A system for detecting and mitigating forged authentication object attacks is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to retrieve the new authentication object from the authentication object inspector, calculate a cryptographic hash for the new authentication object, and store the cryptographic hash for the new authentication object in a data store; wherein subsequent access requests accompanied by authentication objects are validated by comparing hashes for each authentication object to previous generated hashes.

A system includes a memory, a survey engine, and a reporting engine. The memory stores identifying information of a plurality of users. The survey engine determines a question to present to each user of the plurality of users and determines an interval for each user of the plurality of users. The determined interval for a first user of the plurality of users is different from the determined interval for a second user of the plurality of users. For each user, the survey engine communicates to that user, based on the stored identifying information, the determined question for that user according to the determined interval for that user and receives a response from each user of the plurality of users. The reporting engine generates a report based on the received response from the plurality of users.

Methods and systems for assessing internet exposure of a cloud-based workload are disclosed. A method comprises accessing at least one cloud provider API to determine a plurality of entities capable of routing traffic in a virtual cloud environment associated with a target account containing the workload, querying the at least one cloud provider API to determine at least one networking configuration of the entities, building a graph connecting the plurality of entities based on the networking configuration, accessing a data structure identifying services publicly accessible via the Internet and capable of serving as an internet proxy; integrating the identified services into the graph; traversing the graph to identify at least one source originating via the Internet and reaching the workload, and outputting a risk notification associated with the workload. Systems and computer-readable media implementing the above method are also disclosed.

Computer environment infrastructure compliance audit result prediction includes receiving system inventory information identifying systems of a computer environment and properties of those systems, loading security requirements applicable to systems, determining compliance deviations indicating deviations between current configurations of the systems and the security requirements, based at least on the determined compliance deviations, selecting audit features based on which a predicted audit result is to be generated, and generating a predicted audit result using the selected audit features as input to an audit result classification model trained on historical audit information to predict audit results based on input audit features, and the predicted audit result being a prediction of a result of an audit of the systems.

System and methods are described for efficient monitoring of network traffic in a public cloud computing environment. In one implementation, a method comprises: generating flow log records of network traffic in the public cloud computing environment; identifying a data packet that presents a potential security risk; identifying a captured data packet (PCAP) record corresponding to the identified data packet; and transmitting the PCAP record to a computing device for network traffic analysis.

Embodiments of the present disclosure provide systems, methods, and non-transitory computer storage media for detecting abnormal behavior of device in an enterprise network based on an analysis of behavioral information of the device's neighbors in network. At a high level, embodiments of the present disclosure employ a hive-mind approach to determine anomalous behavior of a device in a network based on analyzing behavior information reported by neighboring devices within the network. Embodiments identify that a device is alive and connected within the network based on multiple neighboring devices reporting behavioral information about the device; however, the device may be dysfunctional and failing to report its own information. By aggregating and analyzing behavioral information of a device based on the reporting information of its neighboring devices, embodiments of the present disclosure are able to determine whether a device is healthy even when the device is unable to report its own information.

A Cloud Access Security Broker (CASB) system includes a controller; a message broker connected to the controller; and a plurality of workers connected to the message broker and connected to one or more cloud providers having a plurality of files contained therein for one or more tenants, wherein the plurality of workers are configured to crawl through the plurality of files for the one or more tenants, based on policy and configuration for the one or more tenants provided via the controller, and based on assignments from the message broker. The plurality of workers can be further configured to cause an action in the one or more cloud providers based on the crawl and based on the policy and the configuration. The action can include any of allowing a file, deleting a file, quarantining a file, and providing a notification.

Methods and systems for penetration testing of a networked system involve assigning network nodes to disjoint classes based on current information about the compromisability of the network nodes. The classes distinguish between nodes not currently known to be compromisable, nodes that only recently have become known to be compromisable, e.g., by a first method of a attack, and nodes that have been known for a longer time to be compromisable. Nodes that only recently have become known to be compromisable can be re-targeted by the penetration testing system to determine whether such nodes can be compromised using multiple methods of attack and not just using the first method of attack.

A computer-implemented method includes: receiving system information data representing configurations of digital systems; receiving attack information data associated one or more of the digital systems; analyzing the received system information data and attack information data, to associated attack types; identifying, for each identified attack type, correlations and/or causalities between individual system constituents or combinations thereof in the digital systems associated with attacks; determining and assigning, based on the identified correlations and/or causalities, an attack vulnerability value, for each attack, respectively, to each of the systems and/or systems' constituents and/or combinations thereof; and retrievably storing attack vulnerability values associated with the systems, system constituents and/or combinations thereof.

A protocol state fuzzing method for security of a control plane of a distributed software-defined network is provided. The protocol state fuzzing method includes receiving input alphabets being abstract symbols of a protocol message in an ambusher of a distributed network operating system (NOS), converting the input alphabets into the protocol message, and sending the protocol message to a cluster, monitoring, by the cluster, intercommunication between instances in the distributed NOS, and selecting a set of sequences executable in the cluster and searching a cluster log for an output by executing the sequence to generate an attack result.