Patents by Inventor JONATHAN GAZIT

JONATHAN GAZIT has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12591661
    Abstract: Methods, systems, and computer storage media for providing container secure computing modes using a container mode management engine of a security management system. A container secure computing mode can include a secure state in which a container operates to prioritize security measures and practices. A container secure computing mode can be assigned to a container instance and enforced via a container security agent. In operation, a container instance is initialized, and the container instance is associated with a container security agent having a secure compute mode transition control for the container instance. Based on the secure compute mode transition control, the container instance is transitioned into a secure state. A container operation of the container instance is accessed. The execution of the container operation is restricted based on the secure state of the container instance. The secure state is associated with a secure state configuration that supports restricting the container operation.
    Type: Grant
    Filed: September 1, 2023
    Date of Patent: March 31, 2026
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jonathan Gazit, Dotan Patrich, Idan Gutman
  • Patent number: 12289335
    Abstract: Some embodiments bridge a gap between focusing on security alerts raised by conditions and events that have already occurred, and focusing on vulnerabilities that might be exploited in the future. Alerts are organized into alert categories, vulnerabilities are organized into vulnerability categories, and are optionally supplemented with misconfiguration categories. Correlations are identified between alert categories and vulnerability or misconfiguration categories, and the correlation values noted, to produce category association rules. The alerts, vulnerabilities, and other security findings are gathered in some situations from multiple similar environments, and in some cases are filtered to pertain to similar resources or similar configurations. The category association rules are utilized to perform cybersecurity prioritizations such as assigning priority levels to alerts and assigning likelihood levels to potential breaches.
    Type: Grant
    Filed: February 6, 2023
    Date of Patent: April 29, 2025
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jonathan Gazit, Moshe Israel, Dotan Patrich
  • Publication number: 20250077645
    Abstract: Methods, systems, and computer storage media for providing container secure computing modes using a container mode management engine of a security management system. A container secure computing mode can include a secure state in which a container operates to prioritize security measures and practices. A container secure computing mode can be assigned to a container instance and enforced via a container security agent. In operation, a container instance is initialized, and the container instance is associated with a container security agent having a secure compute mode transition control for the container instance. Based on the secure compute mode transition control, the container instance is transitioned into a secure state. A container operation of the container instance is accessed. The execution of the container operation is restricted based on the secure state of the container instance. The secure state is associated with a secure state configuration that supports restricting the container operation.
    Type: Application
    Filed: September 1, 2023
    Publication date: March 6, 2025
    Inventors: Jonathan GAZIT, Dotan PATRICH, Idan GUTMAN
  • Publication number: 20240267400
    Abstract: Some embodiments bridge a gap between focusing on security alerts raised by conditions and events that have already occurred, and focusing on vulnerabilities that might be exploited in the future. Alerts are organized into alert categories, vulnerabilities are organized into vulnerability categories, and are optionally supplemented with misconfiguration categories. Correlations are identified between alert categories and vulnerability or misconfiguration categories, and the correlation values noted, to produce category association rules. The alerts, vulnerabilities, and other security findings are gathered in some situations from multiple similar environments, and in some cases are filtered to pertain to similar resources or similar configurations. The category association rules are utilized to perform cybersecurity prioritizations such as assigning priority levels to alerts and assigning likelihood levels to potential breaches.
    Type: Application
    Filed: February 6, 2023
    Publication date: August 8, 2024
    Inventors: Jonathan GAZIT, Moshe ISRAEL, Dotan PATRICH
  • Publication number: 20240248995
    Abstract: Some embodiments gather and correlate software artifact identifiers to determine a lifecycle path connecting disparate artifacts from different lifecycle stages. Embodiments support developers or security personnel who are facing inquiries such as which developer can shed light on a particular problematic workload, whether a package based on a particular vulnerable source code has been deployed, and whether a given workload running on a cluster was built with any components that currently have known vulnerabilities. Embodiments proactively fill gaps and resolve ambiguities in a lifecycle path, by using commit-build data structures, build-digest data structures, tag-digest data structures, responses to development tool queries, results of drilling into enclosing packages to find nested package digests, lifecycle graphs, timestamps, and other data.
    Type: Application
    Filed: January 24, 2023
    Publication date: July 25, 2024
    Inventors: Jonathan GAZIT, Lior BECKER
  • Patent number: 11405400
    Abstract: Cybersecurity is improved by automatically finding underutilized access capabilities. Some embodiments obtain an access capability specification, gather access attempt data, and computationally determine that the access capability has not been exercised sufficiently, based on an access capability exercise sufficiency criterion. Security is then enhanced by automatically producing a recommendation to harden a guarded computing system by reducing, disabling, or deleting the insufficiently exercised access capability. In some cases, security enhancement is performed by automatically hardening the guarded computing system. Access capability exercise sufficiency determination may be based on fixed, statistical, or learned time period thresholds or activity level thresholds, or on a combination thereof using confidence levels. Thresholds are compared to a detected time period value or a detected activity level value that is derived from the access attempt data, to determine exercise sufficiency.
    Type: Grant
    Filed: September 8, 2019
    Date of Patent: August 2, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jonathan Gazit, Moshe Israel
  • Publication number: 20210075794
    Abstract: Cybersecurity is improved by automatically finding underutilized access capabilities. Some embodiments obtain an access capability specification, gather access attempt data, and computationally determine that the access capability has not been exercised sufficiently, based on an access capability exercise sufficiency criterion. Security is then enhanced by automatically producing a recommendation to harden a guarded computing system by reducing, disabling, or deleting the insufficiently exercised access capability. In some cases, security enhancement is performed by automatically hardening the guarded computing system. Access capability exercise sufficiency determination may be based on fixed, statistical, or learned time period thresholds or activity level thresholds, or on a combination thereof using confidence levels. Thresholds are compared to a detected time period value or a detected activity level value that is derived from the access attempt data, to determine exercise sufficiency.
    Type: Application
    Filed: September 8, 2019
    Publication date: March 11, 2021
    Inventors: Jonathan GAZIT, Moshe ISRAEL
  • Patent number: 10530768
    Abstract: Systems, methods, and computer-readable storage media are provided for authenticating users to secure services or apps utilizing reversed, hands-free and/or continuous two-factor authentication. When a user desires to access a secure service or app for which s/he is already registered, the user, having a registered mobile computing device in proximity to his or her presence, comes within a threshold distance of a computing device that includes the desired secure service or app. The computing device authenticates the particular mobile computing device as associated with the particular registered user that utilized that mobile device during registration. Subsequent to such device authentication, the user is able to log in to the service or app by simply providing his or her user credentials at a login form associated therewith. Two-factor authentication in accordance with embodiments hereof is more secure and more efficient than traditional authentication methodologies.
    Type: Grant
    Filed: April 19, 2016
    Date of Patent: January 7, 2020
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Hanan Shteingart, Ariel N. Gordon, Jonathan Gazit
  • Patent number: 10237300
    Abstract: A system for detecting a targeted attack by a first machine on a second machine is provided. The system includes an application including instructions to: according to first parameters, group alerts for attacking machines; each group of alerts corresponds to attacks performed by a respective one of the attacking machines, and each of the alerts is indicative of a possible attack performed by one of the attacking machines; according to second parameters, group metadata corresponding to attacked machines implementing cloud applications; based on the group of metadata corresponding to the second machine and one or more co-factors, evaluate one or more alerts corresponding to attacks performed by the first machine on the second machine relative to alerts associated with attacks performed by the first machine on other machines or attacks performed by the attacking machines; and alert the second machine of the targeted attack.
    Type: Grant
    Filed: April 6, 2017
    Date of Patent: March 19, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jonathan Gazit, Moshe Israel, Hani Hana Neuvirth
  • Publication number: 20180295149
    Abstract: A system for detecting a targeted attack by a first machine on a second machine is provided. The system includes an application including instructions to: according to first parameters, group alerts for attacking machines; each group of alerts corresponds to attacks performed by a respective one of the attacking machines, and each of the alerts is indicative of a possible attack performed by one of the attacking machines; according to second parameters, group metadata corresponding to attacked machines implementing cloud applications; based on the group of metadata corresponding to the second machine and one or more co-factors, evaluate one or more alerts corresponding to attacks performed by the first machine on the second machine relative to alerts associated with attacks performed by the first machine on other machines or attacks performed by the attacking machines; and alert the second machine of the targeted attack.
    Type: Application
    Filed: April 6, 2017
    Publication date: October 11, 2018
    Inventors: Jonathan Gazit, Moshe Israel, Hani Hana Neuvirth
  • Publication number: 20170302659
    Abstract: Systems, methods, and computer-readable storage media are provided for authenticating users to secure services or apps utilizing reversed, hands-free and/or continuous two-factor authentication. When a user desires to access a secure service or app for which s/he is already registered, the user, having a registered mobile computing device in proximity to his or her presence, comes within a threshold distance of a computing device that includes the desired secure service or app. The computing device authenticates the particular mobile computing device as associated with the particular registered user that utilized that mobile device during registration. Subsequent to such device authentication, the user is able to log in to the service or app by simply providing his or her user credentials at a login form associated therewith. Two-factor authentication in accordance with embodiments hereof is more secure and more efficient than traditional authentication methodologies.
    Type: Application
    Filed: April 19, 2016
    Publication date: October 19, 2017
    Inventors: HANAN SHTEINGART, ARIEL N. GORDON, JONATHAN GAZIT