Abstract: The disclosed technology teaches recovering a first virtual machine or an instance with an Internet Protocol address, a first root volume and one or more data volumes that are corrupted. The first virtual machine is hosted by a first cloud server that hosts plurality of virtual machines. The disclosed technology includes instructing the first cloud server to launch a recovery virtual machine. The recovery virtual machine launches one or more new data volumes based upon captured file system images in one or more snapshots taken of corrupted data volumes of the first virtual machine prior to becoming corrupted. The recovery virtual machine detaches the corrupted data volumes and attaches the new data volumes launched to the first virtual machine. The Internet Protocol address of the first virtual machine remains unchanged.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor, a memory, and a network interface; and instructions encoded within the memory to instruct the processor to: receive an incoming packet via the network interface; extract from the incoming packet a source port and a source internet protocol (IP) address; correlate the source port and source IP to a device identifier (ID); receive a network policy for the device ID; and apply the network policy to the incoming packet.

Abstract: Methods, apparatus, systems and articles of manufacture for communicating encrypted data via a virtual private network are disclosed. An example computer system disclosed herein includes a memory including instructions that, when executed, cause one or more processors to establish a first tunnel and a second tunnel between a VPN client and a VPN server. The instructions further cause the one or more processors to access a request message to be sent via the VPN and determine, in response to a payload being formatted using a first protocol, whether a packet associated with the request message includes an encrypted server name indication (SNI). The instructions further cause the one or more processors to, in response to the packet including the encrypted SNI, encrypt the header of the request message to form an encrypted header, create an encrypted message including the encrypted header and the payload of the request message, and transmit the encrypted message through the first tunnel.

Abstract: An apparatus, related devices and methods, having a memory element operable to store instructions; and a processor operable to execute the instructions, such that the apparatus is configured to identify, on an electronic device, a phone number of an incoming caller device; request, via an out-of-band control channel, a digital certificate for the phone number from the incoming caller device; receive, via the out-of-band control channel, the digital certificate for the phone number from the incoming caller device; determine whether the digital certificate for the phone number is authentic; and indicate, on the electronic device, based on a determination that the digital certificate for the phone number is authentic or not authentic, whether the phone number is authentic or not authentic.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface; an operating system including a native internet protocol (IP) stack; and a security agent, including instructions encoded within the memory to instruct the processor to: establish a split virtual private network (VPN) tunnel with a remote VPN service; receive outgoing network traffic; direct a first portion of the outgoing traffic to the VPN tunnel, including determining that the first portion includes an outgoing domain name service (DNS) request; and direct a second portion of the outgoing traffic to the native IP stack.

Abstract: There is disclosed in one example a gateway apparatus, including: a hardware platform including a processor and a memory; and instructions stored within the memory to instruct the processor to: provide a domain name system (DNS) server, the DNS server to provide an encrypted DNS service, and to cache resolved domain names; receive an outgoing network packet; determine a destination address of the outgoing network packet; and upon determining that the destination address was not cached, apply a security policy.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed that determine a dynamic password update notification interval based on a breach risk classification and an automatic password update mechanism of an online service with which a user has an account. The disclosed methods, apparatus, systems, and articles of manufacture generate a password update suggestion and/or an automatic password update for the user at the dynamic password update notification interval determined by the processor circuitry.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to optimize telemetry collection and processing of Transport Layer Security (TLS) parameters. An example apparatus includes at least one memory, instructions, and at least one processor to execute the instructions to generate a TLS client sub-profile based on first telemetry data associated with a client device, generate a TLS server sub-profile based on second telemetry data associated with a first server, generate a hash value based on at least one of the TLS client sub-profile or the TLS server sub-profile, compare the hash value to a plurality of hash values corresponding to known TLS profiles, and, in response to identifying the at least one of the TLS client sub-profile or the TLS server sub-profile as a unique TLS profile based on the comparisons, transmit the at least one of the first or second telemetry data to a second server.

Abstract: There is disclosed in one example a home router, including: a hardware platform including a processor and a memory; a local area network (LAN) interface; a data store including rules for domain name-based services; and instructions encoded within the memory to instruct the processor to: provision a certificate and key pair to provide domain name system (DNS) over hypertext transfer protocol secure (DoH) or DNS over transport layer security (DoT) services; receive on the LAN interface an encrypted DNS request; decrypt the DNS request; query the data store according to the DNS request; receive a rule for the DNS request; and execute the rule.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to improve the inspection of network data flows. An example apparatus includes memory, and processor circuitry to execute machine readable instructions to at least identify network domains accessible by at least one client device in a geographic location of interest, associate the identified network domains with Autonomous System Numbers (ASNs), create a list of respective ones of the ASNs that include a non-malicious status corresponding to Internet protocol (IP) addresses associated with respective ones of the identified network domains, and in response to receiving a reputation request corresponding to a destination IP address, cause inspection of a data flow to be skipped when the destination IP address is associated with the list of non-malicious ASNs.

Abstract: An apparatus, related devices and methods, having a memory element operable to store instructions; and a processor operable to execute the instructions, such that the apparatus is configured to identify sensitive user data stored in the memory by a first application, determine a risk exposure score for the sensitive user data, apply, based on a determination that the risk exposure score is above a threshold, a security policy to restrict access to the sensitive user data, receive a request from a second application to access the sensitive user data, determine whether the first application and the second application are similar applications, and allow access based on a determination that the first application and the second application are similar applications.

Abstract: The disclosed technology teaches recovering a first virtual machine or an instance with an Internet Protocol address, a first root volume and one or more data volumes that are corrupted. The first virtual machine is hosted by a first cloud server that hosts plurality of virtual machines. The disclosed technology includes instructing the first cloud server to launch a recovery virtual machine. The recovery virtual machine launches one or more new data volumes based upon captured file system images in one or more snapshots taken of corrupted data volumes of the first virtual machine prior to becoming corrupted. The recovery virtual machine detaches the corrupted data volumes and attaches the new data volumes launched to the first virtual machine. The Internet Protocol address of the first virtual machine remains unchanged.

Abstract: An apparatus, related devices and methods, having a memory element operable to store instructions; and a processor operable to execute the instructions, such that the apparatus is configured to identify, on an electronic device, a phone number of an incoming caller device; request, via an out-of-band control channel, a digital certificate for the phone number from the incoming caller device; receive, via the out-of-band control channel, the digital certificate for the phone number from the incoming caller device; determine whether the digital certificate for the phone number is authentic; and indicate, on the electronic device, based on a determination that the digital certificate for the phone number is authentic or not authentic, whether the phone number is authentic or not authentic.

Abstract: System and computer-implemented method for license management of virtual appliances in a computing system uses an activated virtual appliance in the computing system to forward an activation license from a license server on behalf of an unactivated virtual appliance in the computing system.

Abstract: There is disclosed in one example an enrollment over secure transport (EST)-capable gateway device, including: a hardware platform including a processor and a memory; a first network interface to communicatively couple to an external network, including an external DNS server; a second network interface to communicatively couple to a home network; a caching DNS server including a local DNS cache, and logic to provide DNS services to the home network; and an EST proxy to authenticate to a local endpoint on the home network, provision a DNS server certificate on the local endpoint, provision an authentication domain name (ADN) on the local endpoint, and provide encrypted domain name system (DNS) services to the local endpoint.

Abstract: In an example, there is disclosed an end-user computing apparatus, including a hardware platform, having a processor and a memory; and instructions encoded within the memory to provide two or more network activity scanners for a user's network activity; operate the two or more network activity scanners to locally analyze the user's network activity, identify a plurality of online accounts associated with the user, and compute respective account identities and usage contexts for the accounts; and send the account identities and usage contexts to an analysis service for identification of accounts to modify.

Abstract: An apparatus, related devices and methods, having a memory element operable to store instructions; and a processor operable to execute the instructions, such that the apparatus is configured to identify, on an electronic device, a phone number of an incoming caller device; request, via an out-of-band control channel, a digital certificate for the phone number from the incoming caller device; receive, via the out-of-band control channel, the digital certificate for the phone number from the incoming caller device; determine whether the digital certificate for the phone number is authentic; and indicate, on the electronic device, based on a determination that the digital certificate for the phone number is authentic or not authentic, whether the phone number is authentic or not authentic.

Abstract: Mechanisms for split tunneling are provided. The mechanisms identify user devices and determine that communications for a first device of the user devices are to be tunneled. These mechanisms also receive a DNS request from a second device of the user devices, modify the DNS request to request meta information corresponding to a domain identified in the DNS request, and send the DNS request to a DNS server. The mechanisms further receive a response to the DNS request, wherein the response includes the meta information, determine that communications for the second device are not to be tunneled based at least in part on the meta information, and cause the communications for the first device to be tunneled and the communications for the second device to not be tunneled.

Abstract: There is disclosed in an example a gateway device, including a hardware computing platform, and a secure domain name system (DNS) engine having circuitry and stored instructions to-program the circuitry, the secure DNS engine to communicatively couple to an endpoint via a local network, begin a secure DNS transaction with the endpoint, determine whether the endpoint supports delegated credentials, and after determining that the endpoint supports delegated credentials, establish a secure DNS session with the endpoint using a delegated credential.

Abstract: There is disclosed in one example a network gateway device, including: a hardware platform including a processor and a memory; a network interface, including network interface hardware; and instructions encoded within the memory to instruct the processor to: receive from an endpoint device, via the network interface, a signed security posture data structure, the signed security posture data structure including information about a security posture of the endpoint device; cryptographically verify the signed security posture data structure; and according to the signed security posture data structure, assign a network security policy to the endpoint device.