Patents by Inventor Asaf Hecht

Asaf Hecht has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20210103454
    Abstract: Disclosed embodiments relate to systems and methods for enabling recovery of deactivated virtual computing instances that were previously instantiated in a dynamic virtualized computing environment. Techniques include identifying a status change for a virtual computing instance; archiving a plurality of environment properties representing a chain of activities comprising a plurality of activities executed by a processor of the virtual computing instance; and reactivating the virtual computing instance. Reactivating the virtual computing instance may include reinstantiation of the virtual computing instance based on the plurality of environment properties and chain of activities such that the virtual computing instance is reinstantiated to a state at a time of the status change.
    Type: Application
    Filed: May 26, 2020
    Publication date: April 8, 2021
    Applicant: CyberArk Software Ltd.
    Inventor: Asaf HECHT
  • Patent number: 10880336
    Abstract: Disclosed embodiments relate to systems and methods for multidimensional vectors for analyzing and visually displaying identity permissions. Techniques include identifying a plurality of identities, privileges used by the identities, and data associated with the identities, developing privilege vectors based on the identified information, and generating groupings of the identities based on the privilege vectors. Further techniques include generating a group score for an identity grouping, using the group score to determine if the grouping is a least privilege grouping, and updating the privileges of the identities within the grouping.
    Type: Grant
    Filed: July 23, 2020
    Date of Patent: December 29, 2020
    Assignee: CyberArk Software Ltd.
    Inventors: Michael Balber, Asaf Hecht
  • Publication number: 20200364345
    Abstract: Disclosed embodiments relate to systems and methods for automatically detecting and addressing security risks in code segments. Techniques include accessing a plurality of code segments developed for execution in a network environment, automatically identifying a first code segment from the plurality of code segments for analysis, automatically performing a first code-level security risk assessment for the first code segment, and determining a first security risk level for the first code segment based on the application programming interface risk level. The first code-level security risk assessment may be performed based on at least one of an application programming interface risk level, an embedded credentials risk level, and a target resource risk level. Further techniques may include determining a second security risk level for a modified version of the first code segment; and enabling a comparison between the first security risk level and the second security risk level.
    Type: Application
    Filed: March 20, 2020
    Publication date: November 19, 2020
    Applicant: CyberArk Software Ltd.
    Inventors: ASAF HECHT, Hadas Elkabir
  • Patent number: 10749910
    Abstract: Disclosed embodiments relate to systems and methods for multidimensional vectors for analyzing and visually displaying identity permissions. Techniques include identifying a plurality of identities, privileges used by the identities, and data associated with the identities, developing privilege vectors based on the identified information, and generating groupings of the identities based on the privilege vectors. Further techniques include generating a group score for an identity grouping, using the group score to determine if the grouping is a least privilege grouping, and updating the privileges of the identities within the grouping.
    Type: Grant
    Filed: April 24, 2020
    Date of Patent: August 18, 2020
    Assignee: CyberArk Software Ltd.
    Inventors: Michael Balber, Asaf Hecht
  • Patent number: 10735433
    Abstract: Systems and methods are provided for automatically discovering and evaluating privileged entities in a network environment. The systems and methods can include scanning the network environment to identify a plurality of network entities. This scan can include identifying network permissions corresponding to the plurality of network entities. The operations can further include performing a multi-layer evaluation of the permissions corresponding to the plurality of network entities, the multi-layer evaluation being based at least on factors of network action sensitivity and network resource sensitivity. The network action sensitivity factor can address the sensitivity of particular actions that the plurality of network entities are able to take in the network environment. The network resource sensitivity factor can address the sensitivity of particular resources in the network environment that the plurality of network entities are able to access.
    Type: Grant
    Filed: March 9, 2020
    Date of Patent: August 4, 2020
    Assignee: CyberArk Software Ltd.
    Inventor: Asaf Hecht
  • Publication number: 20200213324
    Abstract: Systems and methods are provided for automatically discovering and evaluating privileged entities in a network environment. The systems and methods can include scanning the network environment to identify a plurality of network entities. This scan can include identifying network permissions corresponding to the plurality of network entities. The operations can further include performing a multi-layer evaluation of the permissions corresponding to the plurality of network entities, the multi-layer evaluation being based at least on factors of network action sensitivity and network resource sensitivity. The network action sensitivity factor can address the sensitivity of particular actions that the plurality of network entities are able to take in the network environment. The network resource sensitivity factor can address the sensitivity of particular resources in the network environment that the plurality of network entities are able to access.
    Type: Application
    Filed: March 9, 2020
    Publication date: July 2, 2020
    Applicant: CyberArk Software Ltd.
    Inventor: Asaf Hecht
  • Patent number: 10678586
    Abstract: Disclosed embodiments relate to systems and methods for enabling recovery of deactivated virtual computing instances that were previously instantiated in a dynamic virtualized computing environment. Techniques include identifying a status change for a virtual computing instance; archiving a plurality of environment properties representing a chain of activities comprising a plurality of activities executed by a processor of the virtual computing instance; and reactivating the virtual computing instance. Reactivating the virtual computing instance may include reinstantiation of the virtual computing instance based on the plurality of environment properties and chain of activities such that the virtual computing instance is reinstantiated to a state at a time of the status change.
    Type: Grant
    Filed: October 8, 2019
    Date of Patent: June 9, 2020
    Assignee: CYBERARK SOFTWARE LTD.
    Inventor: Asaf Hecht
  • Patent number: 10609038
    Abstract: Systems and methods are provided for automatically discovering and evaluating privileged entities in a network environment. The systems and methods can include scanning the network environment to identify a plurality of network entities. This scan can include identifying network permissions corresponding to the plurality of network entities. The operations can further include performing a multi-layer evaluation of the permissions corresponding to the plurality of network entities, the multi-layer evaluation being based at least on factors of network action sensitivity and network resource sensitivity. The network action sensitivity factor can address the sensitivity of particular actions that the plurality of network entities are able to take in the network environment. The network resource sensitivity factor can address the sensitivity of particular resources in the network environment that the plurality of network entities are able to access.
    Type: Grant
    Filed: February 20, 2018
    Date of Patent: March 31, 2020
    Assignee: CyberArk Software Ltd.
    Inventor: Asaf Hecht
  • Patent number: 10607015
    Abstract: Disclosed embodiments relate to systems and methods for automatically detecting and addressing security risks in code segments. Techniques include accessing a plurality of code segments developed for execution in a network environment, automatically identifying a first code segment from the plurality of code segments for analysis, automatically performing a first code-level security risk assessment for the first code segment, and determining a first security risk level for the first code segment based on the application programming interface risk level. The first code-level security risk assessment may be performed based on at least one of an application programming interface risk level, an embedded credentials risk level, and a target resource risk level. Further techniques may include determining a second security risk level for a modified version of the first code segment; and enabling a comparison between the first security risk level and the second security risk level.
    Type: Grant
    Filed: May 16, 2019
    Date of Patent: March 31, 2020
    Assignee: CYBERARK SOFTWARE LTD.
    Inventors: Asaf Hecht, Hadas Elkabir
  • Publication number: 20200057848
    Abstract: Techniques include securely maintaining data associated with a plurality of authentication credentials; generating, as a function of the data associated with a selected group of the plurality of authentication credentials, a secret data element; making available, the secret data element, to be embedded in a first authentication credential; identifying an attempt to change the first authentication credential, the attempt including new authentication credential data to replace data in the first authentication credential; validating, conditional on whether the new authentication credential data includes the secret data element, the new authentication credential data; and determining, based on the validating, whether to perform a control action based on the new authentication credential data.
    Type: Application
    Filed: August 16, 2018
    Publication date: February 20, 2020
    Applicant: CyberArk Software Ltd.
    Inventor: Asaf Hecht
  • Publication number: 20200021591
    Abstract: Disclosed embodiments include techniques for automatically provisioning dynamic privileged access resources. Aspects may involve receiving a notification that an identity is seeking to participate in a privileged session with an access-restricted network resource, and automatically provisioning, in response to the notification, a privileged access resource for use by the identity in participating in the privileged session with the access-restricted network resource. Further, aspects may include determining that the privileged session with the access-restricted network resource has ended, and automatically deprovisioning, based on the determination, the privileged access resource.
    Type: Application
    Filed: July 11, 2018
    Publication date: January 16, 2020
    Applicant: CyberArk Software Ltd.
    Inventor: Asaf HECHT
  • Publication number: 20190356661
    Abstract: Systems and methods are provided for enabling source resources to communicate with access-restricted target resources. The method can include receiving, at a proxy manager, a request from a source resource to access an access-restricted target resource. The request can include replica authentication information inoperable to enable the source resource to access the access-restricted target resource. The method can further include generating, in response to the request, temporary authentication information corresponding to the replica authentication information. The temporary authentication information can be operable to enable the source resource to access the access-restricted target resource. The method can additionally include making available to the access-restricted target resource the temporary authentication information, without sending the temporary authentication information to the source resource.
    Type: Application
    Filed: May 21, 2018
    Publication date: November 21, 2019
    Applicant: CyberArk Software Ltd.
    Inventor: Asaf HECHT
  • Patent number: 10447727
    Abstract: Disclosed embodiments relate to systems and methods for predictable detection in a computing network. Techniques include identifying an activity associated with an identity in the computer network; accessing hierarchical-chained progression states representing timelines defining one or more process flows for operations in the computer network between beginning states and corresponding predictable result states to be controlled; identifying a hierarchical-chained progression state corresponding to the identified activity; automatically predicting a likelihood that the at least one activity will reach the predictable result state corresponding to the identified hierarchical-chained progression state; and implementing a control action for the activity, the identity, or a resource to which the identity is seeking to communicate.
    Type: Grant
    Filed: February 27, 2019
    Date of Patent: October 15, 2019
    Assignee: CyberArk Software Ltd.
    Inventor: Asaf Hecht
  • Publication number: 20190260754
    Abstract: Systems and methods are provided for automatically discovering and evaluating privileged entities in a network environment. The systems and methods can include scanning the network environment to identify a plurality of network entities. This scan can include identifying network permissions corresponding to the plurality of network entities. The operations can further include performing a multi-layer evaluation of the permissions corresponding to the plurality of network entities, the multi-layer evaluation being based at least on factors of network action sensitivity and network resource sensitivity. The network action sensitivity factor can address the sensitivity of particular actions that the plurality of network entities are able to take in the network environment. The network resource sensitivity factor can address the sensitivity of particular resources in the network environment that the plurality of network entities are able to access.
    Type: Application
    Filed: February 20, 2018
    Publication date: August 22, 2019
    Applicant: CyberArk Software Ltd.
    Inventor: Asaf Hecht
  • Publication number: 20190207772
    Abstract: Systems and methods are provided for scanning a network to identify potentially compromised cloud-based access information.
    Type: Application
    Filed: March 20, 2018
    Publication date: July 4, 2019
    Applicant: CyberArk Software Ltd.
    Inventors: Asaf Hecht, Kobi Ben Naim
  • Publication number: 20190207771
    Abstract: Systems and methods are provided for identifying potentially compromised cloud-based access information. The systems and methods include providing a unique signature for insertion into application programming interface (API) communications to be sent from a network resource to a cloud application executable in a cloud environment. The unique signature can be associated with an access token that a particular identity can use to request access to the cloud application. The systems and methods include accessing a log associated with the cloud environment, identifying the unique signature and the access token using information in the log, accessing a trusted validation resource storing signature information associated with the access token, determining whether the unique signature is valid, and determining whether the access token is potentially compromised.
    Type: Application
    Filed: January 2, 2018
    Publication date: July 4, 2019
    Applicant: CyberArk Software Ltd.
    Inventors: Asaf Hecht, Kobi Ben Naim
  • Patent number: 10341350
    Abstract: Disclosed embodiments include identifying a first identity having a first level of privileged network access, identifying a network resource that the first identity is communicating with, classifying the network resource as a network resource to be dynamically monitored, dynamically monitoring connections activity of the identified network resource to determine a second identity, wherein the second identity is determined based on it having a second level of privileged network access that is different from the first level of privileged network access and having attempted to establish a connection with the network resource, classifying, based on the determination of the second identity, the network resource as a potential source of privileged access escalation vulnerabilities, and performing, based on the classification that the network resource is a potential source of privileged access escalation vulnerabilities, at least one of: triggering an alert regarding the potential source of privileged access escalati
    Type: Grant
    Filed: April 9, 2018
    Date of Patent: July 2, 2019
    Assignee: CYBERARK SOFTWARE LTD.
    Inventors: Lavi Lazarovitz, Asaf Hecht
  • Publication number: 20190166126
    Abstract: Disclosed embodiments include identifying a first identity having a first level of privileged network access, identifying a network resource that the first identity is communicating with, classifying the network resource as a network resource to be dynamically monitored, dynamically monitoring connections activity of the identified network resource to determine a second identity, wherein the second identity is determined based on it having a second level of privileged network access that is different from the first level of privileged network access and having attempted to establish a connection with the network resource, classifying, based on the determination of the second identity, the network resource as a potential source of privileged access escalation vulnerabilities, and performing, based on the classification that the network resource is a potential source of privileged access escalation vulnerabilities, at least one of: triggering an alert regarding the potential source of privileged access escalati
    Type: Application
    Filed: April 9, 2018
    Publication date: May 30, 2019
    Inventors: Lavi Lazarovitz, Asaf Hecht
  • Patent number: 10164982
    Abstract: Disclosed embodiments include identifying a first identity having a first level of privileged network access, identifying a network resource that the first identity is communicating with, classifying the network resource as a network resource to be dynamically monitored, dynamically monitoring connections activity of the identified network resource to determine a second identity, wherein the second identity is determined based on it having a second level of privileged network access that is different from the first level of privileged network access and having attempted to establish a connection with the network resource, classifying, based on the determination of the second identity, the network resource as a potential source of privileged access escalation vulnerabilities, and performing, based on the classification that the network resource is a potential source of privileged access escalation vulnerabilities, at least one of: triggering an alert regarding the potential source of privileged access escalati
    Type: Grant
    Filed: November 28, 2017
    Date of Patent: December 25, 2018
    Assignee: CYBERARK SOFTWARE LTD.
    Inventors: Lavi Lazarovitz, Asaf Hecht
  • Patent number: 10148701
    Abstract: Techniques include identifying permission policies corresponding to a plurality of identities in a network environment, the permission policies specifying what types of actions the plurality of identities are permitted to take with respect to particular network resources; analyzing information describing activity associated with a first identity from the plurality of identities in the network environment; and automatically developing, based on the analysis of the information, a least-privilege profile for the first identity, the least-privilege profile including permissions corresponding to the particular actions with respect to the particular network resources and excluding permissions that do not correspond to the particular actions with respect to the particular network resources.
    Type: Grant
    Filed: May 8, 2018
    Date of Patent: December 4, 2018
    Assignee: CyberArk Software Ltd.
    Inventors: Asaf Hecht, Tal Kandel