Abstract: A system and method for performing authorization based active inspection of network paths for a resource, deployed in a cloud computing environment, includes receiving at least one network path to access the resource, wherein the resource is a cloud object deployed in the cloud computing environment, and potentially accessible from a network which is external to the cloud computing environment; and actively inspecting the at least one network path to determine if the resource is accessible through the at least one network path from a network external to the cloud computing environment and requires access authorization.

Abstract: A system and method for performing active inspection of a cloud computing environment includes receiving at least one network path to access a first resource, wherein the first resource is a cloud object deployed in the cloud computing environment, and potentially accessible from a network which is external to the cloud computing environment; and actively inspecting the at least one network path to determine if the first resource is accessible through the at least one network path from a network external to the cloud computing environment.

Abstract: A system and method for performing active inspection of vulnerability exploitation in a cloud computing environment. The method includes receiving at least one network path to access a first resource, wherein the first resource is a cloud object is deployed in the cloud computing environment and having a known vulnerability, wherein the first resource is potentially accessible from a network which is external to the cloud computing environment; actively inspecting the at least one network path to determine if the first resource is accessible through the at least one network path from a network external to the cloud computing environment; and triggering the known vulnerability to determine if the first resource can be exploited with the known vulnerability, in response to determining that the first resource is accessible through the external network.

Abstract: A system and method detect a malware infection path in a compute environment. The method includes detecting a malware object on a first workload in a computing environment including a plurality of workloads, wherein the first workload is represented by a resource node on a security graph, the security graph including an endpoint node representing a resource which is accessible to a public network; generating a potential infection path between the resource node and the endpoint node including at least a second resource node connected to the resource node; inspecting a second workload of the plurality of workloads represented by the second resource node; determining that the potential infection path is a confirmed infection path, in response to detecting the malware on the second workload; and determining that the potential infection path is not an infection path, in response to detecting that the second workload does not include the malware.

Abstract: A method and system for determining abnormal configuration of network objects deployed in a cloud computing environment are provided. The method includes collecting network object data on a plurality of network objects deployed in the cloud computing environment; constructing a network graph based on the collected network object data, wherein the network graph includes a visual representation of network objects identified in the cloud computing environment; determining relationships between the identified network objects in the network graph, wherein the determined relationships between the identified network objects includes descriptions of connections between the identified network objects; and analyzing the network graph and the determined relationships to generate insights, wherein the generated insights include at least a list of abnormal connections between the identified network objects.

Abstract: A system and method for generating a compact forensic event log based on a cloud log, includes: traversing a security graph to detect a node representing a cloud entity in a cloud computing environment, wherein the security graph includes a representation of the cloud computing environment; detecting a node representing a cybersecurity threat connected to the node representing the cloud entity; parsing a cloud log of the cloud computing environment to detect a data record, the data record including an attribute of the node representing the cloud entity; and generating a compact forensic event log including the detected data record.

Abstract: A system and method for generating a contextual cloud risk assessment of a cloud computing environment. The method includes accessing a plurality of cloud assessment policies, wherein a policy including a query executable on a security graph; applying the plurality of cloud assessment policies to the representation of the first cloud computing environment; generating a risk assessment report based on an output generated by applying a policy of the plurality of cloud assessment polices; and initiating a mitigation action based on a cybersecurity risk from the risk assessment report.

Abstract: A system and method detects an exploited vulnerable cloud entity. The method includes: detecting in at least one cloud log of a cloud computing environment a plurality of events, each event corresponding to a failed action, each event further corresponding to a cloud entity deployed in the cloud computing environment; extracting from the cloud log an identifier of the cloud entity; traversing a security graph to detect a node representing the cloud entity, based on the extracted identifier, wherein the security graph includes a representation of the cloud computing environment; detecting a node representing a cybersecurity vulnerability connected to the node representing the cloud entity; and initiating a mitigation action for the workload based on the cybersecurity vulnerability.

Abstract: A system and method for detecting a cloud detection and response (CDR) event from a cloud log. The method includes detecting an identifier of a cloud entity in a cloud log, wherein the cloud log includes a plurality of records generated by a cloud computing environment; detecting a node in a security graph based on the identifier of the cloud entity, wherein the security graph includes a representation of the cloud computing environment; generating a CDR event in response to determining from the security graph that the first node is associated with a cybersecurity threat; and initiating a mitigation action based on the cybersecurity threat.

Abstract: A system and method for prioritizing alerts and mitigation actions against cyber threats in a cloud computing environment. The method includes detecting an alert based on a cloud entity deployed in a cloud computing environment, wherein the alert including an identifier of the cloud entity and a severity indicator, and wherein the cloud computing environment is represented in a security graph; generating a severity index for the received alert based on the identifier of the cloud entity and the severity indicator; and initiating a mitigation action based on the severity index.

Abstract: A system and method traces suspicious activity to a workload based on a forensic log. The method includes detecting in at least one cloud log of a cloud computing environment a plurality of events, each event indicating an action in the cloud computing environment; extracting from an event of the plurality of events an identifier of a cloud entity, wherein the event includes an action which is predetermined as indicative of a suspicious event; traversing a security graph to detect a node representing the cloud entity, wherein the security graph further includes a representation of the cloud computing environment; detecting that the node representing the cloud entity is connected to a node representing a cybersecurity vulnerability; and initiating a mitigation action for the cloud entity based on the cybersecurity vulnerability.

Abstract: Methods, systems and computer program products are described to improve machine learning (ML) model-based classification of data items by identifying and removing inaccurate training data. Inaccurate training samples may be identified, for example, based on excessive variance in vector space between a training sample and a mean of category training samples, and based on a variance between an assigned category and a predicted category for a training sample. Suspect or erroneous samples may be selectively removed based on, for example, vector space variance and/or prediction confidence level. As a result, ML model accuracy may be improved by training on a more accurate revised training set. ML model accuracy may (e.g., also) be improved, for example, by identifying and removing suspect categories with excessive (e.g., weighted) vector space variance. Suspect categories may be retained or revised. Users may (e.g., also) specify a prediction confidence level and/or coverage (e.g., to control accuracy).

Abstract: A system and method detect a malware infection path in a compute environment. The method includes detecting a malware object on a first workload in a computing environment including a plurality of workloads, wherein the first workload is represented by a resource node on a security graph, the security graph including an endpoint node representing a resource which is accessible to a public network; generating a potential infection path between the resource node and the endpoint node including at least a second resource node connected to the resource node; inspecting a second workload of the plurality of workloads represented by the second resource node; determining that the potential infection path is a confirmed infection path, in response to detecting the malware on the second workload; and determining that the potential infection path is not an infection path, in response to detecting that the second workload does not include the malware.

Abstract: A system and method detects a vulnerable code object in configuration code for deploying instances in a cloud computing environment. The method includes: accessing a configuration code, including a plurality of code objects, where a code object of the plurality of code objects corresponds to a deployed principal; detecting in a log a plurality of access events, each access event associated with a first principal deployed in the cloud computing environment based on a first code object of the plurality of code objects; determining a first set of permissions associated with the first code object. The method also includes determining a second set of permissions based on the plurality of access events. The method also includes detecting a difference between the second set of permissions and the first set of permissions; and generating an updated code object based on the first code object and the detected difference.

Abstract: A system and method detect a malware infection path in a compute environment. The method includes detecting a malware object on a first workload in a computing environment including a plurality of workloads, wherein the first workload is represented by a resource node on a security graph, the security graph including an endpoint node representing a resource which is accessible to a public network; generating a potential infection path between the resource node and the endpoint node including at least a second resource node connected to the resource node; inspecting a second workload of the plurality of workloads represented by the second resource node; determining that the potential infection path is a confirmed infection path, in response to detecting the malware on the second workload; and determining that the potential infection path is not an infection path, in response to detecting that the second workload does not include the malware.

Abstract: A system and method provide detection of a malware attack path. The method includes detecting at a first time a malware object on a first workload deployed in the compute environment, wherein the first workload is represented by a first node in a security graph, the security graph including a representation of the compute environment; querying the security graph to detect a second node connected to the first node, wherein the connection indicates that the first workload represented by the first node can access a second workload represented by the second node; and generating an instruction to inspect the second workload represented by the second node at a second time, occurring after the first time.

Abstract: Methods, systems and computer program products are described to improve machine learning (ML) model-based classification of data items by identifying and removing inaccurate training data. Inaccurate training samples may be identified, for example, based on excessive variance in vector space between a training sample and a mean of category training samples, and based on a variance between an assigned category and a predicted category for a training sample. Suspect or erroneous samples may be selectively removed based on, for example, vector space variance and/or prediction confidence level. As a result, ML model accuracy may be improved by training on a more accurate revised training set. ML model accuracy may (e.g., also) be improved, for example, by identifying and removing suspect categories with excessive (e.g., weighted) vector space variance. Suspect categories may be retained or revised. Users may (e.g., also) specify a prediction confidence level and/or coverage (e.g., to control accuracy).

Abstract: Embodiments described herein are directed to improving machine learning (ML) model-based techniques for automatically labeling data items based on identifying and resolving labels that are problematic. An ML model may be trained to predict labels for any given data item. The ML model may be validated to determine a confusion metric with respect to each distinct pair of labels predicted by the ML model. Each confusion metric indicates how a particular label is being mistaken for another particular label. The confusion metrics are analyzed to determine whether any of the ML model-generated labels are problematic (e.g., a label conflicts with another label, a label that is rarely predicted, a label that is incorrectly predicted, etc.). Steps for resolving the problematic labels are implemented, and the ML model is retrained based on the resolution steps. By doing so, the ML model generates a more accurate label for a data item.

Abstract: A method for detecting escalation paths in a cloud environment is provided. The method includes accessing a security graph representing cloud objects and their connections in the cloud environment; analyzing each cloud object to detect an escalation hop from a current cloud object to a next cloud object, wherein the analysis is based, in part, on a plurality of risk factors and reachability parameters determined for each cloud object; and marking the security graph with each identified escalation path in the security graph, wherein an escalation path is a collection of escalation hops from a source cloud object to a destination cloud object.

Abstract: Embodiments described herein are directed to generating a machine learning (ML) model. A plurality of vectors are accessed, each vector of the plurality of vectors including a first set of features associated with a corresponding data item. A second set of features is identified by expanding the first set of features. A ML model is trained using vectors including the expanded set of features, and it is determined that an accuracy of the ML model trained using the vectors increased. A third set of features is identified by determining a measure of importance for different subsets of features in the second set and replacing subsets having a low measure of importance with new features. A ML model is trained using vectors that include the third set, and it is determined that an accuracy of the model increased due to the replacing.