Patents by Inventor Sourabh Satish

Sourabh Satish has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20180332074
    Abstract: Systems, methods, and software described herein provide for responding to security threats in a computing environment based on the classification of computing assets in the environment. In one example, a method of operating an advisement computing system includes identifying a security threat for an asset in the computing environment, and identifying a classification for the asset in relation to other assets within the computing environment. The method further provides determining a rule set for the security threat based on the classification for the asset and initiating a response to the security threat based on the rule set.
    Type: Application
    Filed: July 23, 2018
    Publication date: November 15, 2018
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Publication number: 20180316718
    Abstract: Systems, methods, and software described herein provide enhancements for implementing security actions in a computing environment. In one example, a method of operating an advisement system to provide actions in a computing environment includes identifying a security incident in the computing environment, identifying a criticality rating for the asset, and obtaining enrichment information for the security incident from one or more internal or external sources. The method also provides identifying a severity rating for the security incident based on the enrichment information, and determining one or more security actions based on the enrichment information. The method further includes identifying effects of the one or more security actions on operations of the computing environment based on the criticality rating and the severity rating, and identifying a subset of the one or more security actions to respond to the security incident based on the effects.
    Type: Application
    Filed: March 19, 2018
    Publication date: November 1, 2018
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Patent number: 10116687
    Abstract: Systems, methods, and software described herein provide for managing service level agreements (SLAs) for security incidents in a computing environment. In one example, an advisement system identifies a rule set for a security incident based on enrichment information obtained for the security incident, wherein the rule set is associated with action recommendations to be taken against the incident. The advisement system further identifies a default SLA for the security incident based on the rule set, and obtains environmental characteristics related to the security incident. Based on the environmental characteristics, the advisement system determines a modified SLA for the security incident.
    Type: Grant
    Filed: December 18, 2017
    Date of Patent: October 30, 2018
    Assignee: Splunk Inc.
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Patent number: 10063587
    Abstract: Systems, methods, and software described herein provide for responding to security threats in a computing environment based on the classification of computing assets in the environment. In one example, a method of operating an advisement computing system includes identifying a security threat for an asset in the computing environment, and identifying a classification for the asset in relation to other assets within the computing environment. The method further provides determining a rule set for the security threat based on the classification for the asset and initiating a response to the security threat based on the rule set.
    Type: Grant
    Filed: December 2, 2015
    Date of Patent: August 28, 2018
    Assignee: Splunk Inc.
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Patent number: 10049190
    Abstract: A method and apparatus for using a remote delegate is described. In one embodiment, the method comprises evaluating information that identifies at least one of software packages resident in a client computer or licenses associated with the software packages using a remote delegate and enabling use of a resource at the client computer based on the information through use of the remote delegate.
    Type: Grant
    Filed: December 21, 2007
    Date of Patent: August 14, 2018
    Assignee: Symantec Corporation
    Inventors: Keith Newstadt, Shaun Cooley, Sourabh Satish, Timothy G. Brown, Brian Hernacki
  • Publication number: 20180159893
    Abstract: Systems, methods, and software described herein provide security actions based on the current state of a security threat. In one example, a method of operating an advisement system in a computing environment with a plurality of computing assets includes identifying a security threat within the computing environment. The method further includes, in response to identifying the security threat, obtaining state information for the security threat within the computing environment, and determining a current state for the security threat within the computing environment. The method also provides obtaining enrichment information for the security threat and determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.
    Type: Application
    Filed: February 1, 2018
    Publication date: June 7, 2018
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Patent number: 9971776
    Abstract: A method, apparatus and computer-readable medium for extending the functionality of an operating system is described. The method comprises installing an installable file system as a root file system of the operating system, mounting a default file system of the operating system as a folder accessible by the installable file system and using the installable file system to process data between the operating system and the default file system. The apparatus is a system for extending the functionality of an operating system comprising a computing device comprising a processor and a memory for executing the operating system, wherein the operating system mounts an installable file system other than a default file system of the operating system as a root file system and the installable file system mounts the default file system of the operating system as a folder.
    Type: Grant
    Filed: June 29, 2006
    Date of Patent: May 15, 2018
    Assignee: Veritas Technologies LLC
    Inventors: Sourabh Satish, Brian Hernacki
  • Publication number: 20180124100
    Abstract: Systems, methods, and software described herein provide for managing service level agreements (SLAs) for security incidents in a computing environment. In one example, an advisement system identifies a rule set for a security incident based on enrichment information obtained for the security incident, wherein the rule set is associated with action recommendations to be taken against the incident. The advisement system further identifies a default SLA for the security incident based on the rule set, and obtains environmental characteristics related to the security incident. Based on the environmental characteristics, the advisement system determines a modified SLA for the security incident.
    Type: Application
    Filed: December 18, 2017
    Publication date: May 3, 2018
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Patent number: 9959404
    Abstract: Computer-implemented methods and systems for creating or updating approved-file and trusted-domain databases and verifying the legitimacy of files are disclosed. A method for creating or updating an approved-file database may include intercepting a first file, identifying a source domain associated with the first file, identifying a trusted-domain database, determining whether a database record for the source domain associated with the first file exists within the trusted-domain database, creating a hash value for the first file if a database record for the source domain associated with the first file exists within the trusted-domain database, and storing the hash value for the first file in an approved-file database. Methods and systems for verifying the legitimacy of a file and for creating or updating a trusted-domain database are also disclosed.
    Type: Grant
    Filed: October 1, 2007
    Date of Patent: May 1, 2018
    Assignee: Symantec Corporation
    Inventors: Carey Nachenberg, Michael Spertus, Sourabh Satish, Gerry Egan
  • Patent number: 9954888
    Abstract: Systems, methods, and software described herein provide enhancements for implementing security actions in a computing environment. In one example, a method of operating an advisement system to provide actions in a computing environment includes identifying a security incident in the computing environment, identifying a criticality rating for the asset, and obtaining enrichment information for the security incident from one or more internal or external sources. The method also provides identifying a severity rating for the security incident based on the enrichment information, and determining one or more security actions based on the enrichment information. The method further includes identifying effects of the one or more security actions on operations of the computing environment based on the criticality rating and the severity rating, and identifying a subset of the one or more security actions to respond to the security incident based on the effects.
    Type: Grant
    Filed: December 2, 2015
    Date of Patent: April 24, 2018
    Assignee: Phantom Cyber Corporation
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Patent number: 9888029
    Abstract: Systems, methods, and software described herein provide security actions based on the current state of a security threat. In one example, a method of operating an advisement system in a computing environment with a plurality of computing assets includes identifying a security threat within the computing environment. The method further includes, in response to identifying the security threat, obtaining state information for the security threat within the computing environment, and determining a current state for the security threat within the computing environment. The method also provides obtaining enrichment information for the security threat and determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.
    Type: Grant
    Filed: August 12, 2015
    Date of Patent: February 6, 2018
    Assignee: Phantom Cyber Corporation
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Patent number: 9871818
    Abstract: Systems, methods, and software described herein provide for managing service level agreements (SLAs) for security incidents in a computing environment. In one example, an advisement system identifies a rule set for a security incident based on enrichment information obtained for the security incident, wherein the rule set is associated with action recommendations to be taken against the incident. The advisement system further identifies a default SLA for the security incident based on the rule set, and obtains environmental characteristics related to the security incident. Based on the environmental characteristics, the advisement system determines a modified SLA for the security incident.
    Type: Grant
    Filed: April 17, 2015
    Date of Patent: January 16, 2018
    Assignee: Phantom Cyber Corporation
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Publication number: 20180013785
    Abstract: Systems, methods, and software described herein enhance how security actions are implemented within a computing environment. In one example, a method of implementing security actions for a computing environment comprising a plurality of computing assets includes identifying a security action in a command language for the computing environment. The method further provides identifying one or more computing assets related to the security action, and obtaining hardware and software characteristics for the one or more computing assets. The method also includes translating the security action in the command language to one or more action procedures based on the hardware and software characteristics, and initiating implementation of the one or more action procedures in the one or more computing assets.
    Type: Application
    Filed: September 8, 2017
    Publication date: January 11, 2018
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Patent number: 9846772
    Abstract: A computer-implemented method for detecting misplaced applications using functional categories may include (1) identifying a functional category assigned to an application located on a computing system, the functional category describing a field of functionality that the application performs, (2) identifying an additional functional category assigned to at least one of the computing system and another application located on the computing system, (3) applying a security policy to both the functional category assigned to the application and the additional functional category to determine whether the application belongs on the computing system according to the security policy, and (4) performing a security action to protect users based on the application of the security policy to the functional category assigned to the application and the additional functional category. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 25, 2014
    Date of Patent: December 19, 2017
    Assignee: Symantec Corporation
    Inventor: Sourabh Satish
  • Patent number: 9805115
    Abstract: A computer-implemented method for updating generic file-classification definitions may include (1) identifying at least one generic file-classification definition deployed in a software product installed on a client device, (2) classifying at least one data sample encountered by the client device based at least in part on the generic file-classification definition, (3) querying at least one verification server in an attempt to verify the correctness of the classification of the data sample, (4) determining that the classification of the data sample is incorrect based at least in part on the query, and then (5) modifying the generic file-classification definition deployed in the software product based at least in part on the data sample. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 13, 2014
    Date of Patent: October 31, 2017
    Assignee: Symantec Corporation
    Inventor: Sourabh Satish
  • Patent number: 9781151
    Abstract: Techniques for identifying malicious downloadable applications are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for identifying malicious downloadable applications comprising receiving a signature of a downloadable application, identifying, using at least one computer processor, a known good application having at least one attribute in common with the downloadable application and having a signature different from the signature of the downloadable application, analyzing the downloadable application to evaluate one or more risk factors based at least in part on the at least one common attribute and the difference in signatures, and determining, based on the evaluated one or more risk factors, one or more responsive actions.
    Type: Grant
    Filed: October 11, 2011
    Date of Patent: October 3, 2017
    Assignee: Symantec Corporation
    Inventors: Bruce E. McCorkendale, Sourabh Satish, Xuefeng Tian, Jingnan Si, Jun Mao, Xiaole Zhu, Sheng Gong
  • Patent number: 9781159
    Abstract: A method, apparatus and system for using login information includes an account where login information is used to access the account, a login information usage data for storing the login information used on the account and a manager application coupled to the accounts through a network. The manager application is configured to access the login information and determine at least one potentially or actually compromised account, determine login information related to the at least one potentially or actually compromised account, determine at least one other account having similar login information and notify a user regarding a potential threat to the at least one other account.
    Type: Grant
    Filed: September 28, 2007
    Date of Patent: October 3, 2017
    Assignee: Symantec Corporation
    Inventors: Brian Hernacki, Sourabh Satish, Michael Spertus
  • Patent number: 9762607
    Abstract: Systems, methods, and software described herein enhance how security actions are implemented within a computing environment. In one example, a method of implementing security actions for a computing environment comprising a plurality of computing assets includes identifying a security action in a command language for the computing environment. The method further provides identifying one or more computing assets related to the security action, and obtaining hardware and software characteristics for the one or more computing assets. The method also includes translating the security action in the command language to one or more action procedures based on the hardware and software characteristics, and initiating implementation of the one or more action procedures in the one or more computing assets.
    Type: Grant
    Filed: April 17, 2015
    Date of Patent: September 12, 2017
    Assignee: Phantom Cyber Corporation
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Patent number: 9712555
    Abstract: Systems, methods, and software described herein provide security actions to computing assets of a computing environment. In one example, a method of operating an advisement system to manage security actions for a computing environment includes identifying a security incident for an asset in the environment, and obtaining enrichment information about the security incident. The method further includes identifying a rule set based on the enrichment information, identifying an action response based on the rule set, and initiating implementation of the action response in the computing environment.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: July 18, 2017
    Assignee: Phantom Cyber Corporation
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Patent number: 9684705
    Abstract: A computer-implemented method for clustering data may include (1) identifying a plurality of samples, (2) locating a sample, from within the plurality of samples, that is a centroid of a cluster, (3) locating another sample that is, among the plurality of samples, next closest to the centroid relative to a most-recently located sample, (4) determining whether an attribute of the next-closest sample matches an attribute of the centroid, (5) determining whether to adjust a radius of the cluster based on whether the attribute of the next-closest sample matches the attribute of the centroid, and (6) repeating the steps of locating the next-closest sample, determining whether the attributes match, and determining whether to adjust the radius of the cluster, until the attribute of the next-closest sample does not match the attribute of the centroid. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 14, 2014
    Date of Patent: June 20, 2017
    Assignee: Symantec Corporation
    Inventors: Sourabh Satish, Govind Salinas