Abstract: Systems and methods described herein provide a cyber risk assessment service. A computing device determines weights for techniques of a cyber security framework based on historical industry impact. The computing device associates an enterprise network with an industry identifier, obtains customer risk data for the enterprise network, and normalizes and/or combines the customer risk data to form normalized risk scores. The computing device maps the customer risk data to corresponding techniques in the cyber security framework, generates technique scores based on the mapping and the normalized risk scores, and generates weighted technique scores using some of the weights selected based on the industry identifier. The computing device calculates an overall security score for the enterprise network based on the weighted technique scores, identifies a corrective recommendation for the overall security score, and provides the overall security score and the corrective recommendation for presentation to a user.

Abstract: Systems and methods described herein provide a cyber risk assessment service. A computing device determines weights for techniques of a cyber security framework based on historical industry impact. The computing device associates an enterprise network with an industry identifier, obtains customer risk data for the enterprise network, and normalizes and/or combines the customer risk data to form normalized risk scores. The computing device maps the customer risk data to corresponding techniques in the cyber security framework, generates technique scores based on the mapping and the normalized risk scores, and generates weighted technique scores using some of the weights selected based on the industry identifier. The computing device calculates an overall security score for the enterprise network based on the weighted technique scores, identifies a corrective recommendation for the overall security score, and provides the overall security score and the corrective recommendation for presentation to a user.

Abstract: Systems and methods described herein provide a cyber risk assessment service. A computing device determines weights for techniques of a cyber security framework based on historical industry impact. The computing device associates an enterprise network with an industry identifier, obtains customer risk data for the enterprise network, and normalizes and/or combines the customer risk data to form normalized risk scores. The computing device maps the customer risk data to corresponding techniques in the cyber security framework, generates technique scores based on the mapping and the normalized risk scores, and generates weighted technique scores using some of the weights selected based on the industry identifier. The computing device calculates an overall security score for the enterprise network based on the weighted technique scores, identifies a corrective recommendation for the overall security score, and provides the overall security score and the corrective recommendation for presentation to a user.

Abstract: Systems and methods described herein provide a cyber risk assessment service. A computing device determines weights for techniques of a cyber security framework based on historical industry impact. The computing device associates an enterprise network with an industry identifier, obtains customer risk data for the enterprise network, and normalizes and/or combines the customer risk data to form normalized risk scores. The computing device maps the customer risk data to corresponding techniques in the cyber security framework, generates technique scores based on the mapping and the normalized risk scores, and generates weighted technique scores using some of the weights selected based on the industry identifier. The computing device calculates an overall security score for the enterprise network based on the weighted technique scores, identifies a corrective recommendation for the overall security score, and provides the overall security score and the corrective recommendation for presentation to a user.

Abstract: A botnet detector collects data associated with flows between a pair of network elements. The botnet detector processes the flow data to determine whether some of the flows are associated with botnet beaconing and/or tunneling. For example, the botnet detector may determine whether some of the flows occur at a regular interval or whether some of the flows are associated with extended length sessions, respectively. To determine whether some of the flows occur at a regular interval, the botnet detector may convert the flow data to the frequency domain and may determine an interval associated with a highest vector magnitude. If the botnet detector determines that the pair of network elements are exchanging beaconing or tunneling signals, the botnet detector may forward a notification that the pair of network elements are associated with the botnet.

Abstract: A botnet detector collects data associated with flows between a pair of network elements. The botnet detector processes the flow data to determine whether some of the flows are associated with botnet beaconing and/or tunneling. For example, the botnet detector may determine whether some of the flows occur at a regular interval or whether some of the flows are associated with extended length sessions, respectively. To determine whether some of the flows occur at a regular interval, the botnet detector may convert the flow data to the frequency domain and may determine an interval associated with a highest vector magnitude. If the botnet detector determines that the pair of network elements are exchanging beaconing or tunneling signals, the botnet detector may forward a notification that the pair of network elements are associated with the botnet.