Abstract: A method for detecting security vulnerabilities, comprising: generating a corpus of input samples each labeled to indicate a threat level when executed by an input processing code; training a neural network (NN) using the plurality of input samples to classify inputs according to a plurality of labels of the plurality of input samples; for each input sample: iteratively altering the input sample to correspond to a process of gradient change of the NN, until the NN classifies the altered input sample to a different label than a respective label of the input sample; assigning the different label to the altered input sample; using the plurality of relabeled altered input samples to further train the NN and augment the corpus of input samples.

Abstract: This disclosure describes a proactive deployment impact system that detects and addresses the security impact of candidate code-based infrastructure changes before they are deployed in a production environment within a cloud computing system. The proactive deployment impact system implements a lightweight preemptive security framework, based on runtime resource information, to determine whether a requested candidate code-based infrastructure change would introduce new security risks, attack patterns, or breach vulnerabilities. Furthermore, the proactive deployment impact system can actively block the deployment of negatively impacting candidate changes, report potential security breaches, and/or automatically modify the candidate changes to eliminate security vulnerabilities.

Abstract: Techniques are described herein that are capable of performing a security action based on a communication-based analysis. A security event, which is triggered by an operation performed by a user in an organization, is detected. A security analysis result is generated by determining whether a communication history of the user includes (1) a communication from the user that initiates an interaction with another user in the organization and/or a communication that is addressed specifically to the user from another user in the organization, (2) a communication from the user that references the operation, and/or (3) a communication that provides an explanation of a purpose of the operation that satisfies an explanation criterion. In response to the security event, a security action is performed with regard to the operation as a result of the security analysis result satisfying a security criterion.

Abstract: Techniques are described herein that are capable of performing a security action based on an AI-determined intent and/or impact of a resource in an enterprise. A security alert regarding an identified resource of an enterprise is received. Intents of subsets of information regarding a software application utilized by the enterprise are determined using an AI model. The intents are mapped to subsets of resources in the enterprise and/or the AI model is used to determine impacts of the subsets of the resources on the enterprise. In response to the security alert, a security action is performed with regard to the identified resource as a result of an intent and/or impact associated with the identified resource satisfying an action criterion associated with the security action.

Abstract: Systems, methods, and techniques are directed to detecting potential anomalous activity based on changes in a security graph. In an example, a security system receives a first snapshot of a graph representative of a tenant account of a network-based system corresponding to a first timestamp. The security system receives a second snapshot of the graph corresponding to a second timestamp. The security system determines a first change in the graph based on the first and second snapshots and a second change related to the first change. The security system detects a potential anomaly based on the first and second changes. Responsive to detecting a potential anomaly, the security system causes a mitigation step to be performed with respect to the tenant account. In a further example, the security system determines relationships between a sequence of changes satisfies a cumulative anomaly criterion.

Abstract: According to examples, an apparatus includes a processor that may obtain and parse a pipeline code to determine how variables of the pipeline code relate to each other, and replace the variables in the parsed pipeline code with values to which the variables respectively represent, in which the values correspond to pipeline run sources and pipeline run targets of API calls. The processor may also identify how the pipeline run targets interact with the pipeline run sources of the API calls and build a dependency graph that maps the pipeline run sources with the pipeline run targets. Runtime resources may thus be mapped to source code in a pipeline run to provide visibility into actions carried out by the pipeline. This visibility may be used to determine whether there are security vulnerabilities in the pipeline run sources and/or targets such that the vulnerabilities may be addressed/overcome.

Abstract: Methods, systems, and computer storage media for providing data security posture management using an application discovery engine in a security management system. Application discovery supports identifying and mapping various applications within a computing environment. In particular, application discovery can be provided as part of security management operations to assess security posture of applications, identify vulnerabilities, and ensure compliance with regulations. In operation, application discovery data associated with a plurality computing resources of a computing environment is accessed. An annotated application discovery graph comprising a plurality of entities that represent the plurality of computing resources is generated. The annotated application discovery graph is deployed to support generating security postures for computing environments. A request is received for a security posture of the computing environment.

Abstract: Techniques are described herein that are capable of providing automated governance policy-based security for a cloud native application. Recently unused security misconfigurations of a cloud native application are identified. A first configuration change that resolves a first recently unused security misconfiguration is automatically implemented as a result of the first configuration change being capable of reducing productivity of a user and having a likelihood of reducing security of the cloud native application that is greater than or equal to a likelihood threshold.

Abstract: The disclosed techniques automatically identify cyber-security attacks and predict attack next steps. Descriptions of previously observed cyber-attack campaigns are decomposed into attack campaign steps. Real-time security incident signals are generated by cybersecurity software. Attack campaigns are identified by mapping attack campaign steps to security incident signals. Custom-generated telemetry queries are executed to determine if a missing attack campaign step occurred. A machine learning model generates embeddings for attack campaign steps, security incident signals, and telemetry query responses. A security incident signal or a telemetry query response matches an attack campaign step when their embeddings are within a defined distance. A security alert may be raised when most or all of the attack campaign steps of a particular attack campaign are matched. Attack campaign steps that are not matched to security incident signals or telemetry query results are predicted as attack next steps.

Abstract: Techniques are described herein that are capable of providing automated governance policy-based security for a cloud native application. Recently unused security misconfigurations of a cloud native application are identified. A first configuration change that resolves a first recently unused security misconfiguration is automatically implemented as a result of the first configuration change being capable of reducing productivity of a user and having a likelihood of reducing security of the cloud native application that is greater than or equal to a likelihood threshold.

Abstract: According to examples, an apparatus includes a processor that may obtain and parse a pipeline code to determine how variables of the pipeline code relate to each other, and replace the variables in the parsed pipeline code with values to which the variables respectively represent, in which the values correspond to pipeline run sources and pipeline run targets of API calls. The processor may also identify how the pipeline run targets interact with the pipeline run sources of the API calls and build a dependency graph that maps the pipeline run sources with the pipeline run targets. Runtime resources may thus be mapped to source code in a pipeline run to provide visibility into actions carried out by the pipeline. This visibility may be used to determine whether there are security vulnerabilities in the pipeline run sources and/or targets such that the vulnerabilities may be addressed/overcome.

Abstract: A distributed computing system may include a code repository server configured to store code, a code deployment server configured to receive a deployment of the code, and a development and operations (DevOps) server configured to construct a pipeline between the code repository server and the code deployment server. The DevOps server may be configured to execute a source code management program to receive a request for information regarding a target resource that has been deployed using the pipeline, generate a permissions model for the target resource, the permissions model including one or more permissions, each permission authorizing a managed identity to execute an action related to the target resource, determine a permissions usage history of the permissions contained in the permissions model, filter the permissions model based on the permissions usage history, and generate a list of events determined to have occurred as the filtered permissions model.

Abstract: Methods, systems, and computer storage media for providing data security posture management using an application discovery engine in a security management system. Application discovery supports identifying and mapping various applications within a computing environment. In particular, application discovery can be provided as part of security management operations to assess security posture of applications, identify vulnerabilities, and ensure compliance with regulations. In operation, application discovery data associated with a plurality computing resources of a computing environment is accessed. An annotated application discovery graph comprising a plurality of entities that represent the plurality of computing resources is generated. The annotated application discovery graph is deployed to support generating security postures for computing environments. A request is received for a security posture of the computing environment.

Abstract: According to examples, an apparatus includes a processor that may obtain and parse a pipeline code to determine how variables of the pipeline code relate to each other, and replace the variables in the parsed pipeline code with values to which the variables respectively represent, in which the values correspond to pipeline run sources and pipeline run targets of API calls. The processor may also identify how the pipeline run targets interact with the pipeline run sources of the API calls and build a dependency graph that maps the pipeline run sources with the pipeline run targets. Runtime resources may thus be mapped to source code in a pipeline run to provide visibility into actions carried out by the pipeline. This visibility may be used to determine whether there are security vulnerabilities in the pipeline run sources and/or targets such that the vulnerabilities may be addressed/overcome.

Abstract: An approach to predicting the outcome of a computer security response. The approach can analyze an unlabeled set of network data and based on the analysis, create a language model of the network. The approach can process the language model to predict a reduction factor associated with network availability. The approach can further process the language model and a malicious sequence to predict an effectiveness factor associated with blocking the malicious sequence. The approach can output bot the reduction factor and the effectiveness factor to a network administrator for determining the applicability of the computer security response.

Abstract: Embodiments may provide techniques that may provide more accurate and actionable alerts by cloud workload security systems so as to improve overall cloud workload security. For example, in an embodiment, a method may be implemented in a computer system comprising a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor, and the method may comprise generating performance and security information relating to a software system during development of the software system, generating performance and security information relating to the software system during deployed operation of the software system, matching the performance and security information generated during development of the software system with the performance and security information generated during deployed operation of the software system to determine performance and security alerts to escalate, and reporting the escalated performance and security alerts.

Abstract: An approach to predicting the outcome of a computer security response. The approach can analyze an unlabeled set of network data and based on the analysis, create a language model of the network. The approach can process the language model to predict a reduction factor associated with network availability. The approach can further process the language model and a malicious sequence to predict an effectiveness factor associated with blocking the malicious sequence. The approach can output bot the reduction factor and the effectiveness factor to a network administrator for determining the applicability of the computer security response.

Abstract: An approach to predicting the outcome of a computer security response. The approach can analyze an unlabeled set of network data and based on the analysis, create a language model of the network. The approach can process the language model to predict a reduction factor associated with network availability. The approach can further process the language model and a malicious sequence to predict an effectiveness factor associated with blocking the malicious sequence. The approach can output bot the reduction factor and the effectiveness factor to a network administrator for determining the applicability of the computer security response.

Abstract: Embodiments may provide techniques that that may automatically generate a customized SOC rule set for an organization. For example, in an embodiment, a method may be implemented in a computer comprising a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor, the method may comprise simulating operation of a security incident and event management system by running a plurality of rules of the system on labeled data, determining fitness metrics of the plurality of rules, selecting at least one rule of the plurality of rules based on the determined fitness metrics; modifying the selected rule to form an updated rule, and repeating running the updated rule on the labeled data, determining fitness metrics of the updated rule, and mutating the updated rule.

Abstract: A method for automatically migrating infrastructure as code (IaC) from a first cloud infrastructure platform to a second cloud infrastructure platform is provided. The method may include receiving an original IaC comprising a first type of coding language. The method may further include using natural language processing to map a connection between the first type of coding language and a second type of coding language. The method may further include based on the mapped connection, using the NLP to automatically generate a partial translation of the first type of coding language to the second type of coding language. The method may further include using a machine learning algorithm to correct at least one inaccuracy in the partial translation. The method may further include generating a complete translation and implementing a second IaC on the second cloud infrastructure platform based on the complete translation.