Patents Assigned to Twistlock, Ltd.
  • Publication number: 20200382544
    Abstract: Techniques for providing contextual forensic data based on user activities. A first method includes identifying a user action in user activity data, wherein the user action is a discrete event initiated by a user, wherein the user action is performed with respect to a portion of a system; and correlating the identified user action with at least one system change, wherein the at least one system change is related to the portion of the system, wherein the at least one system change occurred after the user action. A second method includes taking a first snapshot before a user action occurs, wherein the user action is a discrete event initiated by a user, wherein the first snapshot is taken of at least a portion of a system; and taking a second snapshot after the user action occurs, wherein the second snapshot is taken of the at least a portion of the system.
    Type: Application
    Filed: May 29, 2019
    Publication date: December 3, 2020
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Michael KLETSELMAN, Ami BIZAMCHER, Dima STOPEL, John MORELLO
  • Patent number: 10796023
    Abstract: A system and method for maintaining image integrity in a containerized environment. Image layers of a software container are scanned for metadata. The metadata is indexed and contextual metadata is added. Execution of the containerized environment is monitored to detect new image layers being executed. Integrity of images in the environment is maintained based on integrity rules and the metadata of each image layer. The integrity rules ensure image integrity by ensuring that pulled images are composed from trusted images, image layers are pushed by trusted users, image layers do not include potential vulnerabilities, and image layers do not override specific file paths. Trusted image layers may be automatically detected using a machine learning model trained based on historical image layer metadata.
    Type: Grant
    Filed: July 3, 2018
    Date of Patent: October 6, 2020
    Assignee: Twistlock, Ltd.
    Inventors: Liron Levin, John Morello, Dima Stopel
  • Publication number: 20200301728
    Abstract: A host device and methods for efficient distributed security forensics. The method includes creating, at a first host device configured to run a first virtualization entity, a first event index for the first virtualization entity; encoding at least one event related to the first virtualization entity, wherein each event includes a process having a process path, wherein encoding the at least one event includes replacing at least a portion of each event with at least one code representing at least the process path of the respective process; updating the first event index based on the encoded at least one event; and sending the first event index to a master console, wherein the master console is configured to receive a plurality of event indices created by a plurality of host devices with respect to a plurality of virtualization entities.
    Type: Application
    Filed: June 10, 2020
    Publication date: September 24, 2020
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Dima STOPEL, Ami BIZAMCHER, Michael KLETSELMAN, John MORELLO
  • Patent number: 10778446
    Abstract: A method and system for detecting vulnerable root certificates in container images are provided. The method includes receiving an event to scan at least one container image hosted in a host device, wherein the at least one container image includes resources utilized to execute, by the host device, at least a respective software application container; extracting contents of layers of the at least one container image; scanning the extracted contents to generate a first list designating all root certificates included in the at least one container image; generating a second list designating all root certificates trusted by the host device; comparing the first list to the second list to detect at least one root certificate designated in the first list but not in the second; and determining the at least one detected root certificate as vulnerable.
    Type: Grant
    Filed: February 16, 2017
    Date of Patent: September 15, 2020
    Assignee: Twistlock, Ltd.
    Inventors: Dima Stopel, John Morello, Liron Levin
  • Publication number: 20200271774
    Abstract: A system and method for radar visualization of a cloud native environment. The method includes determining a plurality of connection patterns based on connectivity data collected by a plurality of agents, wherein each agent of the plurality of agents is installed on a respective compute node of a plurality of compute nodes, wherein the connectivity data collected by each agent of the plurality of agents includes node-local connectivity data indicating node-local connections for the respective compute node on which the agent is installed, wherein the node-local connections include communications with at least one application entity hosted by the respective compute node; and generating, based on the plurality of connection patterns, a topological graph, wherein the topological graph is organized with respect to the at least one application entity hosted by each of the plurality of compute nodes.
    Type: Application
    Filed: February 27, 2019
    Publication date: August 27, 2020
    Applicant: Twistlock, Ltd.
    Inventors: John MORELLO, Dima STOPEL, Liron LEVIN, Nerya AGAM, Reut KRAVCHOOK
  • Patent number: 10740135
    Abstract: A host device and method for efficient distributed security forensics. The method includes creating, at a first host device configured to run a first virtualization entity, a first event index for the first virtualization entity; encoding at least one event related to the first virtualization entity; updating the first event index based on the encoded at least one event; and sending the first event index to a master console, wherein the master console is configured to receive a plurality of event indices created by a plurality of host devices with respect to a plurality of virtualization entities.
    Type: Grant
    Filed: September 27, 2018
    Date of Patent: August 11, 2020
    Assignee: Twistlock, Ltd.
    Inventors: Liron Levin, Dima Stopel, Ami Bizamcher, Michael Kletselman, John Morello
  • Patent number: 10719612
    Abstract: A system and method for detecting vulnerabilities in base images of software containers are disclosed. The method includes receiving an event indicating that at least one base image should be scanned for vulnerabilities, each base image including at least one image layer, wherein the event designates at least one source of the at least one base image, wherein the at least one base image includes resources utilized to execute at least a software container; extracting contents of each image layer of each base image; scanning the extracted contents to detect at least one vulnerability; and generating a detection event when the at least one vulnerability is detected.
    Type: Grant
    Filed: December 17, 2018
    Date of Patent: July 21, 2020
    Assignee: Twistlock, Ltd.
    Inventors: Dima Stopel, Ben Bernstein
  • Patent number: 10706145
    Abstract: A system and method for detecting vulnerabilities in software containers at runtime are provided. The method includes intercepting a request to instantiate a new software container in a first execution environment; creating a second execution environment; migrating the new software container from the first execution environment to the second execution environment for execution therein; monitoring the operation of the new software container in the second execution environment to detect at least one unauthorized action; and, upon detection of the at least one unauthorized action, generating a detection event identifying at least a type of vulnerability associated with the detected unauthorized action.
    Type: Grant
    Filed: September 28, 2016
    Date of Patent: July 7, 2020
    Assignee: TWISTLOCK, LTD.
    Inventors: Dima Stopel, Ben Bernstein
  • Publication number: 20200213357
    Abstract: A system and method for cloud native discovery and protection. The method includes identifying a plurality of cloud assets in a cloud native environment based on cloud credentials for each of the plurality of cloud assets; determining at least one cloud asset instance that lacks active security protection based on a configuration of at least one of: each of the at least one cloud asset, and at least one security solution deployed in the cloud native environment, wherein each cloud asset instance is an instance of one of the plurality of cloud assets; and reconfiguring at least a portion of the cloud native environment with respect to the at least one cloud asset instance that lacks active security protection.
    Type: Application
    Filed: December 26, 2018
    Publication date: July 2, 2020
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Michael KLETSELMAN, Dima STOPEL, John MORELLO, Itay ABRAMOWSKY, Ami BIZAMCHER
  • Publication number: 20200213320
    Abstract: A system and method for protecting cloud native environments based on cloud resource access. The method includes determining a mapping of a plurality of cloud assets to a plurality of cloud resources based on resource access data for a cloud native environment, wherein the plurality of cloud assets and the plurality of cloud resources are deployed in the cloud native environment, wherein each of the plurality of cloud assets is mapped to at least one associated cloud resource of the plurality of cloud resources; detecting at least one improper resource access based on the mapping and a cloud access security stream for the cloud native environment, wherein each of the at least one improper resource access deviates from the mapping; and performing at least one mitigation action with respect to the detected at least one improper resource access.
    Type: Application
    Filed: December 26, 2018
    Publication date: July 2, 2020
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Michael KLETSELMAN, Dima STOPEL, John MORELLO
  • Patent number: 10693899
    Abstract: A system and method for traffic enforcement in containerized environments. The method includes analyzing contents of a container image to determine a type of application to be executed by a first container, wherein the first container is a runtime instance of the container image; determining, based on the type of application to be executed by the first container, a filtering profile for the first container, wherein the filtering profile defines a configuration for inspecting and filtering traffic directed to the first container; and filtering, based on the filtering profile, malicious traffic directed to the first container.
    Type: Grant
    Filed: October 22, 2018
    Date of Patent: June 23, 2020
    Assignee: TWISTLOCK, LTD.
    Inventors: Liron Levin, Dima Stopel, John Morello, Eran Yanay
  • Publication number: 20200193015
    Abstract: A system and method for securing execution of software containers using security profiles. The method includes exporting a container image to a host device from a container image source, wherein the container image includes resources utilized to execute a corresponding application container; generating a security profile for the container image, wherein the generated security profile indicates at least a list of permissible filesystem actions, wherein each permissible filesystem action is an action performed with respect to at least one filesystem resource; monitoring an operation of a runtime execution of the application container; and detecting a violation of the security profile based on the monitored operation.
    Type: Application
    Filed: February 20, 2020
    Publication date: June 18, 2020
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Dima STOPEL, Eran YANAY
  • Patent number: 10664590
    Abstract: A system and method for securing execution of software containers using security profiles. The method includes receiving an event indicating that a container image requires profiling, wherein the container image includes resources utilized to execute a corresponding application container; generating a security profile for the container image when the event is received, wherein the generated security profile indicates at least a list of permissible filesystem actions, wherein each permissible filesystem action is an action performed with respect to at least one filesystem resource; monitoring an operation of a runtime execution of the application container; and detecting a violation of the security profile based on the monitored operation.
    Type: Grant
    Filed: January 9, 2018
    Date of Patent: May 26, 2020
    Assignee: TWISTLOCK, LTD.
    Inventors: Liron Levin, Dima Stopel, Eran Yanay
  • Patent number: 10599833
    Abstract: A system and method for securing execution of software containers using security profiles. The method includes receiving an event indicating that a container image requires profiling, wherein the container image includes resources utilized to execute a corresponding application container; generating a security profile for the container image when the event is received, wherein the generated security profile indicates at least networking ports that are allowed for at least one of: access to the application container, and access by the application container; monitoring an operation of a runtime execution of the application container; and detecting a violation of the security profile based on the monitored operation.
    Type: Grant
    Filed: December 29, 2017
    Date of Patent: March 24, 2020
    Assignee: TWISTLOCK, LTD.
    Inventors: Liron Levin, Dima Stopel, Eran Yanay
  • Patent number: 10586042
    Abstract: A method for securing execution of software containers using security profiles. The method comprises receiving an event indicating that a container image requires profiling, wherein the container image includes resources utilized to execute a corresponding application container; generating a security profile for the container image, wherein the generated security profile includes at least a system calls profile; monitoring the operation of a runtime execution of the application container; and detecting a violation of the security profile based on the monitored operation, wherein the security profile is of the container image corresponding to the application container.
    Type: Grant
    Filed: January 3, 2017
    Date of Patent: March 10, 2020
    Assignee: TWISTLOCK, LTD.
    Inventors: Dima Stopel, Liron Levin, Lior Yankovich
  • Patent number: 10567411
    Abstract: A system and method for dynamically adapting traffic inspection and filtering in containerized environments. The method includes monitoring the containerized environment to identify deployment of a software container in the containerized environment; inspecting traffic redirected from the software container, wherein the inspecting includes detecting malicious activity of the software container; and filtering the traffic based on at least one filtering rule when the malicious activity is detected, wherein the at least one filtering rule is defined in a filtering profile for the software container, wherein the filtering profile is determined for the software container when a new container image of the software container is detected in the containerized environment.
    Type: Grant
    Filed: May 29, 2018
    Date of Patent: February 18, 2020
    Assignee: TWISTLOCK, LTD.
    Inventors: Ben Bernstein, John Morello, Dima Stopel, Liron Levin, Eran Yanay
  • Publication number: 20200026849
    Abstract: A system and method for cloud native virtual machine (VM) runtime protection. The method includes creating a normal behavior model for a cloud native VM by training a machine learning model using a training data set including a plurality of training activities performed by the cloud native VM, the cloud native VM being configured to provide at least one service, wherein the normal behavior model defines at least one capability of each of the at least one service, wherein each capability of a service indicates a plurality of discrete behaviors required by the service; and monitoring an execution of the cloud native VM to detect a deviation from the normal behavior model, wherein the deviation is caused by at least one abnormal behavior of one of the at least one service that is not among the discrete behaviors defined in the at least one capability for the service.
    Type: Application
    Filed: August 22, 2018
    Publication date: January 23, 2020
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, John MORELLO, Dima STOPEL, Michael VELBAUM, Itay ABRAMOWSKY, Isaac SCHNITZER
  • Publication number: 20200026850
    Abstract: A system and method for serverless runtime application self-protection.
    Type: Application
    Filed: September 27, 2018
    Publication date: January 23, 2020
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Dima STOPEL, Michael VELBAUM, Alon ADLER, Michael KLETSELMAN, John MORELLO
  • Publication number: 20200026541
    Abstract: A host device and method for efficient distributed security forensics. The method includes creating, at a first host device configured to run a first virtualization entity, a first event index for the first virtualization entity; encoding at least one event related to the first virtualization entity; updating the first event index based on the encoded at least one event; and sending the first event index to a master console, wherein the master console is configured to receive a plurality of event indices created by a plurality of host devices with respect to a plurality of virtualization entities.
    Type: Application
    Filed: September 27, 2018
    Publication date: January 23, 2020
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Dima STOPEL, Ami BIZAMCHER, Michael KLETSELMAN, John MORELLO
  • Publication number: 20200012818
    Abstract: A system and method for maintaining image integrity in a containerized environment. Image layers of a software container are scanned for metadata. The metadata is indexed and contextual metadata is added. Execution of the containerized environment is monitored to detect new image layers being executed. Integrity of images in the environment is maintained based on integrity rules and the metadata of each image layer. The integrity rules ensure image integrity by ensuring that pulled images are composed from trusted images, image layers are pushed by trusted users, image layers do not include potential vulnerabilities, and image layers do not override specific file paths. Trusted image layers may be automatically detected using a machine learning model trained based on historical image layer metadata.
    Type: Application
    Filed: July 3, 2018
    Publication date: January 9, 2020
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, John MORELLO, Dima STOPEL