H04L63/0227

Network application security policy generation
11522890 · 2022-12-06

Embodiments of the present invention generate network communication policies by applying machine learning to existing network communications, and without using information that labels such communications as healthy or unhealthy. The resulting policies may be used to validate communication between applications (or services) over a network.

Detection of adversary lateral movement in multi-domain IIOT environments

Implementations are directed to methods for detecting and identifying advanced persistent threats (APTs) in networks, including receiving first domain activity data from a first network domain and second domain activity data from a second network domain, including multiple alerts from the respective first and second network domains, where each alert of the multiple alerts results from one or more detected events in the respective first or second network domain. A classification is determined for each alert of the multiple alerts with respect to a cyber kill chain. A dependency is then determined for each of one or more pairs of alerts, and a graphical visualization of the multiple alerts is generated, where the graphical visualization includes multiple nodes and edges between the nodes, each node corresponding to the cyber kill chain and representing at least one alert, and each edge representing a dependency between alerts.

Central trust hub for interconnectivity device registration and data provenance
11522842 · 2022-12-06

Apparatus and method for device and data authentication in a computer network, such as but not limited to an IoT (Internet of Things) network. In some embodiments, a trust hub device is coupled to an interconnectivity device. The trust hub device includes a controller and non-volatile memory (NVM), and may be a network capable data storage device. The interconnectivity device is configured as an Internet of Things (IoT) or Operational Technology (OT) device, and includes a controller and a sensor. Data from the sensor are transferred from the interconnectivity device to the trust hub device. The trust hub device proceeds to attest a provenance of the data from the sensor to a remote entity associated with the interconnectivity device. The trust hub device includes a firewall to the external network, establishes a root of trust for the local interconnectivity device, and performs enrollment and signing services for the interconnectivity device.

Simplifying networking setup complexity for security agents
11522913 · 2022-12-06

Methods, systems, and processes to simplify networking setup complexity for security agents implemented in cybersecurity computer environments are disclosed. A request with an intentionally bad Transport Layer Security (TLS) handshake is transmitted from an agent to a server. An indication is received from the server that the request has been rejected. A Round Trip Time (RTT) of the request and rejection of the request is determined. The server is then pinged based on the RTT. The subsequent pinging does not require whitelisting of an additional port and does not negatively interact with network intermediaries that support protocol detection.

DISTRIBUTED TRAFFIC STEERING AND ENFORCEMENT FOR SECURITY SOLUTIONS
20220385631 · 2022-12-01

Techniques for distributed traffic steering and enforcement for security solutions are disclosed. In some embodiments, a system, process, and/or computer program product for distributed traffic steering and enforcement for security solutions includes encapsulating an original traffic header for a monitored flow from/to a host or a container; rerouting the flow from the host or the container to a security platform of a security service; performing security analysis at the security platform using the original traffic header; and rerouting the flow back to the host or the container for routing to an original destination based on the original traffic header.

ADVERTISING DEVICE INSPECTION CAPABILITIES TO ENHANCE NETWORK TRAFFIC INSPECTIONS
20220385630 · 2022-12-01

Techniques for advertising device inspection capabilities to enhance network traffic inspections are described herein. The techniques may include determining, by a first inspection device of a network, that a second inspection device is disposed within the network. The first inspection device may also receive, from the second inspection device, an indication that the second inspection device is capable of performing a first type of inspection. The techniques may also include receiving, at the first inspection device, a packet that is to be sent through the network along a path that includes the second inspection device. Based at least in part on the path including the second inspection device, the first inspection device may refrain from performing the first type of inspection on the packet at the first inspection device such that the second inspection device can perform the first type of inspection on the packet.

Device, system and method for defending a computer network
11516181 · 2022-11-29

A non-transitory, processor-readable medium includes code representing instructions to cause a processor to perform a method. The method includes receiving, from a traffic filter at a boundary of a network, a network communication and determining the network communication is a first anomalous communication associated with a service that does not exist within the network, uses a non-readable character set, or includes a malicious payload. The method further includes, at least partially based on the determining, generating a first rule, at least partially based on an analysis of a subset of partial or exact fingerprints of the first anomalous communication. The first rule is communicated to the traffic filter for the traffic filter to filter, from network communications external to the network, a second anomalous communication.

Security system for detection and mitigation of malicious communications

Embodiments of the present invention relate to, in general, detecting and mitigating malicious communications. Typically, a system of the present invention is configured to deliver indicators of compromise in response to identifying and isolating malicious communication. Moreover, the system is configured to analyze an electronic communication to determine if it is malicious or if it has a malicious payload. In some embodiments, the system is configured to determine an indicator of compromise for the electronic communication determined to be malicious, and transmit this indicator of compromise to the first networked device. In some embodiments, the system transmits a threat trigger signal to a third party provider. The threat trigger signal is configured to allow an application or system provided by the third party provider to block a threat caused by the electronic communication. In some embodiments, the system provides training to help users better identify and report threats.

System and method for protecting network resources

The present disclosure includes methods and systems for protecting network resources. An exemplary method comprises starting, by a processor, copy-on-write snapshotting for modifications to a plurality of files in storage, the modification initiated by a suspicious application, detecting, by the processor, a modification of a file of the plurality of files, determining, by the processor, whether the file is stored on a shared network resource or a local resource, in response to determining that the file is stored on a shared network resource, determining, by the processor, that a current region being modified is not already saved in a snapshot, and if the current region is not saved, saving the current region to a snapshot, marking, by the processor, the current region as being saved and analyzing all saved regions that were modified for malicious activity to determine that the suspicious application modifying the saved regions is malicious.

Data confidence fabric trust brokers

A trust broker is disclosed for a data confidence fabric. The trust broker evaluates the trustworthiness of data flowing through a network that includes a data confidence fabric. The trust broker evaluates a baseline confidence score and generates a workorder to improve the baseline confidence score in a measurable way. The trust broker may implement the workorder and ensure that the trust improves in the data confidence fabric.