H04L63/0245

OUTBOUND/INBOUND LATERAL TRAFFIC PUNTING BASED ON PROCESS RISK

Techniques for outbound/inbound lateral traffic punting based upon process risk are disclosed. In some embodiments, a system/process/computer program product for outbound/inbound lateral traffic punting based upon process risk includes receiving, at a network device on an enterprise network, process identification (ID) information from an endpoint (EP) agent executed on an EP device, in which the process ID information identifies a process that is associated with an outbound or inbound network session on the EP device on the enterprise network, and the EP agent selected the network session for punting to the network device for inspection; monitoring network communications associated with the network session at the network device to identify an application identification (APP ID) for the network session; and performing an action based on a security policy using the process ID information and the APP ID.

Magnetic stripe reader tamper protection
09852422 · 2017-12-26

A technique for tamper protection of an incoming data signal to an electronic device is disclosed. An intentional interference signal is generated and modulated onto the incoming data signal as one composite input signal, to prevent unauthorized acquisition of valid data from the incoming data signal. The magnitude of the interference signal is adjusted to correspond to the magnitude of the incoming data signal, thereby preventing an attacker from properly differentiating the two signals and/or decoding the valid data from the composite input signal. Once the composite input signal is safely received within the device, the interference signal can be filtered out in either analog mode or digital mode.

Data transfer method and virtual switch

A data transfer method and a virtual switch, where when receiving a data packet, the virtual switch extracts characteristic information of the data packet, and determines, based on the extracted characteristic information of the data packet, whether an expedited forwarding rule is configured for a data stream to which the data packet belongs. If the expedited forwarding rule is configured for the data stream to which the data packet belongs, the virtual switch bypasses a LINUX bridge to directly send the data packet to a receive end, thereby reducing times of data packet switching between a kernel mode and a user mode, and improving data packet forwarding efficiency.

Multi-tenant identity cloud service with on-premise authentication integration and bridge high availability

Embodiments include a multi-tenant cloud system that receives a request for an authenticate action for a user. Embodiments create an authenticate target action and register a cache listener for a cache that includes a filter to listen for a target action response that is responsive to the authenticate target action, the filter listing a plurality of bridges assigned to an on-premise active directory. Embodiments randomly select one of the plurality of bridges and send the authenticate target action to the active directory via the selected bridge. Embodiments wait for a cache callback and, at the cache callback, receive a target action response that includes a result of the authenticate action.

Detecting unknown malicious content in computer systems

Various embodiments discussed herein enable the detection of malicious content. Some embodiments do this by determining a similarity score between content, computer objects, or indications (e.g., vectors, file hashes, file signatures, code, etc.) known to be malicious and other content (e.g., unknown files) or indications based on feature weighting. Over various training stages, certain feature characteristics for each labeled malicious content or indication can be learned. For example, for a first malware family of computer objects, the most prominent feature may be a particular URL, whereas other features change considerably for different iterations of the first malware family of computer objects. Consequently, the particular URL can be weighted to determine a particular output classification corresponding to malicious behavior.

Voice and video watermark for exfiltration prevention

A legitimate voice or video communication application modifies data in a communication session to produce a watermark. The watermark is a piece of information that is part of a communication session that is not readily observable, but can be verified later on. The purpose of a watermark is to verify that the communication session is a legitimate communication session and does not pose a security breach. The video or audio communication session is monitored for a watermark. In response to determining that the communication session contains the watermark, the communication session is allowed to continue. In response to determining that the communication session does not contain the watermark, the communication session is identified as a potential security breach. If the communication session is identified as a potential security breach, the communication session can be dropped and a user can be notified of the potential security breach.

Efficient Threat Context-Aware Packet Filtering for Network Protection

A threat intelligence gateway (TIG) may protect TCP/IP networks from network (e.g., Internet) threats by enforcing certain policies on in-transit packets that are crossing network boundaries. The policies may be composed of packet filtering rules with packet-matching criteria derived from cyber threat intelligence (CTI) associated with Internet threats. These CTI-derived packet-filtering rules may be created offline by policy creation and management servers, which may distribute the policies to subscribing TIGs that subsequently enforce the policies on in-transit packets. Each packet filtering rule may specify a disposition that may be applied to a matching in-transit packet, such as deny/block/drop the in-transit packet or pass/allow/forward the in-transit packet, and also may specify directives that may be applied to a matching in-transit packet, such as log, capture, spoof-tcp-rst, etc. Often, however, the selection of a rule's disposition and directives that best protect the associated network may not be optimally determined before a matching in-transit packet is observed by the associated TIG. In such cases, threat context information that may only be available (e.g., computable) at in-transit packet observation and/or filtering time, such as current time-of-day, current TIG/network location, current TIG/network administrator, the in-transit packet being determined to be part of an active attack on the network, etc., may be helpful to determine the disposition and directives that may best protect the network from the threat associated with the in-transit packet. The present disclosure describes examples of methods, systems, and apparatuses that may be used for efficiently determining (e.g., accessing and/or computing), in response to the in-transit packet, threat context information associated with an in-transit packet. The threat context information may be used to efficiently determine the disposition and/or one or more directives to apply to the in-transit packet. This may result in dispositions and/or directives being applied to in-transit packets that better protect the network as compared with solely using dispositions and directives that were predetermined prior to receiving the in-transit packet.

Mitigating communication risk by detecting similarity to a trusted message contact

A measure of similarity between an identifier of a sender of the message and each identifier of one or more identifiers of each trusted contact of a plurality of trusted contacts of a recipient of the message is determined. In the event the sender of the message is not any of the trusted contacts, but at least one of the measures of similarity between the identifier of the sender of the message and a selected identifier of a selected trusted contact of the plurality of trusted contacts meets a threshold, the message is modified, if applicable, to alter content of a data field that includes an identification of the sender of the message. The data field is one of a plurality of data fields included in a header of the message.

Cyber Protections of Remote Networks Via Selective Policy Enforcement at a Central Network
20230198948 · 2023-06-22

An enterprise organization may operate a central network and one or more remote networks, each comprising a plurality of computing devices. For protection against malicious actors, the central network may be configured to filter network traffic associated with the computing devices based on identified threats. Traffic corresponding to computing devices connected to the remote network may be tunneled to the central network for filtering by the central network. A tunnel gateway device, associated with the remote network, may efficiently identify which communications are associated with Internet threats, and tunnel such identified traffic to the central network, where actions may be taken to protect the enterprise network.

SEGMENTATION MANAGEMENT INCLUDING TRANSLATION
20220385634 · 2022-12-01

Systems, methods, and related technologies for segmentation management are described. The segmentation management may include visualization, configuration including translation, simulation, or a combination thereof of one or more segmentation policies. In certain aspects, a segmentation policy is accessed and a segmentation rule is determined based on the segmentation policy, wherein the segmentation rule is based on a characteristic of an entity determined without the use of an agent. An enforcement point associated with the segmentation rule may be determined, where the enforcement point is communicatively coupled to a network. The segmentation rule may be translated into a configuration associated with the enforcement point and the configuration communicated to the enforcement point.