigation of data source compromises in an adversarial information environment. The system and method feature the ability to scan for, ingest and process, and then use relational, wide column, and graph stores for capturing entity data, their relationships, and actions associated with them. Furthermore, meta-data is gathered and linked to the ingested data, which provides a broader contextual view of the environment leading up to and during an event of interest. Data quality analysis is conducted on the data as it is ingested in order to identify various data source metrics and determine if a data source may be compromised. The results of the data quality analysis, the identified metrics, the gathered data, and meta-data are used to manage the reputation of the contributing data sources. The system can make recommendations on data sources based on the data source reputation scoring.
    Type: Grant
    Filed: June 21, 2022
    Date of Patent: April 23, 2024
    Assignee: QOMPLX LLC
    Inventors: Jason Crabtree, Richard Kelley
  • Publication number: 20240119140
    Abstract: A system and methods for sandboxed software analysis with automated vulnerability detection and patch development, deployment and validation, comprising a business operating system, vulnerability scoring engine, binary translation engine, sandbox simulation engine, at least one network endpoint, at least one database, a network, and a combination of machine learning and vulnerability probing techniques, to analyze software, locate any vulnerabilities or malicious behavior, and attempt to patch and prevent undesired behavior from occurring, autonomously.
    Type: Application
    Filed: April 12, 2023
    Publication date: April 11, 2024
    Inventors: Jason Crabtree, Richard Kelley
  • Publication number: 20240078263
    Abstract: A system and method for technology analysis utilizing high-performance, scalable, multitenant, dynamically specifiable, knowledge graph information storage and utilization. The system uses an in-memory associative array for high-performance graph storage and access, with a non-volatile distributed database for scalable backup storage, a scalable, distributed graph service for graph creation, an indexing search engine to increase searching performance, and a graph crawler for graph traversal. One or more of these components may be in the form of a cloud-based service, and in some embodiments the cloud-based services may be containerized to allow for multitenant co-existence with no possibility of data leakage or cross-over. The system uses a cyber-physical graph to represent an enterprise's cyber-physical system and can provide graph analysis, graph security, and graph fusion related tasks to identify potential operational risks.
    Type: Application
    Filed: November 10, 2023
    Publication date: March 7, 2024
    Inventors: Jason Crabtree, Richard Kelley
  • Patent number: 11924251
    Abstract: A system and method for cybersecurity reconnaissance, analysis, and scoring that uses distributed, cloud-based computing services to provide sufficient scalability for analysis of enterprise IT networks using only publicly available characterizations. The system and method comprise an in-memory associative array which manages a queue of vulnerability search tasks through a public-facing proxy network. The public-facing proxy network has search nodes configurable to present the network to search tools in a desired manner to control certain aspects of the search to obtain the desired results. A distributed data processing engine and cloud-based storage are used to provide scalable computing power and storage. Each of the cloud-based computing services is containerized and orchestrated for management and efficient scaling purposes.
    Type: Grant
    Filed: December 31, 2021
    Date of Patent: March 5, 2024
    Assignee: QOMPLX LLC
    Inventors: Jason Crabtree, Joe Gray, Michael James, Richard Kelley, Andrew Sellers, Farooq Shaikh
  • Publication number: 20240064159
    Abstract: A system and methods for detecting and mitigating SAML forgery and manipulation attacks against services is provided, comprising a policy manager configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to create a unique identifier for each valid authentication session; wherein subsequent access requests accompanied by authentication objects are validated by checking for a valid unique identifier.
    Type: Application
    Filed: October 28, 2023
    Publication date: February 22, 2024
    Inventors: Jason Crabtree, Richard Kelley, Angadbir Singh Salaria, Andrew Sellers, Farooq Israr Ahmed Shaikh, Randy Clayton, Luka Jurukovski
  • Patent number: 11886507
    Abstract: A system and method for cybersecurity analysis utilizing high-performance, scalable, multi-tenant, dynamically specifiable, knowledge graph information storage and utilization. The system uses an in-memory associative array for high-performance graph storage and access, with a non-volatile distributed database for scalable backup storage, a scalable, distributed graph service for graph creation, an indexing search engine to increase searching performance, and a graph crawler for graph traversal. One or more of these components may be in the form of a cloud-based service, and in some embodiments the cloud-based services may be containerized to allow for multi-tenant co-existence with no possibility of data leakage or cross-over. The system uses a cyber-physical graph to represent an enterprise's cyber-physical system and can provide graph analysis, graph security, and graph fusion related tasks to identify potential cybersecurity threats.
    Type: Grant
    Filed: November 7, 2022
    Date of Patent: January 30, 2024
    Assignee: QOMPLX LLC
    Inventors: Jason Crabtree, Richard Kelley
  • Publication number: 20240022547
    Abstract: A system and method that uses midservers located between an enterprise network and an external network to provide mass scanning network traffic detection and analysis capabilities for the enterprise network. The midserver may be loaded with configurations that allow it to operate as a mass scan event detector capable of detecting network sniffers, botnets, and malicious peer-to-peer connections which can lead to security vulnerabilities. In such configurations, midserver may receive and analyze network traffic to determine if the network traffic is suspicious based on heuristic and signature-based techniques, and then generate an appropriate response action which can be implemented to mitigate the risk.
    Type: Application
    Filed: July 29, 2023
    Publication date: January 18, 2024
    Inventors: Jason Crabtree, Richard Kelley
  • Publication number: 20240022546
    Abstract: A system and method for implementation of zero trust computer network security combined with stateful authentication object tracking, authentication object manipulation and forgery detection, and assessment of authentication and identity attack surface. The methodology involves gathering all authentication objects issued by a network, storing the authentication objects in a master ledger for use in stateful deterministic authentication object tracking, and running detection functions that compare authentication objects presented for access to network resources with the master ledger. In an embodiment, an authentication object agent is installed at the domain controller level. In another embodiment, a log extension utility is installed at the local host computer level to provide additional log data for additional cyberattack detections.
    Type: Application
    Filed: July 29, 2023
    Publication date: January 18, 2024
    Inventors: Jason Crabtree, Richard Kelley
  • Publication number: 20230412620
    Abstract: A system and method for network cybersecurity analysis that uses user and entity behavioral analysis combined with network topology information and trigger-based network remediation to provide improved cybersecurity. The system and method involve gathering network entity information, establishing baseline behaviors for each entity, and monitoring each entity for behavioral anomalies that might indicate cybersecurity concerns. Further, the system and method involve incorporating network topology information into the analysis by generating a model of the network, annotating the model with risk and criticality information for each entity in the model and with a vulnerability level between entities, and using the model to evaluate cybersecurity risks to the network. Triggers may be based on risks or anomalous behavior and associated with a remediation action executed on the network by a security mitigation engine.
    Type: Application
    Filed: July 29, 2023
    Publication date: December 21, 2023
    Inventors: Jason Crabtree, Richard Kelley
  • Publication number: 20230388278
    Abstract: A system for detecting and mitigating forged authentication object attacks in federated environments using attestation is provided, comprising an event inspector to monitor logs and detect vulnerable events, an authentication object inspector configured to observe a new authentication object generated by an identity provider, and intercept the new authentication object; and a hashing engine configured to calculate a cryptographic hash for the new authentication object, and store the cryptographic hash for the new authentication object in the SAML response; wherein subsequent access requests accompanied by authentication objects are validated by comparing hashes for each authentication object to previously generated hashes.
    Type: Application
    Filed: July 29, 2023
    Publication date: November 30, 2023
    Inventors: Jason Crabtree, Richard Kelley
  • Publication number: 20230388277
    Abstract: A system and method for predictive cyber-physical resource management, including a business operating system, parameter evaluation engine, at least one cyber-physical asset, at least one crypt-ledger, a network, and the ability to represent data in Markov State Models and finite state machines.
    Type: Application
    Filed: April 21, 2023
    Publication date: November 30, 2023
    Inventors: Jason Crabtree, Richard Kelley
  • Publication number: 20230370491
    Abstract: A system and method for cyber exploitation path analysis and response using federated networks to minimize network exposure and maximize network resilience, with the ability to simulate complex and large scale network traffic through the use of federated training networks, by gathering network entity information, establishing baseline behaviors for each entity, and monitoring each entity for behavioral anomalies that might indicate cybersecurity concerns. Further, the system and method involve incorporating network topology information into the analysis by generating a model of the network, annotating the model with risk and criticality information for each entity in the model and with a vulnerability level between entities, and using the model to evaluate cybersecurity risks to the network.
    Type: Application
    Filed: July 24, 2023
    Publication date: November 16, 2023
    Inventors: Jason Crabtree, Richard Kelley
  • Publication number: 20230370490
    Abstract: A system and method for cyber exploitation path analysis and task plan optimization to minimize network exposure and maximize network resilience. The system and method involve gathering network entity information, establishing baseline behaviors for each entity, and monitoring each entity for behavioral anomalies that might indicate cybersecurity concerns. Further, the system and method involve incorporating network topology information into the analysis by generating a model of the network, annotating the model with risk and criticality information for each entity in the model and with a vulnerability level between entities, and using the model to evaluate cybersecurity risks to the network. Lastly, network attack path analysis and automated task planning for minimizing network exposure and maximizing resiliency is performed with machine learning, generative adversarial networks, hierarchical task networks, and Monte Carlo search trees.
    Type: Application
    Filed: July 19, 2023
    Publication date: November 16, 2023
    Inventors: Jason Crabtree, Richard Kelley
  • Publication number: 20230370439
    Abstract: A system and methods for network action classification and analysis using widely distributed lightweight honeypot sensor nodes, comprising a plurality of network traffic sensors each configured to monitor visible network traffic, analyze monitored traffic to identify patterns, communicate with other network sensors to correlate their respective traffic data, and produce a threat landscape based on the correlated traffic data. The system and method may comprise an emulation engine configured to simulate limited services or functionalities, emulating vulnerabilities or weak points in systems. Emulation engine may comprise one or more modules configured to provide use-case specific emulation capabilities. Emulation engine may receive network traffic data from network sensors, route the network traffic to an appropriate simulated destination service associated with the network traffic, and monitor the interactions between an attacker and the simulated destination.
    Type: Application
    Filed: July 29, 2023
    Publication date: November 16, 2023
    Inventors: Jason Crabtree, Richard Kelley
  • Patent number: 11818150
    Abstract: A system and methods for detecting and mitigating golden SAML attacks against federated services is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to create a security cookie for each valid authentication session; wherein subsequent access requests accompanied by authentication objects are validated by checking for a valid security cookie.
    Type: Grant
    Filed: October 27, 2022
    Date of Patent: November 14, 2023
    Assignee: QOMPLX LLC
    Inventors: Randy Clayton, Jason Crabtree, Luka Jurukovski, Richard Kelley, Angadbir Singh Salaria, Andrew Sellers, Farooq Israr Ahmed Shaikh
  • Publication number: 20230362141
    Abstract: A system and method for scoring and enforcing authentication standards that actually enable zero trust network security principles when combined with stateful authentication object tracking, authentication object manipulation and forgery detection, and assessment of authentication and identity attack surface. The methodology involves gathering all authentication objects issued by a network, storing the authentication objects in a centralized location for use in stateful deterministic authentication object tracking, scoring the completeness of the authentication observations, assessing the quality of the authentication observations, and assigning organization-specific penalty functions.
    Type: Application
    Filed: June 12, 2023
    Publication date: November 9, 2023
    Inventors: Jason Crabtree, Richard Kelley
  • Publication number: 20230362142
    Abstract: A system for network traffic classification using distributed sensor nodes is provided, comprising a plurality of network traffic sensors each configured to monitor visible network traffic, analyze the monitored traffic to identify patterns, communicate with other network sensors to correlate their respective traffic data, produce a threat landscape based on the correlated traffic data, identify a potential cybersecurity threat based on the threat landscape, and export the analyzed traffic and threat landscape for use by external systems.
    Type: Application
    Filed: June 16, 2023
    Publication date: November 9, 2023
    Inventors: Jason Crabtree, Richard Kelley
  • Publication number: 20230362200
    Abstract: A system and method for operational and cyber risk assessment that utilizes a data-driven approach to evaluate the current security posture and identify areas for improvement based on the user's desired target profile. This process involves estimating the costs and benefits associated with various security program enhancements, increased hiring, and control uplifts. The system and method then quantify these benefits in terms of reduction in tail value at risk, expected losses, cyber insurance premiums, and the amount of risk capital set aside. The system simulates attack paths associated with various risk scenarios and uses a risk scenario model to compute losses associated with each attack path for each risk scenario. The results of the simulation may be used to determine one or more business outcomes associated with the costs and benefits of implementing security enhancements.
    Type: Application
    Filed: June 21, 2023
    Publication date: November 9, 2023
    Inventors: Jason Crabtree, Richard Kelley
  • Publication number: 20230328132
    Abstract: A system and method that uses midservers located between the business enterprise computer infrastructure and the cloud-based infrastructure to collect, aggregate, analyze, transform, and securely transmit data from a multitude of computing devices and peripherals at an external network to a cloud-based service. The system and method make use of a plurality of virtual and physical worker agents which can be dynamically instantiated by a transformation engine to carry out one or more transformation sequences, based on pipeline instructions, to a received data stream to prepare the data for transmission as a target data stream format.
    Type: Application
    Filed: March 20, 2023
    Publication date: October 12, 2023
    Inventors: Jason Crabtree, Richard Kelley
  • Publication number: 20230319019
    Abstract: A system for detecting and mitigating forged authentication attacks is provided, comprising an authentication inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to retrieve the new authentication object from the authentication object inspector, calculate a cryptographic hash for the new authentication object, and store the cryptographic hash for the new authentication object in a data store; wherein subsequent access requests accompanied by authentication objects are validated by comparing hashes for each authentication object to previously generated hashes.
    Type: Application
    Filed: April 7, 2023
    Publication date: October 5, 2023
    Inventors: Jason Crabtree, Richard Kelley