Abstract: Evaluating an organization's risk to be exposed to cyber security events, by collecting security-based risk indicators about multiple organizations and an indication on whether or not each of the multiple organizations suffered a security event, inputting values of the security-based risk indicators about the multiple organization into a software model, running the software model multiple times, where the software model outputs multiple sets of one or more classifiers, where each set of one or more classifiers distinguishes organizations that suffered the security event from organizations that did not suffer the security event, where the one or more classifiers include classifiers selected from the security-based risk indicators, assigning a risk score for a specific organization according to the importance of classifiers related to the specific organization, and computing an underwriting score for the specific organization.

Abstract: Evaluating an organization's risk of exposure to cyber security events by collecting security-based risk indicators about multiple organizations and an indication of whether the multiple organizations suffered a security event, inputting into a software model values representing financial damages of the security events and values of the security-based risk indicators about the multiple organizations, running the software model multiple times to output sets of classifiers distinguishing organizations that suffered the security event or not, where each run of the model is associated with the financial damages of the security event, accumulating the values that represent the financial damages associated with each set of classifiers, and assigning a weight to classifiers outputted by the software model according to the accumulated sum of the values that represent the financial damages that appeared in a set of the multiple sets outputted by the software model.

Abstract: A computerized method for evaluating an organization's potential financial damages caused by cyber security events, including receiving a request to evaluate a specific organization's potential financial damages caused by cyber security event, the request including information about the specific organization, collecting security-based risk indicators about the specific organization, inputting the security-based risk indicators about the specific organization into a model, where the model obtains ranges of financial damages for various security events, and computing a specific potential financial damages for the specific organization according to the security-based risk of the specific organization and the ranges of financial damages.

Abstract: Evaluating an organization's risk to be exposed to cyber security events, by collecting security-based risk indicators about multiple organizations and an indication on whether or not each of the multiple organizations suffered a security event, inputting values of the security-based risk indicators about the multiple organization into a software model, running the software model multiple times, where the software model outputs multiple sets of one or more classifiers, where each set of one or more classifiers distinguishes organizations that suffered the security event from organizations that did not suffer the security event, where the one or more classifiers include classifiers selected from the security-based risk indicators, assigning a risk score for a specific organization according to the importance of classifiers related to the specific organization, and computing an underwriting score for the specific organization.

Abstract: A computerized method for evaluating an organization's risk to be exposed to cyber security events, the method including receiving a request to evaluating a specific organization's risk to be exposed to cyber security event, the request including information about the specific organization, collecting security-based risk indicators about the specific organization, inputting the security-based risk indicators about the specific organization into a model, said model obtains weights to classifiers that represent an impact of a specific organization to be exposed to a security event, computing a specific risk value for the specific organization according to values of the specific organization and the weights of the classifiers.

Abstract: Clustering is provided of computer security attacks by the threat actor based on features of the attacks. Attack data is obtained for a given attack and a plurality of features of the given attack are extracted from a plurality of attack attributes. A feature-based score is computed for the given attack based on the extracted features relative to each of a plurality of attack clusters. Each attack cluster is comprised of a plurality of attacks performed by a particular attacker. The given computer security attack is assigned to a particular attack cluster if the feature-based score for the particular attack satisfies a predefined score criteria.

Abstract: Methods and apparatus are provided for detecting suspicious network activity, such as in an enterprise network. An exemplary method comprises obtaining network event data for a plurality of user-server communications for a given user, determining a number of distinct servers the user communicated with during a predefined time window; determining a number of distinct servers the user failed in authenticating to during the predefined time window; and assigning a risk score to the user based on the number of distinct servers the user communicated with and the number of distinct servers the user failed in authenticating to during the predefined time window. Generally, the risk score provides a measure of an anomalousness of the user communicating with the number of servers during the predefined time window. An absolute score is optionally assigned based on an evaluation of the number of distinct servers the user communicated with during the predefined time window relative to a predefined threshold number.

Abstract: Disclosed are techniques for use in assessing the risk of electronic communications using logon types. In one embodiment, the techniques comprise a method. The method comprises receiving an electronic communication relating to a login request involving a user and a provider of a computerized resource. The method comprises determining a logon type associated with the logon request. The method comprises determining a first value relating to an amount of logon requests associated with the logon type involving the user and the provider over a first time period and a second value relating to an amount of logon requests associated with the logon type involving the user and the provider over a second time period that is greater than the first time period. The method comprises generating a risk score describing the risk associated with the logon request based on the first and the second values.

Abstract: A method includes selectively implementing, via a component resident and executing on a point of sale system, one or more of a set of proactive operations to counter an information theft attack against the point of sale system. The set of proactive operations comprises: generating false information that appears to be actual information and creating at least one process executable in the point of sale system that comprises the false information; injecting false information that appears to be actual information into at least one process executing in the point of sale system; replacing actual information with false information that appears to be actual information; and blocking at least one process in the point of sale system to prevent actual information from being taken from the point of sale system.

Abstract: A method comprises obtaining data characterizing web browsing activity of a group of users of an enterprise, processing the data characterizing the web browsing activity to identify one or more patterns of web browsing activity of the group of users, selecting, based on the patterns of web browsing activity, at least one website to check for evidence of a watering hole attack threat to the enterprise, analyzing elements of said at least one website to identify executable code evidencing the watering hole attack threat to the enterprise, and modifying access by one or more client devices of the enterprise to said at least one website responsive to identifying executable code of said at least one website evidencing the watering hole attack threat to the enterprise.

Abstract: A technique for detecting fraudulent activity in a compromised device involves downloading a software application from a processor that controls access to a resource to an electronic device requesting access to the resource. The software application includes instructions that gather selected information from the electronic device such as mouse coordinates and active windows at a selected time and transmitting the information to the processor for analysis. The analysis includes determining whether more than a single input operation is occurring simultaneously. Simultaneous input operations are an improbable combination of processes for a single electronic device, and suggest a potential fraudulent activity. The technique may include sending a message to a security location for further analysis of the potential fraudulent activity, or the user may be contacted while the transaction attempt is delayed, or the attempted transaction operation may be terminated until enhanced security procedures are implemented.