Abstract: Execution of software containers is secured using security profiles. A security profile is generated for a container image, wherein the container image includes resources utilized to execute a corresponding application container, wherein the generated security profile includes at least a spawned processes profile, wherein the spawned processes profile includes, for each spawned process executed at runtime by the application container, a signature of an executable file of the spawned process. The operation of a runtime execution of the application container is monitored. A violation of the spawned processes profile is detected based on the monitored operation.

Abstract: Based on analyzing a serverless function associated with a first role, a set of security permissions granted to the serverless function is identified based on the first role and a first attribute of the serverless function. A least privilege role indicating a set of least privilege security permissions for the serverless function is generated based, at least in part, on the first attribute. Based on comparing the least privilege role with the first role, it is determined if the set of security permissions granted to the serverless function is more permissive than the set of least privilege security permissions. Based on determining that the set of security permissions granted to the serverless function is more permissive than the set of least privilege security permissions, the first role is reported as over-permissive.

Abstract: Techniques for providing contextual forensic data based on user activities. A first method includes identifying a user action in user activity data, wherein the user action is a discrete event initiated by a user, wherein the user action is performed with respect to a portion of a system; and correlating the identified user action with at least one system change, wherein the at least one system change is related to the portion of the system, wherein the at least one system change occurred after the user action. A second method includes taking a first snapshot before a user action occurs, wherein the user action is a discrete event initiated by a user, wherein the first snapshot is taken of at least a portion of a system; and taking a second snapshot after the user action occurs, wherein the second snapshot is taken of the at least a portion of the system.

Abstract: A system and methods for protecting a serverless application, the system including: (a) a serverless application firewall configured to inspect input of the serverless function so as to ascertain whether the input contains malicious, suspicious or abnormal data; and (b) a behavioral protection engine configured to monitor behaviors and actions of the serverless functions during execution thereof.

Abstract: Zero trust network security is provided without modifying the underlying network infrastructure. Unique intermediate certificates created based on a primary certificate are sent to each of a plurality of entities. Each entity of the plurality of entities is installed on a respective node of a plurality of nodes in a network environment of a cloud provider. An agent is deployed to each of the plurality of nodes, and the agent is configured to enforce at least one network firewall policy based on the intermediate certificate sent to the corresponding entity.

Abstract: A system facilitates detection of malicious properties of software packages. A generic application which comprises known functionality into which a software package has been included is analyzed through a static analysis and/or dynamic analysis, which is performed based on executing the generic application in a controlled environment. The static analysis and/or dynamic analysis are performed to determine whether one or more properties associated with the software package comprise deviations from the known behavior of the generic application. Behavior deviations identified based on the static and/or dynamic analysis are associated with a score. An aggregate score is calculated for the software package based on the scores which have been assigned to the identified behavior deviations and may be adjusted based on a reputation multiplier determined based on metadata of the software package. If the aggregate score of the software package exceeds a score threshold, the software package is flagged as malicious.

Abstract: A host device and methods for efficient distributed security forensics. The method includes creating, at a host device configured to run a virtualization entity, an event index for the virtualization entity; encoding a plurality of events related to the virtualization entity, wherein each event includes a process having a process path; and updating the event index based on the encoded plurality of events.

Abstract: Methods and systems for identity-based firewall policy evaluation and for encoding entity identifiers for use in identity-based firewall policy evaluation. A packet from a sender entity to a recipient entity is intercepted. A determination is made whether the sender entity is permitted to communicate with the recipient entity according to a firewall policy, wherein the firewall policy indicates a plurality of entity identifiers, and each entity identifier is unique among the plurality of entity identifiers. Rules for communications among the plurality of entities include a list of pairs of entities which are permitted to communicate with each other. The packet is forwarded to the recipient entity when it is determined that the sender entity is permitted to communicate with the recipient entity. At least one mitigation action is performed when it is determined that the recipient entity is not permitted to communicate with the sender entity.

Abstract: A system and method for cloud native virtual machine (VM) runtime protection. The method includes creating a normal behavior model for a cloud native VM by training a machine learning model using a training data set including training activities performed by the cloud native VM, the cloud native VM being configured to provide at least one service, wherein the normal behavior model defines at least one capability of each service based on a set of capabilities for respective known services stored within a library of service-to-capability mappings, wherein each capability of a service indicates a plurality of discrete behaviors required by the service; and monitoring an execution of the cloud native VM to detect a deviation from the normal behavior model, wherein the deviation is caused by at least one abnormal behavior of one of the services that is not among the discrete behaviors defined in capabilities for the service.

Abstract: A system and method for scanning of virtual machine images. The method includes creating a virtual machine instance of a virtual machine based on a virtual machine image of the virtual machine and an application programming interface (API) of an environment in which the virtual machine is to be deployed, wherein the virtual machine image has an entry point such that the virtual machine instance executes the entry point; and replacing the entry point of the virtual machine instance with a lightweight script, wherein the lightweight script is configured to retrieve a static scanner executable, to execute the static scanner executable, and to send results of the scanning.

Abstract: A method for securing a serverless application including: (a) receiving a list of components which make up the serverless application and one or more intended usage flows of the serverless application; (b) creating and applying a security policy for each component of the serverless application, the security policy denying all access requests except from authorized components, wherein the authorized components are selected based on access requirements dictated by the one or more intended usage flows.

Abstract: A system and method for cloud native discovery and protection. The method includes discovering instances of a plurality of cloud assets in a cloud native environment based on a plurality of application programming interface (API) endpoints in the cloud native environment, wherein the plurality of API endpoints is identified based on cloud credentials for each of the plurality of cloud assets; determining at least one cloud asset instance that lacks active security protection based on a configuration of at least one entity deployed in the cloud native environment; and reconfiguring at least a portion of the cloud native environment with respect to the at least one cloud asset instance that lacks active security protection.

Abstract: Execution of software containers is secured using security profiles. A security profile is generated for a container image, wherein the container image includes resources utilized to execute a corresponding application container, wherein the generated security profile includes at least a spawned processes profile, wherein the spawned processes profile includes, for each spawned process executed at runtime by the application container, a signature of an executable file of the spawned process. The operation of a runtime execution of the application container is monitored. A violation of the spawned processes profile is detected based on the monitored operation.

Abstract: A system and method for securing execution environments by quarantining software containers. A method includes: determining, based on configuration data for an application stored in the application software container, at least one intended behavior of the application when executed by the application software container; monitoring execution of the application software container in a first execution environment, wherein the monitoring further comprises comparing the execution of the application software container to the at least one intended behavior; detecting an unauthorized action by the application software container when the execution of the application software container is anomalous as compared to the at least one intended behavior; and quarantining the application software container by migrating the application software container from the first execution environment to a second execution environment when the unauthorized action is detected.

Abstract: A plurality of connection patterns is determined based on connectivity data collected by a plurality of agents. Each agent of the plurality of agents is installed on a respective compute node of a plurality of compute nodes. The connectivity data collected by each agent of the plurality of agents includes node-local connectivity data indicating node-local connections for the respective compute node on which the agent is installed. The node-local connections include communications with at least one application entity hosted by the respective compute node. A graph representation that is organized with respect to the at least one application entity hosted by each of the plurality of compute nodes is generated based on the plurality of connection patterns.

Abstract: The disclosed serverless security access control system leverages static analysis information about application code and runtime information to create and assign on-the-fly transient serverless function roles. A default role can be initially assigned to serverless functions of the application. The default role allows the function to communicate with a security access broker. The access broker accesses least privilege information about an invoked serverless function and then creates and assigns a transient role to the serverless function based on that information. The short life of the role reduces and possibly eliminates the security risk of an over-permissive role. The access broker can update the least privilege information based on updated analysis of the application code and runtime information to allow flexibility and adaptation over executions.

Abstract: A method for securing a serverless application including: (a) receiving a list of components which make up the serverless application and one or more intended usage flows of the serverless application; (b) creating and applying a security policy for each component of the serverless application, the security policy denying all access requests except from authorized components, wherein the authorized components are selected based on access requirements dictated by the one or more intended usage flows.

Abstract: A system and method for discovering vulnerabilities in software packages. A method includes identifying at least one potential source of vulnerability in at least one potentially vulnerable software package of a plurality of software packages, wherein each potential source of vulnerability is a change to one of the at least one potentially vulnerable software package; and identifying at least one vulnerability in the plurality of software packages by selecting and applying at least one vulnerability identification rule to data of each of the at least one potentially vulnerable software package, wherein the at least one vulnerability identification rule for each of the at least one potentially vulnerable software package is selected based on an availability of version identifiers for the potentially vulnerable software package.

Abstract: A system facilitates detection of malicious properties of software packages. A generic application which comprises known functionality into which a software package has been included is analyzed through a static analysis and/or dynamic analysis, which is performed based on executing the generic application in a controlled environment. The static analysis and/or dynamic analysis are performed to determine whether one or more properties associated with the software package comprise deviations from the known behavior of the generic application. Behavior deviations identified based on the static and/or dynamic analysis are associated with a score. An aggregate score is calculated for the software package based on the scores which have been assigned to the identified behavior deviations and may be adjusted based on a reputation multiplier determined based on metadata of the software package. If the aggregate score of the software package exceeds a score threshold, the software package is flagged as malicious.

Abstract: A system and method for cloud native virtual machine (VM) runtime protection. The method includes creating a normal behavior model for a cloud native VM by training a machine learning model using a training data set including a plurality of training activities performed by the cloud native VM, the cloud native VM being configured to provide at least one service, wherein the normal behavior model defines at least one capability of each of the at least one service, wherein each capability of a service indicates a plurality of discrete behaviors required by the service; and monitoring an execution of the cloud native VM to detect a deviation from the normal behavior model, wherein the deviation is caused by at least one abnormal behavior of one of the at least one service that is not among the discrete behaviors defined in the at least one capability for the service.