Patents Assigned to Twistlock, Ltd.
  • Publication number: 20220058050
    Abstract: A host device and methods for efficient distributed security forensics. The method includes creating, at a host device configured to run a virtualization entity, an event index for the virtualization entity; encoding a plurality of events related to the virtualization entity, wherein each event includes a process having a process path; and updating the event index based on the encoded plurality of events.
    Type: Application
    Filed: October 15, 2021
    Publication date: February 24, 2022
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Dima STOPEL, Ami BIZAMCHER, Michael KLETSELMAN, John MORELLO
  • Publication number: 20220046051
    Abstract: A method and system for protecting an application from unsecure network exposure. The method includes identifying an at-risk application, wherein identifying the at-risk application further comprises determining that the application is configured incorrectly; identifying at least one port through which the at-risk application is accessible when the at-risk application is determined to be configured incorrectly; and determining, based on the identified at least one port through which the at-risk application is accessible, whether an exposure vulnerability exists, wherein the exposure vulnerability is an unapproved exposure of at least one of the at least one port to external resources.
    Type: Application
    Filed: October 20, 2021
    Publication date: February 10, 2022
    Applicant: Twistlock, Ltd.
    Inventors: Dima STOPEL, Liron LEVIN, Daniel SHAPIRA, Nitsan BEN NUN, John MORELLO
  • Publication number: 20220038423
    Abstract: Systems and methods for learning behavioral activity correlations. A method includes intercepting a plurality of requests, wherein each of the plurality of requests is directed to a respective destination entity of a plurality of destination entities; creating a request queue by queueing the plurality of requests; inspecting contents of the plurality of requests; separately forwarding each intercepted request to its respective destination entity based on the request queue; monitoring runtime output of each of the plurality of destination entities, wherein the runtime output includes behavioral activities of the plurality of destination entities; and training a machine learning model based on the contents of the plurality of requests and the runtime output of each of the plurality of destination entities, wherein the machine learning model is trained to output request-output correlations between groups of requests and subsequent behavioral activities.
    Type: Application
    Filed: July 28, 2020
    Publication date: February 3, 2022
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Isaac SCHNITZER, Ory SEGAL, Dima STOPEL
  • Publication number: 20220029988
    Abstract: Systems and methods for zero trust network security. A method includes sending a unique intermediate certificate authority (CA) certificate to each of a plurality of entities, wherein each entity of the plurality of entities is installed on a respective node of a plurality of nodes in a network environment; and causing deployment of an agent on each of the plurality of nodes, each agent corresponding to the entity installed on the same node as the agent is configured to enforce at least one network firewall policy based on the intermediate CA certificate sent to the corresponding entity.
    Type: Application
    Filed: July 27, 2020
    Publication date: January 27, 2022
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Eran YANAY, Dima STOPEL
  • Publication number: 20220021648
    Abstract: Methods and systems for identity-based firewall policy evaluation and for encoding entity identifiers for use in identity-based firewall policy evaluation. A method includes intercepting a packet from a sender entity to a recipient entity; determining whether the sender entity is permitted to communicate with the recipient entity according to a firewall policy, wherein the firewall policy indicates a plurality of entity identifiers, wherein each entity identifier is unique among the plurality of entity identifiers, wherein the rules for communications among the plurality of entities include a list of pairs of entities which are permitted to communicate with each other; forwarding the packet to the recipient entity when it is determined that the sender entity is permitted to communicate with the recipient entity; and performing at least one mitigation action when it is determined that the recipient entity is not permitted to communicate with the sender entity.
    Type: Application
    Filed: July 16, 2020
    Publication date: January 20, 2022
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Eran YANAY, Dima STOPEL
  • Publication number: 20220019452
    Abstract: A system and method for scanning of virtual machine images. The method includes creating a virtual machine instance of a virtual machine based on a virtual machine image of the virtual machine and an application programming interface (API) of an environment in which the virtual machine is to be deployed, wherein the virtual machine image has an entry point such that the virtual machine instance executes the entry point; and replacing the entry point of the virtual machine instance with a lightweight script, wherein the lightweight script is configured to retrieve a static scanner executable, to execute the static scanner executable, and to send results of the scanning.
    Type: Application
    Filed: July 16, 2020
    Publication date: January 20, 2022
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Eran YANAY, Gilad ASTRIN, Dima STOPEL
  • Publication number: 20220014563
    Abstract: A system and method for cloud native discovery and protection. The method includes discovering instances of a plurality of cloud assets in a cloud native environment based on a plurality of application programming interface (API) endpoints in the cloud native environment, wherein the plurality of API endpoints is identified based on cloud credentials for each of the plurality of cloud assets; determining at least one cloud asset instance that lacks active security protection based on a configuration of at least one entity deployed in the cloud native environment; and reconfiguring at least a portion of the cloud native environment with respect to the at least one cloud asset instance that lacks active security protection.
    Type: Application
    Filed: September 24, 2021
    Publication date: January 13, 2022
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Michael KLETSELMAN, Dima STOPEL, John MORELLO, Itay ABRAMOWSKY, Ami BIZAMCHER
  • Patent number: 11184382
    Abstract: A method and system for protecting an application from unsecure network exposure. The method includes identifying at least one port through which the application is accessible when the application is not configured correctly, wherein the application is executed at a host device connected to at least one network, the host device having the at least one port; sending, to an external resource, connection data for connecting to the application via the at least one port, wherein the external resource is configured to attempt to connect to the application based on the connection data and to return results of the connection attempt; determining, based on the results of the connection attempt, whether an exposure vulnerability exists; and performing at least one mitigation action when an exposure vulnerability exists.
    Type: Grant
    Filed: October 17, 2018
    Date of Patent: November 23, 2021
    Assignee: Twistlock, LTD.
    Inventors: Dima Stopel, Liron Levin, Daniel Shapira, Nitsan Ben Nun, John Morello
  • Patent number: 11175945
    Abstract: A host device and methods for efficient distributed security forensics. The method includes creating, at a first host device configured to run a first virtualization entity, a first event index for the first virtualization entity; encoding at least one event related to the first virtualization entity, wherein each event includes a process having a process path, wherein encoding the at least one event includes replacing at least a portion of each event with at least one code representing at least the process path of the respective process; updating the first event index based on the encoded at least one event; and sending the first event index to a master console, wherein the master console is configured to receive a plurality of event indices created by a plurality of host devices with respect to a plurality of virtualization entities.
    Type: Grant
    Filed: June 10, 2020
    Date of Patent: November 16, 2021
    Assignee: Twistlock, Ltd.
    Inventors: Liron Levin, Dima Stopel, Ami Bizamcher, Michael Kletselman, John Morello
  • Patent number: 11159570
    Abstract: A system and method for cloud native discovery and protection. The method includes identifying a plurality of cloud assets in a cloud native environment based on cloud credentials for each of the plurality of cloud assets; determining at least one cloud asset instance that lacks active security protection based on a configuration of at least one of: each of the at least one cloud asset, and at least one security solution deployed in the cloud native environment, wherein each cloud asset instance is an instance of one of the plurality of cloud assets; and reconfiguring at least a portion of the cloud native environment with respect to the at least one cloud asset instance that lacks active security protection.
    Type: Grant
    Filed: December 26, 2018
    Date of Patent: October 26, 2021
    Assignee: Twistlock, Ltd.
    Inventors: Liron Levin, Michael Kletselman, Dima Stopel, John Morello, Itay Abramowsky, Ami Bizamcher
  • Patent number: 11102220
    Abstract: A method and system for runtime detection of botnets in containerized environments. The method includes creating a domain name system (DNS) policy for a software container, wherein the DNS policy defines at least a plurality of allowed domain names for the software container, wherein the DNS policy is created based on historical DNS queries by the software container; detecting a botnet based on traffic to and from the software container, wherein the botnet is detected when at least a portion of the traffic does not comply with the DNS policy, wherein the botnet is implemented via communication with a bot executed in the software container; and blocking at least one DNS query in the at least a portion of traffic, wherein each blocked DNS query is to a domain having a domain name that does not match any of the plurality of allowed domain names for the software container.
    Type: Grant
    Filed: December 10, 2018
    Date of Patent: August 24, 2021
    Assignee: Twistlock, Ltd.
    Inventors: Liron Levin, Dima Stopel, John Morello
  • Patent number: 11068585
    Abstract: A system and method for securing execution of software containers using security profiles. The method includes exporting a container image to a host device from a container image source, wherein the container image includes resources utilized to execute a corresponding application container; generating a security profile for the container image, wherein the generated security profile indicates at least a list of permissible filesystem actions, wherein each permissible filesystem action is an action performed with respect to at least one filesystem resource; monitoring an operation of a runtime execution of the application container; and detecting a violation of the security profile based on the monitored operation.
    Type: Grant
    Filed: February 20, 2020
    Date of Patent: July 20, 2021
    Assignee: TWISTLOCK, Ltd.
    Inventors: Liron Levin, Dima Stopel, Eran Yanay
  • Publication number: 20210209227
    Abstract: A system and method for defending an application configured to invoke anonymous functions. The method includes analyzing the application to determine at least one branch of the application, wherein each branch is an instruction that deviates from a default behavior of the application; identifying a potential threat branch based on the at least one branch of the application and an anonymous function, the potential threat branch including a call to an anonymous function; and creating a secured instance of the application, wherein creating the secured instance of the application further comprises embedding a policy within the anonymous function of the identified potential threat branch.
    Type: Application
    Filed: March 8, 2021
    Publication date: July 8, 2021
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Dima STOPEL, John MORELLO
  • Publication number: 20210192058
    Abstract: A method for securing execution of software containers using security profiles. The method includes generating a security profile for a container image, wherein the container image includes resources utilized to execute a corresponding application container, wherein the generated security profile includes at least a spawned processes profile, wherein the spawned processes profile includes, for each spawned process executed at runtime by the application container, a signature of an executable file of the spawned process; monitoring the operation of a runtime execution of the application container; and detecting a violation of the spawned processes profile based on the monitored operation.
    Type: Application
    Filed: March 8, 2021
    Publication date: June 24, 2021
    Applicant: Twistlock, Ltd.
    Inventors: Dima STOPEL, Liron LEVIN
  • Patent number: 11036534
    Abstract: A system and method for serverless runtime application self-protection.
    Type: Grant
    Filed: September 27, 2018
    Date of Patent: June 15, 2021
    Assignee: TWISTLOCK, Ltd.
    Inventors: Liron Levin, Dima Stopel, Michael Velbaum, Alon Adler, Michael Kletselman, John Morello
  • Publication number: 20210165887
    Abstract: A system and method for securing execution environments by quarantining software containers. A method includes: determining, based on configuration data for an application stored in an application software container, at least one intended behavior of the application when executed by the application software container; monitoring execution of the application software container in a first execution environment, wherein the monitoring further comprises comparing the execution of the application software container to the at least one intended behavior; detecting an unauthorized action by the application software container when the execution of the application software container is anomalous as compared to the at least one intended behavior; and quarantining the application software container by migrating the application software container from the first execution environment to a second execution environment when the unauthorized action is detected.
    Type: Application
    Filed: February 12, 2021
    Publication date: June 3, 2021
    Applicant: Twistlock, Ltd.
    Inventors: John MORELLO, Dima STOPEL, Liron LEVIN
  • Patent number: 10943014
    Abstract: A method for securing execution of software containers using security profiles. The method comprises receiving an event indicating that a container image requires profiling, wherein the container image includes resources utilized to execute a corresponding application container; generating a security profile for the container image, wherein the generated security profile includes at least a spawned processes profile, wherein the security profile is of the container image corresponding to the application container; monitoring the operation of a runtime execution of the application container; and detecting a violation of the spawned processes profile based on the monitored operation.
    Type: Grant
    Filed: January 3, 2017
    Date of Patent: March 9, 2021
    Assignee: Twistlock, Ltd
    Inventors: Dima Stopel, Liron Levin
  • Patent number: 10943007
    Abstract: A system and method for defending an application configured to invoke anonymous functions. The method includes analyzing the application to determine at least one branch of the application, wherein each branch is an instruction that deviates from a default behavior of the application; identifying, based on the at least one branch of the application and at least one first anonymous function, at least one potential threat branch, each potential threat branch including a call to one of the at least one first anonymous function; and rewiring at least one first function call of the application to create a secured instance of the application, wherein each of the at least one first function call is to one of the at least one first anonymous function prior to rewiring.
    Type: Grant
    Filed: September 18, 2018
    Date of Patent: March 9, 2021
    Assignee: Twistlock, Ltd
    Inventors: Liron Levin, Dima Stopel, John Morello
  • Patent number: 10922418
    Abstract: A system and method for runtime detection of vulnerabilities in an application software container that is configured to execute an application.
    Type: Grant
    Filed: May 9, 2018
    Date of Patent: February 16, 2021
    Assignee: Twistlock, Ltd.
    Inventors: John Morello, Dima Stopel, Liron Levin
  • Patent number: 10915628
    Abstract: A system and method for detecting vulnerabilities in software containers at runtime are provided. The method includes monitoring events triggered as a result of changes to an application layer of a software container; based on the monitored events, determining if at least one file has been changed; upon determination that at least one file has been changed, scanning the at least one file to detect at least one type of vulnerability; and upon determination of at least one type of known vulnerability, generating a detection event.
    Type: Grant
    Filed: September 28, 2016
    Date of Patent: February 9, 2021
    Assignee: Twistlock, Ltd.
    Inventors: Dima Stopel, Ben Bernstein