Abstract: Automatically estimating a sensitivity level of an information technology (IT) asset in one aspect may obtain information about an asset. Characteristics of the asset assigned based on the information may be compared with stored characteristics of known sensitive assets. A sensitivity level of the asset may be determined based on the comparing.

Abstract: Automatically estimating a sensitivity level of an information technology (IT) asset in one aspect may obtain information about an asset. Characteristics of the asset assigned based on the information may be compared with stored characteristics of known sensitive assets. A sensitivity level of the asset may be determined based on the comparing.

Abstract: Detecting malicious user activity is provided. A profile for a user that accesses a set of protected assets is generated based on static information representing an organizational view and associated attributes corresponding to the user and based on dynamic information representing observable actions made by the user. A plurality of analytics is applied on the profile corresponding to the user to generate an aggregate risk score for the user accessing the set of protected assets based on applying the plurality of analytics on the profile of the user. A malicious user activity alert is generated in response to the aggregate risk score for the user accessing the set of protected assets being greater than an alert threshold value. The malicious user activity alert is sent to an analyst for feedback.

Abstract: Detecting malicious user activity is provided. A profile for a user that accesses a set of protected assets is generated based on static information representing an organizational view and associated attributes corresponding to the user and based on dynamic information representing observable actions made by the user. A plurality of analytics is applied on the profile corresponding to the user to generate an aggregate risk score for the user accessing the set of protected assets based on applying the plurality of analytics on the profile of the user. A malicious user activity alert is generated in response to the aggregate risk score for the user accessing the set of protected assets being greater than an alert threshold value. The malicious user activity alert is sent to an analyst for feedback.

Abstract: Detecting malicious user activity is provided. A profile for a user that accesses a set of protected assets is generated based on static information representing an organizational view and associated attributes corresponding to the user and based on dynamic information representing observable actions made by the user. A plurality of analytics is applied on the profile corresponding to the user to generate an aggregate risk score for the user accessing the set of protected assets based on applying the plurality of analytics on the profile of the user. A malicious user activity alert is generated in response to the aggregate risk score for the user accessing the set of protected assets being greater than an alert threshold value. The malicious user activity alert is sent to an analyst for feedback.

Abstract: Portions of code in an original application are randomized to generate a randomized version of the original application, wherein the randomizing does not modify expected behavior of the original application. Digital signature(s) are generated that attest to integrity of the randomized version. The digital signature(s) and either the original application or the randomized version are sent to a user device for execution or denial of execution of the randomized version based on the digital signature(s). At the user device, the randomized version is created if not received. The randomized version of the application is verified by the user device using the digital signature(s). The randomized version is executed by the user device in response to the digital signature(s) being verified or not executing the randomized version in response to the digital signature(s) not being verified.

Abstract: Systems and methods for protecting a data item include, upon initiation of transfer of the data item from a server to a client device, determining a sensitivity score and a current protection, level of the data item. A policy is applied to determine an appropriate protection for the data item based upon the sensitivity score and the current protection level. A protected data item is provided to the client device by applying the appropriate protection to the data item.

Abstract: Portions of code in an original application are randomized to generate a randomized version of the original application, wherein the randomizing does not modify expected behavior of the original application. Digital signature(s) are generated that attest to integrity of the randomized version. The digital signature(s) and either the original application or the randomized version are sent to a user device for execution or denial of execution of the randomized version based on the digital signature(s). At the user device, the randomized version is created if not received. The randomized version of the application is verified by the user device using the digital signature(s). The randomized version is executed by the user device in response to the digital signature(s) being verified or not executing the randomized version in response to the digital signature(s) not being verified.

Abstract: Detecting malicious user activity is provided. A profile for a user that accesses a set of protected assets is generated based on static information representing an organizational view and associated attributes corresponding to the user and based on dynamic information representing observable actions made by the user. A plurality of analytics is applied on the profile corresponding to the user to generate an aggregate risk score for the user accessing the set of protected assets based on applying the plurality of analytics on the profile of the user. A malicious user activity alert is generated in response to the aggregate risk score for the user accessing the set of protected assets being greater than an alert threshold value. The malicious user activity alert is sent to an analyst for feedback.

Abstract: Systems and methods for protecting a data item include, upon initiation of transfer of the data item from a server to a client device, determining a sensitivity score and a current protection level of the data item. A policy is applied to determine an appropriate protection for the data item based upon the sensitivity score and the current protection level. A protected data item is provided to the client device by applying the appropriate protection to the data item.

Abstract: Systems and methods for protecting a data item include, upon initiation of transfer of the data item from a server to a client device, determining a sensitivity score and a current protection, level of the data item. A policy is applied to determine an appropriate protection for the data item based upon the sensitivity score and the current protection level.

Abstract: Systems and methods for protecting a data item include, upon initiation of transfer of the data item from a server to a client device, determining a sensitivity score and a current protection level of the data item. A policy is applied to determine an appropriate protection for the data item based upon the sensitivity score and the current protection level. A protected data item is provided to the client device by applying the appropriate protection to the data item.

Abstract: A method for detecting abnormal behavior of users is disclosed. Processors identify from a log of user activity, a first number of actions performed by a user over a first time period that match a pattern of user activity for a task associated with one or more roles of the users. Processors also identify from the log of user activity, a second number of actions performed by the user over a second time period that match the pattern of user activity. Processors calculate an amount of deviation between the first number of actions and the second number of actions. The deviation identifies a difference between amounts of time spent in the one or more roles. Processors then determine whether the amount of deviation between the first number of actions and the second number of actions exceeds a threshold for abnormal behavior.

Abstract: Systems and methods for protecting a data item include, upon initiation of transfer of the data item from a server to a client device, determining a sensitivity score and a current protection level of the data item. A policy is applied to determine an appropriate protection for the data item based upon the sensitivity score and the current protection level. A protected data item is provided to the client device by applying the appropriate protection to the data item.

Abstract: Systems and methods for protecting a data item include, upon initiation of transfer of the data item from a server to a client device, determining a sensitivity score and a current protection level of the data item. A policy is applied to determine an appropriate protection for the data item based upon the sensitivity score and the current protection level. A protected data item is provided to the client device by applying the appropriate protection to the data item.

Abstract: In one aspect, a method for managing a security policy having multiple policy items includes the steps of: (a) mapping permissions to the policy items which apply to usage of the permissions so as to determine which of the permissions are granted to groups of users by each of the policy items; (b) identifying at least one of the policy items mapped in step (a) that is in violation of least privilege based on a comparison of an actual permission usage with the security policy; (c) identifying at least one of the policy items mapped in step (a) that increases operational risk; (d) verifying that policy constructs in the security policy are consistent with policy constructs inferred from the actual permission usage; and (e) identifying optimizations of the security policy based on output from one or more of steps (a)-(d).

Abstract: In one aspect, a method for managing a security policy having multiple policy items includes the steps of: (a) mapping permissions to the policy items which apply to usage of the permissions so as to determine which of the permissions are granted to groups of users by each of the policy items; (b) identifying at least one of the policy items mapped in step (a) that is in violation of least privilege based on a comparison of an actual permission usage with the security policy; (c) identifying at least one of the policy items mapped in step (a) that increases operational risk; (d) verifying that policy constructs in the security policy are consistent with policy constructs inferred from the actual permission usage; and (e) identifying optimizations of the security policy based on output from one or more of steps (a)-(d).

Abstract: Systems and methods for protecting a data item include, upon initiation of transfer of the data item from a server to a client device, determining a sensitivity score and a current protection level of the data item. A policy is applied to determine an appropriate protection for the data item based upon the sensitivity score and the current protection level. A protected data item is provided to the client device by applying the appropriate protection to the data item.

Abstract: An embodiment directed to a method is associated with a VPN that may be used to access resource servers. Upon determining that the VPN has been accessed by a specified client, resource servers are identified, which each has an address and may receive traffic routed from the client through the VPN. The method further comprises sending a message corresponding to each identified resource server to the client, wherein the message to corresponding to a given one of the identified resources is intended to cause a response to be sent from the client to the address of the given identified resource server. Responses to respective messages sent to the client are used to determine whether a route for traffic from the client to the VPN has been compromised.

Abstract: Systems and methods for protecting a data item include, upon initiation of transfer of the data item from a server to a client device, determining a sensitivity score and a current protection level of the data item. A policy is applied to determine an appropriate protection for the data item based upon the sensitivity score and the current protection level. A protected data item is provided to the client device by applying the appropriate protection to the data item.