Abstract: Systems and methods are disclosed for data owner control in Data Loss/Leakage Prevention (DLP). A data owner system processes sensitive data from a structured data source, normalizes fields, and generates an index comprising one-way hash representations of tokens. The index, including schema and primary key information, is uploaded via a secure channel to a cloud-based monitoring system. The cloud system distributes the index to enforcement nodes and performs inline monitoring of network traffic. Content is tokenized and normalized, and tokens are compared against the hashed index using index lookup tables and token windows to detect violations. Policies specify actions such as reporting, blocking, quarantining, or allowing authenticated personally identifiable information (PII) of a data owner. Incremental updates are supported through row hash-based deltas without regenerating the entire index.

Abstract: Systems and methods for implementing a service identity platform with cloud-based Public Key Infrastructure (PKI) include providing security as a service via a cloud-based system for a plurality of tenants, wherein the cloud-based system includes a plurality of components communicatively coupled and adapted to communicate with one another based on mutual Transport Layer Security (mTLS) authentication; responsive to a new component requiring deployment within the cloud-based system, performing an enrollment process for the new component; and subsequent to the enrollment process, utilizing the new component within the cloud-based system for providing security as a service.

Abstract: The present disclosure relates to systems and methods for automatically bypassing SSL connections responsive to client SSL handshake failures. Various embodiments include detecting a first failed client SSL connection, creating a cache entry including a traffic fingerprint of the first failed client SSL connection, and bypassing subsequent connections matching the cached fingerprint of the first failed client SSL connection. Embodiments further include cache entries that include a TTL, wherein connections can be matched to the entries during the configured TTL. The present systems and methods are provided to alleviate issues associated SSL traffic interruptions and breakdowns.

Abstract: A method for inspecting encrypted network traffic in a cloud-based security system is provided. A node receives a request from a user device targeting a server and obtains a domain certificate corresponding to the server. The method establishes a first encrypted tunnel between the user device and the node, and a second encrypted tunnel between the node and the server using the obtained certificate. The encrypted traffic flowing between the user device and the server is inspected at the node. The method leverages a cloud-based hardware security module (HSM) to securely generate and store intermediate certificate authority keys compliant with FIPS 140-2 Level 3 standards, facilitating secure man-in-the-middle (MITM) inspection. The method also enables caching and synchronization of domain certificates across distributed nodes, providing scalable and secure traffic monitoring.

Abstract: Systems and methods for implemented by a user device for Real User Monitoring (RUM) include operating an add on for a web browser; receiving a list of domains or Uniform Resource Locators (URLs) to calculate RUM data thereon; responsive to the web browser accessing any of the domains or URLs in the list, calculating and storing RUM data; and periodically sending the stored RUM data to a cloud-based system. The RUM data can include statistics, metrics, and errors that are detected based on any of start of navigation, redirects, Domain Name System (DBS), connection establishment and teardown, Hypertext Transfer Protocol (HTTP) request and response start and end, Document Object Model (DOM) load time, page load time, and Java Script and AJAX error detection.

Abstract: A method of providing cloud-based security services includes receiving, at one or more distributed processing nodes in a cloud-based system, network traffic from a plurality of endpoints associated with at least one tenant; applying, by each distributed processing node, at least one cloud-based security inspection function configured to detect threats or enforce policy controls in the received network traffic; determining, via a policy engine whether to block, allow, or further analyze the network traffic based on per-tenant security policies; logging, in a cloud-based logging repository, inspection results, policy decisions, and rule matches for subsequent reporting and analytics; and updating the security inspection function at the distributed processing nodes, in real time, with newly discovered threat signatures and policy changes to provide continuous protection across the cloud-based system.

Abstract: A method implemented by a cloud-based system includes steps of, responsive to connecting to a user device with a user associated with a first tenant of a plurality of tenants, obtaining security policies for the user that are configured for the tenant, wherein the security policies for the user are the same regardless of connection type, location of the user, and device type and operating system of the user device; stream scanning traffic between the user device and the Internet based on the security policies, wherein the security policies are for firewall and intrusion prevention functions; and one of allowing and blocking the traffic based on the stream scanning.

Abstract: Systems and methods for cloud-based inline encrypted traffic inspection include monitoring a plurality of users having associated user devices communicating over the Internet and the plurality of users are each associated with a plurality of organizations; responsive to traffic being encrypted by any user of the plurality of users, performing operations to enable inline access to the encrypted traffic for the any of the plurality of users; obtaining policy for the any user where the policy is determined by an associated organization of the any user and policy defines how the encrypted traffic is inspected; inspecting the encrypted traffic for the any user based on the obtained policy; and performing actions on the encrypted traffic based on the inspecting.

Abstract: A cloud service is executed on a plurality of nodes, each including at least one processor, and the cloud service is configured to communicate with a plurality of user devices, each user device associated with a user from an organization of a plurality of organizations, and each user device includes a plugin or browser extension installed thereon, provide configuration information to any of the plurality of user devices where the configuration information includes a plurality of domains to be monitored by the plugin or browser extension, wherein the plugin or browser extension is configured to monitor and/or determine real user monitoring (RUM) statistics when a given user device accesses one of the plurality of domains; and receive the RUM statistics from any of the plurality of user devices.

Abstract: Systems and methods for providing zero trust access to source applications, implemented in a cloud-based system. The method includes steps of, intercepting client application information; identifying if the application is a known application based on an application catalog, and collecting known information of the application from the application catalog; sending the application information to an enforcement node of a cloud-based system in a first packet; and sending only an application Identification (ID) in subsequent packets, wherein the application ID is used for policy enforcement.

Abstract: A node configured as any of a proxy, a Secure Web Gateway, and a Secure Internet Gateway is configured to perform steps of, responsive to establishing a connection with a user device having a user associated with a tenant and obtaining policy for the user, monitoring traffic between the user device and the Internet where the monitoring is at a middle location, inline between the user device and an endpoint; responsive to the traffic being encrypted as a tunnel, performing one or more operations to enable accessing the encrypted traffic; analyzing the traffic based on the policy, including at least checking for malicious traffic and Data Loss Prevention (DLP) for the tenant; and one of allowing, blocking, or limiting the traffic based on the analyzing.

Abstract: Systems and methods include responsive to receiving a request at a remote node, determining whether the request is to be sent directly or via a cloud-based system; establishing a control channel of a tunnel utilizing a first encryption technique, wherein the tunnel is between the remote node and a local node, and wherein the control channel includes a session identifier; establishing a data channel of the tunnel utilizing a second encryption technique, wherein the data tunnel is bound to the control channel based on the session identifier; performing, over the control channel, device authentication and user authentication of one or more users associated with the remote node, wherein each of the one or more users includes a user identifier; and, subsequent to the device authentication and the user authentication, exchanging data packets over the data channel with each data packet including a corresponding user identifier.

Abstract: Techniques for determining the path of User Datagram Protocol (UDP) traceroute probes using Transmission Control Protocol (TCP) and Internet Control Message Protocol (ICMP). Various embodiments include sending a plurality of probes to one or more legs in a network path; obtaining measurements from each of the plurality of probes for each of the one or more legs in the network path; and performing one or more actions based on the measurements from each of the plurality of probes. The steps further include overlapping the measurements to determine latency to a destination and identifying throttling of UDP traffic based on the overlapping of measurements from the plurality of probes.

Abstract: Systems and methods include establishing a control channel of a tunnel utilizing a first encryption technique, wherein the tunnel is between a local node including one or more processors and a remote node, and wherein the control channel includes a session identifier; establishing a data channel of the tunnel utilizing a second encryption technique, wherein the data tunnel is bound to the control channel based on the session identifier; performing, over the control channel, device authentication and user authentication of one or more users associated with the remote node, wherein each of the one or more users includes a user identifier; and, subsequent to the device authentication and the user authentication, exchanging data packets over the data channel with each data packet including a corresponding user identifier. The first encryption technique can be one of TLS and SSL, and the second encryption technique can be one of TLS and DTLS.

Abstract: A node configured as any of a proxy, a Secure Web Gateway, and a Secure Internet Gateway is configured to perform steps of, responsive to establishing a connection with a user device having a user associated with a tenant and obtaining policy for the user, monitoring traffic between the user device and the Internet where the monitoring is at a middle location, inline between the user device and an endpoint; responsive to the traffic being encrypted as a tunnel, performing one or more operations to enable accessing the encrypted traffic; analyzing the traffic based on the policy, including at least checking for malicious traffic and Data Loss Prevention (DLP) for the tenant; and one of allowing, blocking, or limiting the traffic based on the analyzing.

Abstract: Systems and methods of Exact Data Matching (EDM) for identifying related tokens in data content using structured signature data implemented in a cloud-based system receiving data sets and customer configuration from a customer, wherein the data sets include customer specific sensitive data from a structured data source with each token represented by a hash value and the customer configuration includes one or more primary keys for a plurality of records in the data sets; distributing the data sets and the customer configuration to a plurality of nodes in the cloud-based system; performing monitoring of content between a client of the customer and an external network; detecting a presence of a plurality of tokens associated with a record in the customer specific sensitive data based on the monitoring; and performing a policy-based action in the cloud-based system based on the detecting.

Abstract: Systems and methods include connecting to and authenticating a plurality of user devices; utilizing a plurality of RESTful (Representational State Transfer web service) endpoints to communicate with the plurality of user devices; providing any of policy and configuration to the plurality of user devices utilizing version number via a RESTful endpoint; caching the any of policy and configuration for each device of the plurality of user devices; and receiving metrics based on measurements at the plurality of user devices according to corresponding policy and configuration, via a RESTful endpoint.

Abstract: A cloud service is executed on a plurality of nodes, each including at least one processor, and the cloud service is configured to communicate with a plurality of user devices, each user device associated with a user from an organization of a plurality of organizations, and each user device includes a plugin or browser extension installed thereon, provide configuration information to any of the plurality of user devices where the configuration information includes a plurality of domains to be monitored by the plugin or browser extension, wherein the plugin or browser extension is configured to monitor and/or determine real user monitoring (RUM) statistics when a given user device accesses one of the plurality of domains; and receive the RUM statistics from any of the plurality of user devices.

Abstract: Techniques for deep tracing of one or more users via a cloud-based system include receiving a request from an administrator to actively troubleshoot a user; causing a user device associated with the user to create a deep tracing session based on the request; assisting the user device in performing one or more traces of a plurality of traces to a destination; receiving results from any of the plurality of traces and results from metrics collected at the user device; and displaying a network map between the user device and the destination.

Abstract: The present disclosure relates to systems and methods for automatically bypassing SSL connections responsive to client SSL handshake failures. Various embodiments include detecting a first failed client SSL connection, creating a cache entry including a traffic fingerprint of the first failed client SSL connection, and bypassing subsequent connections matching the cached fingerprint of the first failed client SSL connection. Embodiments further include cache entries that include a TTL, wherein connections can be matched to the entries during the configured TTL. The present systems and methods are provided to alleviate issues associated SSL traffic interruptions and breakdowns.