Patents by Inventor Lavi Lazarovitz

Lavi Lazarovitz has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11954217
    Abstract: Disclosed embodiments relate to systems and methods for securely provisioning sensitive data elements to virtualized execution instances. The techniques may include: identifying a request to provision a new virtualized execution instance; determining, in association with the request, that the new virtualized execution instance will require a prohibited data element in order to communicate with a target network resource; without providing the new virtualized execution instance the prohibited data element, registering the new virtualized execution instance; identifying a request from the new virtualized execution instance to communicate with the target network resource; performing a verification process for the request to communicate with the target network resource; and conditional on the verification process, provisioning the prohibited data element to the new virtualized execution instance.
    Type: Grant
    Filed: November 17, 2020
    Date of Patent: April 9, 2024
    Assignee: CyberArk Software Ltd.
    Inventors: Nimrod Stoler, Lavi Lazarovitz
  • Patent number: 11947693
    Abstract: Disclosed embodiments relate to systems and methods for securely provisioning sensitive data elements to virtualized execution instances. The techniques may include: identifying a request to provision a new virtualized execution instance; determining, in association with the request, that the new virtualized execution instance will require a prohibited data element in order to communicate with a target network resource; without providing the new virtualized execution instance the prohibited data element, registering the new virtualized execution instance; identifying a request from the new virtualized execution instance to communicate with the target network resource; performing a verification process for the request to communicate with the target network resource; and conditional on the verification process, provisioning the prohibited data element to the new virtualized execution instance.
    Type: Grant
    Filed: November 17, 2020
    Date of Patent: April 2, 2024
    Assignee: CyberArk Software Ltd.
    Inventors: Nimrod Stoler, Lavi Lazarovitz
  • Patent number: 11392766
    Abstract: Disclosed embodiments relate to systems and methods for automatically mediating among diversely structured operational policies. Techniques include identifying a first communication of a computing resource that is associated with an operational policy, identifying a second computing resource, determining if there is a conflict between the first communication and the second computing resource, applying a language processing protocol to the communication, normalizing the communication and policy, and generating a mediated communication. Other techniques include transmitting the mediated communication, generating a recommendation for implementing a security control on the first communication, and applying a security policy to the first communication.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: July 19, 2022
    Assignee: CyberArk Software Ltd.
    Inventors: Tal Kandel, Lavi Lazarovitz
  • Publication number: 20220188444
    Abstract: Systems, methods, and non-transitory computer-readable media for container management are disclosed. A system consistent with disclosed embodiments can include a processor and a computer-readable medium containing instructions. When executed by the processor, the instructions can cause the system to perform operations. The operations can include obtaining a request by a first process running in a container for access to a protected resource. The operations can further include determining that a set of registered processes does not include the first process, the set of registered processes being processes running in the container at a time point or in a time interval following creation of the container. The operations can further include determining that an exception applies to the first process and, in response to the determination that the exception applies to the first process, providing the first process access to the protected resource.
    Type: Application
    Filed: December 20, 2021
    Publication date: June 16, 2022
    Applicant: CyberArk Software Ltd.
    Inventors: Nimrod STOLER, Lavi LAZAROVITZ
  • Patent number: 11263317
    Abstract: Disclosed embodiments relate to systems and methods for automatically processing diversely structured operational policies. Techniques include identifying a policy associated with an application or computer code; applying a language processing protocol to the policy to interpret the policy and extract attribute(s) of the policy, where the policy is defined using a vocabulary and syntax; normalizing the policy to define the policy using a standardized vocabulary and syntax agnostic to an infrastructure or service associated with the application or computer code, where one or more of the vocabulary and syntax are respectively different from the standardized vocabulary and syntax and where normalizing the policy comprises translating the attribute(s) of the policy; and evaluating the policy based on the normalizing to determine whether a potentially malicious activity is associated with the application or computer code.
    Type: Grant
    Filed: October 27, 2020
    Date of Patent: March 1, 2022
    Assignee: CyberArk Software Ltd.
    Inventors: Tal Kandel, Lavi Lazarovitz
  • Patent number: 11222123
    Abstract: Disclosed embodiments relate to systems and methods for identifying vulnerabilities for virtualized execution instances to escape their operating environment and threaten a host environment. Techniques include identifying a virtualized execution instance configured for deployment on a host in a virtual computing environment; performing a privileged configuration inspection for the virtualized execution instance, the privileged configuration inspection analyzing whether the virtualized execution instance has been configured with one or more attributes that can permit operation of the virtualized execution instance to perform operations, beyond an environment of the virtualized execution instance, on an environment of the host; and implementing, based on the privileged configuration inspection, a control action for controlling the virtualized execution instance's ability to perform operations on the environment of the host.
    Type: Grant
    Filed: April 22, 2019
    Date of Patent: January 11, 2022
    Assignee: CyberArk Software Ltd.
    Inventors: Nimrod Stoler, Lavi Lazarovitz
  • Publication number: 20210264107
    Abstract: Disclosed embodiments relate to systems and methods for automatically mediating among diversely structured operational policies. Techniques include identifying a first communication of a computing resource that is associated with an operational policy, identifying a second computing resource, determining if there is a conflict between the first communication and the second computing resource, applying a language processing protocol to the communication, normalizing the communication and policy, and generating a mediated communication. Other techniques include transmitting the mediated communication, generating a recommendation for implementing a security control on the first communication, and applying a security policy to the first communication.
    Type: Application
    Filed: February 26, 2020
    Publication date: August 26, 2021
    Applicant: CyberArk Software Ltd.
    Inventors: Tal Kandel, Lavi Lazarovitz
  • Publication number: 20210264021
    Abstract: Disclosed embodiments relate to systems and methods for automatically processing diversely structured operational policies. Techniques include identifying a policy associated with an application or computer code; applying a language processing protocol to the policy to interpret the policy and extract attribute(s) of the policy, where the policy is defined using a vocabulary and syntax; normalizing the policy to define the policy using a standardized vocabulary and syntax agnostic to an infrastructure or service associated with the application or computer code, where one or more of the vocabulary and syntax are respectively different from the standardized vocabulary and syntax and where normalizing the policy comprises translating the attribute(s) of the policy; and evaluating the policy based on the normalizing to determine whether a potentially malicious activity is associated with the application or computer code.
    Type: Application
    Filed: October 27, 2020
    Publication date: August 26, 2021
    Applicant: CyberArk Software Ltd.
    Inventors: Tal Kandel, Lavi Lazarovitz
  • Patent number: 11048770
    Abstract: An endpoint configured for adaptively generating responses to data queries, comprising program store for storing code, and one or more processors of an endpoint coupled to the program store for executing the code which comprises: (1) Code instructions for detecting a data query from a requester with respect to one or more information resources of the endpoint. (2) Code instructions for adaptively generating a response to the data query. The adaptively generated response comprises data indicative of one or more fictive information resources which are of a similar type as the information resource(s). The response is adaptively generated according to an analysis of data extracted from the data query, the information resource(s), previous interaction of the requester with the endpoint and/or identified information resource operation(s) at the endpoint which precede the detection of the data query. (3) Code instructions for providing the adaptively generated response to the requester.
    Type: Grant
    Filed: April 2, 2020
    Date of Patent: June 29, 2021
    Assignee: CyberArk Software Ltd.
    Inventors: Roi Cohen, Doron Aharon Naim, Lavi Lazarovitz
  • Publication number: 20210073406
    Abstract: Disclosed embodiments relate to systems and methods for securely provisioning sensitive data elements to virtualized execution instances. The techniques may include: identifying a request to provision a new virtualized execution instance; determining, in association with the request, that the new virtualized execution instance will require a prohibited data element in order to communicate with a target network resource; without providing the new virtualized execution instance the prohibited data element, registering the new virtualized execution instance; identifying a request from the new virtualized execution instance to communicate with the target network resource; performing a verification process for the request to communicate with the target network resource; and conditional on the verification process, provisioning the prohibited data element to the new virtualized execution instance.
    Type: Application
    Filed: November 17, 2020
    Publication date: March 11, 2021
    Applicant: CyberArk Software Ltd.
    Inventors: Nimrod Stoler, Lavi Lazarovitz
  • Publication number: 20210073405
    Abstract: Disclosed embodiments relate to systems and methods for securely provisioning sensitive data elements to virtualized execution instances. The techniques may include: identifying a request to provision a new virtualized execution instance; determining, in association with the request, that the new virtualized execution instance will require a prohibited data element in order to communicate with a target network resource; without providing the new virtualized execution instance the prohibited data element, registering the new virtualized execution instance; identifying a request from the new virtualized execution instance to communicate with the target network resource; performing a verification process for the request to communicate with the target network resource; and conditional on the verification process, provisioning the prohibited data element to the new virtualized execution instance.
    Type: Application
    Filed: November 17, 2020
    Publication date: March 11, 2021
    Applicant: CyberArk Software Ltd.
    Inventors: Nimrod Stoler, Lavi Lazarovitz
  • Patent number: 10878119
    Abstract: Disclosed embodiments relate to systems and methods for securely provisioning sensitive data elements to virtualized execution instances. The techniques may include: identifying a request to provision a new virtualized execution instance; determining, in association with the request, that the new virtualized execution instance will require a prohibited data element in order to communicate with a target network resource; without providing the new virtualized execution instance the prohibited data element, registering the new virtualized execution instance; identifying a request from the new virtualized execution instance to communicate with the target network resource; performing a verification process for the request to communicate with the target network resource; and conditional on the verification process, provisioning the prohibited data element to the new virtualized execution instance.
    Type: Grant
    Filed: April 1, 2020
    Date of Patent: December 29, 2020
    Assignee: CYBERARK SOFTWARE LTD.
    Inventors: Nimrod Stoler, Lavi Lazarovitz
  • Publication number: 20200334371
    Abstract: Disclosed embodiments relate to systems and methods for securely provisioning sensitive data elements to virtualized execution instances. The techniques may include: identifying a request to provision a new virtualized execution instance; determining, in association with the request, that the new virtualized execution instance will require a prohibited data element in order to communicate with a target network resource; without providing the new virtualized execution instance the prohibited data element, registering the new virtualized execution instance; identifying a request from the new virtualized execution instance to communicate with the target network resource; performing a verification process for the request to communicate with the target network resource; and conditional on the verification process, provisioning the prohibited data element to the new virtualized execution instance.
    Type: Application
    Filed: April 1, 2020
    Publication date: October 22, 2020
    Applicant: CyberArk Software Ltd.
    Inventors: Nimrod Stoler, Lavi Lazarovitz
  • Publication number: 20200334362
    Abstract: Disclosed embodiments relate to systems and methods for identifying vulnerabilities for virtualized execution instances to escape their operating environment and threaten a host environment. Techniques include identifying a virtualized execution instance configured for deployment on a host in a virtual computing environment; performing a privileged configuration inspection for the virtualized execution instance, the privileged configuration inspection analyzing whether the virtualized execution instance has been configured with one or more attributes that can permit operation of the virtualized execution instance to perform operations, beyond an environment of the virtualized execution instance, on an environment of the host; and implementing, based on the privileged configuration inspection, a control action for controlling the virtualized execution instance's ability to perform operations on the environment of the host.
    Type: Application
    Filed: April 22, 2019
    Publication date: October 22, 2020
    Applicant: CyberArk Software Ltd.
    Inventors: Nimrod Stoler, Lavi Lazarovitz
  • Patent number: 10749886
    Abstract: Disclosed embodiments relate to systems and methods for automatically processing diversely structured operational policies. Techniques include identifying first and second operational policies, determining if the policies use different vocabulary or syntax, applying a language processing protocol to the policies, and normalizing the policies. Other techniques include making available the normalized policies to a computing resource, identifying a set of related rules based on the normalizing, identifying that one of the policies has an unnecessarily high level of privileges, and reducing the level of privileges according to a least-privileges policy.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: August 18, 2020
    Assignee: CyberArk Software Ltd.
    Inventors: Tal Kandel, Lavi Lazarovitz
  • Publication number: 20200233913
    Abstract: An endpoint configured for adaptively generating responses to data queries, comprising program store for storing code, and one or more processors of an endpoint coupled to the program store for executing the code which comprises: (1) Code instructions for detecting a data query from a requester with respect to one or more information resources of the endpoint. (2) Code instructions for adaptively generating a response to the data query. The adaptively generated response comprises data indicative of one or more fictive information resources which are of a similar type as the information resource(s). The response is adaptively generated according to an analysis of data extracted from the data query, the information resource(s), previous interaction of the requester with the endpoint and/or identified information resource operation(s) at the endpoint which precede the detection of the data query. (3) Code instructions for providing the adaptively generated response to the requester.
    Type: Application
    Filed: April 2, 2020
    Publication date: July 23, 2020
    Applicant: CyberArk Software Ltd.
    Inventors: ROI COHEN, Doron Aharon Naim, Lavi Lazarovitz
  • Patent number: 10341350
    Abstract: Disclosed embodiments include identifying a first identity having a first level of privileged network access, identifying a network resource that the first identity is communicating with, classifying the network resource as a network resource to be dynamically monitored, dynamically monitoring connections activity of the identified network resource to determine a second identity, wherein the second identity is determined based on it having a second level of privileged network access that is different from the first level of privileged network access and having attempted to establish a connection with the network resource, classifying, based on the determination of the second identity, the network resource as a potential source of privileged access escalation vulnerabilities, and performing, based on the classification that the network resource is a potential source of privileged access escalation vulnerabilities, at least one of: triggering an alert regarding the potential source of privileged access escalati
    Type: Grant
    Filed: April 9, 2018
    Date of Patent: July 2, 2019
    Assignee: CYBERARK SOFTWARE LTD.
    Inventors: Lavi Lazarovitz, Asaf Hecht
  • Publication number: 20190166126
    Abstract: Disclosed embodiments include identifying a first identity having a first level of privileged network access, identifying a network resource that the first identity is communicating with, classifying the network resource as a network resource to be dynamically monitored, dynamically monitoring connections activity of the identified network resource to determine a second identity, wherein the second identity is determined based on it having a second level of privileged network access that is different from the first level of privileged network access and having attempted to establish a connection with the network resource, classifying, based on the determination of the second identity, the network resource as a potential source of privileged access escalation vulnerabilities, and performing, based on the classification that the network resource is a potential source of privileged access escalation vulnerabilities, at least one of: triggering an alert regarding the potential source of privileged access escalati
    Type: Application
    Filed: April 9, 2018
    Publication date: May 30, 2019
    Inventors: Lavi Lazarovitz, Asaf Hecht
  • Patent number: 10164982
    Abstract: Disclosed embodiments include identifying a first identity having a first level of privileged network access, identifying a network resource that the first identity is communicating with, classifying the network resource as a network resource to be dynamically monitored, dynamically monitoring connections activity of the identified network resource to determine a second identity, wherein the second identity is determined based on it having a second level of privileged network access that is different from the first level of privileged network access and having attempted to establish a connection with the network resource, classifying, based on the determination of the second identity, the network resource as a potential source of privileged access escalation vulnerabilities, and performing, based on the classification that the network resource is a potential source of privileged access escalation vulnerabilities, at least one of: triggering an alert regarding the potential source of privileged access escalati
    Type: Grant
    Filed: November 28, 2017
    Date of Patent: December 25, 2018
    Assignee: CYBERARK SOFTWARE LTD.
    Inventors: Lavi Lazarovitz, Asaf Hecht
  • Patent number: 10057282
    Abstract: Described herein are systems and methods for detecting potentially malicious activity in a network session. Embodiments may involve identifying a requested network session between a first computer device and a second computer device, wherein the requested network session includes at least one security access message having an encrypted portion, obtaining a decryption key suitable for decrypting the encrypted portion of the security access message, decrypting the encrypted portion of the security access message with the decryption key, identifying a session key within the decrypted portion of the security access message, decrypting an application message that has been transmitted between the first computer device and the second computer device in the requested network session using the session key, and determining whether the decrypted application message includes an indicia of potentially malicious activity.
    Type: Grant
    Filed: July 24, 2017
    Date of Patent: August 21, 2018
    Assignee: CyberArk Software Ltd.
    Inventors: Matan Hart, Lavi Lazarovitz