Systems and methods for browser isolation with Graphics Processing Unit (GPU) forking include initializing a plurality of virtual GPU instances within one or more servers of a cloud-based system; receiving a rendering request from a client device; analyzing the rendering request and determining a workload distribution across the plurality of virtual GPU instances based on the analyzing; executing rendering tasks across the plurality of virtual GPU instances and generating rendering instructions; and pushing the rendering instructions to the client device.
Systems and methods for detailed cloud posture remediation recommendations utilizing custom Large Language Models (LLMs). The present systems and methods are configured to perform the steps of scanning a cloud environment for posture control data; generating one or more alerts related to any of risky configurations and risky activities associated with the cloud environment; generating one or more remediation recommendations based on the one or more alerts; and providing the one or more alerts and the one or more remediation recommendations to administrators of the cloud environment.
Systems and methods for cloud security system assistance utilizing custom Large Language Models (LLMs) include providing a cloud-based security solution for an enterprise via a cloud-based system; displaying a User Interface (UI) associated with the cloud-based security solution having a chatbot, wherein the chatbot is configured to allow a user associated with the enterprise to enter a question; and responsive to receiving a question from a user via the chatbot, generating a detailed response to the question via a custom LLM, wherein the custom LLM is trained to provide assistance to users of the cloud-based security solution.
H04L 51/02 - User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail using automatic reactions or user delegation, e.g. automatic replies or chatbot-generated messages
4.
Cloud-Based Data Security Posture Management (DSPM)
Tummalapalli, Lokanadha Venkata Rama Chandra Sai Kishore
Bhallamudi, Arun
Vivekanandan, Shankar
Tangudu, Sreekanth
Paul, Narinder
Abstract
Systems and methods include discovering and classifying any of data discovered by inline cloud inspection, data stored across one or more cloud services, and data stored across one or more endpoints; continuously monitoring access to and usage of classified data, wherein the monitoring is performed in real-time and includes analyzing data access patterns, user behaviors, and application interactions; evaluating a security posture of the classified data by identifying misconfigurations, compliance violations, excessive permissions, and vulnerabilities; and enforcing one or more security policies based on the evaluated security posture.
Systems and methods for automated certificate generation and management inside zero trust private networks. Various methods include monitoring access to one or more private applications; responsive to identifying a request to access an application of the one or more private applications, generating a certificate; providing the generated certificate to a broker; and utilizing the generated certificate to provide access to the application by stitching together a connection between a user and the application.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
6.
Systems and methods for visualizing security coverage based on MITRE ATT&CK framework
Systems and methods for visualizing security coverage based on MITRE ATT&CK framework include obtaining cybersecurity monitoring data for an organization where the cybersecurity monitoring data is from a plurality of sources including from cybersecurity monitoring of a cloud environment associated with the organization; providing an interactive User Interface (UI), wherein the UI overlays a catalog of known malicious tactics with the cybersecurity monitoring data; and responsive to one or more selections within the UI, providing information related to coverage of one or more threat techniques.
Systems and methods for operating a scanning system, implemented either on-premises or in a cloud-based service, for crawling and analyzing files stored in one or more data repositories. The scanning system includes a controller, a message broker, and a distributed pool of workers, and, in one embodiment, a method includes receiving, by the controller, policy and configuration data associated with at least one organization; generating, by the controller, job assignments corresponding to files to be analyzed according to the received policy and configuration data; publishing the job assignments to the message broker for parallel distribution among the distributed pool of workers; retrieving and scanning, by at least one worker, the files from the one or more data repositories in accordance with the assigned job; and executing, where required by the policy and configuration data, at least one policy-based action on the files within the data repositories.
Systems and methods for updating a security agent installed on a computing device without requiring a scheduled software update window include steps of receiving a digitally signed script from a remote server, wherein the security agent includes an embedded interpreter configured to execute script-based instructions; verifying a digital signature of the digitally signed script using a public key embedded in the security agent; and executing the digitally signed script via the embedded interpreter at runtime to modify functionality of the security agent without recompiling or reinstalling compiled code.
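The step that carries the security weight in the abstract above is the order of operations: the embedded interpreter must never see a byte of the script until the signature has been checked against the public key compiled into the agent. The following is an added example (not the patent's or any vendor's agent code) that shows that gate in Go with Ed25519 from the standard library; the two-command script language (`SET`, `LOG`) and the server-side signing helper are assumptions made so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Agent holds the vendor public key baked into the binary at build time
// (an assumption: real agents pin it in a read-only section or the TPM).
type Agent struct {
	publicKey ed25519.PublicKey
	settings  map[string]string
	logs      []string
}

var ErrBadSignature = errors.New("script signature invalid: refusing to execute")

func NewAgent(pub ed25519.PublicKey) *Agent {
	return &Agent{publicKey: pub, settings: map[string]string{}}
}

// ApplySignedScript verifies the detached signature over the exact script
// bytes before the interpreter runs a single line. A bad or replayed
// signature leaves the agent's state untouched.
func (a *Agent) ApplySignedScript(script, sig []byte) error {
	if !ed25519.Verify(a.publicKey, script, sig) {
		return ErrBadSignature
	}
	return a.interpret(string(script))
}

// interpret is the embedded interpreter: a toy, line-oriented language with
// SET <key> <value> and LOG <text> (an assumption for illustration).
func (a *Agent) interpret(script string) error {
	for n, line := range strings.Split(script, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		switch fields[0] {
		case "SET":
			if len(fields) != 3 {
				return fmt.Errorf("line %d: SET needs key and value", n+1)
			}
			a.settings[fields[1]] = fields[2]
		case "LOG":
			a.logs = append(a.logs, strings.Join(fields[1:], " "))
		default:
			return fmt.Errorf("line %d: unknown command %q", n+1, fields[0])
		}
	}
	return nil
}

// SignScript is the update server's side, included so the example is self-contained.
func SignScript(priv ed25519.PrivateKey, script []byte) []byte {
	return ed25519.Sign(priv, script)
}

// Demo applies a genuine signed script, then a constructed tampered one that
// replays the old signature. It returns the settings and the second error.
func Demo() (map[string]string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	agent := NewAgent(pub)
	script := []byte("# hotfix: turn on TLS inspection\nSET tls_inspection on\nLOG tls inspection enabled\n")
	if err := agent.ApplySignedScript(script, SignScript(priv, script)); err != nil {
		panic(err)
	}
	tampered := []byte("SET tls_inspection off\n") // altered in transit, old signature replayed
	return agent.settings, agent.ApplySignedScript(tampered, SignScript(priv, script))
}

func main() {
	settings, tamperErr := Demo()
	fmt.Println("settings:", settings)
	fmt.Println("tampered script:", tamperErr)
}
```

The check is over the raw bytes that will be interpreted, not over a parsed form, so there is no window in which the parser could be fed something other than what was signed.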
Systems and methods for utilizing small sized Large Language Models (LLMs) for performing domain classification include responsive to training one or more machine learning models for performing classification of domains, the training including performing one or more optimizations to the one or more machine learning models, receiving a domain; obtaining data associated with the domain including log data from a cloud-based system that performs monitoring of a plurality of users; and analyzing the domain via the one or more trained machine learning models for classifying the domain.
Systems and methods for training a machine learning model for malware detection include steps of collecting a training dataset comprising a plurality of malicious files and a plurality of benign files from one or more sources; extracting features from each file in the training dataset, wherein the features include at least one of n-gram features, entropy features, or domain features; labeling each file in the training dataset as malicious or benign based on a predefined criterion; and applying a supervised machine learning technique to learn patterns in the extracted features and generate a trained machine learning model configured to predict whether a file is malicious or benign based on an incremental packet-based analysis.
A method of providing cloud-based security services includes receiving, at one or more distributed processing nodes in a cloud-based system, network traffic from a plurality of endpoints associated with at least one tenant; applying, by each distributed processing node, at least one cloud-based security inspection function configured to detect threats or enforce policy controls in the received network traffic; determining, via a policy engine whether to block, allow, or further analyze the network traffic based on per-tenant security policies; logging, in a cloud-based logging repository, inspection results, policy decisions, and rule matches for subsequent reporting and analytics; and updating the security inspection function at the distributed processing nodes, in real time, with newly discovered threat signatures and policy changes to provide continuous protection across the cloud-based system.
Systems and methods for directing and enforcing zero trust control on requests to destination services. In various embodiments, steps include receiving a request from a user to access a destination service; directing the request to a control layer; enforcing one or more controls, via the control layer, on the request based on a configuration provided by an owner of the destination service; and providing access to the destination service to the user based on the one or more controls.
Systems and methods for active exposure and unwanted connection protection. In various embodiments, steps include receiving a request from a user to access a destination service; directing the request to a control layer; enforcing one or more controls, via the control layer, on the request based on a configuration provided by an owner of the destination service; and creating a connection from the destination service to the control layer based on the one or more controls, thereby providing access to the destination service without exposing the destination service to a direct connection.
Systems and methods for abnormal Classless Inter-Domain Routing (CIDR) access detection. The present systems and methods are configured to perform the steps of scanning one or more security groups associated with a cloud environment; assigning a score to one or more Classless Inter-Domain Routing (CIDR) groups within the one or more security groups; and providing one or more suggested actions based on the score of the one or more CIDR groups.
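As an added illustration of the scoring step (this is not the patented scoring function; the weights, the sensitive-port list and the action thresholds are assumptions), the Go program below scores each security-group rule by how much public address space its CIDR admits, doubles the score when the port is an administrative or database surface, and maps the score to a suggested action:

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// Rule is one inbound entry of a security group (constructed shape).
type Rule struct {
	Group string
	CIDR  string
	Port  int
}

type Finding struct {
	Rule   Rule
	Score  int
	Action string
}

// Ports that should not be reachable from broad public ranges (assumption).
var sensitivePorts = map[int]bool{22: true, 3389: true, 1433: true, 3306: true, 5432: true, 6379: true}

// ScoreCIDR returns 0..100. Private, loopback and link-local ranges score 0;
// for public ranges the score falls linearly with prefix length (a /0 is 100,
// a /16 is 50, a /32 is 0) and doubles on a sensitive port, capped at 100.
// IPv6 prefixes are handled the same way over 128 bits.
func ScoreCIDR(cidr string, port int) (int, error) {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		return 0, err
	}
	a := p.Addr()
	if a.IsPrivate() || a.IsLoopback() || a.IsLinkLocalUnicast() {
		return 0, nil
	}
	hostBits := a.BitLen() - p.Bits()
	score := hostBits * 100 / a.BitLen()
	if sensitivePorts[port] {
		score *= 2
	}
	if score > 100 {
		score = 100
	}
	return score, nil
}

func Action(score int) string {
	switch {
	case score >= 75:
		return "restrict to known source ranges or place behind a broker"
	case score >= 25:
		return "review: narrow the CIDR or require authentication"
	default:
		return "ok"
	}
}

// ScanGroups scores every rule and returns findings, highest score first.
func ScanGroups(rules []Rule) ([]Finding, error) {
	var out []Finding
	for _, r := range rules {
		s, err := ScoreCIDR(r.CIDR, r.Port)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", r.Group, err)
		}
		out = append(out, Finding{r, s, Action(s)})
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Score > out[j].Score })
	return out, nil
}

// SampleRules is constructed input resembling a scanned account.
func SampleRules() []Rule {
	return []Rule{
		{"web-sg", "0.0.0.0/0", 443},
		{"web-sg", "0.0.0.0/0", 22},
		{"db-sg", "10.0.0.0/8", 5432},
		{"bastion-sg", "203.0.113.0/24", 22},
		{"bastion-sg", "203.0.113.7/32", 22},
		{"web6-sg", "::/0", 443},
	}
}

func main() {
	findings, err := ScanGroups(SampleRules())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-11s %-16s port %-5d score %3d  %s\n", f.Rule.Group, f.Rule.CIDR, f.Rule.Port, f.Score, f.Action)
	}
}
```

A /32 on port 22 scores 0 here because the rule is pinned to a single host; whether that host is the right one is an identity question, not a CIDR-width question.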
Systems and methods for detecting abnormal permissions in a cloud environment include obtaining data associated with a cloud environment; partitioning the data into a plurality of groups and windows, wherein each of the windows includes one or more groups; determining one or more groups within a window having a similarity; and identifying one or more groups as having abnormal permissions based on the similarity. Based on a similarity score being above a threshold, the systems can be adapted to identify the differences, i.e., the one or more extra permissions in one of the groups, and automatically remove these permissions.
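The abstract leaves the similarity measure and the window open. The added Go example below (not the patented implementation) makes one concrete choice: permission sets are compared with Jaccard similarity, only inside the same window, and when two groups are near-identical and one is a strict superset of the other, the superset's extra permissions are flagged and can be removed. The window being an account name, the 0.7 threshold and the sample roles are assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// Group is a set of permissions (e.g. an IAM role's allowed actions) inside a window.
type Group struct {
	Window string
	Name   string
	Perms  map[string]bool
}

type Finding struct {
	Window, Group, Peer string
	Similarity          float64
	Extra               []string // permissions Group has that Peer does not
}

func jaccard(a, b map[string]bool) float64 {
	inter := 0
	for p := range a {
		if b[p] {
			inter++
		}
	}
	union := len(a) + len(b) - inter
	if union == 0 {
		return 1
	}
	return float64(inter) / float64(union)
}

// extras returns the permissions in a that are absent from b, sorted.
func extras(a, b map[string]bool) []string {
	var out []string
	for p := range a {
		if !b[p] {
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out
}

// DetectAbnormal compares every pair of groups inside the same window and
// flags the superset's extra permissions when the pair is near-identical.
func DetectAbnormal(groups []Group, threshold float64) []Finding {
	byWindow := map[string][]Group{}
	for _, g := range groups {
		byWindow[g.Window] = append(byWindow[g.Window], g)
	}
	var findings []Finding
	for _, gs := range byWindow {
		for i := 0; i < len(gs); i++ {
			for j := i + 1; j < len(gs); j++ {
				sim := jaccard(gs[i].Perms, gs[j].Perms)
				if sim < threshold || sim == 1 {
					continue
				}
				ei, ej := extras(gs[i].Perms, gs[j].Perms), extras(gs[j].Perms, gs[i].Perms)
				switch {
				case len(ei) > 0 && len(ej) == 0:
					findings = append(findings, Finding{gs[i].Window, gs[i].Name, gs[j].Name, sim, ei})
				case len(ej) > 0 && len(ei) == 0:
					findings = append(findings, Finding{gs[j].Window, gs[j].Name, gs[i].Name, sim, ej})
				}
			}
		}
	}
	sort.Slice(findings, func(a, b int) bool { return findings[a].Group < findings[b].Group })
	return findings
}

// Remediate deletes the flagged extra permissions in place; returns the count removed.
func Remediate(groups []Group, findings []Finding) int {
	idx := map[string]map[string]bool{}
	for _, g := range groups {
		idx[g.Window+"/"+g.Name] = g.Perms
	}
	n := 0
	for _, f := range findings {
		perms := idx[f.Window+"/"+f.Group]
		for _, p := range f.Extra {
			if perms[p] {
				delete(perms, p)
				n++
			}
		}
	}
	return n
}

func set(perms ...string) map[string]bool {
	m := map[string]bool{}
	for _, p := range perms {
		m[p] = true
	}
	return m
}

// SampleGroups is constructed: two near-identical deploy roles in "prod",
// the legacy one also carrying iam:PassRole.
func SampleGroups() []Group {
	return []Group{
		{"prod", "ci-deploy", set("s3:GetObject", "s3:PutObject", "lambda:UpdateFunctionCode")},
		{"prod", "ci-deploy-legacy", set("s3:GetObject", "s3:PutObject", "lambda:UpdateFunctionCode", "iam:PassRole")},
		{"prod", "analyst", set("s3:GetObject", "athena:StartQueryExecution")},
		{"dev", "dev-a", set("ec2:DescribeInstances")},
		{"dev", "dev-b", set("ec2:DescribeInstances", "ec2:TerminateInstances")},
	}
}

func main() {
	groups := SampleGroups()
	findings := DetectAbnormal(groups, 0.7)
	fmt.Printf("%+v\n", findings)
	fmt.Println("removed:", Remediate(groups, findings))
}
```

Note that the two dev roles differ by one permission too, but their similarity (0.5) is below the threshold, so nothing is removed there: the threshold is what separates "a near-duplicate role with a stray grant" from "two genuinely different roles".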
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
Systems and methods for providing an identity power scoring system for cloud environments. Various embodiments include collecting entitlement information associated with a user of a cloud environment; deriving a global power score of the identity, the global power score being based on the identity's entitlements in the cloud environment; and providing the global power score to security administrators of the cloud environment by way of a Graphical User Interface (GUI).
Systems and methods for intelligent application definition and protection. In various embodiments, steps include receiving a destination service definition from a customer; performing an assessment of the destination service to determine one or more policies to use for the destination service; responsive to receiving a request from a user to access the destination service, directing the request to a control layer, and enforcing one or more controls on the request based on the one or more policies; and providing access to the destination service to the user based on the one or more controls.
Systems and methods for dynamic distributed name resolution. In various embodiments, steps include receiving a request from a user to access a destination service; resolving an Internet Protocol (IP) address for the destination service based on one or more characteristics of the request; enforcing one or more controls on the request based on a configuration provided by an owner of the destination service; and providing access to the destination service to the user based on the one or more controls.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories or standardised directory access protocols, using domain name system [DNS]
19.
Systems and methods for detecting and assigning identities for workloads
Systems and methods for determining and assigning identities to workloads in a cloud-based system. Various embodiments include monitoring traffic in a cloud-based system; extracting identification information from one or more payloads originating from one or more workloads operating in the cloud-based system; assigning an identity to each of the one or more workloads based on the identification information; and enforcing policies on the one or more workloads and traffic associated therewith based on the assigned identity.
Systems and methods for generating sub-identities for workloads in a cloud-based system. Various embodiments include receiving a key from an external system; generating one or more sub-identities from the key; assigning the one or more sub-identities to one or more workloads; and enforcing policies on the one or more workloads and traffic associated therewith based on the one or more sub-identities.
Systems and methods for private application access continuity include providing access to one or more private applications for users associated with a tenant of a cloud-based system; detecting one or more criteria suggesting an outage of the cloud-based system; and responsive to activation of a disaster recovery mode based on the one or more criteria, providing access to the one or more private applications via an on-site disaster recovery system including a site controller, wherein providing the access via the site controller does not require communication with the cloud-based system.
The present disclosure includes systems and methods for a security policy framework. Various embodiments include responsive to receiving a trigger, fetching one or more policies from a policy catalog service; compiling the one or more policies into a query, wherein the one or more policies can be compiled into a plurality of different query languages; executing the query over customer data, the customer data being located in one or more data sources; and persisting results of the query.
The present disclosure includes systems and methods for anomaly detection on resource activity logs. Various embodiments include collecting resource activity data from a plurality of resources in a cloud environment, the resource activity data including information related to a plurality of events associated with the plurality of resources in the cloud environment; aggregating and performing one or more calculations on the resource activity data to represent the plurality of resources in vector form; determining a probability of a sequence of events to be executed by a resource of the plurality of resources based on the vector form of the resource; and determining an anomaly score for the sequence of events being executed by the resource based on the probability.
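The abstract describes a probability over event sequences computed from a per-resource vector. As an added example (not the patented model), the Go program below uses one of the simplest concrete forms of that idea: each resource's history is reduced to a vector of action-transition counts (a first-order Markov profile), a new sequence is scored by its average surprisal in bits per event under that profile, and add-one smoothing keeps never-seen actions improbable rather than impossible. The sample history and the 1-bit alerting threshold in the usage note are assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// Event is one line of a resource activity log (constructed shape).
type Event struct {
	Resource string
	Action   string
}

// Profile is the per-resource vector: counts of first actions and of
// action-to-action transitions.
type Profile struct {
	actions map[string]bool
	start   map[string]int
	trans   map[string]map[string]int
}

func newProfile() *Profile {
	return &Profile{map[string]bool{}, map[string]int{}, map[string]map[string]int{}}
}

// BuildProfiles aggregates the log per resource, in log order.
func BuildProfiles(history []Event) map[string]*Profile {
	profiles := map[string]*Profile{}
	last := map[string]string{}
	for _, e := range history {
		p := profiles[e.Resource]
		if p == nil {
			p = newProfile()
			profiles[e.Resource] = p
		}
		p.actions[e.Action] = true
		if prev, seen := last[e.Resource]; seen {
			if p.trans[prev] == nil {
				p.trans[prev] = map[string]int{}
			}
			p.trans[prev][e.Action]++
		} else {
			p.start[e.Action]++
		}
		last[e.Resource] = e.Action
	}
	return profiles
}

// logP is log2 P(next | prev) with Laplace smoothing over the known actions
// plus one slot reserved for anything unseen.
func (p *Profile) logP(prev, next string, first bool) float64 {
	counts := p.trans[prev]
	if first {
		counts = p.start
	}
	total := 0
	for _, c := range counts {
		total += c
	}
	vocab := len(p.actions) + 1
	return math.Log2(float64(counts[next]+1) / float64(total+vocab))
}

// AnomalyScore is the mean surprisal of the sequence in bits per event;
// the higher it is, the less the profile expected this sequence.
func AnomalyScore(p *Profile, seq []string) float64 {
	if len(seq) == 0 {
		return 0
	}
	sum, prev := 0.0, ""
	for i, a := range seq {
		sum -= p.logP(prev, a, i == 0)
		prev = a
	}
	return sum / float64(len(seq))
}

// SampleHistory is constructed: a workload role that only ever alternates
// object reads and table queries.
func SampleHistory() []Event {
	var h []Event
	for i := 0; i < 20; i++ {
		h = append(h, Event{"role/app-server", "s3:GetObject"}, Event{"role/app-server", "dynamodb:Query"})
	}
	return h
}

func main() {
	p := BuildProfiles(SampleHistory())["role/app-server"]
	usual := []string{"s3:GetObject", "dynamodb:Query", "s3:GetObject"}
	unusual := []string{"iam:CreateAccessKey", "sts:AssumeRole", "ec2:RunInstances"}
	fmt.Printf("usual:   %.2f bits/event\n", AnomalyScore(p, usual))
	fmt.Printf("unusual: %.2f bits/event\n", AnomalyScore(p, unusual))
}
```

With this history the routine sequence scores about 0.42 bits/event and the credential-creation sequence about 1.72; a threshold of 1 bit/event separates them here, but a real threshold should be set per resource from the score distribution of its own history.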
Systems and methods for differential dynamic memory scanning include, responsive to execution of a program, performing a baseline memory scan of the program; storing data associated with a plurality of memory regions of the program based on the baseline memory scan; performing one or more subsequent memory scans of the program during execution of the program to determine if one or more of the plurality of memory regions incurred a modification; and monitoring one or more altered memory regions based thereon.
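The following is an added Go example of the differential scan (not the patented scanner): a baseline records a hash and a copy of every region, later scans cost one hash per unchanged region and fall back to a byte-level diff only for altered ones, and a region that was absent at baseline (a new mapping) is reported as new. Process memory is simulated with in-memory byte slices, which is an assumption; a real scanner would read regions through the OS debugging interface.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Region is one mapped range of the target process (constructed shape).
type Region struct {
	Name string // e.g. ".text", "[stack]"
	Data []byte
}

type Change struct {
	Region string
	Offset int  // first differing byte
	Length int  // bytes up to and including the last differing byte
	New    bool // region was not present in the baseline
}

type Scanner struct {
	hashes  map[string][32]byte
	copies  map[string][]byte
	Watched map[string]bool // regions altered at least once since baseline
}

func (s *Scanner) record(r Region) {
	s.hashes[r.Name] = sha256.Sum256(r.Data)
	s.copies[r.Name] = append([]byte(nil), r.Data...)
}

// Baseline snapshots every region at program start.
func Baseline(regions []Region) *Scanner {
	s := &Scanner{map[string][32]byte{}, map[string][]byte{}, map[string]bool{}}
	for _, r := range regions {
		s.record(r)
	}
	return s
}

// Rescan reports regions that changed since baseline and where they changed.
func (s *Scanner) Rescan(regions []Region) []Change {
	var out []Change
	for _, r := range regions {
		old, known := s.copies[r.Name]
		if !known {
			out = append(out, Change{r.Name, 0, len(r.Data), true})
			s.Watched[r.Name] = true
			s.record(r) // track the new mapping from now on
			continue
		}
		if sha256.Sum256(r.Data) == s.hashes[r.Name] {
			continue
		}
		first, last := diffSpan(old, r.Data)
		out = append(out, Change{r.Name, first, last - first + 1, false})
		s.Watched[r.Name] = true
	}
	return out
}

// diffSpan returns the first and last differing offsets; a size change
// counts as a difference running to the end of the longer buffer.
func diffSpan(old, cur []byte) (first, last int) {
	n := len(old)
	if len(cur) < n {
		n = len(cur)
	}
	first = n
	for i := 0; i < n; i++ {
		if old[i] != cur[i] {
			first = i
			break
		}
	}
	last = -1
	for i := n - 1; i >= 0; i-- {
		if old[i] != cur[i] {
			last = i
			break
		}
	}
	if len(old) != len(cur) {
		last = len(old) - 1
		if len(cur) > len(old) {
			last = len(cur) - 1
		}
	}
	return first, last
}

func sampleText() []byte {
	b := make([]byte, 64)
	for i := range b {
		b[i] = byte(0x90 + i%7) // constructed stand-in for code bytes
	}
	return b
}

// Demo returns the changes from a clean rescan and from a rescan after a
// constructed 4-byte patch at .text+8 and an unexpected RWX mapping.
func Demo() (clean, dirty []Change) {
	text, stack := sampleText(), make([]byte, 32)
	s := Baseline([]Region{{".text", text}, {"[stack]", stack}})
	clean = s.Rescan([]Region{{".text", text}, {"[stack]", stack}})
	copy(text[8:], []byte{0xE9, 0x00, 0x10, 0x00})
	dirty = s.Rescan([]Region{{".text", text}, {"[stack]", stack}, {"[anon:rwx]", make([]byte, 16)}})
	return clean, dirty
}

func main() {
	clean, dirty := Demo()
	fmt.Printf("clean: %+v\ndirty: %+v\n", clean, dirty)
}
```

Keeping a copy of each region doubles memory use against the baseline; a scanner that only needs to know *that* a region changed can keep the hashes alone and re-read the region on demand for the localisation step.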
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
25.
Systems and methods for utilizing Large Language Models (LLMs) for improving machine learning models in network and computer security
Systems and methods for utilizing Large Language Models (LLMs) for improving machine learning models in network and computer security include obtaining tabular data related to an aspect of networking and computer security; converting the tabular data to natural language for each row in the tabular data; inputting the natural language for each row in the tabular data into a Large Language Model (LLM); obtaining an output from the LLM for each row in the tabular data with embedded data therewith; and utilizing the output to train a machine learning model related to the aspect of networking and computer security.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
26.
Systems and methods for detecting and remediating inconsistent tags in cloud-native networks
Systems and methods for detecting and remediating inconsistent tags in cloud-native networks include collecting tags from all resources in a cloud environment; converting each of the tags to a desired format and extracting unique tags in the desired format; calculating a similarity score between all of the unique tags in the desired format and creating tag pairs based on the similarity scores; and selecting a suggested tag for each of the tag pairs based on a number of appearances of each of the tags in the tag pairs. In various embodiments the steps can further include identifying a new resource in the cloud environment; and utilizing one or more machine learning models to determine if the new resource has inaccurate tags, and providing tag suggestions based thereon.
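An added Go example of the four steps (collect, normalise, pair by similarity, suggest by frequency); this is not the patented implementation. Tags are reduced to a canonical `key=value` string, unique strings are compared pairwise with a normalised Levenshtein similarity, and for each close pair the spelling seen on more resources is proposed. The normalisation rules, the 0.85 threshold and the sample inventory are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

type Resource struct {
	ID   string
	Tags map[string]string
}

type Pair struct {
	A, B      string
	Score     float64
	Suggested string
}

var canon = strings.NewReplacer(" ", "-", "_", "-")

// Normalize lower-cases, trims and unifies separators in key and value.
func Normalize(key, value string) string {
	f := func(s string) string { return canon.Replace(strings.ToLower(strings.TrimSpace(s))) }
	return f(key) + "=" + f(value)
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein is the two-row edit distance.
func levenshtein(a, b []rune) int {
	prev, cur := make([]int, len(b)+1), make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// Similarity is 1 - edits/longer length, so 1.0 means identical.
func Similarity(a, b string) float64 {
	ra, rb := []rune(a), []rune(b)
	n := len(ra)
	if len(rb) > n {
		n = len(rb)
	}
	if n == 0 {
		return 1
	}
	return 1 - float64(levenshtein(ra, rb))/float64(n)
}

// FindInconsistentTags returns close pairs of distinct normalised tags with
// the more frequently used spelling as the suggestion.
func FindInconsistentTags(resources []Resource, threshold float64) []Pair {
	counts := map[string]int{}
	for _, r := range resources {
		for k, v := range r.Tags {
			counts[Normalize(k, v)]++
		}
	}
	uniq := make([]string, 0, len(counts))
	for t := range counts {
		uniq = append(uniq, t)
	}
	sort.Strings(uniq)
	var pairs []Pair
	for i := 0; i < len(uniq); i++ {
		for j := i + 1; j < len(uniq); j++ {
			if s := Similarity(uniq[i], uniq[j]); s >= threshold {
				suggested := uniq[i]
				if counts[uniq[j]] > counts[uniq[i]] {
					suggested = uniq[j]
				}
				pairs = append(pairs, Pair{uniq[i], uniq[j], s, suggested})
			}
		}
	}
	return pairs
}

// SampleResources is constructed: several spellings of the environment tag.
func SampleResources() []Resource {
	return []Resource{
		{"i-1", map[string]string{"Environment": "Production", "Owner": "platform"}},
		{"i-2", map[string]string{"Environment": "Production", "Owner": "platform"}},
		{"i-3", map[string]string{"environment": "production"}},
		{"i-4", map[string]string{"Enviroment": "Production"}}, // typo in the key
		{"i-5", map[string]string{"Env": "Prod"}},              // too different to pair automatically
	}
}

func main() {
	for _, p := range FindInconsistentTags(SampleResources(), 0.85) {
		fmt.Printf("%q ~ %q (%.2f) -> use %q\n", p.A, p.B, p.Score, p.Suggested)
	}
}
```

Case and separator differences disappear in the normalisation step, so only genuine spelling drift (here `Enviroment`) reaches the similarity step; the abbreviation `Env=Prod` falls below the threshold and would need the model-based suggestion the abstract describes for new resources.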
Systems and methods for removing sensitive information from a cloud-based system include receiving one or more dictionaries, the one or more dictionaries including a plurality of field names identified as corresponding to sensitive information; analyzing one or more data storage schemas, the one or more data storage schemas defining how data is stored in a cloud-based system; comparing a plurality of variables within the one or more data storage schemas to the field names in the one or more dictionaries for identifying matches therein; and responsive to identifying a match between a variable of the plurality of variables and one or more of the field names, performing an action based thereon.
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
H04L 67/1097 - Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
28.
Systems and methods for automated assignment and alerting of non-compliant resources
The present disclosure includes systems and methods for posture control of cloud environments. Various embodiments include scanning a cloud environment for posture control data; identifying configurations associated with one or more resources in the cloud environment; generating one or more alerts related to the one or more resources based on the configurations; and assigning the one or more alerts to one or more individuals. The one or more alerts can then be sent to the one or more individuals based on the assigning.
H04L 41/0681 - Configuration of triggering conditions
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
H04L 41/28 - Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
29.
Machine learning using a diffusion model for out-of-distribution detection of time series data
Systems and methods for using a diffusion machine learning model for out-of-distribution (OOD) detection of time series data include steps of receiving an input time series; causing random imputations in the input time series to provide an imputed time series; processing the imputed time series with a diffusion model that has been parameterized on a given in-distribution time series to obtain a reconstructed time series; and comparing the reconstructed time series with the input time series to determine whether the input time series is out-of-distribution with respect to the in-distribution time series. In particular, the present disclosure includes a novel approach for using a diffusion model for OOD detection that does not require labels for OOD data.
Systems and methods for pause and resume functionality for shared Privileged Remote Access (PRA) sessions. The methods include steps of, responsive to determining one or more users are allowed to access an application associated with infrastructure, determining the one or more users' security and access policies, and creating a Privileged Remote Access (PRA) session for the one or more users; brokering a connection between one or more user devices associated with the one or more users and the application through a lightweight connector, and enabling the one or more users to send commands to the application; receiving a pause command from one of the one or more users; and responsive to receiving the pause command, blocking commands from the one or more users from reaching the application.
Systems and methods to protect shared Privileged Remote Access (PRA) sessions based on user risk include receiving, at a Privileged Remote Access (PRA) system, one or more invitations from a host, the one or more invitations being for one or more users to join a PRA session; responsive to receiving the one or more invitations, determining a risk score of each of the one or more users associated with the one or more invitations; and rejecting or allowing each of the one or more invitations based on the risk score of each of the one or more users.
Systems and methods for a zero trust (ZT) network branch, which includes an edge switch on premises (on prem) with other services offered in the cloud, include a plurality of endpoints on the branch network, each configured in a network of one, and routing east-west and north-south traffic flows associated with the plurality of endpoints through a cloud for security processing thereon. The security processing is based on one or more security applications selectively configured for the east-west and north-south traffic flows.
A method includes monitoring content inline between any of users, enterprises, and the Internet by a cloud-based system; analyzing the content with a trained machine learning model to provide an initial classification of benign or malicious; determining an uncertainty associated with the initial classification; and one of allowing the content, blocking the content, and sandboxing the content, based on the initial classification and the uncertainty. The uncertainty is used to minimize latency for user experience while avoiding incorrect classifications, in the inline monitoring.
Systems and methods for cloud-based inline encrypted traffic inspection include monitoring a plurality of users having associated user devices communicating over the Internet, the plurality of users each being associated with one of a plurality of organizations; responsive to traffic being encrypted by any user of the plurality of users, performing operations to enable inline access to the encrypted traffic for that user; obtaining a policy for that user, where the policy is determined by the organization associated with the user and defines how the encrypted traffic is inspected; inspecting the encrypted traffic for that user based on the obtained policy; and performing actions on the encrypted traffic based on the inspecting.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
Systems and methods for providing efficient remediations for cloud environment vulnerabilities. The present systems and methods are configured to calculate the most efficient remediations to reduce cloud environments' risks, calculate a cloud environment's biggest risks and weaknesses, and provide a holistic overview of a cloud environment across different service providers. In an embodiment, steps include scanning a cloud environment for posture control data; identifying a plurality of security risk events based on the scanning; calculating a risk score for each of the plurality of security risk events; and determining and recommending one or more remediations based on the risk score of each of the plurality of security risk events and how efficient each remediation is.
The disclosed systems and methods are used for collecting information on third-party applications. A search is performed to detect uniform resource locators (URLs) associated with web pages that allow downloading at least one third-party application. The search is based on URL patterns previously and uniquely determined for each digital data source. An identifier, e.g., a client ID, of a third-party application is extracted from each URL of a web page that allows downloading a third-party application. The system then initiates a software as a service (SaaS) instance in a cloud-based computing environment, provides the third-party application with access credentials for the SaaS instance, and extracts attributes and behavior data of the third-party application based on at least the actions the third-party application performs in the SaaS instance.
Systems and methods include receiving a request from a user device for access to an application; performing an authentication of the request via a customer Identity Provider (IDP); receiving a Security Assertion Markup Language (SAML) assertion from the customer IDP; and performing an action based on the SAML assertion, the action being one of blocking the request, allowing the request, and isolating the request.
Kill-chain reconstruction via machine learning includes, responsive to (1) training one or more machine learning models for kill-chain reconstruction, (2) monitoring one or more users associated with an enterprise, and (3) detecting an incident that is one or more of a threat and a policy violation for a user of the one or more users, identifying a transaction associated with the threat or policy violation as a seed transaction; retrieving transactions of the user from a preconfigured time window leading up to and occurring after the seed transaction; and reconstructing a kill-chain based on the seed transaction and the time window.
Systems and methods for policy-based distributed packet capture include collecting, at one or more capture points distributed across one or more cloud environments, packet capture data; retaining the packet capture data at one or more packet capture caches associated with the one or more capture points; and sending the packet capture data to a packet store associated with a tenant of a cloud-based system. The collecting can be based on a preconfigured policy dictating what specific data is captured at the one or more capture points.
The present disclosure includes systems and methods for multi-cloud network analysis and threat intelligence correlation. In various embodiments, systems are adapted to perform steps of retrieving network flow logs associated with one or more Virtual Private Cloud (VPC) networks; processing the network flow logs to identify new files and enriching critical fields from the network flow logs; transforming and aggregating the network flow logs for further processing; and identifying threats associated with the one or more VPC networks.
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
41.
Infrastructure as Code (IaC) scanner for infrastructure component security
Systems and methods for an Infrastructure as Code (IaC) scanner for infrastructure component security. Various embodiments include steps of receiving one or more files for security scanning; extracting and parsing one or more resources from the one or more files; evaluating one or more policies for each of the one or more resources, thereby ensuring that underlying infrastructure components are configured securely; and displaying findings and details associated with the evaluating of the one or more resources.
Systems and methods for cloud activity anomaly detection include receiving historical data from a historical time span associated with an identity, wherein the historical data includes activities performed by the identity and times when the activities took place; computing an activity prediction for a future time span based on the historical data, wherein the activity prediction specifies intervals within the future time span when future activities are expected to take place; performing inline monitoring of activity between the identity and a cloud-based system; and responsive to an activity taking place outside of the activity prediction, performing an action based thereon.
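As an added example of the prediction-and-monitoring loop (not the patented method), the Go program below buckets an identity's historical activity by weekday and hour, marks a bucket as expected for the coming week when the identity was active in it during at least a minimum number of the observed weeks, and then escalates inline events that fall outside the expected buckets. The hour-sized bucket, the three-of-four-weeks rule, the step-up action and the constructed history are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Bucket is one (weekday, hour) slot of a weekly activity pattern.
type Bucket struct {
	Weekday time.Weekday
	Hour    int
}

type Prediction struct {
	Expected map[Bucket]bool
}

// Predict marks a bucket as expected if the identity was active in it during
// at least minWeeks distinct ISO weeks of the history.
func Predict(history []time.Time, minWeeks int) Prediction {
	weeks := map[Bucket]map[int]bool{}
	for _, t := range history {
		t = t.UTC()
		y, w := t.ISOWeek()
		b := Bucket{t.Weekday(), t.Hour()}
		if weeks[b] == nil {
			weeks[b] = map[int]bool{}
		}
		weeks[b][y*100+w] = true
	}
	p := Prediction{Expected: map[Bucket]bool{}}
	for b, ws := range weeks {
		if len(ws) >= minWeeks {
			p.Expected[b] = true
		}
	}
	return p
}

func (p Prediction) InWindow(t time.Time) bool {
	t = t.UTC()
	return p.Expected[Bucket{t.Weekday(), t.Hour()}]
}

type Decision struct {
	At     time.Time
	Action string
}

// Monitor is the inline hook: events outside the predicted intervals are escalated.
func Monitor(p Prediction, events []time.Time) []Decision {
	out := make([]Decision, 0, len(events))
	for _, t := range events {
		action := "allow"
		if !p.InWindow(t) {
			action = "step-up-auth"
		}
		out = append(out, Decision{t, action})
	}
	return out
}

// SampleHistory is constructed: four weeks of Mon-Fri 09:00-16:59 UTC
// activity plus one late-night login that must not become expected.
func SampleHistory() []time.Time {
	start := time.Date(2024, time.March, 4, 0, 0, 0, 0, time.UTC) // a Monday
	var h []time.Time
	for week := 0; week < 4; week++ {
		for day := 0; day < 5; day++ {
			for hour := 9; hour < 17; hour++ {
				h = append(h, start.AddDate(0, 0, week*7+day).Add(time.Duration(hour)*time.Hour+15*time.Minute))
			}
		}
	}
	return append(h, time.Date(2024, time.March, 13, 23, 30, 0, 0, time.UTC))
}

func main() {
	p := Predict(SampleHistory(), 3)
	events := []time.Time{
		time.Date(2024, time.April, 2, 10, 5, 0, 0, time.UTC),  // Tuesday morning
		time.Date(2024, time.April, 6, 11, 0, 0, 0, time.UTC),  // Saturday
		time.Date(2024, time.April, 3, 23, 10, 0, 0, time.UTC), // Wednesday night
	}
	for _, d := range Monitor(p, events) {
		fmt.Println(d.At.Format(time.RFC822), d.Action)
	}
}
```

The "at least minWeeks of the observed weeks" rule is what keeps a single unusual login from widening the expected window for every following week; a model that simply unioned all past activity would learn the anomaly as normal.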
Systems and methods for agentless workload vulnerability scanning include creating a snapshot of a workload in a cloud environment and analyzing workload data from the snapshot to identify one or more characteristics of the workload. The characteristics can be used to identify vulnerabilities present in the workload by correlation. These identified vulnerabilities can be persisted in a database and displayed to users for alerting and remediation.
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
Systems and methods for using Large Language Models (LLMs) to generate an Artificial Intelligence (AI) report on security risk from cybersecurity data include obtaining cybersecurity monitoring data for an organization where the cybersecurity monitoring data is from a plurality of sources including from cybersecurity monitoring of a plurality of users associated with the organization; inputting the cybersecurity monitoring data to a first Large Language Model (LLM) to generate an initial output for a security report; inputting the initial output to a second LLM for critiquing the initial output against a set of rules to check for predefined flaws and to check for what was done correctly to generate a critique; resolving the initial output and the critique to generate a final output; and providing the final output for the security report.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
45.
Systems and methods for cloud sandboxing with browser isolation for immediate content access
Systems and methods include responsive to a user attempting to access content in a cloud-based system, obtaining the content associated with the user; sending the content to a sandbox for processing; rendering the content within an isolated browser, thereby allowing the user to interact with the content during the processing; and receiving a verdict from the sandbox, wherein the verdict labels the content as one of malicious, benign, and unknown, and performing an action based thereon.
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
46.
Natural language interface for querying cloud security logs
Systems and methods for processing search queries are provided. A method, according to one implementation, includes a step of receiving a search request from an authorized user associated with an enterprise, wherein the search request includes natural language and is received via a query field of a User Interface (UI). The method also includes a step of parsing the search request to convert the natural language into one or more search parameters and a display format. Also, the method includes a step of retrieving log data from a private database associated with the enterprise, wherein the log data is retrieved in accordance with the one or more search parameters and is related to network activities associated with the enterprise. Furthermore, the method includes a step of displaying the log data on the UI in accordance with the display format.
Systems and methods for providing identity services are provided. A method, according to one implementation, includes a step of assuming unified and centralized responsibility for performing identity-related services for a plurality of network security products. In response to an end user device attempting to initiate a session with a selected network security product of the plurality of network security products, the method may perform the identity-related services to manage or authenticate an identity of the end user device or a user of the end user device. Then, the method includes a step of enabling the end user device to establish the session with or receive a service from the selected network security product after performing the identity-related services.
Systems and methods are provided for protecting identity information in a directory, such as Active Directory. A method, according to one implementation, includes the step of conducting a scan of a directory of a network domain to gain visibility of one or more vulnerabilities of the directory. The one or more vulnerabilities define a potential security risk that would allow an attacker to leverage identity-related information from the directory. The method further includes the step of guiding an administrator regarding management of the directory to reduce the potential security risk. Also, the method includes the step of monitoring the directory for one or more attacks to leverage the identity-related information.
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Systems and methods for providing zero trust access to source applications, implemented in a cloud-based system. The method includes steps of, intercepting client application information; identifying if the application is a known application based on an application catalog, and collecting known information of the application from the application catalog; sending the application information to an enforcement node of a cloud-based system in a first packet; and sending only an application Identification (ID) in subsequent packets, wherein the application ID is used for policy enforcement.
Systems and methods are provided for creating a User Interface (UI) that allows a user to perform a search query. According to one implementation, a method includes a step of displaying a UI having a search request section and a dashboard section. The search request section is configured to allow an admin associated with an enterprise to enter a search query using natural language. The dashboard section is configured to display results of the search query. Upon receiving a search query from the admin via the search request section, the method further includes a step of retrieving log data from a private database associated with the enterprise according to search parameters parsed from the search query. Also, the method includes a step of displaying the log data in the dashboard section of the UI according to a display format parsed from the search query.
Systems and methods for analyzing cybersecurity data to determine financial risk include obtaining cybersecurity monitoring data for an organization where the cybersecurity monitoring data is from a plurality of sources including from cybersecurity monitoring of a plurality of users associated with the organization; determining a current cyber risk posture of the organization based on the cybersecurity monitoring data; determining inputs for a Monte Carlo simulation to characterize financial losses of the organization due to a cyber event in a predetermined time period based on (1) an associated industry of the organization, (2) a size of the organization, and (3) the current cyber risk posture of the organization; performing a plurality of trials of the Monte Carlo simulation utilizing the inputs; and displaying a risk distribution curve based on results of the plurality of trials where the risk distribution curve plots a curve of losses versus a probability.
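A worked example of the Monte Carlo step, added here as an illustration and not taken from the patent: the tables that map industry, organization size and posture score onto an event rate and a lognormal severity are invented placeholders rather than calibrated figures, and simulation_inputs, simulate_annual_losses, loss_exceedance_curve and summarize are this example's own names.

```python
"""Monte Carlo estimate of annual cyber loss from industry, size and posture.

Added example, not the patent's model. The parameter tables that map industry,
organisation size and cyber risk posture onto event frequency and severity are
illustrative assumptions, not calibrated figures.
"""
import bisect
import math
import random

# Assumed calibration. Frequency is expected cyber events per year; severity per
# event is lognormal with a median that scales with organisation size (USD).
INDUSTRY_BASE_FREQ = {"finance": 0.8, "healthcare": 0.7, "retail": 0.5, "other": 0.4}
SIZE_SEVERITY_MEDIAN = {"small": 2.0e5, "medium": 1.5e6, "large": 8.0e6}
SEVERITY_SIGMA = 1.0


def simulation_inputs(industry, size, posture_score):
    """Derive the simulation inputs from (1) industry, (2) size and (3) current posture.

    posture_score is in [0, 1], 1 being the strongest posture. The assumed effect is
    a frequency multiplier from 2.0 (worst posture) down to 0.5 (best posture).
    """
    if not 0.0 <= posture_score <= 1.0:
        raise ValueError("posture_score must be in [0, 1]")
    base = INDUSTRY_BASE_FREQ.get(industry, INDUSTRY_BASE_FREQ["other"])
    rate = base * (2.0 - 1.5 * posture_score)
    return {"rate": rate, "mu": math.log(SIZE_SEVERITY_MEDIAN[size]), "sigma": SEVERITY_SIGMA}


def _poisson(rate, rng):
    """Number of events in one period (Knuth's method; adequate for small rates)."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_losses(inputs, trials=10_000, seed=1):
    """One trial = one simulated year: draw the event count, then a loss per event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        n_events = _poisson(inputs["rate"], rng)
        losses.append(sum(rng.lognormvariate(inputs["mu"], inputs["sigma"])
                          for _ in range(n_events)))
    return losses


def loss_exceedance_curve(losses, points=20):
    """Risk distribution curve: (loss, probability that the annual loss >= loss)."""
    ordered = sorted(losses)
    n = len(ordered)
    curve = []
    for i in range(points + 1):
        x = ordered[int(i * (n - 1) / points)]
        curve.append((x, (n - bisect.bisect_left(ordered, x)) / n))
    return curve


def summarize(losses):
    """Headline figures a risk report would show next to the curve."""
    ordered = sorted(losses)
    n = len(ordered)
    return {
        "mean": sum(ordered) / n,
        "p95": ordered[int(0.95 * (n - 1))],
        "p_any_loss": sum(1 for loss in ordered if loss > 0) / n,
    }


if __name__ == "__main__":
    for posture in (0.2, 0.9):
        stats = summarize(simulate_annual_losses(simulation_inputs("finance", "medium", posture)))
        print(f"posture={posture}: mean=${stats['mean']:,.0f} p95=${stats['p95']:,.0f} "
              f"P(any loss)={stats['p_any_loss']:.2f}")
```

The curve is plotted as losses on the x-axis against exceedance probability on the y-axis; with a compound Poisson model the probability of any loss at all is 1 - exp(-rate), so the posture multiplier moves the whole curve, not just its tail.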
Systems and methods for collecting and displaying business insights in a cloud-based system. Steps include obtaining data from a cloud-based system associated with any of applications, infrastructure, and employees of an organization, wherein the cloud-based system includes a plurality of organizations with the applications, infrastructure, and employees each assigned thereto; processing the data associated with the organization to determine a plurality of insights; and displaying the plurality of insights on a per-organization basis based on the processing.
G06Q 10/0637 - Strategic management or analysis, e.g. setting a goal or target of an organisation; Planning actions based on goals; Analysis or evaluation of effectiveness of goals
Systems and methods for Large Language Models (LLMs) to generate an Artificial Intelligence (AI) business insight report using business insight data include obtaining business insight data for an organization where the business insight data is from a plurality of sources including from monitoring of a plurality of users associated with the organization; inputting the business insight data to a first Large Language Model (LLM) to generate an initial output for a business insight report; inputting the initial output to a second LLM for critiquing the initial output against a set of rules to check for predefined flaws and to check for what was done correctly to generate a critique; resolving the initial output and the critique to generate a final output; and providing the final output for the business insight report.
G06Q 10/0635 - Risk analysis of enterprise or organisation activities
G06Q 10/0637 - Strategic management or analysis, e.g. setting a goal or target of an organisation; Planning actions based on goals; Analysis or evaluation of effectiveness of goals
G06Q 10/067 - Enterprise or organisation modelling
54.
Systems and methods for browser isolation via a virtualized Graphics Processing Unit (GPU)
Systems and methods for browser isolation via a virtualized Graphics Processing Unit (GPU). Various embodiments include steps of initiating a browser isolation session between a user device and a server associated with a cloud-based system; receiving a request for a resource from the user device; sending Graphics Processing Unit (GPU) commands associated with the resource to the user device over a network; and rendering graphics based on the GPU commands at the user device.
Systems and methods for Virtual Private Network (VPN) brokering to enterprise resources include receiving a connection from a Virtual Private Network (VPN) device associated with a third party network; receiving a request from the third party network to access a resource, wherein the resource is in one of a public cloud, a private cloud, and an enterprise network; determining if an entity associated with the request is permitted to access the resource; and responsive to the determining, creating secure tunnels between the third party network and the resource.
Systems and methods are presented to provide application server protection by maintaining cross-session inspection context. In an embodiment, steps include monitoring user traffic in a cloud-based system; performing an inspection of the user traffic to determine if the user traffic includes malicious content; assigning a label to content of the user traffic, the label identifying the content as having any of a full match, a partial match, or no match to malicious content based on the inspection; and performing any of blocking the content, allowing the content, and storing a context entry of the content based on the label assigned to the content.
Systems and methods for detecting device change due to Dynamic Host Configuration Protocol (DHCP) in sparsely populated log data include monitoring and logging network traffic data; identifying one or more outlier time gaps associated with an Internet Protocol (IP) address used to communicate over the network within the logged network traffic data; and determining the occurrence of a DHCP change based on one or more network traffic characteristics of the IP address before and after the outlier time gap.
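The outlier-gap logic, as an added example run over a constructed log and not the patent's own code: the tab-separated log format, the MAD-based outlier rule with a one-hour floor, the Jaccard cutoff of 0.2, and the sample addresses and user agents are all assumptions of the example. Traffic "characteristics" here are the set of user agents and destinations seen on either side of the gap.

```python
"""Detect a device change behind a DHCP-assigned address from sparse flow logs.

Added example, not code from the patent abstract. The log format, the outlier
rule, the similarity cutoff and the sample records below are assumptions made
for the illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: "timestamp<TAB>client_ip<TAB>user_agent<TAB>destination".
# 10.0.0.7 is a laptop on day 1 and a printer on day 2 (lease re-assigned);
# 10.0.0.11 is the same laptop before and after a weekend; 10.0.0.9 has no gap.
WIN_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/124"
MAC_UA = "Mozilla/5.0 (Macintosh) Firefox/125"
SAMPLE_LOG = "\n".join([
    f"2024-05-01T08:00:00\t10.0.0.7\t{WIN_UA}\tmail.example.com",
    f"2024-05-01T08:05:00\t10.0.0.7\t{WIN_UA}\tcrm.example.com",
    f"2024-05-01T08:09:00\t10.0.0.7\t{WIN_UA}\tmail.example.com",
    f"2024-05-01T08:15:00\t10.0.0.7\t{WIN_UA}\tcrm.example.com",
    f"2024-05-01T08:20:00\t10.0.0.7\t{WIN_UA}\tmail.example.com",
    "2024-05-02T09:30:00\t10.0.0.7\tCUPS/2.4 IPP\tprint.example.com",
    "2024-05-02T09:33:00\t10.0.0.7\tCUPS/2.4 IPP\tprint.example.com",
    "2024-05-02T09:38:00\t10.0.0.7\tCUPS/2.4 IPP\tntp.example.com",
    f"2024-05-01T08:01:00\t10.0.0.9\t{MAC_UA}\twiki.example.com",
    f"2024-05-01T08:06:00\t10.0.0.9\t{MAC_UA}\twiki.example.com",
    f"2024-05-01T08:14:00\t10.0.0.9\t{MAC_UA}\tgit.example.com",
    f"2024-05-03T16:50:00\t10.0.0.11\t{MAC_UA}\twiki.example.com",
    f"2024-05-03T16:55:00\t10.0.0.11\t{MAC_UA}\tgit.example.com",
    f"2024-05-03T17:00:00\t10.0.0.11\t{MAC_UA}\twiki.example.com",
    f"2024-05-06T08:00:00\t10.0.0.11\t{MAC_UA}\tgit.example.com",
    f"2024-05-06T08:05:00\t10.0.0.11\t{MAC_UA}\twiki.example.com",
])

MIN_GAP_SECONDS = 3600      # a lease change inside an hour is implausible (assumption)
MAD_MULTIPLIER = 6          # robust outlier rule: gap > median + 6 * MAD
SIMILARITY_CUTOFF = 0.2     # Jaccard below this means "a different device"


def parse_log(text):
    """Group records per IP, sorted by time: ip -> [(ts, user_agent, destination)]."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, ua, dst = line.split("\t")
        by_ip[ip].append((datetime.fromisoformat(ts), ua, dst))
    for recs in by_ip.values():
        recs.sort()
    return by_ip


def find_outlier_gaps(records):
    """Indexes i where the gap between records[i] and records[i+1] is an outlier."""
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(records, records[1:])]
    if len(gaps) < 2:
        return []
    med = median(gaps)
    mad = median(abs(g - med) for g in gaps)
    # With very sparse data the MAD collapses to 0; fall back to a multiple of the median.
    threshold = med + MAD_MULTIPLIER * mad if mad > 0 else MAD_MULTIPLIER * med
    return [i for i, g in enumerate(gaps) if g > threshold and g >= MIN_GAP_SECONDS]


def _features(records):
    """Traffic characteristics used to fingerprint the device: user agents and destinations."""
    return {("ua", r[1]) for r in records} | {("dst", r[2]) for r in records}


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 1.0


def detect_dhcp_changes(by_ip):
    """For each outlier gap compare the traffic before and after it; a low similarity
    means the address is now used by a different device (a DHCP re-assignment)."""
    findings = []
    for ip, records in sorted(by_ip.items()):
        for i in find_outlier_gaps(records):
            before, after = records[: i + 1], records[i + 1:]
            sim = jaccard(_features(before), _features(after))
            findings.append({
                "ip": ip,
                "gap_start": records[i][0].isoformat(),
                "gap_end": records[i + 1][0].isoformat(),
                "gap_seconds": (records[i + 1][0] - records[i][0]).total_seconds(),
                "similarity": round(sim, 3),
                "dhcp_change": sim < SIMILARITY_CUTOFF,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_dhcp_changes(parse_log(SAMPLE_LOG)):
        print(finding)
```

The weekend gap on 10.0.0.11 is an outlier in time but not in behaviour, so it is reported with dhcp_change set to False; only the address whose traffic looks like a different device after the gap is flagged.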
Systems and methods for policy based privileged remote access in zero trust private networks. Various embodiments include receiving a request to an end system; determining available end systems based on one or more criteria associated with the request, wherein the one or more criteria are analyzed based on policy; and providing access to the end system based on the one or more criteria, wherein the access includes remote pixel rendering protocols integrated with a zero trust architecture.
Systems and methods for a hierarchical step-up authentication mechanism include monitoring access to one or more private applications; responsive to a request to access the one or more private applications, determining an Authentication Level (AL) of a user associated with the request, wherein determining the AL of the user comprises referencing one or more AL trees; and responsive to determining an AL of the user, performing one or more actions based thereon, wherein the one or more actions comprises one of allowing access to the one or more private applications and denying access to the one or more private applications.
The present disclosure includes systems and methods for time series analysis for cloud resources. Various embodiments include receiving resource data from one or more subsystems of a cloud environment, the resource data including information related to a plurality of events associated with one or more resources in the cloud environment; storing and processing the resource data; and presenting the resource data in a chronological order based on a time associated with each of the plurality of events.
Systems and methods for time bound session management for Operational Technology (OT) applications using Cron expression policies over zero trust. Various embodiments include receiving a request to an end system from a user; determining that the request requires a time-based approval; performing one or more time-based policy checks associated with the request; and allowing or denying the request based on the one or more time-based policy checks. The steps can further include monitoring an active session between the user and the end system; and timing out the active session based on time-based policy checks.
Systems and methods for providing a smart reauthentication process for prolonged WebSocket sessions which may present a risk to cloud environments. The various embodiments can include monitoring a WebSocket session associated with a user, detecting one or more triggers associated with an authentication of the WebSocket session, and initiating an authentication process based on the one or more triggers. The authentication process can disconnect an existing WebSocket session and force the user to reauthenticate in order to continue the session.
Systems and methods for detecting and bypassing network throttling in User Datagram Protocol (UDP) connections. Various embodiments include monitoring network traffic to and from a user device, wherein the network traffic is facilitated over a communication mode; collecting telemetry from the network traffic; identifying network throttling based on the telemetry; and responsive to identifying network throttling, utilizing an alternate communication mode, thereby bypassing the network throttling. The network throttling can be identified by calculating a loss value based on the telemetry and determining network throttling based on the loss value.
Systems and methods for policy based seamless authentication for PRA systems through zero trust private networks. The various systems and methods described herein include steps of receiving a request to access a Privileged Remote Access (PRA) system; determining if any credential rules apply to a console associated with the request; retrieving credentials associated with any of a user and the console from a database, thereby avoiding the user being required to provide credentials; and providing access to the requested PRA system based on the retrieved credentials.
Systems and methods for cloud-based threat alerts and monitoring include monitoring network traffic via a cloud-based system of one or more tenants of the cloud-based system; receiving a plurality of alerts associated with the network traffic from a plurality of security tools of the cloud-based system; logging the plurality of alerts; and providing an event chain, including the plurality of alerts. Based on the event chain, alerts can be identified as being false positives or legitimate.
Systems and methods for location-based zero trust application access. Various embodiments are adapted to make decisions whether to provide access to applications based on location context. The various methods include receiving a request from an entity for access to an application; retrieving physical location data of the entity from one or more sources; determining a policy decision based on the location data and one or more preconfigured policy rules; and managing the request by performing one of allowing or denying access to the requested application based on the policy decision.
Systems and methods for a dynamically reconfigurable traffic inspection pipeline in zero trust networks. Methods include steps of intercepting traffic traversing through a zero trust network to a destination; determining one or more traffic inspection stages to utilize for inspecting the traffic based on the characteristics of the traffic; creating a traffic inspection pipeline including the one or more traffic inspection stages; and performing the one or more traffic inspection stages on the traffic through the traffic inspection pipeline. The steps can include dynamically adding or removing traffic inspection stages in the traffic inspection pipeline after performing a traffic inspection stage.
Systems and methods for transparent proxy chaining for distributed remote access. The various embodiments described herein include intercepting network traffic associated with an end user device; identifying a request to a destination from the network traffic, the destination being in a distributed environment of a plurality of distributed environments; connecting the end user device to the destination based on access control policies associated with a user of the end user device; and logging all traffic associated with the plurality of distributed environments.
Techniques for optimized tracing in IPv6 environments include sending a plurality of trace packets between a client and a destination in a service path; responsive to receiving a response from the plurality of trace packets, extracting trace information therefrom; and determining a corresponding router associated with each of the responses based on the trace information.
The present disclosure includes systems and methods for posture control of cloud environments. Various embodiments include scanning a cloud environment for posture control data; identifying one or more configurations associated with the cloud environment; identifying one or more activities performed by a plurality of identities associated with the cloud environment; and providing one or more alerts related to any of the one or more configurations and the one or more activities. The various alerts and posture control data can be further represented in a Graphical User Interface (GUI).
Systems and methods include intercepting traffic at a mobile device via a connector application executing on the mobile device, the traffic originating from one or more applications on the mobile device and destined for one or more resources located in one of a public cloud, a private cloud, and an enterprise network; detecting one or more Virtual Private Network (VPN) profiles associated with the traffic, wherein the one or more VPN profiles are assigned to the traffic by the operating system of the mobile device; and forwarding the traffic to a cloud-based system via one or more tunnels based on the one or more VPN profiles detected in the traffic.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories; Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
H04L 67/10 - Protocols in which an application is distributed across nodes in the network
H04L 67/1001 - Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
H04L 67/125 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network
H04L 67/51 - Discovery or management thereof, e.g. service location protocol [SLP] or web services
Techniques for determining a destination Time-to-Live (TTL) value for a destination in a service path include sending a first trace packet having a TTL equal to an integer N; sending a subsequent trace packet having a TTL based on whether a response is received from the destination to the first trace packet; and repeating the steps until the destination TTL is determined. The various embodiments are adapted to perform the determining based on a binary search approach, thus optimizing the process for determining the destination TTL.
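An added example of the binary search over probe TTLs, not the patent's implementation: SimulatedPath stands in for the network so the code runs offline, and its "timeout" reply models a filtering hop that answers nothing, which the search treats the same way as an ICMP Time Exceeded since neither is a response from the destination.

```python
"""Find the destination TTL in a service path by binary search over probe TTLs.

Added example, not the patent's implementation. A real probe sets the IP TTL
(IPv6 hop limit) on a trace packet and waits for either a destination reply or
an ICMP Time Exceeded from an intermediate router; SimulatedPath stands in for
that so the example runs offline.
"""


class SimulatedPath:
    """Stand-in for the network: the destination sits `hops` hops away and any hop
    listed in `silent_hops` drops probes without answering (filtering router)."""

    def __init__(self, hops, silent_hops=()):
        self.hops = hops
        self.silent_hops = set(silent_hops)
        self.probes_sent = 0

    def probe(self, ttl):
        """Reply for a trace packet sent with the given TTL."""
        self.probes_sent += 1
        if ttl >= self.hops:
            return "destination"
        if ttl in self.silent_hops:
            return "timeout"
        return "time_exceeded"


def destination_ttl_linear(path, max_ttl=64):
    """Classic traceroute style: walk the TTL up one hop at a time."""
    for ttl in range(1, max_ttl + 1):
        if path.probe(ttl) == "destination":
            return ttl
    return None


def destination_ttl_binary(path, first_ttl=32, max_ttl=64):
    """Send a first trace packet with TTL N, then halve the interval on each reply.

    A reply from the destination means the answer is <= ttl; anything else
    (Time Exceeded or no response) means the destination is further away.
    Returns the smallest TTL that reaches the destination, or None if it is not
    reached within max_ttl hops.
    """
    lo, hi = 1, max_ttl
    ttl = max(lo, min(hi, first_ttl))
    found = None
    while lo <= hi:
        if path.probe(ttl) == "destination":
            found = ttl
            hi = ttl - 1          # destination reached: look for a shorter TTL
        else:
            lo = ttl + 1          # probe expired in transit: need more hops
        ttl = (lo + hi) // 2
    return found


if __name__ == "__main__":
    for hops in (3, 17, 40):
        linear, binary = SimulatedPath(hops), SimulatedPath(hops)
        print(f"{hops:2d} hops: linear={destination_ttl_linear(linear)} "
              f"({linear.probes_sent} probes) binary={destination_ttl_binary(binary)} "
              f"({binary.probes_sent} probes)")
```

For a 64-hop search space the binary variant needs at most seven probes regardless of path length, where the linear walk needs one probe per hop; the trade-off is that the binary search learns nothing about the intermediate routers it skips over.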
A method performed by a cloud system includes, subsequent to the cloud system connecting to one of a cloud provider and a Software-as-a-Service (SaaS) application, scanning data stored therein for one or more users associated with a tenant of a plurality of tenants of the cloud system; detecting an incident in the data during the scanning; maintaining details of the incident in an in-memory data store; and providing a notification to the tenant of the incident.
A technique to provide early detection of ransomware is disclosed. Message traffic from secure gateways is monitored. Statistical anomaly detection and behavioral anomaly detection are performed. Visualization and alerts may be generated to aid operators to identify ransomware attacks and take proactive measures. In one implementation, the early detection of ransomware is performed in the cloud.
Systems and methods are provided for controlling network access in a zero trust environment. A method, according to one implementation, includes the step of monitoring and controlling access between a user device and a network application using a zero trust policy engine having a Zero Trust Architecture (ZTA) in which no user, user device, or network application is inherently trusted. The method further includes the step of granting trust by allowing the user device to access the network application when identity and context information associated with a user of the user device is verified and when policy checks of the zero trust policy engine are enforced.
Systems and methods for identifying device type within a network include receiving data associated with monitoring network communication traffic associated with a plurality of devices; analyzing the data of the plurality of devices, wherein the analyzing includes identifying one or more features of the data of each of the plurality of devices; and labeling each of the plurality of devices as one of a user device and a non-user device based on the one or more features.
H04L 43/065 - Generation of reports related to network devices
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
Systems and methods for policy based traffic inspection in zero trust private networks. Various embodiments include receiving a request for a workload; analyzing one or more criteria associated with the request; determining an inspection profile to utilize for the request based on the analyzing of the one or more criteria; applying the inspection profile to the request; and inspecting traffic associated with the request based on the inspection profile.
Systems and methods for providing zero-trust connectivity for Subscriber Identity Module (SIM) enabled user equipment include responsive to a device having a SIM card equipped therein connecting to a cellular network, intercepting traffic associated with the device traversing the cellular network; forwarding the traffic through a cloud-based system; and processing the traffic from the device according to policy enforced by the cloud-based system.
H04L 47/2408 - Traffic characterised by specific attributes, e.g. priority or QoS for supporting different services, e.g. a differentiated services [DiffServ] type of service
79.
System and method for load balancing endpoint traffic to multiple security appliances acting as default gateways with point-to-point links between endpoints
A technique to stop lateral movement of ransomware between endpoints in a VLAN is disclosed. A security appliance is set as the default gateway for intra-LAN communication by overwriting the DHCP responses. A high availability cluster of the gateways is utilized to distribute traffic and implement load balancing amongst the gateways.
H04L 47/125 - Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering
H04L 67/1023 - Server selection for load balancing based on a hash applied to IP addresses or costs
H04L 67/1036 - Load balancing of requests to servers for services different from user content provisioning, e.g. load balancing across domain name servers
H04L 69/40 - Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass for recovering from a failure of a protocol instance or entity, e.g. service redundancy protocols, protocol state redundancy or protocol service redirection
80.
System and method to create disposable jump boxes to securely access private applications
A technique to stop lateral movement of ransomware between endpoints in a VLAN is disclosed. A security appliance is set as the default gateway for intra-LAN communication. Message traffic from compromised endpoints is detected. Attributes of ransomware may be detected in the message traffic, as well as attempts to circumvent the security appliance. Compromised devices may be quarantined. A disposable jump box may be utilized to provide an additional layer of protection against ransomware.
Systems and methods for dynamic session aggregation detection include receiving session logs for one of a plurality of machines operating in a cloud-based system; determining a plurality of time intervals between activities based on the session logs; determining a probability of a new log to be received after each time interval of the plurality of time intervals; calculating a slope from a shortest break interval and a slope to a longest break interval for each log of the session logs; calculating a slope ratio for each log of the session logs; and determining an optimal maximum session duration based on the slope ratios. The steps further include defining a new applicative session each time the machine experiences a break larger than the optimal maximum session duration.
Systems and methods for zero trust lensing of cloud-based traffic. Various embodiments include intercepting a plurality of requests from one or more users in a cloud-based system, wherein the requests are for connectivity to one or more destination workloads; determining a request of the plurality of requests requires lensing; identifying an appropriate lens for rendering the request; and initiating and utilizing a lens workload for processing a session associated with the request, wherein the session is processed in-line between the user and the workload destination without either the user or the workload destination being aware of the lens.
Systems and methods for access key abuse detection, the systems and methods including steps of receiving activity data relating to an access key from cloud providers associated with a cloud-based system, generating a baseline for the access key based on the activity data, monitoring activities associated with the access key in the cloud-based system, and calculating a score for monitored activities based on a comparison of the monitored activities to the baseline. The present scoring system helps identify an abnormal and risky activity that indicates an attacker is abusing the access key. In addition, a baseline is created for a plurality of selected attributes that present the normal access key usage in order to identify malicious abnormal activities.
Systems and methods include, responsive to a request from a user device to access an application, wherein the application is in one of a public cloud, a private cloud, and an enterprise network, and wherein the user device is remote over the Internet, determining if a user of the user device is permitted to access the application and whether the application should be provided in an isolated browser; responsive to the determining, initiating an isolation session by creating secure tunnels between the user device, an isolation service operating the isolated browser, and the application based on connection information; loading the application in the isolated browser, via the secure tunnels; and responsive to traffic associated with the isolation session being to an external destination, forwarding the traffic to a cloud monitoring system.
Systems and methods include responsive to receiving a request at a remote node, determining whether the request is to be sent directly or via a cloud-based system; establishing a control channel of a tunnel utilizing a first encryption technique, wherein the tunnel is between the remote node and a local node, and wherein the control channel includes a session identifier; establishing a data channel of the tunnel utilizing a second encryption technique, wherein the data channel is bound to the control channel based on the session identifier; performing, over the control channel, device authentication and user authentication of one or more users associated with the remote node, wherein each of the one or more users includes a user identifier; and, subsequent to the device authentication and the user authentication, exchanging data packets over the data channel with each data packet including a corresponding user identifier.
Systems and methods include obtaining log data for a plurality of users of an enterprise, wherein the log data relates to usage of a plurality of applications by the plurality of users; analyzing the log data to determine one or more relations between the plurality of users and the plurality of applications; determining one or more app-segments that are groupings of applications from the plurality of applications based on the log data and the one or more relations between the plurality of users and the plurality of applications; and providing access policy of the plurality of applications based on the one or more app-segments.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
87.
Cybersecurity vulnerability management system and method thereof
A system and method for cybersecurity vulnerability management through ticket system reduction reduces alert fatigue. The method includes receiving a plurality of alerts from a cybersecurity monitoring system, the cybersecurity monitoring system configured to monitor a computing environment, wherein each alert includes a plurality of attributes; generating in a graph database a ticket node corresponding to each alert of the received plurality of alerts; generating in the graph database a ticket group node, the ticket group node connected to a plurality of ticket nodes, each ticket node of the plurality of ticket nodes corresponding to an alert having an attribute with a same value; generating a ticket in a ticketing system corresponding to the ticket group node; and generating a visual representation of the ticket corresponding to the ticket group node.
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
88.
Identity power scoring system for cloud environments
Systems and methods for providing an identity power scoring system for cloud environments. Various embodiments include defining a plurality of admin categories associated with a cloud environment; deriving a category power score of an identity for each of the plurality of admin categories; and calculating a global power score of the identity based on the category power score for each of the plurality of admin categories. The scoring system helps identify and prioritize risk associated with specific identities, allowing more optimized methods of protection for information in the cloud-based system.
Systems and methods are provided for calculating a security risk score. In one implementation, a method includes the step of analyzing a network to assess a license status of the network, where the license status is related to one or more security licenses procured for providing security protection to the network. The method also includes the step of analyzing the network to assess a configuration status of the network, where the configuration status is related to configuration settings of one or more security policies currently operating with respect to the network. Based on the assessed license status and configuration status, the method further includes the step of calculating a security risk score indicating a current level of risk that the network faces against threats, intrusions, cyber-attacks, breaches, and/or data loss.
Systems and methods for defending against volumetric attacks, implemented in a cloud-based system. Embodiments include steps of, monitoring flows and a rate of requests to a Data Center (DC); receiving a request from an address to the DC, the request being for a service in a cloud-based system; determining if the address has been successfully authenticated within a past predetermined time period; responsive to the address not having been successfully authenticated within the past time period, and one of (i) the rate of requests being above a threshold or (ii) the number of flows being above a threshold, placing the address in a penalty box for a predetermined amount of time; and blocking requests from the address in the penalty box for the predetermined amount of time.
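An added example of the penalty box logic, not the patent's code: the PenaltyBoxGuard class, its rate and flow thresholds, the 10-second sliding window, the 300-second authentication grace period, the 60-second penalty and the addresses used in run_demo are all assumptions of the example. Time is passed in explicitly rather than read from the clock so the decisions are reproducible.

```python
"""Penalty box for volumetric attacks on a data center's service entry point.

Added example, not the patent's code. Thresholds, window length, authentication
grace period and penalty duration are illustrative assumptions, and the request
stream used in the demo is constructed.
"""
from collections import defaultdict, deque


class PenaltyBoxGuard:
    """Per-address request-rate and flow-count tracking with a timed penalty box.

    An address that has not authenticated successfully within `auth_grace`
    seconds and exceeds either threshold inside the sliding window is blocked
    for `penalty` seconds. Time is passed in explicitly so the logic is testable.
    """

    def __init__(self, rate_threshold=20, flow_threshold=10, window=10.0,
                 auth_grace=300.0, penalty=600.0):
        self.rate_threshold = rate_threshold    # requests per window, per address
        self.flow_threshold = flow_threshold    # distinct flows per window, per address
        self.window = window                    # sliding window, seconds
        self.auth_grace = auth_grace            # "recently authenticated", seconds
        self.penalty = penalty                  # time in the penalty box, seconds
        self._requests = defaultdict(deque)     # addr -> request timestamps
        self._flows = defaultdict(deque)        # addr -> (timestamp, flow_id)
        self._last_auth = {}                    # addr -> last successful auth time
        self._boxed_until = {}                  # addr -> release time

    def record_auth_success(self, addr, now):
        self._last_auth[addr] = now

    def is_boxed(self, addr, now):
        release = self._boxed_until.get(addr)
        if release is None:
            return False
        if now < release:
            return True
        del self._boxed_until[addr]             # penalty served
        return False

    def _prune(self, dq, now, stamp):
        while dq and now - stamp(dq[0]) > self.window:
            dq.popleft()

    def handle(self, addr, flow_id, now):
        """Decide one request: "allow" or "block"."""
        if self.is_boxed(addr, now):
            return "block"
        reqs, flows = self._requests[addr], self._flows[addr]
        reqs.append(now)
        flows.append((now, flow_id))
        self._prune(reqs, now, lambda t: t)
        self._prune(flows, now, lambda item: item[0])
        distinct_flows = len({flow for _, flow in flows})

        last_auth = self._last_auth.get(addr)
        if last_auth is not None and now - last_auth <= self.auth_grace:
            return "allow"                      # recent authentication: no volume penalty

        if len(reqs) > self.rate_threshold or distinct_flows > self.flow_threshold:
            self._boxed_until[addr] = now + self.penalty
            reqs.clear()
            flows.clear()
            return "block"
        return "allow"


def run_demo():
    """Constructed traffic: a burst from an unauthenticated address and the same
    burst from a recently authenticated one. Returns the decision lists and the
    verdict for the attacker once its penalty has expired."""
    guard = PenaltyBoxGuard(rate_threshold=5, flow_threshold=3, window=10.0,
                            auth_grace=300.0, penalty=60.0)
    attacker = [guard.handle("203.0.113.9", f"flow-{i}", 0.1 * i) for i in range(7)]
    guard.record_auth_success("198.51.100.5", 0.0)
    user = [guard.handle("198.51.100.5", f"flow-{i}", 0.1 * i) for i in range(7)]
    released = guard.handle("203.0.113.9", "flow-x", 61.0)
    return attacker, user, released


if __name__ == "__main__":
    print(run_demo())
```

The authentication check runs before the threshold check on purpose: a legitimate client that just authenticated may legitimately open many flows, and penalising it would turn the defense into a self-inflicted denial of service. In a real deployment the counters would live in a shared store keyed by address so every enforcement node in the data center sees the same state.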
Systems and methods for providing a context aware client firewall. Various embodiments include intercepting all network traffic to and from a mobile device, deriving a static risk profile of the mobile device based on one or more parameters, determining a dynamic risk of the mobile device based on network flow attributes, and computing an overall risk for the network traffic based on the static risk profile and the dynamic risk. Network traffic can therefore be allowed or blocked based on the computed risk. The solution provides granular control to IT administrators to block network traffic based on parameters such as geolocation, network type, and various others described herein.
Systems and methods are provided for evaluating the effectiveness of network security tools for mitigating network security risks. According to one implementation, a method includes the step of analyzing a network to measure security parameters associated with the use of one or more network security tools that are configured for mitigating risk with respect to network compromise, data loss, lateral movement, and asset exposure. Based on the measured security parameters, the method further includes the step of quantifying the one or more network security tools to determine an effectiveness score defining an ability of the one or more network security tools, in combination, to counteract the network compromise, data loss, lateral movement, and asset exposure.
Systems and methods for a zero trust architecture are provided. A method, according to one implementation, includes detecting an initial attempt by an entity to connect, access, or communicate with a network resource and blocking the entity from initially connecting, accessing, or communicating with the network resource. The method also includes performing a verification procedure to verify one or more of an identity of the entity and a context of the initial attempt. The method also performs a control procedure to control one or more of malicious content and sensitive data. In addition, the method includes performing an enforcement procedure in response to results of the verification procedure and control procedure to determine how to handle the initial attempt.
Systems and methods include responsive to a user initiating a session with a resource, determining a master fingerprint of a device associated with the user; collecting, at predefined time intervals, one or more additional fingerprints during the session; comparing the one or more additional fingerprints with the master fingerprint; and performing one or more actions based on the comparing.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
H04L 67/10 - Protocols in which an application is distributed across nodes in the network
H04L 67/1001 - Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
H04L 67/125 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network
Systems and methods for identifying incorrect labels and improving label correction for machine learning for security. The systems and methods include receiving data with labels; training one or more Machine Learning (ML) models to label the received data; identifying disagreements between the labels provided by the one or more ML models and the labels received with the data; and providing one or more groups of the data for review for incorrect labels.
Systems and methods for learning from mistakes to improve detection rates of Machine Learning (ML) models. The systems and methods include receiving data with labels; running the data through a trained ML model for predictions; identifying errors in the predictions based on the labels received with the data; adjusting weights associated with samples in the data based on the identified errors; and retraining the ML model with the adjusted weights.
Systems and methods include initiating a browser isolation session between a user device and a remote browser, wherein the browser isolation session includes a first isolated browser tab and a second isolated browser tab; providing a connection to the first isolated browser tab; and responsive to a request for switching to the second isolated browser tab, suppressing the connection to the first isolated browser tab and un-suppressing a connection to the second isolated browser tab.
The present disclosure relates to systems and methods for synchronizing device states across two distributed systems. Various embodiments include a convergence mechanism also referred to as a device resync engine. The basis of the present systems and methods is that any and every operation done between the two distributed systems, via Application Programming Interfaces (APIs), pushes the system towards re-synchronization. This is achieved by providing active feedback of the user's device state on every user action. For example, a user performs an authentication on one device; the two systems complete the authentication and additionally ensure all states of all devices owned by the user are in sync. By performing these small corrections for every user, the present systems and methods are able to re-converge into a synchronized state while keeping compute expenses low and the process efficient.
Systems and methods for dynamic core assignment for virtual machines in public cloud environments include steps of initially booting up a software package for a virtual node in a cloud-based system, wherein the software package includes N processes each configured to operate on one of N cores, N being an integer; determining a configuration of the virtual node based on communication in the cloud-based system; responsive to a first configuration, proceeding with the booting up and configuring the N processes to each operate on one of the N cores; and, responsive to a second configuration, rebooting for improved performance and, subsequent to the rebooting, configuring the N processes so that at least one process is operated on at least two of the N cores and so that at least one of the N processes is omitted, improving performance.
Systems and methods for session similarity identification include receiving historical sessions for one of a plurality of machines operating in a cloud-based system. The methods can include receiving and managing sessions from any number of machines in the cloud-based system. The system then receives monitored sessions for the machine or plurality of machines, and calculates a similarity between the received historical sessions and the received monitored sessions. After calculating the similarity, the system defines a risk score based on the similarity.