Emc IP Holding Company LLC

Tenable, Inc.

Emc Corporation

Enterasys Networks, Inc.

Kevin T Douglas

Sashka T Davis

Zulfikar A Ramzan

Matthew L Wirges

Diptanu Das

Kevin Bowers

Kevin J Arunski

Scott Moore

Leandro Diato

Brian P Girardi

Nicholas H Hoang

Abram Q Thielke

Ed G Quackenbush

Gary J Golomb

Aldrin D'Souza

Kien Nguyen

In an embodiment, a vulnerability scanner component determines one or more target software objects of a remote file system for a vulnerability scan, and performs, via a file system application programming interface (API), a file system decoding procedure based on information associated with the remote file system to determine a subset of disk blocks of the remote file system that comprise the one or more target software objects. The vulnerability scanner component transmits, to a remote device, a read request associated with the subset of disk blocks, and obtains, in response to the read request, the subset of disk blocks (e.g., rather than a full disk image). The vulnerability scanner component extracts the one or more target software objects from the subset of disk blocks, and performs the vulnerability scan on the extracted one or more target software objects.

Vulnerability scanning of a remote file system

A method includes monitoring user behavior in an enterprise system, identifying a given user of the enterprise system associated with a given portion of the monitored user behavior, determining a predicted impact of compromise of the given user on the enterprise system, generating a risk score for the given user based on the predicted impact of compromise and the given portion of the monitored user behavior, and identifying one or more remedial actions to reduce the risk score for the given user. The method also includes implementing, prior to detecting compromise of the given user, at least one of the remedial actions to modify a configuration of at least one asset in the enterprise system, the at least one asset comprising at least one of a physical computing resource and a virtual computing resource in the enterprise system.

Risk score generation utilizing monitored behavior and predicted impact of compromise

A method includes detecting a plurality of events associated assets of an enterprise system and generating database record structures based on the detected events, each database record structure comprising a first field storing an association key identifying one of the assets, a second field storing a first timestamp associated with a first detected event stored in that database record structure for its identified asset, and at least a third field storing a value associated with a second detected event stored in that database record structure for its identified asset. The method also includes maintaining indexing structures for the first, second and third fields, receiving a query to resolve a temporal association for a queried assets at a specified time, and utilizing the indexing structures to locate a particular one of the database record structures storing the temporal association for the queried asset at the specified time.

Maintaining temporal associations for event data in an event database

Methods, apparatus, and processor-readable storage media for identifying and determining the criticality of enterprise assets using network traffic information are provided herein. An example computer-implemented method includes capturing network session information from an enterprise network; identifying multiple assets within the enterprise network by processing the captured network session information; determining, for each of the identified assets, one or more predefined features of the asset based at least in part on the processing of the captured network session information; determining, for each of the identified assets, a level of criticality associated with the asset based at least in part on the one or more determined features of the asset; and outputting the level of criticality and an identifier of the asset associated therewith to a security-related system, wherein the level of criticality and the asset identifier are used by the security-related system to take at least one automated action.

Determining criticality of identified enterprise assets using network session information

A method includes obtaining usage metrics for assets of an enterprise system and extracting sets of features from the obtained usage metrics, the sets of features characterizing relative importance of each of the assets for each of two or more designated time windows. The method also includes determining, utilizing the extracted features, an importance of each of the assets. The method further includes establishing a baseline behavior of the assets based on the extracted features, monitoring behavior of the assets during at least one additional time window, and modifying a configuration of a given asset responsive to detecting that the monitored behavior of the given asset during the at least one additional time window exhibits a threshold difference from the established baseline behavior of the given asset, wherein the modification is based at least in part on the importance of the given asset relative to one or more other assets.

Automated determination of relative asset importance in an enterprise system

A method includes extracting one or more code fragments from a first software module and computing fingerprints of the code fragments extracted from the first software module. The method also includes determining a similarity score based on distances between the fingerprints of the code fragments extracted from the first software module and fingerprints of one or more code fragments extracted from at least a second software module, the second software module being classified as a given software module type, each of the fingerprints being computed by application of a fuzzy hash function to a given one of the code fragments. The method further includes classifying the first software module as the given software module type based on the similarity score and modifying access by a given client device to the first software module responsive to classifying the first software module as the given software module type.

Classifying software modules based on fingerprinting code fragments

A method comprises obtaining a potentially malicious file, decoding the file to identify one or more code streams, processing each of the identified code streams to determine the presence of respective ones of a set of indicators of compromise, determining whether the file is malicious based on the presence of one or more of the indicators of compromise in the code streams, and modifying access by a given client device to the file responsive to determining that the file is malicious.

Detection and remediation of potentially malicious files

Systems and methods for sensitive data remediation include calculating a Probability of Loss of data on a given computer based on measures of control, integrity, and potential avenues of exploitation of the given computer, determining an Impact of Loss of the data on the given computer based on a type, volume, and nature of the data, and correlating the Probability of Loss with the Impact of Loss to generate a risk score for the given computer that can be compared to other computers in the network. The computers with higher risk scores can then be subjected to data remediation activity.

Systems and methods for sensitive data remediation

A host-based intrusion detection system (HIDS) sensor that monitors system logs for evidence of malicious or suspicious application activity running in real time and monitors key system files for evidence of tampering. This system detects attacks targeted at the host system on which it is installed and monitors output to the system and audit logs. It is signature-based and identifies and analyzes system and audit messages for signs of system misuse or attack. The system monitors the logs of applications running on the host, including mail servers, web servers and FTP servers. The system also monitors system files and notifies the system administrator when key system and security files have been accessed, modified or even deleted.

Growing community of inventors

Vienna, VA, United States of America

Kevin T Douglas