Abstract: An orchestrator that manages security appliances for an organization determines a sink configured for traffic mirroring and correspondingly configures components for the correlation and secure conveyance. The orchestrator also configures the security appliances. The orchestrator configures the security appliances to copy cryptographic keys (hereinafter “tunnel keys”) and identifiers associated with the keys of secure VPN tunnels established by the security appliances to a repository of the cloud-service provider. The orchestrator configures a virtual machine associated with the mirroring sink with correlation logic. The virtual machine correlates sets of packets aggregated across different mirroring streams and tunnel keys with the associated identifiers. Correlating the sets of packets and the tunnel keys allows an organization to efficiently access the content of the encrypted packets or facilitates secure conveyance.

Abstract: An orchestrator that manages security appliances for an organization determines a sink configured for traffic mirroring and correspondingly configures components for secure conveyance of mirrored traffic to a sink. The orchestrator configures a VM associated with the mirroring sink to use correlated packets and tunnel keys to securely convey the packets to an organization. The virtual machine decrypts each set of packets with the correlated tunnel key in memory and then re-encrypts the packets with a cryptographic key (hereinafter “random key”) generated on-the-fly for use on the current set of decrypted packets in memory. The virtual machine then encrypts the random key with a public key of the organization that will monitor and/or analyze the traffic data and writes the encrypted packets and/or packet contents and encrypted random key to a specified repository of the organization.

Abstract: Techniques for application identification for phishing detection are disclosed. In some embodiments, a system/process/computer program product for application identification for phishing detection includes monitoring network activity associated with a session to detect a request to access a site; determining advanced application identification associated with the site; and identifying the site as a phishing site based on the advanced application identification.

Abstract: Techniques for rendering an object using multiple versions of an application in a single process for dynamic malware analysis are disclosed. In some embodiments, a system, process, and/or computer program product for rendering an object using multiple versions of an application in a single process for dynamic malware analysis includes receiving a sample at a cloud security service, in which the sample includes an embedded object; detonating the sample using a browser executed in an instrumented virtual machine environment; and rendering the embedded object using a plurality of versions of an application in a single process during a dynamic malware analysis using the instrumented virtual machine environment.

Abstract: Techniques for rendering an object using multiple versions of an application in a single process for dynamic malware analysis are disclosed. In some embodiments, a system, process, and/or computer program product for rendering an object using multiple versions of an application in a single process for dynamic malware analysis includes receiving a sample at a cloud security service, in which the sample includes an embedded object; detonating the sample using a browser executed in an instrumented virtual machine environment; and rendering the embedded object using a plurality of versions of an application in a single process during a dynamic malware analysis using the instrumented virtual machine environment.

Abstract: Techniques for rendering an object using multiple versions of an application in a single process for dynamic malware analysis are disclosed. In some embodiments, a system, process, and/or computer program product for rendering an object using multiple versions of an application in a single process for dynamic malware analysis includes receiving a sample at a cloud security service, in which the sample includes an embedded object; detonating the sample using a browser executed in an instrumented virtual machine environment; and rendering the embedded object using a plurality of versions of an application in a single process during a dynamic malware analysis using the instrumented virtual machine environment.