Patents by Inventor Tamer Salman
Tamer Salman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20250088517
Abstract: The disclosure focuses on using a context-based insight system to determine security incident reports that include security incident insights and remediation actions based on various combinations of security alerts in cloud computing systems. The context-based insight system uses a security alert generative language model (GLM) to generate security incident reports based on correlated security alerts within a security incident and the attack-type contexts of those security alerts. By using the security alert GLM guided by attack-type contexts to generate security incident reports, the context-based insight system provides understandable text narratives that provide clear and accurate insights into security incidents including remediation actions to address the security incidents as a whole rather than just reporting individual security alerts of the security incident.
Type: Application
Filed: September 13, 2023
Publication date: March 13, 2025
Inventors: Daniel DAVRAEV, Idan Yehoshua HEN, Tamer SALMAN
-
Publication number: 20250061195
Abstract: Methods, systems, and computer storage media for providing security posture management using an artificial intelligence security engine in a security management system. Security posture management supports security management of a computing environment based on contextual information associated with artificial-intelligence-supported applications. The security management system provides an artificial intelligence security graph associated with the artificial-intelligence-supported applications. The artificial intelligence engine uses the artificial intelligence security graph to correlate artificial intelligence attack monitoring data with operational data of the artificial-intelligence-supported applications. In operation, artificial intelligence attack monitoring data is accessed. An artificial intelligence security graph associated with a plurality of artificial-intelligence-supported applications is accessed.
Type: Application
Filed: August 17, 2023
Publication date: February 20, 2025
Inventor: Tamer SALMAN
-
Patent number: 12231448
Abstract: Techniques are described herein that are capable of using graph enrichment to detect a potentially malicious access attempt. A graph that includes nodes and configuration-based links is generated. The nodes represent respective resources. Behavior-based links are added to the graph based at least in part on traffic logs associated with at least a subset of the resources. An attempt to create a new behavior-based link is identified. A probability of the new behavior-based link being created in the graph is determined. The probability is based at least in part on the configuration-based links and the behavior-based links. The new behavior-based link is identified as a potentially malicious link based at least in part on the probability being less than or equal to a threshold probability. A security action is performed based at least in part on the new behavior-based link being identified as a potentially malicious link.
Type: Grant
Filed: February 25, 2022
Date of Patent: February 18, 2025
Assignee: Microsoft Technology Licensing, LLC
Inventors: Shay Chriba Sakazi, Andrey Karpovsky, Amit Magen Medina, Tamer Salman
-
Patent number: 12175853
Abstract: Methods, systems and apparatuses are described herein to provide adaptive severity functions for alerts, particularly security alerts. The adaptive severity functions may be aligned with an existing global security situation to upgrade or downgrade the severity of new and existing alerts. By taking into consideration the time factor along with other parameters, the alerts may be prioritized or reprioritized appropriately. The modification of the severity level for the alerts may be made based on rules and/or one or more triggering events or by using severity functions with or without the aid of artificial intelligence based on best-practice preferences.
Type: Grant
Filed: July 20, 2023
Date of Patent: December 24, 2024
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Yotam Livny, Tamer Salman
-
Publication number: 20240411867
Abstract: Methods, systems, and computer storage media for providing data security posture management using an application discovery engine in a security management system. Application discovery supports identifying and mapping various applications within a computing environment. In particular, application discovery can be provided as part of security management operations to assess security posture of applications, identify vulnerabilities, and ensure compliance with regulations. In operation, application discovery data associated with a plurality computing resources of a computing environment is accessed. An annotated application discovery graph comprising a plurality of entities that represent the plurality of computing resources is generated. The annotated application discovery graph is deployed to support generating security postures for computing environments. A request is received for a security posture of the computing environment.
Type: Application
Filed: June 7, 2023
Publication date: December 12, 2024
Inventors: Shay Chriba SAKAZI, Fady Copty, Tamer SALMAN, Ofir MONZA
-
Publication number: 20240364754
Abstract: Context-aware security policies and incident identification, via automated cloud graph building with security overlays, are determined and performed by systems and platforms. Graph nodes, of a graph associated with a computing system, that represent resources associated with the computing system and entities associated with the computing system that have respective associations to the resources are generated. Security attributes are determined and assigned to the graph nodes that represent the entities and resources, and static and dynamic connections between the graph nodes are added to the graph. Additionally, possible connections in the graph between the graph nodes are added based on heuristic relational determinations of the graph nodes. From the graph, security incidents and kill chains are identified, context-aware security policies are generated and validated, and scopes and relationships of applications are identified. Accordingly, security actions are taken for the computing system.
Type: Application
Filed: July 12, 2024
Publication date: October 31, 2024
Inventor: Tamer SALMAN
-
Publication number: 20240323216
Abstract: Methods, systems, and computer storage media for providing security posture management using a credential-based security posture engine in a security management system. Security posture management provides security operations-including identifying and remediating risk exposure—to securely manage resources and workloads in computing environments. Security posture management is provided using the credential-based security posture engine that is operationally integrated into the security management system. In operation, credential scan results associated with a computing device are accessed. The computing device is scanned using a credential-based security posture engine that supports generating a security posture of computing environments. Based on the scan results, an unsecured credential associated with accessing a resource in the computing environment is identified. A security posture visualization associated with the computing environment is generated.
Type: Application
Filed: March 20, 2023
Publication date: September 26, 2024
Inventors: Tatyana Gershanov, Ram Haim Pliskin, Tamer Salman
-
Publication number: 20240311483
Abstract: Methods, systems, and computer storage media for providing security incident management using a latent-context alert correlation engine in a security management system. Security incident management is provided using the latent-context alert correlation engine that is operationally integrated into the security management system. In operation, first security data of a first alert and second security data of a second alert are accessed. The first alert and the second alert do not share a common entity identifiable in a security graph. Using the first security data and the second security data, a determination is made that the first alert is connected to the second alert based on a latent-context connection. The latent-context connection is a known attack path connection that indirectly connects alerts. Based on determining that the first alert is connected to the second alert, a security incident is generated for the alert. A notification comprising the security incident is communicated.
Type: Application
Filed: March 14, 2023
Publication date: September 19, 2024
Inventors: Daniel DAVRAEV, Tamer Salman, Ram Haim Pliskin
-
Patent number: 12069101
Abstract: Context-aware security policies and incident identification, via automated cloud graph building with security overlays, are determined and performed by systems and platforms. Graph nodes, of a graph associated with a computing system, that represent resources associated with the computing system and entities associated with the computing system that have respective associations to the resources are generated. Security attributes are determined and assigned to the graph nodes that represent the entities and resources, and static and dynamic connections between the graph nodes are added to the graph. Additionally, possible connections in the graph between the graph nodes are added based on heuristic relational determinations of the graph nodes. From the graph, security incidents and kill chains are identified, context-aware security policies are generated and validated, and scopes and relationships of applications are identified. Accordingly, security actions are taken for the computing system.
Type: Grant
Filed: September 20, 2021
Date of Patent: August 20, 2024
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Tamer Salman
-
Patent number: 11991210
Abstract: Methods, systems, apparatuses, and computer-readable storage mediums are described for machine learning-based techniques for identifying a deployment environment in which computing resources (e.g., servers, virtual machines, databases, etc.) reside and for enhancing security for the identified deployment environment. For instance, usage data is collected from the computing resources. The usage data is featurized and provided to a machine learning-based classification model that determines a deployment environment in which the computing resources reside based on the featurized usage data. Once the deployment environment is identified, a security policy that is applicable for the identified deployment environment is determined. The security policy specifies a plurality of recommended security settings that should be applied to the computing resources included in the identified deployment environment. The recommended security settings may be provided to the user (e.g.
Type: Grant
Filed: October 26, 2020
Date of Patent: May 21, 2024
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Omer Karin, Amit Magen, Moshe Israel, Tamer Salman
-
Publication number: 20240152798
Abstract: Some embodiments select a machine learning model training duration based at least in part on a fractal dimension calculated for a training data dataset. Model training durations are based on one or more characteristics of the data, such as a fractal dimension, a data distribution, or a spike count. Default long training durations are sometimes replaced by shorter durations without any loss of model accuracy. For instance, the time-to-detect for a model-based intrusion detection system is shortened by days in some circumstances. Model training is performed per a profile which specifies particular resources or particular entities, or both. Realistic test data is generated on demand. Test data generation allows the trained model to be exercised for demonstrations, or for scheduled confirmations of effective monitoring by a model-based security tool, without thereby altering the model's training.
Type: Application
Filed: November 9, 2022
Publication date: May 9, 2024
Inventors: Andrey KARPOVSKY, Eitan SHTEINBERG, Tamer SALMAN
-
Publication number: 20240095352
Abstract: Files uploaded to a cloud storage medium are considered. The files may include a mixture of files known to be malicious and known to be benign. The files are clustered using similarity of file features, e.g., based on distance in a feature space. File clusters may then be used to determine a threat status of an unknown file (a file whose threat status is unknown initially). A feature of the unknown file in the feature space is determined, and a distance in the feature space between the file and a file cluster is calculated. The distance between the unknown file and the file cluster is used to determine whether or not to perform a deep scan on the unknown file. If such a need is identified, and the deep scan indicates the unknown file is malicious, a cybersecurity action is triggered.
Type: Application
Filed: December 15, 2022
Publication date: March 21, 2024
Inventors: Tamer SALMAN, Andrey KARPOVSKY
-
Publication number: 20230360513
Abstract: Methods, systems and apparatuses are described herein to provide adaptive severity functions for alerts, particularly security alerts. The adaptive severity functions may be aligned with an existing global security situation to upgrade or downgrade the severity of new and existing alerts. By taking into consideration the time factor along with other parameters, the alerts may be prioritized or reprioritized appropriately. The modification of the severity level for the alerts may be made based on rules and/or one or more triggering events or by using severity functions with or without the aid of artificial intelligence based on best-practice preferences.
Type: Application
Filed: July 20, 2023
Publication date: November 9, 2023
Inventors: Yotam LIVNY, Tamer SALMAN
-
Patent number: 11756404
Abstract: Methods, systems and apparatuses are described herein to provide adaptive severity functions for alerts, particularly security alerts. The adaptive severity functions may be aligned with an existing global security situation to upgrade or downgrade the severity of new and existing alerts. By taking into consideration the time factor along with other parameters, the alerts may be prioritized or reprioritized appropriately. The modification of the severity level for the alerts may be made based on rules and/or one or more triggering events or by using severity functions with or without the aid of artificial intelligence based on best-practice preferences.
Type: Grant
Filed: April 8, 2019
Date of Patent: September 12, 2023
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Yotam Livny, Tamer Salman
-
Patent number: 11750619
Abstract: According to examples, an apparatus may include a memory on which is stored machine-readable instructions that may cause a processor to identify a privilege level assigned to a principal over a resource and determine whether the assigned privilege level is to be maintained or modified for the principal over the resource. Based on a determination that the assigned privilege level is to be maintained for the principal, the processor may determine whether access by the principal over the resource is to be limited and based on a determination that access to the resource is to be limited, apply a limited access by the principal over the resource.
Type: Grant
Filed: June 26, 2020
Date of Patent: September 5, 2023
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Naama Kraus, Tamer Salman, Moshe Israel, Moshe Shalala, Idan Hen, Avihai Dvir, Rotem Lurie
-
Publication number: 20230275913
Abstract: Techniques are described herein that are capable of using graph enrichment to detect a potentially malicious access attempt. A graph that includes nodes and configuration-based links is generated. The nodes represent respective resources. Behavior-based links are added to the graph based at least in part on traffic logs associated with at least a subset of the resources. An attempt to create a new behavior-based link is identified. A probability of the new behavior-based link being created in the graph is determined. The probability is based at least in part on the configuration-based links and the behavior-based links. The new behavior-based link is identified as a potentially malicious link based at least in part on the probability being less than or equal to a threshold probability. A security action is performed based at least in part on the new behavior-based link being identified as a potentially malicious link.
Type: Application
Filed: February 25, 2022
Publication date: August 31, 2023
Inventors: Shay Chriba SAKAZI, Andrey KARPOVSKY, Amit Magen MEDINA, Tamer SALMAN
-
Patent number: 11704431
Abstract: Cybersecurity and data categorization efficiency are enhanced by providing reliable statistics about the number and location of sensitive data of different categories in a specified environment. These data sensitivity statistics are computed while iteratively sampling a collection of blobs, files, or other stored items that hold data. The items may be divided into groups, e.g., containers or directories. Efficient sampling algorithms are described. Data sensitivity statistic gathering or updating based on the sampling activity ends when a specified threshold has been reached, e.g., a certain number of items have been sampled, a certain amount of data has been sampled, sampling has used a certain amount of computational resources, or the sensitivity statistics have stabilized to a certain extent.
Type: Grant
Filed: May 29, 2019
Date of Patent: July 18, 2023
Assignee: Microsoft Technology Licensing, LLC
Inventors: Naama Kraus, Tamer Salman, Salam Bashir
-
Publication number: 20230199003
Abstract: The embodiments described herein are directed to generating labels for alerts and utilizing such labels to train a machine learning algorithm for generating more accurate alerts. For instance, alerts may be generated based on log data generated from an application. After an alert is issued, activity of a user in relation to the alert is tracked. The tracked activity is utilized to generate a metric for the alert indicating a level of interaction between the user and the alert. Based on the metric, the log data on which the alert is based is labeled as being indicative of one of suspicious activity or benign activity. During a training process, the labeled log data is provided to a supervised machine learning algorithm that learns what constitutes suspicious activity or benign activity. The algorithm generates a model, which is configured to receive newly-generated log data and issue security alerts based thereon.
Type: Application
Filed: December 20, 2021
Publication date: June 22, 2023
Inventors: Andrey KARPOVSKY, Roy LEVIN, Tamer SALMAN
-
Patent number: 11647035
Abstract: An indication is received of a security alert. The indication is generated based on a detected anomaly in one of a data plane or a control plane of a computing environment. When the detected anomaly is in the data plane, the control plane is monitored for a subsequent anomaly in the control plane, and otherwise the data plane is monitored for a subsequent anomaly in the data plane. A correlation between the detected anomalies is determined. A notification of the security alert is sent when the correlation exceeds a predetermined threshold.
Type: Grant
Filed: September 15, 2020
Date of Patent: May 9, 2023
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Andrey Karpovsky, Roy Levin, Tomer Rotstein, Michael Makhlevich, Tamer Salman, Ram Haim Pliskin
-
Publication number: 20230088034
Abstract: Context-aware security policies and incident identification, via automated cloud graph building with security overlays, are determined and performed by systems and platforms. Graph nodes, of a graph associated with a computing system, that represent resources associated with the computing system and entities associated with the computing system that have respective associations to the resources are generated. Security attributes are determined and assigned to the graph nodes that represent the entities and resources, and static and dynamic connections between the graph nodes are added to the graph. Additionally, possible connections in the graph between the graph nodes are added based on heuristic relational determinations of the graph nodes. From the graph, security incidents and kill chains are identified, context-aware security policies are generated and validated, and scopes and relationships of applications are identified. Accordingly, security actions are taken for the computing system.
Type: Application
Filed: September 20, 2021
Publication date: March 23, 2023
Inventor: Tamer SALMAN