Abstract: A system and method for detecting potential lateral movement in a cloud computing environment includes detecting a private encryption key and a certificate, each of which further include a hash value of a respective public key, wherein the certificate is stored on a first resource deployed in the cloud computing environment; generating in a security graph: a private key node, a certificate node, and a resource node connected to the certificate node, wherein the security graph is a representation of the cloud computing environment; generating a connection in the security graph between the private key node and the certificate node, in response to determining a match between the hash values of the public key of the private key and the public key of the certificate; and determining that the first resource node is potentially compromised, in response to receiving an indication that an element of the public key is compromised.

Abstract: A system and method for performing active inspection of a cloud computing environment includes selecting a reachable resource, having a network path to access the reachable resource, wherein the reachable resource is a cloud object deployed in the cloud computing environment, and accessible from a network which is external to the cloud computing environment; determining a network protocol for the network path; and actively inspecting the network path to determine if an application utilizing the network protocol is deployed on the reachable resource as part of a technology stack of the reachable resource.

Abstract: A method and system for modeling a cloud environment as a security graph are provided. The method includes identifying security objects in the cloud environment; collecting object data of the identified security objects; constructing security graph based on collected object data of the identified security objects; determining relationships among the identified security objects, wherein the relationships are determined based on the collected object data of the identified security objects and using a static analysis process; updating the constructed security graph with the determined relationships among the identified security objects; and storing the constructed security graph in a graph database.

Abstract: A system and method for detecting an application path utilizing active inspection of a cloud computing environment, includes selecting a reachable resource having at least one network path to access the reachable resource, wherein the reachable resource is a cloud object deployed in the cloud computing environment, and accessible from a network which is external to the cloud computing environment; selecting a second resource having a second network path based on the network path of the reachable resource; and actively inspecting the second network path to determine if the second resource is accessible through the second network path from the reachable resource.

Abstract: A method and system for modeling a cloud environment as a security graph are provided. The method includes identifying security objects in the cloud environment; collecting object data of the identified security objects; constructing security graph based on collected object data of the identified security objects; determining relationships among the identified security objects, wherein the relationships are determined based on the collected object data of the identified security objects and using a static analysis process; updating the constructed security graph with the determined relationships among the identified security objects; and storing the constructed security graph in a graph database.

Abstract: A method for detecting escalation paths in a cloud environment is provided. The method includes accessing a security graph representing cloud objects and their connections in the cloud environment; analyzing each cloud object to detect an escalation hop from a current cloud object to a next cloud object, wherein the analysis is based, in part, on a plurality of risk factors and reachability parameters determined for each cloud object; and marking the security graph with each identified escalation path in the security graph, wherein an escalation path is a collection of escalation hops from a source cloud object to a destination cloud object.

Abstract: A system and method for detecting potential lateral movement in a cloud computing environment includes detecting a private encryption key and a certificate, each of which further include a hash value of a respective public key, wherein the certificate is stored on a first resource deployed in the cloud computing environment; generating in a security graph: a private key node, a certificate node, and a resource node connected to the certificate node, wherein the security graph is a representation of the cloud computing environment; generating a connection in the security graph between the private key node and the certificate node, in response to determining a match between the hash values of the public key of the private key and the public key of the certificate; and determining that the first resource node is potentially compromised, in response to receiving an indication that an element of the public key is compromised.

Abstract: A system and method improves cloud detection and response by generating a normalized event log from a plurality of cloud service providers (CSPs). The method includes receiving a plurality of events, wherein a first event of the plurality of events is generated in a cloud computing environment provided by a first CSP and a second event of the plurality of events is generated in a cloud computing environment provided by a second CSP; extracting data from an event of the plurality of events; generating a normalized event based on the extracted data and a predefined data schema, the predefined data schema including a plurality of data fields; storing the normalized event in a transactional database having stored therein a normalized event log; and applying a rule from a rule engine on a normalized event stored in the transactional database to detect a cybersecurity threat in any of the CSPs.

Abstract: A system and method improves cloud detection and response by generating a normalized event log from a plurality of cloud computing layers. The method includes receiving a plurality of events, wherein a first event is generated in a first cloud layer of a cloud computing environment provided by a cloud service provider (CSP) and a second event is generated in a second cloud layer of the cloud computing environment; extracting data from each event; generating a normalized event based on the extracted data and further based on a predefined data schema, the predefined schema including a plurality of data fields, at least a portion of which are related to cloud layers; storing the normalized event in a transactional database having stored therein a normalized event log; and applying a rule from a rule engine on the normalized event to detect a cybersecurity threat in the cloud computing environment.

Abstract: A system and method for inspecting virtual instances in a cloud computing environment for cybersecurity threats utilizing disk cloning. The method includes: selecting a virtual instance in a cloud computing environment, wherein the virtual instance includes a disk having a disk descriptor with an address in a cloud storage system; generating an instruction to clone the disk of the virtual instance, the instruction when executed causes generation of a cloned disk descriptor, the cloned disk descriptor having a data field including the address of the disk of the virtual instance; inspecting the cloned disk for a cybersecurity threat; and releasing the cloned disk in response to completing the inspection of the cloned disk.

Abstract: A system and method for detecting potential lateral movement using cloud keys in a cloud computing environment includes determining a first node in a security graph is a compromised node, wherein the security graph represents cloud entities of the cloud computing environment; detecting a cloud key node connected to the first node, wherein the cloud key node represents a cloud key of the cloud computing environment; and generating a potential lateral movement path, including the first node, and a second node, wherein the second node is connected to the cloud key node.

Abstract: A method and system for providing textual insights on objects deployed in a cloud environment are provided. The method includes collecting object data on objects deployed in the cloud environment, wherein objects are deployed and operable at different layers of the cloud environment; identifying objects deployed in the cloud environment; constructing a visual representation of the cloud environment, including the identified objects and their relationships; and generating textual insights on the identified objects and their relationships using natural language processing.

Abstract: A system and method for agentless generation of a software bill of materials (SBOM) in a cloud computing environment is disclosed. The method includes: accessing a plurality of workloads in a cloud computing environment; detecting in each workload of the plurality of workloads a software component; generating for each workload an SBOM based on the detected software component; and storing each SBOM in a database.

Abstract: A system and method for reducing redundancy in inspecting container layers for cybersecurity objects includes: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: generate a diff output between a first container layer and a second container layer, wherein the second container layer is previously generated based off of the first container layer, wherein the diff includes at least an object; inspect the first container layer for a cybersecurity object; inspect the object for the cybersecurity threat; associate the cybersecurity object with the first container layer in response to detecting the cybersecurity object in the first container layer and not in the at least an object; and associate the cybersecurity object with the second container layer in response to detecting the cybersecurity object in the at least an object and not in the first container layer.

Abstract: A system and method for detecting lateral movement based on an exposed cryptographic network protocol (CNP) key in a cloud computing environment. The method includes: inspecting a first workload for a private CNP key, the private CNP key associated with a hash of a public CNP key; detecting in a security database a representation of the public CNP key; generating a lateral movement path, the lateral movement path including an identifier of a second workload, the second workload represented by a representation connected to the representation of the public CNP key.

Abstract: A system and method for inspecting virtual instances in a cloud computing environment for cybersecurity threats utilizing disk cloning. The method includes: selecting a virtual instance in a cloud computing environment, wherein the virtual instance includes a disk having a disk descriptor with an address in a cloud storage system; generating an instruction to clone the disk of the virtual instance, the instruction when executed causes generation of a cloned disk descriptor, the cloned disk descriptor having a data field including the address of the disk of the virtual instance; inspecting the cloned disk for a cybersecurity threat; and releasing the cloned disk in response to completing the inspection of the cloned disk.

Abstract: A system and method for improved endpoint detection and response (EDR) in a cloud computing environment configures a resource deployed in a cloud computing environment to deploy thereon a sensor, configured to listen on a data link layer for an event. The method further includes detecting a potential cybersecurity threat on the resource; sending a definition based on the cybersecurity threat to the sensor, wherein the definition includes a logical expression, which when applied to an event produces a binary outcome, and wherein the sensor is further configured to apply the definition to the event; determining that the potential cybersecurity threat is an actual cybersecurity threat in response to the produced binary outcome having a predetermined value; and generating an instruction to perform a mitigation action based on the actual cybersecurity threat.

Abstract: A system and method for detecting privilege escalation on a resource deployed in a computing environment is disclosed. The method includes: configuring the resource to deploy thereon a sensor, the sensor configured to listen on a data link layer of the resource for an event; receiving from the sensor a permission-based event based on a first actor, the permission-based event indicating a first permission set of the first actor; querying a database to detect a second permission set of the first actor; detecting that the first permission set includes a permission which is not in the second permission set; determining that the resource is involved in a privilege escalation event in response to detecting that the first permission set includes a permission which is not in the second permission set; and initiating a mitigation action in response to the determined privilege escalation event.

Abstract: A system and method for detecting a cybersecurity event based on multiple cybersecurity data sources is disclosed. The method includes: receiving data from a first cybersecurity source, the first cybersecurity source configured to generate data based on a resource deployed in a computing environment; receiving data from a second cybersecurity source, the second cybersecurity source configured to generate data based on the resource deployed in the computing environment, wherein the second cybersecurity source has a source type which is different from a source type of the first cybersecurity source; detecting a cybersecurity event on the resource based on data received from the first cybersecurity source and data received from the second cybersecurity source; and initiating a mitigation action for the resource in response to detecting the cybersecurity event.

Abstract: A system and method for reducing network communication from a sensor for detecting cybersecurity threats is disclosed. The method includes: configuring the resource to deploy thereon a sensor, the sensor configured to listen on a data link layer of the resource for an event; configuring the sensor to generate an event set from a plurality of events, based on a rule; detecting that a number of events in the event set exceeds a predetermined threshold; determining that a cybersecurity event occurred in response to detecting that the number of events exceeds the predetermined threshold; and initiating a mitigation action based on the cybersecurity event.