Abstract: A service prevents attacks carried out through container escape for silo-based containers. A callback is registered for a function(s) that may be invoked from inside a container and returns an object handle(s). The callback, when triggered by invocation of the function(s), executes for determination of whether requests for access to objects via their handles are issued by suspicious processes. Access to CExecSvc.exe is restricted for processes that request a handle for CExecSvc.exe and are determined to be associated with a container themselves. Processes that escape their container through a technique that evades detection are also blocked from accessing the host system. When a process requests access to an object via invocation of a function that returns a handle, the callback executes for determination of whether the process but not the requested object is associated with a container, in which case the service restricts the process' access to the host system.

Abstract: Techniques for providing contextual forensic data based on user activities. A first method includes identifying a user action in user activity data, wherein the user action is a discrete event initiated by a user, wherein the user action is performed with respect to a portion of a system; and correlating the identified user action with at least one system change, wherein the at least one system change is related to the portion of the system, wherein the at least one system change occurred after the user action. A second method includes taking a first snapshot before a user action occurs, wherein the user action is a discrete event initiated by a user, wherein the first snapshot is taken of at least a portion of a system; and taking a second snapshot after the user action occurs, wherein the second snapshot is taken of the at least a portion of the system.

Abstract: Zero trust network security is provided without modifying the underlying network infrastructure. Unique intermediate certificates created based on a primary certificate are sent to each of a plurality of entities. Each entity of the plurality of entities is installed on a respective node of a plurality of nodes in a network environment of a cloud provider. An agent is deployed to each of the plurality of nodes, and the agent is configured to enforce at least one network firewall policy based on the intermediate certificate sent to the corresponding entity.

Abstract: Methods and systems for identity-based firewall policy evaluation and for encoding entity identifiers for use in identity-based firewall policy evaluation. A packet from a sender entity to a recipient entity is intercepted. A determination is made whether the sender entity is permitted to communicate with the recipient entity according to a firewall policy, wherein the firewall policy indicates a plurality of entity identifiers, and each entity identifier is unique among the plurality of entity identifiers. Rules for communications among the plurality of entities include a list of pairs of entities which are permitted to communicate with each other. The packet is forwarded to the recipient entity when it is determined that the sender entity is permitted to communicate with the recipient entity. At least one mitigation action is performed when it is determined that the recipient entity is not permitted to communicate with the sender entity.

Abstract: A system and method for cloud native virtual machine (VM) runtime protection. The method includes creating a normal behavior model for a cloud native VM by training a machine learning model using a training data set including training activities performed by the cloud native VM, the cloud native VM being configured to provide at least one service, wherein the normal behavior model defines at least one capability of each service based on a set of capabilities for respective known services stored within a library of service-to-capability mappings, wherein each capability of a service indicates a plurality of discrete behaviors required by the service; and monitoring an execution of the cloud native VM to detect a deviation from the normal behavior model, wherein the deviation is caused by at least one abnormal behavior of one of the services that is not among the discrete behaviors defined in capabilities for the service.

Abstract: A host device and methods for efficient distributed security forensics. The method includes creating, at a host device configured to run a virtualization entity, an event index for the virtualization entity; encoding a plurality of events related to the virtualization entity, wherein each event includes a process having a process path; and updating the event index based on the encoded plurality of events.

Abstract: Methods and systems for identity-based firewall policy evaluation and for encoding entity identifiers for use in identity-based firewall policy evaluation. A packet from a sender entity to a recipient entity is intercepted. A determination is made whether the sender entity is permitted to communicate with the recipient entity according to a firewall policy, wherein the firewall policy indicates a plurality of entity identifiers, and each entity identifier is unique among the plurality of entity identifiers. Rules for communications among the plurality of entities include a list of pairs of entities which are permitted to communicate with each other. The packet is forwarded to the recipient entity when it is determined that the sender entity is permitted to communicate with the recipient entity. At least one mitigation action is performed when it is determined that the recipient entity is not permitted to communicate with the sender entity.

Abstract: A system has been designed that examines details of a security advisory against informal vulnerability records. The system generates a vulnerability match confidence value based on comparison of different details in the security advisory against the informal vulnerability records. Based on the comparisons, the system determines similarity of different details between the security advisory and the informal vulnerability records and cumulatively updates a vulnerability match confidence value with various detail similarity weights according to the determined similarities. Based on the vulnerability match confidence value, the system can classify or designate a security advisory for automatic merging or for manual examination. This reduces the burden on cybersecurity personnel and allows cybersecurity personnel to focus their limited resources on analyzing new vulnerabilities.

Abstract: A system and method for scanning of virtual machine images. The method includes creating a virtual machine instance of a virtual machine based on a virtual machine image of the virtual machine and an application programming interface (API) of an environment in which the virtual machine is to be deployed, wherein the virtual machine image has an entry point such that the virtual machine instance executes the entry point; and replacing the entry point of the virtual machine instance with a lightweight script, wherein the lightweight script is configured to retrieve a static scanner executable, to execute the static scanner executable, and to send results of the scanning.

Abstract: A system and method for cloud native virtual machine (VM) runtime protection. The method includes creating a normal behavior model for a cloud native VM by training a machine learning model using a training data set including training activities performed by the cloud native VM, the cloud native VM being configured to provide at least one service, wherein the normal behavior model defines at least one capability of each service based on a set of capabilities for respective known services stored within a library of service-to-capability mappings, wherein each capability of a service indicates a plurality of discrete behaviors required by the service; and monitoring an execution of the cloud native VM to detect a deviation from the normal behavior model, wherein the deviation is caused by at least one abnormal behavior of one of the services that is not among the discrete behaviors defined in capabilities for the service.

Abstract: A system and method for scanning of virtual machine images. The method includes creating a virtual machine instance of a virtual machine based on a virtual machine image of the virtual machine and an application programming interface (API) of an environment in which the virtual machine is to be deployed, wherein the virtual machine image has an entry point such that the virtual machine instance executes the entry point; and replacing the entry point of the virtual machine instance with a lightweight script, wherein the lightweight script is configured to retrieve a static scanner executable, to execute the static scanner executable, and to send results of the scanning.

Abstract: A service prevents attacks carried out through container escape for silo-based containers. A callback is registered for a function(s) that may be invoked from inside a container and returns an object handle(s). The callback, when triggered by invocation of the function(s), executes for determination of whether requests for access to objects via their handles are issued by suspicious processes. Access to CExecSvc.exe is restricted for processes that request a handle for CExecSvc.exe and are determined to be associated with a container themselves. Processes that escape their container through a technique that evades detection are also blocked from accessing the host system. When a process requests access to an object via invocation of a function that returns a handle, the callback executes for determination of whether the process but not the requested object is associated with a container, in which case the service restricts the process' access to the host system.

Abstract: Execution of software containers is secured using security profiles. A security profile is generated for a container image, wherein the container image includes resources utilized to execute a corresponding application container, wherein the generated security profile includes at least a spawned processes profile, wherein the spawned processes profile includes, for each spawned process executed at runtime by the application container, a signature of an executable file of the spawned process. The operation of a runtime execution of the application container is monitored. A violation of the spawned processes profile is detected based on the monitored operation.

Abstract: A system and method for cloud native discovery and protection. The method includes discovering instances of a plurality of cloud assets in a cloud native environment based on a plurality of application programming interface (API) endpoints in the cloud native environment, wherein the plurality of API endpoints is identified based on cloud credentials for each of the plurality of cloud assets; determining at least one cloud asset instance that lacks active security protection based on a configuration of at least one entity deployed in the cloud native environment; and reconfiguring at least a portion of the cloud native environment with respect to the at least one cloud asset instance that lacks active security protection.

Abstract: Execution of software containers is secured using security profiles. A security profile is generated for a container image, wherein the container image includes resources utilized to execute a corresponding application container, wherein the generated security profile includes at least a spawned processes profile, wherein the spawned processes profile includes, for each spawned process executed at runtime by the application container, a signature of an executable file of the spawned process. The operation of a runtime execution of the application container is monitored. A violation of the spawned processes profile is detected based on the monitored operation.

Abstract: A configuration of a cloud application exposed via a public IP address is duplicated with modifications to include a private IP address to expose the application internally. The original configuration is updated so that external network traffic sent to the application is redirected to and distributed across agents running on nodes of a cloud cluster by which web application firewalls (WAFs) are implemented. A set of agents for which the respective WAFs should inspect the redirected network traffic are selected based on cluster metrics, such as network and resource utilization metrics. The redirected network traffic targets a port allocated to the agents that is unique to the application, where ports are allocated on a per-application basis so each of the agents can support WAF protection for multiple applications. Network traffic which a WAF allows to pass is directed from the agent to the application via its private IP address.

Abstract: A system and method for securing execution environments by quarantining software containers. A method includes: determining, based on configuration data for an application stored in the application software container, at least one intended behavior of the application when executed by the application software container; monitoring execution of the application software container in a first execution environment, wherein the monitoring further comprises comparing the execution of the application software container to the at least one intended behavior; detecting an unauthorized action by the application software container when the execution of the application software container is anomalous as compared to the at least one intended behavior; and quarantining the application software container by migrating the application software container from the first execution environment to a second execution environment when the unauthorized action is detected.

Abstract: A configuration of a cloud application exposed via a public IP address is duplicated with modifications to include a private IP address to expose the application internally. The original configuration is updated so that external network traffic sent to the application is redirected to and distributed across agents running on nodes of a cloud cluster by which web application firewalls (WAFs) are implemented. A set of agents for which the respective WAFs should inspect the redirected network traffic are selected based on cluster metrics, such as network and resource utilization metrics. The redirected network traffic targets a port allocated to the agents that is unique to the application, where ports are allocated on a per-application basis so each of the agents can support WAF protection for multiple applications. Network traffic which a WAF allows to pass is directed from the agent to the application via its private IP address.

Abstract: A cybersecurity appliance monitoring application traffic to a web application programming interface (API) dynamically updates tree structures for the web API using the application traffic. An API tree generator generates batches of API trees from paths indicated in the application traffic. An API tree merger/pruner updates the generated batches of API trees with various merging, pruning, compacting, and malicious detection operations on the generated batches of API trees. The cybersecurity appliance implements the updated API trees with an API agent that filters the application traffic prior to processing by the web API.

Abstract: A plurality of connection patterns is determined based on connectivity data collected by a plurality of agents. Each agent of the plurality of agents is installed on a respective compute node of a plurality of compute nodes. The connectivity data collected by each agent of the plurality of agents includes node-local connectivity data indicating node-local connections for the respective compute node on which the agent is installed. The node-local connections include communications with at least one application entity hosted by the respective compute node. A graph representation that is organized with respect to the at least one application entity hosted by each of the plurality of compute nodes is generated based on the plurality of connection patterns.