Abstract: When a transformation job of flow logs generated for a cloud environment is triggered, a security service determines a parameterized template for batch data processing operations offered by the cloud service provider (CSP) to use based on the type of transformation job. The security service communicates an indication of the template and the corresponding parameter values to a data processing service/pipeline offered by the CSP. The provisioned processing resources retrieve the flow logs from a designated location in cloud storage, complete the transformation, and store the transformed flow logs in a new storage location. If the CSP does not provide a data processing service/pipeline which can perform bulk data transformation, the security service uses a generic parameterized template specifying a transformation job to be run on a cluster. Upon completion, the security service retrieves and analyzes the transformed flow logs as part of threat detection performed for securing the cloud environment.

Abstract: A cloud resource management system detects resource misconfiguration for resources in a cloud including cloud policy misconfigurations and resource vulnerabilities. An attack chain analyzer identifies attack chains from misconfigured resources ordered according to stages in an attack framework that models sequential behavior for malicious attacks. The attack chains are detected according to a depth-first search traversal of adjacent resources that have pairwise exposure according to characteristics indicated in the cloud policy misconfigurations and resource vulnerabilities. The attack chain analyzer generates further diagnostics that inform remediation of resource misconfigurations for malicious attack prevention.

Abstract: An API response field classification service obtains API documentation published by a vendor and defined security policies and matches the response fields represented in the security policies to their descriptions in the API documentation. The service generates labelled training data that comprise the identified response field descriptions with labels indicating that their corresponding response field is security related. Additional labelled training data for security unrelated response fields comprises descriptions of response fields that are known not to be represented with any security policies. The service trains a text classifier on the labelled training data. The trained text classifier accepts inputs comprising descriptions of unknown response fields and outputs predicted classes indicating whether the corresponding response fields are predicted to be security related. Subsequent creation of security policies can be focused on these response fields predicted to be security related.

Abstract: A browser extension produces a single view comprising content of web pages of a target vendor requested by a customer and corresponding security information for the target vendor maintained for the customer. Fingerprints of the target vendor's web page URLs and web page elements corresponding to resources, respectively, are determined. As the web browser retrieves web pages and the customer selects web page elements that identify resources, the browser extension matches URLs and/or HTML/XML syntactic patterns of the retrieved web pages to the fingerprints to determine the security information to obtain from backend storage. The type/granularity of information that is retrieved can vary depending on the identified fingerprint match. The browser extension retrieves security information corresponding to fingerprints for which matches are identified, generates security overviews therefrom, and integrates the security overviews into the requested web pages to generate a consolidated, multi-perspective view.

Abstract: Comprehensive matching allows for automated conversion from runtime policy rules to build time rules that can be applied to an IaC configuration file(s). API specifications of a CSP and resource models defined in an IaC configuration file(s) are parsed and tokenized. The tokenized API specifications are evaluated to identify, for each resource model, a most appropriate API specification for mapping fields. Based on the evaluation and token matching, tokens of the API specifications are mapped to the tokens of the IaC resource models to form a mapping model. In an implementation phase, a runtime policy rule converter replaces tokens of a runtime security policy rule query with IaC tokens based on the mapping index to convert the runtime security policy rule query into a buildtime security policy rule query that can be applied against the IaC configuration files.

Abstract: A graph representation of cloud resources and their relationships is generated and maintained to provide insights into impact of incidents affecting cloud resources on others in the cloud environment. Cloud resource data for the cloud resources are obtained and relationships among the cloud resources are determined. Relationships among the cloud resources are determined based on analysis of configuration data associated with the cloud resources from which relationships among cloud resources of different types can be inferred, and external sources may also be utilized to facilitate identification of relationships. A graph representation of the cloud resources and their determined relationships is built where the cloud resource data are stored in vertices with directed edges between the vertices representing the identified relationships.

Abstract: A system processes an API specification provided by a vendor to determine and classify the functions defined therein by CRUD operation type based on analysis of the function names. Classification of the function includes associating a bitmask corresponding to the class with the function name. The system then subscribes to an event stream including logged API function call events during a time window overlapping with a “blind spot” period of attack detection. The system analyzes incoming events to identify an associated resource and an API function call. The system classifies the function based on the determined function classes and performs a bitwise operation between bit values maintained for the identified resource that are indicative of resource state and the bitmask of the function class. If the resulting bit values indicate that the resource was both created and deleted during the time window, the system flags the resource as potentially involved in an attack.

Abstract: When a transformation job of flow logs generated for a cloud environment is triggered, a security service determines a parameterized template for batch data processing operations offered by the cloud service provider (CSP) to use based on the type of transformation job. The security service communicates an indication of the template and the corresponding parameter values to a data processing service/pipeline offered by the CSP. The provisioned processing resources retrieve the flow logs from a designated location in cloud storage, complete the transformation, and store the transformed flow logs in a new storage location. If the CSP does not provide a data processing service/pipeline which can perform bulk data transformation, the security service uses a generic parameterized template specifying a transformation job to be run on a cluster. Upon completion, the security service retrieves and analyzes the transformed flow logs as part of threat detection performed for securing the cloud environment.

Abstract: When a transformation job of flow logs generated for a cloud environment is triggered, a security service determines a parameterized template for batch data processing operations offered by the cloud service provider (CSP) to use based on the type of transformation job. The security service communicates an indication of the template and the corresponding parameter values to a data processing service/pipeline offered by the CSP. The provisioned processing resources retrieve the flow logs from a designated location in cloud storage, complete the transformation, and store the transformed flow logs in a new storage location. If the CSP does not provide a data processing service/pipeline which can perform bulk data transformation, the security service uses a generic parameterized template specifying a transformation job to be run on a cluster. Upon completion, the security service retrieves and analyzes the transformed flow logs as part of threat detection performed for securing the cloud environment.