Intrusion Detection Patents (Class 726/23)
-
Patent number: 12367440
Abstract: An AI-based system and method for facilitating management of threats for an organization is disclosed. The method includes receiving one or more inputs captured by a plurality of electronic devices of an organization, determining an AI model based on a type of the one or more inputs, and determining if the one or more inputs correspond to a predefined data range. The method includes detecting one or more threats associated with the organization by using the determined AI model and generating one or more real-time alerts corresponding to the detected one or more threats. Furthermore, the method includes generating one or more recommendations for responding to the detected one or more threats and outputting the detected one or more threats, the generated one or more real-time alerts and the generated one or more recommendations on user interface screen of one or more user devices.
Type: Grant
Filed: August 5, 2022
Date of Patent: July 22, 2025
Assignee: Sattrix USA LLC
Inventor: Jignesh Mehta
-
Patent number: 12369031
Abstract: Aspects relate to changing at least one communication parameter. In some examples, the at least one communication parameter may include at least one of an association identifier (AID), a packet number (PN), a sequence number (SN), a traffic identifier (TID), a timing synchronization function (TSF) value, or a combination thereof. In some examples, a first apparatus provides an indication of a change associated with at least one of the AID, the PN, the SN, the TID, the TSF value, or a combination thereof to a second apparatus.
Type: Grant
Filed: April 15, 2022
Date of Patent: July 22, 2025
Assignee: QUALCOMM Incorporated
Inventors: Sai Yiu Duncan Ho, Jouni Kalevi Malinen, Philip Michael Hawkes, George Cherian
-
Patent number: 12361121
Abstract: A method, comprising: detecting a first cyber event; instantiating a report, the report including an identifier corresponding to the first cyber event; generating a signature for a system log and classifying the signature for the system log with a first neural network; and adding the system log to the report based on an outcome of the classification of the signature for the system log, wherein the system log is added to the report only when the signature for the system log is classified into a predetermined category.
Type: Grant
Filed: November 28, 2022
Date of Patent: July 15, 2025
Assignee: NIGHTWING GROUP, LLC
Inventors: Daniel Rose, Torsten Staab, Travis Durbin
-
Patent number: 12363153
Abstract: The present invention is a security system and method for hardening a digital system. The security system includes a plurality of scanners loaded in various hosts provided by digital devices of the digital system. Each scanner is configured to perform scanner operations and use communication paths to communicate with other scanners in the security system. The decentralized nature of the scanners and the ability to communicate amongst the various scanners provides the ability to quickly assess and monitor the entire digital system thereby providing the ability to quickly prevent, detect and respond to malicious attacks.
Type: Grant
Filed: September 30, 2022
Date of Patent: July 15, 2025
Assignee: The Government of the United States as represented by the Director, National Security Agency
Inventors: Daryle D. Deloatch, Mark J. Haney
-
Patent number: 12360886
Abstract: Techniques are disclosed relating to the execution of queries in an online manner. For example, in some embodiments, a server system may include a distributed computing system that, in turn, includes a distributed storage system operable to store transaction data associated with a plurality of users, and a distributed computing engine operable to perform distributed processing jobs based on the transaction data. In various embodiments, the server system preemptively creates a compute session on the distributed computing engine, where the compute session provides access to various functionalities of the distributed computing engine. The distributed computing engine may then use these preemptively created compute sessions to execute queries (e.g., for end users of the server system) against the transaction data and return the results dataset to the requesting users in an online manner.
Type: Grant
Filed: October 6, 2023
Date of Patent: July 15, 2025
Assignee: PayPal, Inc.
Inventors: Ramakrishna Vedula, Lokesh Nyati
-
Patent number: 12361131
Abstract: Some embodiments of an interception-based unpacker leverage an auto-unpacker of a packed file, using certain hooks, to obtain unpacked content even when the specific compression and encryption algorithms that were used to pack the packed file are unknown. The unpacked content is studied directly, or injected into a copy of the packed file to create an unpacked executable version of the packed file. A hook on a process loader is utilized to obtain a pre-execution map of memory allocated to a target packed process. One or more interrupt hooks or system call hooks, which are triggered by permission changes or by write permission or execution permission exceptions, are utilized to obtain copies of unpacked content. In some embodiments, the interception-based unpacker executes primarily or entirely in kernel space. Embodiments of the interception-based unpacker are operable in open source kernel or closed source kernel operating systems.
Type: Grant
Filed: May 24, 2023
Date of Patent: July 15, 2025
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Vladimir Tokarev, Yuval Gordon, Gil Regev
-
Patent number: 12363141
Abstract: A method, apparatus and computer program product for real-time new account fraud detection and prevention. The technique leverages machine learning. In this approach, first and second computational branches of a machine learning model are trained jointly on a corpus of emails. Following training, an arbitrary email is received. The arbitrary email is then applied through the computational branches of the machine learning model. The first branch has an attention layer, and the second branch has a convolutional layer. The outputs of the branches are aggregated into an output that is then applied through another self-attention layer to generate a score. Based on the score, the arbitrary email is characterized. If the email is characterized as fraudulent, a mitigation action is taken.
Type: Grant
Filed: April 19, 2022
Date of Patent: July 15, 2025
Assignee: Akamai Technologies, Inc.
Inventors: Nadav George Costa, Ziv Eli
-
Patent number: 12363145
Abstract: A system for conducting cyberthreat analytics on a submitted object to determine whether the object is malicious is described. The system features a cybersecurity system operating with a cloud platform, which is configured to host resources including cloud processing resources and cloud storage resources. The cybersecurity system is configured to analyze one or more received objects included as part of a submission received from a subscriber after authentication of the subscriber and verification that the subscriber is authorized to perform one or more tasks associated with the submission. The cybersecurity system is configured to operate as a multi-tenant Security-as-a-Service (SaaS) that relies upon the cloud processing resources and the cloud storage resources provided by the cloud platform in performing the cybersecurity operations.
Type: Grant
Filed: December 4, 2023
Date of Patent: July 15, 2025
Assignee: MUSARUBRA US LLC
Inventors: Sai Vashisht, Sagar Khangan
-
Patent number: 12361136
Abstract: Computing resources deployed on the cloud can be susceptible to different types of malicious attacks based on vulnerabilities introduced in computer program instructions that define the computing resources. To address these types of attacks, methods, systems, apparatuses, and computer-readable storage mediums are described for identifying a resource attack path. A vulnerability identifier scans a set of computer program instructions to identify a vulnerability therein. A resource mapper generates a resource map that identifies a relationship between a portion of the set of computer program instructions and a resource executing in a cloud. An attack path identifier obtains a log that identifies telemetry events in the cloud. The attack path identifier further identifies an attack path based at least on the identified vulnerability, the resource map, and the log. A security event remediator performs a remediation action in response to the identifying the attack path.
Type: Grant
Filed: August 10, 2022
Date of Patent: July 15, 2025
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Karen Lowe Dahmen, George Wilburn
-
Patent number: 12363157
Abstract: A cyber security appliance has one or more modules to interact with entities in an operational technology network and potentially in an informational technology network. The operational technology module can reference various machine-learning models trained on a normal pattern of life of users, devices, and/or controllers of the operational technology network. A comparator module cooperates with the operational technology module to compare the received data on the operational technology network to the normal pattern of life of any of the users, devices, and controllers to detect anomalies in the normal pattern of life for these entities in order to detect a cyber threat. An autonomous response module can be programmed to respond to counter the detected cyber threat.
Type: Grant
Filed: November 6, 2023
Date of Patent: July 15, 2025
Assignee: Darktrace Holdings Limited
Inventors: Simon Fellows, Jack Stockdale
-
Patent number: 12361122
Abstract: Systems and methods are provided to detect ransomware and ransomware-like behavior.
Type: Grant
Filed: July 26, 2022
Date of Patent: July 15, 2025
Inventor: Uri Sternfeld
-
Patent number: 12355786
Abstract: A computing system generates from received user input an initial profile. The initial profile specifies expected behavioral patterns of datasets that are to be received by the computing system. The computing system extracts from received datasets features that are indicative of behavioral patterns of the received datasets. The computing system provides the initial profile to first machine-learning models. The first machine-learning models have been trained using a subset of the received datasets. The first machine-learning models use the initial profile to determine if the behavioral patterns of the received datasets are anomalous. The computing system includes second machine-learning models that have been trained using a subset of the received datasets. The second machine-learning models train a second profile based on the extracted features to specify behavioral patterns of the received datasets that are learned by the second machine-learning model.
Type: Grant
Filed: June 14, 2022
Date of Patent: July 8, 2025
Assignee: Microsoft Technology Licensing, LLC
Inventors: Andrey Karpovsky, Idan Hen
-
Patent number: 12354109
Abstract: Systems and methods for the deployment of an application programming interface to cloud-based systems using a distributed ledger are disclosed. The system may include a cloud provider system and a distributed ledger. The cloud provider system may be configured to deploy cloud-based systems and/or APIs to enable one or more participant systems to leverage cloud-based resources. The distributed ledger may record events, functionalities, and operations from the cloud provider system, the participant systems, and the deployed cloud-based systems and APIs.
Type: Grant
Filed: April 28, 2022
Date of Patent: July 8, 2025
Assignee: AMERICAN EXPRESS TRAVEL RELATED SERVICES COMPANY, INC.
Inventors: Michael Concannon, Andras L. Ferenczi, Mohammad N. Nauman
-
Patent number: 12353546
Abstract: A method and apparatus for generating a malware detection dataset. The method accesses a database comprising malware files and metadata related to the files. The metadata is ranked and the rankings combined into a relevancy score. The most relevant files in the database are identified as malware samples. The malware samples and their related scores are stored in a malware detection dataset.
Type: Grant
Filed: July 21, 2022
Date of Patent: July 8, 2025
Assignee: UAB 360 IT
Inventors: Justas Rafanavičius, Aleksandr Ševčenko
-
Patent number: 12346447
Abstract: A system, method, and computer-program product includes obtaining a third-party security event of a subscriber, generating a technology source-agnostic security event signal for the third-party security event based on routing the third-party security event to an event normalization service, identifying a technology source-agnostic security event signal type that corresponds to the technology source-agnostic security event signal based on generating the technology source-agnostic security event signal, retrieving a corpus of computer-executable detection instructions digitally mapped to the technology source-agnostic security event signal type based on querying a detection instructions retrieval application programming interface (API), assessing the technology source-agnostic security event signal against each computer-executable detection instruction included in the corpus of computer-executable detection instructions, and generating, via the one or more processors, a prospective security alert based on the t
Type: Grant
Filed: August 2, 2024
Date of Patent: July 1, 2025
Assignee: Expel, Inc.
Inventors: Dan Whalen, Patrick Edgett
-
Patent number: 12346440
Abstract: A non-transitory, processor-readable medium storing instructions that, when executed by a processor, cause the processor to receive, from a requestor compute device, a first request that references one of an electronic file or a data set stored in a memory. The processor monitors a plurality of subsequent requests originating from the requestor compute device. The instructions cause the processor to identify, based on the monitoring of the plurality of subsequent requests, a detected ransomware type from a plurality of ransomware types. Each ransomware type is associated with a predefined sequence of actions associated with the one of the electronic file or the data set. In response to identifying the detected ransomware type, the processor either generates an alert message that includes an indication of an association between the requestor compute device and the detected ransomware type; or modifies an access control permission associated with the requestor compute device.
Type: Grant
Filed: May 22, 2024
Date of Patent: July 1, 2025
Assignee: Sotero, Inc.
Inventors: Purandar Gururaj Das, Shanthi Boppana
-
Patent number: 12346431
Abstract: A tainting engine can work in conjunction with a syntax attack detection template to identify when a threat actor attempts a malicious attack in a cloud application scenario. Non-intrusive instrumentation can be used to provide detection of an attempted attack regardless of whether the cloud application is vulnerable to such attacks. Detection of attempted attacks can be an important part of maintaining network security, even in cases where an application itself is not vulnerable to such attacks. Further details about the attempted attack can be assembled, and a variety of actions can be taken in response to detection.
Type: Grant
Filed: February 27, 2023
Date of Patent: July 1, 2025
Assignee: SAP SE
Inventors: Cedric Hebert, Thomas Barber, Suv Sanjit Patnaik
-
Patent number: 12346442
Abstract: A method, apparatus and system for data augmentation include receiving a first plurality of binary files each having a first binary structure and including one or more known files containing malicious content and one or more known files not containing malicious content, altering a source code of each of the first plurality of binary files to produce a second plurality of binary files each having a second binary structure that is different from the first binary structure, wherein each altered binary file is functionally similar to the corresponding file in the first plurality of binary files from which it was produced, using the first and second plurality of binary files to train the AM machine learning model to distinguish between binary files containing malicious content and binary files not containing malicious content, and applying the trained AM machine learning model to identify unknown binary files containing malicious content.
Type: Grant
Filed: May 30, 2023
Date of Patent: July 1, 2025
Assignee: UAB 360 IT
Inventors: Mantas Briliauskas, Aleksandr Ševčenko
-
Patent number: 12346433
Abstract: The systems and methods use a gradient boosted decision tree, which may be trained in data sparse environments. The system also uses a data transformation step to collapse complex data into a standardized feature input (e.g., a fixed length feature input) that may be processed by the model with a constant (or near-constant) lookup time and with minimal latency. Finally, the system generates a dual variable output that provides both a metric of whether a communication is fraudulent and/or unauthorized as well as a confidence level of that determination.
Type: Grant
Filed: July 29, 2022
Date of Patent: July 1, 2025
Assignee: Capital One Services, LLC
Inventor: Spencer Davis
-
Patent number: 12339786
Abstract: A method includes retrieving, in a kernel space of an operating system executing on a computing device, a first value from a first clock source, retrieving, in a user space of the operating system executing on the computing device, a second value from a second clock source, generating a unique process identifier (UPID) associated with a process identifier (PID) of a process executing in the operating system, wherein the UPID is based on the first value of the first clock source and the second value of the second clock source, and tracking process activity of the process executing in the operating system by utilizing the UPID.
Type: Grant
Filed: December 14, 2022
Date of Patent: June 24, 2025
Assignee: CrowdStrike, Inc.
Inventors: Martin Kelly, Marco Vedovati, Igor Polevoy, Milos Petrbok, Christopher White
-
Patent number: 12341787
Abstract: The present invention relates to a method for automatic signatures generation from a plurality of sources, comprising defining a plurality of identified sources of samples providers, collecting, by a computerized data processing unit, input samples from the sample providers, verifying, by the computerized data processing unit, the input samples defining verified input samples, generating, by the computerized data processing unit, verified signatures from the verified input samples, storing, in a verified signatures database operatively connected to the computerized data processing unit, the verified signatures, wherein the collecting comprises extracting raw IoCs from the input samples, wherein the verifying comprises evaluating the reputation of each of the raw IoCs according to predefined reputation rules and comparing each of the raw IoCs with a database of existing signatures operatively connected to the data processing unit to define allowable raw IoCs; and wherein the generating comprises creating the v
Type: Grant
Filed: July 1, 2022
Date of Patent: June 24, 2025
Assignee: Nozomi Networks Sagl
Inventors: Alexey Kleymenov, Moreno Carullo, Andrea Carcano
-
Patent number: 12341799
Abstract: Systems and methods for cloud activity anomaly detection include receiving historical data from a historical time span associated with an identity, wherein the historical data includes activities performed by the identity and times when the activities took place; computing an activity prediction for a future time span based on the historical data, wherein the activity prediction specifies intervals within the future time span when future activities are expected to take place; performing inline monitoring of activity between the identity and a cloud-based system; and responsive to an activity taking place outside of the activity prediction, performing an action based thereon.
Type: Grant
Filed: July 3, 2023
Date of Patent: June 24, 2025
Assignee: Zscaler, Inc.
Inventor: Hila Paz Herszfang
-
Patent number: 12335261
Abstract: A network of nodes supporting machine to machine (“M2M”) communication within the network is provided. Each of a plurality of nodes within the networks may be in an inactive communication state prior to authentication. The authentication may be performed by a remote central node (“RCN”). The RCN may be configured to control authentication and communication between nodes in the network. The RCN may perform one, two or more methods of authentication to securely authenticate each node. Following authentication, the RCN may generate network protocol for data payloads transmitted within the network. The RCN may further be configured to store data transmitted between nodes and maintain or delete the data based on a level of privacy that may be tagged to the stored data.
Type: Grant
Filed: October 16, 2023
Date of Patent: June 17, 2025
Assignee: Bank of America Corporation
Inventors: Srinivasan Selvaraj, Ananda Raj
-
Patent number: 12314391
Abstract: An anti-abuse system is provided for a data-platform. An anti-abuse scanner of the data-platform detects a creation of an application package by a provider of content to the data platform where the application package includes a set of files for deployment on the data platform. The anti-abuse scanner performs a review of the set of files to detect malicious content where the review is based on a set of analysis rules and generates a deployment decision for the application package based on a result of the review.
Type: Grant
Filed: April 30, 2024
Date of Patent: May 27, 2025
Assignee: Snowflake Inc.
Inventors: Damien Carru, Pui Kei Johnston Chu, Benoit Dageville, Iulia Ion, Unmesh Jagtap, Subramanian Muralidhar, James Pan, Nihar Pasala, Hrushikesh Shrinivas Paralikar, Jake Tsuyemura, Ryan Charles Quistorff, Rishabh Gupta
-
Patent number: 12314360
Abstract: Systems are provided for improving computer security systems that are based on user risk scores. These systems can be used to improve both the accuracy and usability of the user risk scores by applying multiple tiers of machine learning to the different user risk profile components used to generate the user risk scores and in such a manner as to dynamically generate and modify the corresponding user risk scores.
Type: Grant
Filed: December 18, 2023
Date of Patent: May 27, 2025
Assignee: Microsoft Technology Licensing, LLC
Inventors: Sayed Hassan Abdelaziz, Maria Puertas Calvo, Laurentiu Bogdan Cristofor, Rajat Luthra
-
Patent number: 12314401
Abstract: Various embodiments include systems and methods to implement predictive scan engine runtime durations by a security platform to predict runtime durations associated with computing resources. Predictive scan engine runtime durations may be determined by training a prediction model using a multiple linear regression analysis. For example, the security platform may determine a prediction model using training data that associates runtime durations with configuration inputs associated with a security service that operates with respect to a computing resource. Based on the prediction model, the security platform may determine a runtime estimate for a security service run that is configured similarly to a previous security service run used to train the prediction model.
Type: Grant
Filed: June 28, 2022
Date of Patent: May 27, 2025
Assignee: Rapid7, Inc.
Inventors: Luke Matear, Thomas McGuinness
-
Patent number: 12316554
Abstract: Systems and methods for providing multi-perimeter firewalls via a virtual global network are disclosed. In one embodiment the network system may comprise an egress ingress point in communication with a first access point server, a second access point server in communication with the first access point server, an endpoint device in communication with the second access point server, a first firewall in communication with the first access point server, and a second firewall in communication with the second access point server. The first and second firewalls may prevent traffic from passing through their respective access point servers. The first and second may be in communication with each other and exchange threat information.
Type: Grant
Filed: November 7, 2024
Date of Patent: May 27, 2025
Assignee: UMBRA Technologies Ltd.
Inventors: Joseph E. Rubenstein, Carlos Eduardo Oré
-
Patent number: 12316754
Abstract: Systems, apparatuses, and methods are disclosed for quantum entanglement authentication. An example method performed by a first device includes receiving a first electronic identification of a first subset of a first set of entangled quantum particles and a first number generated based on a second subset of the first set of entangled quantum particles associated with a second device, generating a second number based on the first subset of the first set of entangled quantum particles, generating a first session key based on the first number and the second number, receiving, from the second device, an electronic communication comprising a second session key, the second session key based on a third number and a fourth number, and authenticating a session between the first device and the second device based on the first session key being identical to the second session key.
Type: Grant
Filed: February 3, 2023
Date of Patent: May 27, 2025
Assignee: Wells Fargo Bank, N.A.
Inventors: Jeff J. Stapleton, Robert L. Carter, Jr., Pierre Arbajian, Bradford A. Shea, Peter Bordow, Michael Erik Meinholz
-
Patent number: 12301604
Abstract: An anomaly detection system that includes a database and a server. The server is connected to the database. The server is configured to identify anomalous web traffic for a certain time period based on one or more client keys from the certain time period. The client key(s) includes at least two characteristics related to web traffic data. The server includes a processing unit and a memory. The server is configured to receive the web traffic data from the database, calculate a z-score metric for the client key, calculate a change rate metric for the client key, calculate a failure metric for the client key, determine an anomaly score based on the z-score metric, the change rate metric, and the failure metric, and determine that the certain time period is an anomalous time period based on the anomaly score.
Type: Grant
Filed: August 21, 2023
Date of Patent: May 13, 2025
Assignee: MASTERCARD TECHNOLOGIES CANADA ULC
Inventors: John Hearty, Jake Madison, Zhi-Ping Ng, Nicholas Desmond
-
Patent number: 12301597
Abstract: A system and method for detecting an attack on an Internet of Things (IoT) device connected to an edge of a local network includes: scanning the local network's edge to detect an IoT device connected to said local network edge, detecting the IoT device, running a digital twin of the detected IoT device, transmitting a copy of real-time data, directed to the detected IoT device, to the digital twin of the IoT device, transforming the copy of the real-time data transmitted to the digital twin of the IoT device into a format that a machine learning classification model can process, said transforming step producing transformed data, and classifying the transformed data to detect an attack on the IoT device. A computer connected to the edge of the same local network to which the IoT device is connected can be used to perform the method steps for detecting the attack.
Type: Grant
Filed: January 15, 2025
Date of Patent: May 13, 2025
Assignee: KING SAUD UNIVERSITY
Inventors: Malak Mohammed Alhazmi, Fatimah Yousef Alakeel
-
Patent number: 12301591
Abstract: A system and method for connected vehicle cybersecurity. A method includes creating, by a remote system, a normal behavior model based on a first set of data including at least one first event with respect to connected vehicles, wherein the first set of data is collected from data sources, wherein the remote system is remote from the fleet of connected vehicles; detecting, by the remote system, an anomaly based on the normal behavior model and a second set of data, the second set of data including a second event with respect to the connected vehicles, wherein each of the first set of data and the second set of data includes vehicle data related to operation of the connected vehicles, wherein each event represents a communication with the connected vehicles; determining, based on the detected anomaly, at least one mitigation action; and causing implementation of the at least one mitigation action.
Type: Grant
Filed: March 30, 2022
Date of Patent: May 13, 2025
Assignee: Upstream Security, Ltd.
Inventors: Yonatan Appel, Yoav Levy
-
Patent number: 12301615
Abstract: Some embodiments help protect an organization against ransomware attacks by combining incrimination logics. An organizational-level incrimination logic helps detect alert spikes across many machines, which collectively indicate an attack. Graph-based incrimination logics help detect infestations of even a few machines, and local incrimination logics focus on protecting respective individual machines. Graph-based incrimination logics may compare monitored system graphs to known ransomware attack graphs. Graphs may have devices as nodes and device network connectivity, repeated files, repeated processes or actions, or other connections as edges. Statistical analyses and machine learning models may be employed as incrimination logics. Search logics may find additional incrimination candidates that would otherwise evade detection, based on files, processes, IP addresses, devices, accounts, or other computational entities previously incriminated.
Type: Grant
Filed: April 24, 2022
Date of Patent: May 13, 2025
Assignee: Microsoft Technology Licensing, LLC
Inventors: Arie Agranonik, Shay Kels, Amir Rubin, Charles Edouard Elie Bettan, Yair Tsarfaty, Itai Kollmann Dekel
-
Patent number: 12301620
Abstract: Malicious redirects in a redirect chain as a result of loading a web address are detected and blocked. A suspicion score is determined for a subject redirection domain based at least in part on the subject redirection domain's web address, and a rate of occurrence of the subject redirection domain in redirect chains leading to a malicious landing domain is calculated. Loading the subject redirection domain is blocked if the suspicion score exceeds a suspicion threshold or the rate of occurrence of the subject redirection domain exceeds a rate of occurrence threshold.
Type: Grant
Filed: March 3, 2022
Date of Patent: May 13, 2025
Assignee: Avast Software s.r.o.
Inventors: David Jursa, Jiří Šembera, Peter Kováč, Tomáš Trnka, Elnaz Babayeva
-
Patent number: 12301624
Abstract: Methods and systems for managing computing infrastructure compliance with standards are disclosed. The computing infrastructure may provide computer implemented services that may be at elevated risk if the computing infrastructure fails to comply with various standards such as security or redundancy standards. To manage compliance with standards, a cross-standard compliance coverage model may be used. The cross-standard compliance coverage model may use information regarding infrastructure components of the computing infrastructure to ascertain compliance with any number of standards.
Type: Grant
Filed: April 21, 2023
Date of Patent: May 13, 2025
Assignee: Dell Products L.P.
Inventors: Stav Sapir, Maxim Balin
-
Patent number: 12294597
Abstract: A method for generating enterprise cyber reports through linking IP access control logic with error handler and audits compartmentalized by web application for different user groups with multiple monitoring tools data. Business logic may be defined in access control tables for multiple user groups sharing multiple different application data and programmable access control logic applied to subfolders within the website subfolders based on functional user group role permissions. A common network event field name may be used to map multiple different monitoring tools data into common field alias. The field alias mapping allows multiple networking capture tools to be included within the same cyber report. Joining multiple network events field alias with an IP location allows for groups of different IP zone reports to be created within the enterprise being monitored by different monitoring tools.
Type: Grant
Filed: April 11, 2022
Date of Patent: May 6, 2025
Inventor: David Michael Vigna
-
Patent number: 12294600
Abstract: A computer implemented method processes alerts. A computer system creates a representation of an alert received for processing. The computer system determines a similarity of the alert with previously processed alerts using the representation of the alert and representations of the previously processed alerts. A first evaluator in the computer system evaluates an alert level for the alert based on previously processed similar alerts in response to the similarity being above a similarity threshold for similar alerts. A second evaluator in the computer system evaluates the alert level for the alert using a machine learning model in response to the similarity not being above the similarity threshold.
Type: Grant
Filed: August 30, 2022
Date of Patent: May 6, 2025
Assignee: International Business Machines Corporation
Inventors: Hemant Kumar Sivaswamy, Alberto Pelliccione
-
Patent number: 12294610
Abstract: Systems and methods for dynamically mitigating a DDOS attack. In an aspect, the technology relates to a computer-implemented method for dynamically mitigating a distributed-denial-of-service (DDOS) attack. The computer-implemented method may include detecting a DDOS attack directing malicious traffic to a target, identifying one or more source locations of the malicious traffic, and in response to detecting the DDOS attack, activating one or more scrub clusters in the identified one or more source locations of the malicious traffic. The method may further include directing traffic intended for the target to the activated one or more scrub clusters, detecting an end of the DDOS attack, and in response to detecting the end of the DDOS attack, deactivating the one or more scrub clusters to release hardware resources.
Type: Grant
Filed: October 20, 2023
Date of Patent: May 6, 2025
Assignee: Level 3 Communications, LLC
Inventor: Michael Feldpusch
-
Patent number: 12289323
Abstract: Embodiments of a cyberattack monitoring system are disclosed to identify successful attacks on a service based on benign activities of the attacker performed after the initial attack attempt. In embodiments, the system identifies the initial attack by matching client actions to known attack patterns. Clients observed with attempted attacks are remembered as suspected attackers. The system will then monitor subsequent actions of suspected attackers for signs that the initial attack attempt was successful. In embodiments, a successful attack is recognized when the system observes one or more subsequent benign actions by the suspected attacker. In embodiments, the presence of follow-on benign actions is used as a filter to filter out unsuccessful attacks and false positives detected by the system. The filtering enables the system to better focus system resources and human attention on a small set of client activities that are likely successful attacks.
Type: Grant
Filed: June 30, 2021
Date of Patent: April 29, 2025
Assignee: Rapid7, Inc.
Inventors: Viliam Holub, Trevor Parsons, Eoin Shanley
-
Patent number: 12287862
Abstract: A semiconductor chip includes an electronic hardware circuitry device that includes a plurality of partitionable hardware resources that each includes a corresponding resource allocation state. The electronic hardware circuitry includes a logic control circuit to control access to the plurality of hardware resources based on the respective resource allocation states of the hardware resources and based on input from one or more authorized agents. The semiconductor chip further includes a processor core to implement a plurality of software applications belonging to a first group or to a second group, each of the plurality of applications configured to access and interact with at least one corresponding hardware resource assigned to the respective application, implement assigning software agents each authorized and configured to cause the electronic hardware circuitry device to assign one or more unassigned hardware resources only to one or more of the software applications belonging to certain groups.
Type: Grant
Filed: November 7, 2022
Date of Patent: April 29, 2025
Assignee: Infineon Technologies AG
Inventors: Sandeep Vangipuram, Glenn Farrall, Albrecht Mayer, Frank Hellwig
-
Patent number: 12289328
Abstract: Techniques for detecting anomalous behavior of an Internet-of-Things (IoT) device in an IoT network. IoT events of an IoT device are captured and analyzed to identify periodic activities of the IoT device. The periodic activities of the IoT device are tracked over time, and variations in the periodic activities are analyzed to assess potential threats to the IoT network.
Type: Grant
Filed: October 15, 2019
Date of Patent: April 29, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Jun Du, Mei Wang
-
Patent number: 12282383
Abstract: Methods, apparatuses, or computer program products provide for generating a service risk analysis score data object. A service risk analysis request associated with an unreleased code object is received. One or more service risk analysis attributes are extracted using a service risk analysis layer based at least in part on the unreleased code object. A service risk analysis score data object is generated using a service risk analysis machine learning model based at least in part on the one or more service risk analysis attributes. The service risk analysis score data object is output.
Type: Grant
Filed: September 27, 2021
Date of Patent: April 22, 2025
Assignees: ATLASSIAN PTY LTD., ATLASSIAN US, INC.
Inventors: Karthik Muralidharan, Shashank Prasad Rao, Sri Vardhamanan A
-
Patent number: 12282556
Abstract: A method includes receiving a request for a first domain from a requester with an identification, fetching requester profile using the identification, generating a seed domain based on the request and the requester profile, generating a plurality of SLDs based on the seed domain and the requester profile, generating a plurality of TLDs based on the seed domain and the requester profile, generating a first plurality of candidate domains based on the plurality of SLDs and the plurality of TLDs, generating a second plurality of candidate domains that are currently available by checking the first plurality of domains with a domain registrar, ranking the second plurality of candidate domains to be provided to the requester for a selection, receiving a selected domain, automatically updating the requester profile based on the request and the selection, and fetching the updated profile for generating another seed domain for a subsequent request.
Type: Grant
Filed: November 19, 2024
Date of Patent: April 22, 2025
Assignee: Go Daddy Operating Company, LLC
Inventors: Ankush H. Prasad, Wenbo Wang, Vinit Badrike, Chungwei Yen, David Kellogg, Larry Lai, Anand Krishniyer
-
Patent number: 12282537
Abstract: A method for operating a data communication between functional units for a vehicle, in which a predefined number of data packets transmitted by a sending unit to a receiving unit is collected in a data buffer of the sending unit to generate a data block. In each predefined time step, one data packet is transmitted, in which the data packets are collected over a predefined collection period. A signature for authenticating the data block is then determined, the signature being determined over a predefined determination period lasting for multiple time steps. The signature is then sent in multiple parts from the sending unit to the receiving unit over a predefined transmission period, with one part of the signature being sent per time step. The sum of the collection period, the determination period and the transmission period is less than a predefined system fault tolerance time.
Type: Grant
Filed: October 27, 2022
Date of Patent: April 22, 2025
Assignee: KNORR-BREMSE SYSTEME FUER NUTZFAHRZEUGE GMBH
Inventor: Christian Kraemer
-
Patent number: 12284195
Abstract: A system and method for detecting cloud identity misuse in a cloud computing environment is presented. The method includes: deploying a runtime sensor on a workload in a cloud computing environment; continuously receiving data from the runtime sensor; generating an activity baseline based on the continuously received data, wherein the runtime sensor is configured to detect runtime processes on the workload; detecting an event in a cloud log, the event including an identifier of the workload; associating a runtime process detected by the runtime sensor on the workload with the event detected in the cloud log; and determining that the event is an anomalous event based on the generated activity baseline.
Type: Grant
Filed: March 29, 2024
Date of Patent: April 22, 2025
Assignee: Wiz, Inc.
Inventors: Ami Luttwak, Alon Schindel, Shir Tamari, Ron Cohen
-
Patent number: 12277251
Abstract: Information characterizing a security event is received from an agent executing on an endpoint computing device. The received information identifies a plurality of files encrypted as part of a ransomware attack and key material used when encrypting each of the files. Based on the received information, a surveyor package is generated which includes decryptor logic to decrypt at least a portion of the files. The surveyor package is deployed to the agent so that it can be unpacked and executed to decrypt at least a portion of the files. Once these files are decrypted, they can be transported to a safe computing environment. Related apparatus, systems, techniques and articles are also described.
Type: Grant
Filed: November 14, 2024
Date of Patent: April 15, 2025
Assignee: Halcyon Tech, Inc.
Inventors: Alejandro Espinoza, Robert Bushner, Matthew Gosline, Kristen Lamb, Seagen Levites, Clark Lindsey, Jonathan Miller, Ryan Smith, Vu Ta
-
Patent number: 12278811
Abstract: An electronic control unit (ECU), or node, is configured to use a single key for generating requests from a security peripheral for a MAC. The security peripheral includes the stored shared key. The security peripheral may further include a policy enabling it to detect if a request from the V-ECU is valid, in which case it generates a MAC. The security peripheral is also used to store information in a MAC Generate Allow List (MGAL). In some embodiments, the receiving nodes in a network receive data based on a security peripheral's response to a transmit node's requests for a MAC. The receiving nodes use this knowledge to avoid being spoofed.
Type: Grant
Filed: December 1, 2022
Date of Patent: April 15, 2025
Assignee: GM Global Technology Operations LLC
Inventors: Brian Farrell, Sherif Aly, Mohamed A. Layouni, Manohar Reddy Nanjundappa
-
Patent number: 12278824
Abstract: A method for identifying a malicious connection between a client device and a server includes obtaining handshake parameters for the client device and the server responsive to the client device initiating a connection with the server, generating a feature set by extracting features from the handshake parameters, predicting a maliciousness of the connection using a machine learning model, where the extracted features are provided as inputs to the machine learning model, and automatically initiating a corrective action if the connection is predicted to be malicious.
Type: Grant
Filed: September 14, 2022
Date of Patent: April 15, 2025
Assignee: UAB 360 IT
Inventors: Dainius Ražinskas, Mantas Briliauskas
-
Patent number: 12278726
Abstract: In an embodiment, a computer implemented method is provided. The method may include quantifying a plurality of component level risks for at least a subset of components in the network. The method may further include simulating cascades of the component level risks, with each corresponding component designated as a risk seed of the subset of components, throughout the network. The method may additionally include quantifying the network level risk as a risk status in a resilience spectrum based on the simulated cascades.
Type: Grant
Filed: May 15, 2024
Date of Patent: April 15, 2025
Assignee: CRITICALITY SCIENCES, INC.
Inventor: Theodore G. Lewis
-
Patent number: 12271811
Abstract: A domain processing system receives or collects raw data containing sample domains each having a known class identity indicating whether a domain is conducting an email campaign. The domain processing system extracts features from each of the sample domains and selects features of interest from the features, including at least a feature particular to a seed domain and features particular to email activities over a time line that includes days before and after a domain creation date. The features of interest are used to create feature vectors which, in turn, are used to train a machine learning model, the training including optimizing a neural network structure iteratively until stopping criteria are satisfied. The trained model functions as an email campaign domain classifier operable to classify candidate domains with unknown class identities such that each of the candidate domains is classified as conducting or not conducting an email campaign.
Type: Grant
Filed: March 30, 2021
Date of Patent: April 8, 2025
Assignee: Proofpoint, Inc.
Inventors: Hung-Jen Chang, Gaurav Mitesh Dalal, Ali Mesdaq
-
Patent number: 12273258
Abstract: A system and method for performing inspection of a reachable code object of a cloud computing environment is presented. The method includes detecting a network path for each resource of a plurality of resources deployed in a cloud computing environment, wherein the network path includes at least a portion between an external network and the cloud computing environment; determining reachability parameters of each resource of the plurality of resources for which a network path is detected; accessing a code repository including a plurality of code objects; actively inspecting the network path of a resource to determine if the network path is a viable network path; mapping each resource having a viable network path to a code object of the plurality of code objects; inspecting a mapped code object for a cybersecurity object; and initiating a remediation action based on the cybersecurity object.
Type: Grant
Filed: October 16, 2024
Date of Patent: April 8, 2025
Assignee: Wiz, Inc.
Inventors: Assaf Segal, Ami Luttwak, Shir Tamari, Arnon Trabelsi, Amir Lande Blau