Abstract: A system and method for providing cybersecurity incident response utilizing a large language model. The method includes: mapping a received incident input into a scenario of a plurality of scenarios, each scenario including a plurality of sub-scenarios; generating a query based on the received incident input and a selection of a sub-scenario of the plurality of sub-scenarios; executing the query on a security database, the security database including a representation of the computing environment; and initiating a mitigation action based on a result of the executed query.

Abstract: A system and method for generating a remediation action in a computing environment based on a cybersecurity inspection. The method includes: inspecting a computing environment for a cybersecurity object; detecting a cybersecurity issue in the computing environment based on detection of the cybersecurity object; generating an input for a generative remediator based on the detected cybersecurity issue, wherein the generative remediator is configured to generate an output including a remediation action based on the input; and initiating the remediation action in the computing environment.

Abstract: A system and method for near-real time inspection of a computing environment for a cybersecurity object is presented. The method includes: continuously receiving a plurality of event records, each event record having an event type, and corresponding to an event in the computing environment; detecting in the plurality of event records, an event record of a first type; parsing the event record of the first type to detect a resource identifier, wherein the resource identifier corresponds to a resource deployed in the computing environment; initiating inspection of the resource for a cybersecurity object; and initiating a mitigation action in the computing environment, in response to detecting the cybersecurity object on the resource.

Abstract: A system and method for generating a compact representation of a computing environment having a remediated cybersecurity threat is disclosed. In an embodiment, the method includes generating an inspectable disk based on a disk of a resource in the computing environment; detecting a forensic artifact on the inspectable disk; traversing a security graph for a forensic finding based on the forensic artifact, wherein the security graph includes a representation of the computing environment; detecting a remediation node connected to a node representing the forensic finding; and initiating a remediation action, represented by the remediation node.

Abstract: A system and method for cybersecurity remediation based on a digital forensic finding is disclosed. In an embodiment, the method includes generating an inspectable disk from a disk of a resource deployed in a computing environment; mounting the inspectable disk at a mount point on a forensic analyzer; configuring the forensic analyzer to generate a forensic finding based on the inspectable disk; and initiating a remediation action based on the forensic finding.

Abstract: A system and method for iterative cybersecurity remediation based on a digital forensic finding is disclosed. In an embodiment, the method includes detecting a forensic finding, the forensic finding based on a forensic artifact detected on a disk of a resource in a computing environment; generating an inspectable disk based on the disk of the resource; inspecting the inspectable disk for a cybersecurity object based on the forensic artifact; and initiating a remediation action on the disk based on the cybersecurity object detected on the inspectable disk.

Abstract: A system and method reduces use of restricted operations in a cloud computing environment during cybersecurity threat inspection. The method includes: detecting an encrypted disk in a cloud computing environment, the encrypted disk encrypted utilizing a first key in a key management system (KMS); generating a second key in the KMS, the second key providing access for a principal of an inspection environment; generating a snapshot of the encrypted disk; generating a volume based on the snapshot, wherein the volume is re-encrypted with the second key; generating a snapshot of the re-encrypted volume; generating an inspectable disk from the snapshot of the re-encrypted volume; and initiating inspection for a cybersecurity object on the inspectable disk.

Abstract: A system and method for inspecting a running container for a cybersecurity object in a cloud computing environment is disclosed. The method includes: generating a clone of a disk, wherein the disk is deployed in a cloud computing environment; detecting a software container on the generated clone of the disk; and inspecting the software container for a cybersecurity object, in response to determining that the container is a running container.

Abstract: A system and method reduces use of restricted operations in a cloud computing environment during cybersecurity threat inspection. The method includes: detecting an encrypted disk in a cloud computing environment, the encrypted disk encrypted utilizing a first key in a key management system (KMS); generating a second key in the KMS, the second key providing access for a principal of an inspection environment; generating a snapshot of the encrypted disk; generating a volume based on the snapshot, wherein the volume is re-encrypted with the second key; generating a snapshot of the re-encrypted volume; generating an inspectable disk from the snapshot of the re-encrypted volume; and initiating inspection for a cybersecurity object on the inspectable disk.

Abstract: A system and method for inspecting a running container for a cybersecurity object in a cloud computing environment is disclosed. The method includes: generating a clone of a disk, wherein the disk is deployed in a cloud computing environment; detecting a software container on the generated clone of the disk; and inspecting the software container for a cybersecurity object, in response to determining that the container is a running container.

Abstract: A system and method for detecting a permission escalation event in a computing environment is disclosed. The method includes: generating a cloned disk based on an original disk of a resource deployed in a computing environment; detecting an identifier of a first principal on the cloned disk; detecting a second principal in the computing environment, the first principal authorized to assume the first principal; storing a representation of the computing environment in a security database, including: a first principal node representing the first principal, and a second principal node representing the second principal, further associated with a permission; querying the representation to determine a permission of the first principal; determining that the second principal includes a permission which the first principal does not include based on a result of querying the representation; and generating a permission escalation event.

Abstract: A system and method for agentless detection of sensitive data in a cloud computing environment. The method includes detecting a first data object including a data schema and a content in a cloud computing environment; detecting a second data object, having the data schema of the first data object; generating in a security graph: a first data object node representing the first data object, a second data object node representing the second data object, and a data schema node representing the data schema; storing a classification based on the content in the security graph, wherein the content is classified as sensitive data or non-sensitive data; and rendering an output based on the classification and the data schema node, in lieu of the first data object node and the second data object node, in response to receiving a query to detect a node representing a data object classified as sensitive data.

Abstract: A system and method for inspecting managed workloads in a cloud computing environment for cybersecurity threats improves inspection of managed workload service repositories, by only inspecting bases of managed workload deployed in the cloud computing environment. The method includes discovering a managed workload deployed in a cloud computing environment; determining an identifier of the managed workload, wherein the identifier includes an indicator to a base repository in which a base is stored, and wherein the managed workload is currently deployed in the cloud computing environment, the base repository further storing a plurality of bases, wherein a portion of the plurality of bases do not correspond to a deployed workload; accessing the base repository to pull the base; and inspecting the base of the deployed managed workload for a cybersecurity threat.

Abstract: A system and method detect a malware infection path in a compute environment. The method includes detecting a malware object on a first workload in a computing environment including a plurality of workloads, wherein the first workload is represented by a resource node on a security graph, the security graph including an endpoint node representing a resource which is accessible to a public network; generating a potential infection path between the resource node and the endpoint node including at least a second resource node connected to the resource node; inspecting a second workload of the plurality of workloads represented by the second resource node; determining that the potential infection path is a confirmed infection path, in response to detecting the malware on the second workload; and determining that the potential infection path is not an infection path, in response to detecting that the second workload does not include the malware.

Abstract: A method and system for modeling a cloud environment as a security graph are provided. The method includes identifying security objects in the cloud environment; collecting object data of the identified security objects; constructing security graph based on collected object data of the identified security objects; determining relationships among the identified security objects, wherein the relationships are determined based on the collected object data of the identified security objects and using a static analysis process; updating the constructed security graph with the determined relationships among the identified security objects; and storing the constructed security graph in a graph database.

Abstract: An architecture of a multi-cloud inspector for any computing device type is provided. According to an embodiment, a method for implementing multi-cloud inspection includes accessing an object list, determining which objects to inspect, determining which inspectors to use, creating object copies, providing and running inspectors for each object copy, receiving inspection report summaries, generating an enriched dataset, and adding the enriched dataset to a security graph database.

Abstract: A system and method for detecting potential lateral movement using cloud keys in a cloud computing environment includes determining a first node in a security graph is a compromised node, wherein the security graph represents cloud entities of the cloud computing environment; detecting a cloud key node connected to the first node, wherein the cloud key node represents a cloud key of the cloud computing environment; and generating a potential lateral movement path, including the first node, and a second node, wherein the second node is connected to the cloud key node.

Abstract: A system and method for detecting lateral movement based on an exposed cryptographic network protocol (CNP) key in a cloud computing environment. The method includes: inspecting a first workload for a private CNP key, the private CNP key associated with a hash of a public CNP key; detecting in a security database a representation of the public CNP key; generating a lateral movement path, the lateral movement path including an identifier of a second workload, the second workload represented by a representation connected to the representation of the public CNP key.

Abstract: A system and method for detecting cybersecurity risk on a resource in a computing environment utilizes static analysis of a cloned resource and runtime data from the live resource. The method includes: configuring a resource deployed in a computing environment to deploy thereon a sensor, the sensor configured to detect runtime data; detecting runtime data from the sensor of the resource; generating an inspectable disk based on an original disk of the resource; initiating inspection based on the detected runtime data for a cybersecurity object on the inspectable disk; detecting the cybersecurity object on an inspectable disk; and initiating a mitigation action on the resource.

Abstract: A system and method for applying a policy on a network path is presented. The method includes: selecting a reachable resource having a network path to access the reachable resource, wherein the reachable resource is deployed in a cloud computing environment, having access to an external network; actively inspecting an external network path to determine if the network path of the reachable resource is accessible from the external network; determining that the network path is a valid path, in response to determining that the reachable resource is accessible from the external network path; applying a policy on the valid path; and initiating a mitigation action, in response to determining that the policy is violated.