G06F21/561

Ransomware protection for cloud storage systems
11526611 · 2022-12-13

Exemplary security applications and systems are described herein. Such embodiments may be configured to provide backup functionality and ransomware protection for cloud storage systems. The described embodiments may monitor cloud storage systems to detect and classify various events. The embodiments may also perform any number of actions based on classified events, such as transmitting notifications to users, preventing a user or application from accessing the cloud storage system, and/or restoring infected files.

Secured automated or semi-automated system
11588837 · 2023-02-21

Secured automated or semi-automated systems are provided herein. In one embodiment, a sensor system includes a sensor, a legacy computing environment that is configured to communicate with the sensor, process the raw sensor data output, and transmit the processed sensor output to a first network node over the network, and a trusted computing environment configured to receive raw sensor output directly from the sensor and transmit the raw sensor output to an additional network node or the first network node over the network.

ANTI-MALWARE ADAPTOR FOR REMOVABLE STORAGE DEVICES
20220366046 · 2022-11-17

An adaptor includes non-volatile memory that stores a scan engine. A removable storage device is connected to the adaptor, which in turn is connected to a host computer. Files being copied between the removable storage device and the host computer through the adaptor are scanned for malware using the scan engine.

Ransomware attack monitoring

Examples associated with ransomware attack monitoring are described herein. One example includes a monitor module to monitor files stored on the system for sequences of file accesses that match a predefined pattern of file accesses. An investigation module is activated based on a sequence of file accesses that match the predefined pattern. The investigation module logs actions taken by processes to modify files. A reaction module pauses a set of processes operating on the system based on the logging performed by the investigation module, and resumes legitimate processes.

Threat mitigation system and method

A computer-implemented method, computer program product and computing system for: obtaining hardware performance information concerning hardware deployed within a computing platform; obtaining platform performance information concerning the operation of the computing platform; obtaining application performance information concerning one or more applications deployed within the computing platform; and generating a holistic platform report concerning the computing platform based, at least in part, upon the hardware performance information, the platform performance information and the application performance information.

Endpoint detection and response utilizing machine learning

A plurality of events associated with each of a plurality of computing nodes that form part of a network topology are monitored. The network topology includes antivirus tools to detect malicious software prior to it accessing one of the computing nodes. Thereafter, it is determined that, using at least one machine learning model, at least one of the events is indicative of malicious activity that has circumvented or bypassed the antivirus tools. Data is then provided that characterizes the determination. Related apparatus, systems, techniques and articles are also described.

HYPERVISOR LEVEL SIGNATURE CHECKS FOR ENCRYPTED TRUSTED EXECUTION ENVIRONMENTS
20230039602 · 2023-02-09

A system includes a hypervisor, a memory, and boot firmware stored in the memory. The boot firmware is configured to execute on a processor to load a trusted code that includes a condition checker from the hypervisor, check a signature of the trusted code, and verify the signature is trusted by a guest. The boot firmware is also configured to load the trusted code into an encrypted memory at a known guest address. The hypervisor is configured to protect the known guest address. The trusted code includes a first instruction, one or more intermediate instructions, and a final instruction. The first instruction and the final instruction are exits to the hypervisor. The hypervisor is also configured to execute the condition checker and detect an inconsistency in guest memory.

Media agent hardening against ransomware attacks

An information management system implements a method for securing a media agent from unauthorized access, where the method includes configuring a secondary storage computing device to initialize a filter driver at boot time and monitor process calls to a media agent, where the media agent provides read and write operations to a secondary storage device in communication with the secondary storage computing device. The filter driver may detect a process call to the media agent, and determine whether the process call is authorized. In response to a determination that the process call is authorized, the filter driver may allow the process call to request an operation be performed by the media agent, and the media agent may then perform the requested operation. If the filter driver determines that the process call is not authorized, the filter driver may ignore the process call for the requested operation.

Automated Identification of Malware Families Based on Shared Evidences

A malware family identification engine constructs a graph data structure of direct relationships between malware instances and malware families, direct relationships between malware instances and detected tags, and indirect relationships between detected tags and malware families. The engine builds a dictionary data structure comprising detected tag entries linking each detected tag to one or more malware family nodes based on the graph data structure. The engine identifies significant indirect entities (SIEs) within the detected tag entries of the dictionary data structure and selects a SIE with a highest number of out-going links (OGLs) as a root node in a family tree data structure, recursively connects SIEs with a number of OGLs less than the highest number of OGLs to the root node in the family tree data structure, and converts each SIE name in the family tree data structure to a chained family entity name in the family tree data structure.

SYSTEM AND METHOD FOR DETECTING LATERAL MOVEMENT AND DATA EXFILTRATION
20230030659 · 2023-02-02

A system is configured to detect threat activity on a network. The system includes a digital device configured to detect a first order indicator of compromise on the network, detect a second order indicator of compromise on the network, generate a risk score based on correlating the first order indicator of compromise with the second order indicator of compromise, and generate at least one incident alert based on comparing the risk score to a threshold.