Patents Assigned to Normalyze, Inc.
- Patent number: 12231434
  Abstract: A computer-implemented method includes detecting occurrence of an event in a cloud environment, obtaining an indication of an identity associated with the event, obtaining an indication of a usage time stamp representing usage time of a privilege in association with the identity for the event, and classifying the privilege into a classification group selected from a plurality of predefined classification groups. Each respective classification group groups a respective set of privileges defined in the cloud environment. The method includes obtaining a grant time stamp representing a grant time of at least one privilege, in the respective set of privileges in the classification group, to the identity and, based on the usage time stamp and the grant time stamp, generating an excessive privilege determination that indicates the classification group includes at least one excessive privilege. The method includes performing a computing action based on the excessive privilege determination.
  Type: Grant
  Filed: July 26, 2024
  Date of Patent: February 18, 2025
  Assignee: Normalyze, Inc.
  Inventors: Yang Zhang, Ajay Agrawal, Ravishankar Ganesh Ithal
- Publication number: 20250036805
  Abstract: The technology disclosed relates to a system and method for detecting risk events in a cloud environment that obtains a set of risk signature definitions and deploys an event log scanner to the cloud environment. The event log scanner is configured to detect instances of candidate risk events in accordance with the set of risk signature definitions based on a scan of an event log and to label each detected instance with a signature identifier that identifies one or more risk signatures that correspond to the detected instance. Result metadata indicative of the detected instances is received and, based on the result metadata, context information associated with the detected instances is obtained based on a cloud infrastructure graph. An output is generated representing a classification of one or more of the detected instances of candidate risk events as a risk event based on the context information relative to the set of risk signature definitions.
  Type: Application
  Filed: July 23, 2024
  Publication date: January 30, 2025
  Applicant: Normalyze, Inc.
  Inventors: Mummoorthy MURUGESAN, Bharath S Kallur, Ravishankar Ganesh ITHAL, Abhinav Singh
- Publication number: 20250036657
  Abstract: The disclosed technology receives a control input identifying a sampling criterion for classifying a data store storing a set of data objects in a computing environment as corresponding to a target data type and deploys one or more scanners configured to select a representative subset of data objects, from the set of data objects, based on the sampling criterion. A scanner result generated by the one or more scanners is received that represents detected instances, in the representative subset of data objects, of one or more pre-defined data patterns of the target data type. A classification result is generated based on a comparison of the number of detected instances of the one or more pre-defined data patterns to a threshold. The classification result represents a classification of the data store as having correspondence to the target data type. A computing action is performed based on the classification result.
  Type: Application
  Filed: June 26, 2024
  Publication date: January 30, 2025
  Applicant: Normalyze, Inc.
  Inventors: Yang ZHANG, Ajay Agrawal, Ravishankar Ganesh ITHAL
- Publication number: 20250039146
  Abstract: The technology disclosed relates to detection of data traffic in computing environments, such as cloud environments. Example systems and methods detect a plurality of workloads in a virtual network in a computing environment and deploy a plurality of probe agents to the plurality of workloads. Each respective probe agent detects network traffic on a respective workload of the plurality of workloads, scans a data packet that is at least one of sent or received by the respective workload, generates a data classification relative to the data packet, and generates a scan result that includes packet payload information and an indication of the data classification. The scan results are received from the plurality of probe agents and a computing action is performed based on the scan results.
  Type: Application
  Filed: July 23, 2024
  Publication date: January 30, 2025
  Applicant: Normalyze, Inc.
  Inventors: Yang ZHANG, Ravishankar Ganesh ITHAL, Ajay Agrawal
- Publication number: 20250039184
  Abstract: A computer-implemented method includes detecting occurrence of an event in a cloud environment, obtaining an indication of an identity associated with the event, obtaining an indication of a usage time stamp representing usage time of a privilege in association with the identity for the event, and classifying the privilege into a classification group selected from a plurality of predefined classification groups. Each respective classification group groups a respective set of privileges defined in the cloud environment. The method includes obtaining a grant time stamp representing a grant time of at least one privilege, in the respective set of privileges in the classification group, to the identity and, based on the usage time stamp and the grant time stamp, generating an excessive privilege determination that indicates the classification group includes at least one excessive privilege. The method includes performing a computing action based on the excessive privilege determination.
  Type: Application
  Filed: July 26, 2024
  Publication date: January 30, 2025
  Applicant: Normalyze, Inc.
  Inventors: Yang ZHANG, Ajay Agrawal, Ravishankar Ganesh ITHAL
- Publication number: 20250039208
  Abstract: The technology disclosed relates to analysis of security posture of a cloud environment that invokes an incremental change detector to perform an infrastructure scan of the cloud environment and return a scan result that identifies one or more changes to one or more infrastructure assets in the cloud environment. The scan result includes, for each particular change in the one or more changes, first information indicative of the particular change. A data scan is constrained to the one or more infrastructure assets having the one or more changes and second information associated with the one or more changes is obtained based on the data scan. A cloud infrastructure graph is updated based on one or more of the first information or the second information. The cloud infrastructure graph defines nodes that represent resources in the cloud environment and edges, between the nodes, that represent relationships between the resources.
  Type: Application
  Filed: October 9, 2024
  Publication date: January 30, 2025
  Applicant: Normalyze, Inc.
  Inventors: Mummoorthy MURUGESAN, Vivek JEYAKUMAR, Ravishankar Ganesh ITHAL
- Publication number: 20250039198
  Abstract: The technology disclosed relates to analysis of security posture of a cloud environment. In particular, the disclosed technology relates to a system and method of risk event detection and remediation. An event is detected in a cloud environment and a pre-defined risk signature is obtained that identifies one or more entities in the cloud environment and represents an instance of a risk event relative to the one or more entities. The pre-defined risk signature includes a reference to a remediation workflow having one or more commands for one or more remediation actions in the cloud environment. The pre-defined risk signature is determined to have a threshold match to the event and, based on the determination that the pre-defined risk signature has a threshold match to the event, the remediation workflow is obtained based on the reference. The one or more commands are executed in the cloud environment.
  Type: Application
  Filed: July 17, 2024
  Publication date: January 30, 2025
  Applicant: Normalyze, Inc.
  Inventors: Mummoorthy MURUGESAN, Kapil Rajendra NEERALGI, Ravishankar Ganesh ITHAL, Abhinav SINGH
- Patent number: 12197618
  Abstract: The technology disclosed relates to analysis of security posture of a cloud environment. A computing system is configured to automatically discover a plurality of databases in the cloud environment and configure an orchestration engine to deploy a plurality of log analyzer microservices on the plurality of databases. Each log analyzer microservice, of the plurality of log analyzer microservices, is configured to scan a respective database log that represents database activities on a respective database of the plurality of databases. Analysis results are received from the plurality of log analyzer microservices. The analysis results represent detection of at least one of a performance criterion or a security criterion in one or more databases of the plurality of databases. An action signal representing the analysis results is generated.
  Type: Grant
  Filed: December 18, 2023
  Date of Patent: January 14, 2025
  Assignee: Normalyze, Inc.
  Inventors: Ajay Agrawal, Yang Zhang
- Publication number: 20240430290
  Abstract: The technology disclosed relates to analysis of data posture of a cloud environment. In particular, the disclosed technology relates to a system and method for analyzing cloud assets, such as storage resources, compute resources, etc., to detect peak signals based on occurrences of sensitive data types or other data classifications in cloud assets. A computing system is configured to access data in a plurality of cloud resources and, on a cloud resource-by-cloud resource basis, attribute a plurality of data sensitivity parameters to the data in a given cloud resource of the plurality of cloud resources, and generate a peak value indicating an appraisal of the data in the given cloud resource based on the plurality of data sensitivity parameters attributed to the data. A graphical interface includes graphical objects configured to visually represent the plurality of cloud resources, the plurality of data sensitivity parameters, and the peak values generated for the plurality of cloud resources.
  Type: Application
  Filed: June 14, 2024
  Publication date: December 26, 2024
  Applicant: Normalyze, Inc.
  Inventors: Ravishankar Ganesh ITHAL, Yang ZHANG, Mummoorthy MURUGESAN, Gautam KANAPARTHI
- Patent number: 12166775
  Abstract: The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to a graphical query builder for generating a subject path signature, for example representing a vulnerability path in the cloud environment. A computer-implemented method includes generating a graphical user interface having configurable node elements and edge elements and, in response to user input on the graphical user interface, configuring the node elements to represent entities in a subject path signature in the cloud environment and the edge elements to represent relationships between the entities in the subject path signature. The method also includes generating a query representing the subject path signature, executing the query to qualify a set of network paths in the cloud environment as conforming to the subject path signature, and outputting query results identifying the qualified set of network paths.
  Type: Grant
  Filed: March 15, 2023
  Date of Patent: December 10, 2024
  Assignee: Normalyze, Inc.
  Inventors: Ravishankar Ganesh Ithal, Mummoorthy Murugesan
- Publication number: 20240394401
  Abstract: The technology disclosed relates to analysis of security posture of a cloud environment. A computing system is configured to automatically discover a plurality of databases in the cloud environment and configure an orchestration engine to deploy a plurality of log analyzer microservices on the plurality of databases. Each log analyzer microservice, of the plurality of log analyzer microservices, is configured to scan a respective database log that represents database activities on a respective database of the plurality of databases. Analysis results are received from the plurality of log analyzer microservices. The analysis results represent detection of at least one of a performance criterion or a security criterion in one or more databases of the plurality of databases. An action signal representing the analysis results is generated.
  Type: Application
  Filed: December 18, 2023
  Publication date: November 28, 2024
  Applicant: Normalyze, Inc.
  Inventors: Ajay Agrawal, Yang ZHANG
- Patent number: 12143410
  Abstract: The technology disclosed relates to analysis of security posture of a cloud environment. In particular, the disclosed technology relates to a system and method for analysis of infrastructure posture of a cloud environment, that include detecting a triggering criterion corresponding to initiation of an update scan of the infrastructure posture of the cloud environment, and invoking an incremental change detector based on the triggering criterion. The incremental change detector is configured to scan the cloud environment and return a scan result that identifies one or more changes to a set of infrastructure assets in the cloud environment within a selected time period. A cloud infrastructure graph is updated based on the one or more changes to the set of infrastructure assets, wherein the cloud infrastructure graph defines nodes that represent resources in the cloud environment and edges, between the nodes, that represent relationships between the resources.
  Type: Grant
  Filed: October 4, 2023
  Date of Patent: November 12, 2024
  Assignee: Normalyze, Inc.
  Inventors: Mummoorthy Murugesan, Vivek Jeyakumar, Ravishankar Ganesh Ithal
- Patent number: 12086043
  Abstract: The technology disclosed relates to resource activity management in a cloud environment. A computer-implemented method includes detecting a plurality of virtual networks in the cloud environment and deploying a plurality of sensors in the plurality of virtual networks using an orchestration engine of the cloud environment. Each sensor, of the plurality of sensors, includes an executable package configured to execute in a respective virtual network, of the plurality of virtual networks, independent of other sensors, of the plurality of sensors, to manage activities in the respective virtual network. The method includes identifying an activity management task to be performed in a particular virtual network of the plurality of virtual networks, sending a task command representing the activity management task to the sensor deployed in the particular virtual network, and receiving an execution result representing execution of the activity management task by the sensor deployed in the particular virtual network.
  Type: Grant
  Filed: June 13, 2023
  Date of Patent: September 10, 2024
  Assignee: Normalyze, Inc.
  Inventors: Nimish Salve, Ajay Agrawal, Yang Zhang
- Patent number: 12052278
  Abstract: The technology disclosed relates to analysis of data posture of a cloud environment. In particular, the disclosed technology relates to a system and method for analyzing cloud assets, such as storage resources, compute resources, etc., to detect peak signals based on occurrences of sensitive data types or other data classifications in the cloud assets. A system for prioritized presentation of high-value cloud resources susceptible to cloud security risks includes a processor, a display, and memory accessible by the processor and executable to, on a cloud resource-by-cloud resource basis, analyze data in a given cloud resource, and attribute a plurality of data sensitivity parameters to the data in the given cloud resource, and a peak value indicating an appraisal of the data in the given cloud resource. A graphical interface includes graphical objects configured to display the given cloud resource, the plurality of data sensitivity parameters, and the peak value.
  Type: Grant
  Filed: September 6, 2023
  Date of Patent: July 30, 2024
  Assignee: Normalyze, Inc.
  Inventors: Ravishankar Ganesh Ithal, Yang Zhang, Mummoorthy Murugesan, Gautam Kanaparthi
- Publication number: 20240195821
  Abstract: The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to accessing permissions data and access control data for pairs of compute resources and storage resources, tracing network communication paths between the pairs of the compute resources and the storage resources based on the permissions data and the access control data, accessing sensitivity classification data for objects in the storage resources, and qualifying a subset of the pairs of the compute resources and the storage resources as vulnerable to breach attack based on an evaluation of the permissions data, the access control data, and the sensitivity classification data against at least one risk criterion. A representation of propagation of the breach attack along the network communication paths is generated, the representation identifying relationships between the subset of the pairs of the compute resources and the storage resources.
  Type: Application
  Filed: February 19, 2024
  Publication date: June 13, 2024
  Applicant: Normalyze, Inc.
  Inventors: Ravishankar Ganesh ITHAL, Yang ZHANG, Mummoorthy MURUGESAN
- Patent number: 11943241
  Abstract: A system for streamlined analysis of access sub-networks in a cloud environment is disclosed. The system comprises memory storing access sub-networks in a cloud environment between a plurality of resources and a plurality of users, memory storing user-to-role mappings for roles assigned to the plurality of users, and accumulation logic having access to the access sub-networks and to the user-to-role mappings. The accumulation logic is configured to traverse the access sub-networks to build a number U user-to-resource mappings between the plurality of users and the plurality of resources, and evaluate the U user-to-resource mappings against the user-to-role mappings to accumulate a number R role-to-resource mappings between the roles and the plurality of resources.
  Type: Grant
  Filed: March 1, 2023
  Date of Patent: March 26, 2024
  Assignee: Normalyze, Inc.
  Inventors: Ravishankar Ganesh Ithal, Yang Zhang, Mummoorthy Murugesan
- Patent number: 11943240
  Abstract: The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to accessing permissions data and access control data for pairs of compute resources and storage resources in the cloud environment, tracing network communication paths between the pairs of the compute resources and the storage resources based on the permissions data and the access control data, accessing sensitivity classification data for objects in the storage resources, qualifying a subset of the pairs of the compute resources and the storage resources as vulnerable to breach attack based on an evaluation of the permissions data, the access control data, and the sensitivity classification data against a set risk criterion, and generating a representation of propagation of the breach attack along the network communication paths, the representation identifying relationships between the subset of the pairs of the compute resources and the storage resources.
  Type: Grant
  Filed: December 28, 2022
  Date of Patent: March 26, 2024
  Assignee: Normalyze, Inc.
  Inventors: Ravishankar Ganesh Ithal, Yang Zhang, Mummoorthy Murugesan
- Publication number: 20240098101
  Abstract: The technology disclosed relates to a computing system configured to execute a cloud scanner in a cloud environment to discover one or more data stores in the cloud environment and return metadata representing a data schema of data objects in the one or more data stores, traverse the data objects in the one or more data stores based on the metadata to identify a plurality of data items, execute a content-based data classifier against the plurality of data items to identify a set of data items, in the plurality of data items, as conforming to one or more data profiles, and generate a graphical interface including one or more graphical objects configured to display a representation of the one or more data profiles, wherein the graphical interface is configured to filter the plurality of data items based on a selected data profile selected from the one or more data profiles.
  Type: Application
  Filed: November 28, 2023
  Publication date: March 21, 2024
  Applicant: Normalyze, Inc.
  Inventors: Ravishankar Ganesh ITHAL, Yang Zhang
- Patent number: 11886610
  Abstract: The technology disclosed relates to analysis of security posture of a cloud environment. In particular, the disclosed technology relates to a system and method that detects a triggering criterion and, in response to the triggering criterion, automatically discovers a plurality of databases in the cloud environment. An orchestration engine is configured to deploy a plurality of log analyzer microservices on the plurality of databases, each log analyzer microservice, of the plurality of log analyzer microservices, being configured to scan a respective database log that represents database activities on a respective database of the plurality of databases. Analysis results are received from the plurality of log analyzer microservices; the analysis results represent detection of at least one of a performance criterion or a security criterion in one or more databases of the plurality of databases. An action signal representing the analysis results is generated.
  Type: Grant
  Filed: June 8, 2023
  Date of Patent: January 30, 2024
  Assignee: Normalyze, Inc.
  Inventors: Ajay Agrawal, Yang Zhang
- Patent number: 11876813
  Abstract: The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to a data schema detection system that uses a content-based data classifier to classify data items in a cloud environment. A computer-implemented method includes accessing a data store in the cloud environment and obtaining metadata representing a structure of schema objects in the data store. The method includes executing, based on the metadata, a content-based data classifier to classify data items in the schema objects and outputting a classifier result that represents the classification of the data in the schema objects.
  Type: Grant
  Filed: September 7, 2022
  Date of Patent: January 16, 2024
  Assignee: Normalyze, Inc.
  Inventors: Ravishankar Ganesh Ithal, Yang Zhang