Abstract: Browser-based detection of data exfiltration includes gathering first information describing browser activity of a browser of a device and generated by a browser extension on the device; and determining whether the first information indicates a data exfiltration. The first information may include data input to the browser and the determination of whether the first information indicates a data exfiltration is based on the data input.

Abstract: Systems, methods, and computer-readable media are provided for determining a packet's round trip time (RTT) in a network. A system can receive information of a packet sent by a component of the network and further determine an expected acknowledgement (ACK) sequence number associated with the packet based upon received information of the packet. The system can receive information of a subsequent packet received by the component and determine an ACK sequence number and a receiving time of the subsequent packet. In response to determining that the ACK sequence number of the subsequent TCP packet matches the expected ACK sequence number, the system can determine a round trip time (RTT) of the packet based upon the received information of the packet and the received information of the subsequent packet.

Abstract: Location-based identification of anomalous activity on a user device, including: gathering information describing one or more destinations associated with a user; determining, based on the information, that user activity deviates from normal activity for the user; and generating, based on the information, a user-specific visualization that includes one or more destinations associated with the network activity, wherein the user-specific visualization includes an indication that user activity deviates from normal activity for the user.

Abstract: Distinguishing user-initiated activity from application-initiated activity, including: gathering first information generated by a browser extension of a browser executed on a user device, wherein the first information describes activity associated with the browser; gathering second information generated by a client application executed on the user device, wherein the second information describes activity associated with the user device; and determining whether a user has deviated from normal activity by determining, based on the first information, whether at least a portion of the activity described in the second information comprises user-initiated activity or browser-initiated activity.

Abstract: Monitoring the usage of an application by a user, including: determining, for the user and based on data describing usage of the application by the user, an access pattern of the application; and restricting, without modifying the one or more access policies that control access to the application for additional users, access to the application by the user, including implementing an approval workflow for accessing the application one or more steps that, if completed, allows access to the application by the user, wherein the approval workflow is implemented by an intermediary between a user device and the application.

Abstract: Determining user risk based on user posture and activity, including: determining a risk score for a user based on a security posture associated with the user and historical activity associated with the user; and controlling access by the user to one or more resources based on the risk score.

Abstract: Risk scoring based on entity correlation, including: detecting an event associated with a plurality of entities; calculating a plurality of risk scores based on a plurality of correlated pairs of entities from the plurality of entities and historical activity associated with the plurality of entities; calculating, based on the plurality of risk scores, an overall risk score for the event; and controlling access to one or more resources based on the overall risk score for the event.

Abstract: Handling of certificates by intermediate actors, including: receiving, by a proxy and from a client, a client certificate and a first private key; generating, by the proxy and based on the client certificate and the first private key, an intermediate certificate; generating, by the proxy and in response to a request from the client to connect to a destination, an alternate certificate for the destination; and providing, to the client, a certificate chain comprising the alternate certificate, the intermediate certificate, and the client certificate.

Abstract: Approaches for evaluating user devices are disclosed. Devices that are physically proximate to a user device are determined. A first geolocation is determined based on the devices that are physically proximate to a user device. Data communications involving the user are evaluated. A second geolocation is determined based on an evaluation of the data communications involving the user. A proximity of the first geolocation with respect to the second geolocation is determined. The proximity of the first geolocation and the second geolocation are evaluated with respect to a threshold value to determine if the first geolocation and the second geolocation are sufficiently proximate.

Abstract: Approaches to electronic device security are described. A representation of user information describing a user device, visible in a graphical presentation of a user-specific polygraph via a graphical user interface (GUI) presented via a display device is generated. First information associated with the user is gathered. Second information indicating activity associated with the user that has been generated by an application executed on the electronic computing device is gathered. Determining whether the user of the electronic computing device has deviated from normal activity by correlating portions of the first information with portions of the second information. Directing the user to an approval workflow via the browser in response to a determination that the user has deviated from normal activity.

Abstract: An example method includes detecting, using sensors, packets throughout a datacenter. The sensors can then send packet logs to various collectors which can then identify and summarize data flows in the datacenter. The collectors can then send flow logs to an analytics module which can identify the status of the datacenter and detect an attack.

Abstract: This disclosure generally relates to a method and system for mapping application dependency information. The present technology relates techniques that enable user-adjustable application dependency mapping of a network system. By collecting internal network data using various sensors in conjunction with external user inputs, the present technology can provide optimized application dependency mapping using user inputs.

Abstract: Using activity monitored by multiple data sources to identify shadow systems, the method comprising: gathering first information describing access to one or more resources by one or more user devices of a user; gathering, from at least a subset of the one or more user devices, second information describing access to the one or more resources; and identifying one or more shadow systems based on a discrepancy between the first information and the second information.

Abstract: This disclosure generally relate to a method and system for mapping application dependency information. The present technology relates techniques that enable user-adjustable application dependency mapping of a network system. By collecting internal network data using various sensors in conjunction with external user inputs, the present technology can provide optimized application dependency mapping using user inputs.

Abstract: An example method includes detecting, using sensors, packets throughout a datacenter. The sensors can then send packet logs to various collectors which can then identify and summarize data flows in the datacenter. The collectors can then send flow logs to an analytics module which can identify the status of the datacenter and detect an attack.

Abstract: An example method includes detecting, using sensors, packets throughout a datacenter. The sensors can then send packet logs to various collectors which can then identify and summarize data flows in the datacenter. The collectors can then send flow logs to an analytics module which can identify the status of the datacenter and detect an attack.

Abstract: An example method includes detecting, using sensors, packets throughout a datacenter. The sensors can then send packet logs to various collectors which can then identify and summarize data flows in the datacenter. The collectors can then send flow logs to an analytics module which can identify the status of the datacenter and detect an attack.

Abstract: Detecting anomalous behavior of a device, including: generating, using information describing historical activity associated with a user device, a trained model for detecting normal activity for the user device; gathering information describing current activity associated with the user device; and determining, by using the information describing current activity associated with the user device as input to the trained model, whether the user device has deviated from normal activity.

Abstract: Systems, methods, and computer-readable media are provided for determining a packet's round trip time (RTT) in a network. A system can receive information of a packet sent by a component of the network and further determine an expected acknowledgement (ACK) sequence number associated with the packet based upon received information of the packet. The system can receive information of a subsequent packet received by the component and determine an ACK sequence number and a receiving time of the subsequent packet. In response to determining that the ACK sequence number of the subsequent TCP packet matches the expected ACK sequence number, the system can determine a round trip time (RTT) of the packet based upon the received information of the packet and the received information of the subsequent packet.

Abstract: Elastic privileges in a secure access service edge, including: identifying, based on one or more access policies, an application accessible to a user; determining, for the user, an access pattern of the application; and restricting, without modifying the one or more access policies, access to the application by the user based on the access pattern.