Patents by Inventor Or HELLER
Or HELLER has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12579251
Abstract: A system and method for detecting excessive permissions of a principal in a cloud computing environment utilizes code objects of infrastructure as code. The method also includes accessing a configuration code, the configuration code including a plurality of code objects, where a code object of the plurality of code objects corresponds to a deployed principal in the cloud computing environment; detecting in a log a plurality of access events, each access event associated with a first principal deployed in the cloud computing environment based on a first code object of the plurality of code objects; determining that the first code object includes a permission which is not utilized in any of the plurality of access events; and initiating a mitigation action for the first principal based on the permission.
Type: Grant
Filed: December 29, 2022
Date of Patent: March 17, 2026
Assignee: Wiz, Inc.
Inventors: Or Heller, Raaz Herzberg, Yaniv Joseph Oliver, Osher Hazan, Niv Roit Ben David, Ami Luttwak, Roy Reznik
-
Publication number: 20260039685
Abstract: A system and method for detecting lateral movement in a computing environment based on configuration code is presented. The method includes accessing a configuration code, the configuration code including a plurality of code objects, wherein a code object of the plurality of code objects corresponds to an entity deployed in the computing environment; selecting an identifier of an exposed entity, the exposed entity associated with a secret; querying a security database based on the identifier to detect a representation of the exposed entity, wherein the representation of the exposed entity is connected to a representation of the secret; traversing the security database to detect a second representation connected to the representation of the secret, the second representation representing a second entity deployed based on the code object of the plurality of code objects; and initiating a mitigation action associated with the second entity.
Type: Application
Filed: October 13, 2025
Publication date: February 5, 2026
Applicant: Wiz, Inc.
Inventors: Or HELLER, Raaz HERZBERG, Yaniv Joseph OLIVER, Osher HAZAN, Niv Roit BEN DAVID, Ami LUTTWAK, Roy REZNIK
-
Publication number: 20250370786
Abstract: A system and method for signatureless validation of virtual instances in a computing environment is presented. The method includes detecting a request to deploy an instance based on a software artifact in the computing environment; generating a first fingerprint based on the software artifact; querying a fingerprint database, including a plurality of validated fingerprints, to determine if the first fingerprint is stored therein, each validated fingerprint corresponding to a software artifact; deploying the instance in response to detecting the first fingerprint in the fingerprint database; and blocking deployment of the instance in response to determining that the first fingerprint is not stored in the fingerprint database.
Type: Application
Filed: August 19, 2025
Publication date: December 4, 2025
Applicant: Wiz, Inc.
Inventors: Lir LOCKER, Bar MAGNEZI, Amir LANDE BLAU, Yaniv Joseph OLIVER, Or HELLER
-
Patent number: 12489781
Abstract: A system and method for detecting lateral movement in a cloud computing environment is based on configuration code. The method includes: accessing a configuration code, the configuration code including a plurality of code objects, wherein a code object of the plurality of code objects corresponds to a cloud entity deployed in the cloud computing environment; selecting an identifier of an exposed cloud entity, the cloud entity associated with a secret; querying a security graph based on the identifier to detect a node representing the secret, wherein the node representing the secret is connected to a node representing the exposed cloud entity; traversing the security graph to detect a second node connected to the node representing the secret, the second node representing a second cloud entity deployed based on the code object of the plurality of code objects; and generating a mitigation action based on the second cloud entity.
Type: Grant
Filed: December 29, 2022
Date of Patent: December 2, 2025
Assignee: Wiz, Inc.
Inventors: Or Heller, Raaz Herzberg, Yaniv Joseph Oliver, Osher Hazan, Niv Roit Ben David, Ami Luttwak, Roy Reznik
-
Publication number: 20250363205
Abstract: A system and method for detecting excessive permissions of a principal in a cloud computing environment is presented. The method includes accessing a plurality of code objects, wherein a code object of the plurality of code objects corresponds to a principal of the cloud computing environment; detecting in a log a plurality of access events associated with a first principal of the cloud computing environment, the first principal corresponding to a first code object of the plurality of code objects; detecting in the first code object a permission associated with the first principal which is not utilized in any of the plurality of access events; and initiating a mitigation action for the first principal based on the permission.
Type: Application
Filed: August 12, 2025
Publication date: November 27, 2025
Applicant: Wiz, Inc.
Inventors: Or HELLER, Raaz HERZBERG, Yaniv Joseph OLIVER, Osher HAZAN, Niv Roit BEN DAVID, Ami LUTTWAK, Roy REZNIK
-
Publication number: 20250350610
Abstract: A system and method for detecting a cybersecurity toxic combination prior to a virtual instance deployment is presented. The method includes: inspecting an entity in a cloud computing environment for a cybersecurity object, the cybersecurity object; detecting the cybersecurity object on the inspected entity; inspecting a code object utilized to deploy a virtual instance in the cloud computing environment prior to deployment of the virtual instance; detecting a toxic combination cybersecurity issue based on the cybersecurity object and the code object; and initiating a mitigation action on the code object.
Type: Application
Filed: May 9, 2024
Publication date: November 13, 2025
Applicant: Wiz, Inc.
Inventors: Arnon TRABELSI, Or HELLER, Amir LANDE BLAU, Alon WEISS, Daniel Hershko SHEMESH, Tom FEIGIN, Gahl SARAF, Roy IARCHY, Or BIN, Raz HILLEL, Assaf AVITAL, Benny HOLTZER
-
Patent number: 12418527
Abstract: A system and method for signatureless validation of objects in a computing environment, including artifacts, objects, files, virtual images, and the like. The method includes: detecting a request to deploy an instance based on a software artifact in the computing environment; generating a first fingerprint based on the software artifact in response to detecting the request to deploy the instance; querying a fingerprint database, including a plurality of validated fingerprints, to determine if the first fingerprint is stored therein; deploying the instance in response to validating the first fingerprint; and blocking deployment of the instance in response to determining the first fingerprint is not of the plurality of validated fingerprints.
Type: Grant
Filed: December 12, 2023
Date of Patent: September 16, 2025
Assignee: Wiz, Inc.
Inventors: Lir Locker, Bar Magnezi, Amir Lande Blau, Yaniv Joseph Oliver, Or Heller
-
Patent number: 12411937
Abstract: A system and method for detecting excessive permissions of a principal in a cloud computing environment utilizes code objects of infrastructure as code. The method also includes accessing a configuration code, the configuration code including a plurality of code objects, where a code object of the plurality of code objects corresponds to a deployed principal in the cloud computing environment; detecting in a log a plurality of access events, each access event associated with a first principal deployed in the cloud computing environment based on a first code object of the plurality of code objects; determining that the first code object includes a permission which is not utilized in any of the plurality of access events; and initiating a mitigation action for the first principal based on the permission.
Type: Grant
Filed: December 29, 2022
Date of Patent: September 9, 2025
Assignee: Wiz, Inc.
Inventors: Or Heller, Raaz Herzberg, Yaniv Joseph Oliver, Osher Hazan, Niv Roit Ben David, Ami Luttwak, Roy Reznik
-
Publication number: 20250193178
Abstract: A system and method for signatureless validation of objects in a computing environment, including artifacts, objects, files, virtual images, and the like. The method includes: detecting a request to deploy an instance based on a software artifact in the computing environment; generating a first fingerprint based on the software artifact in response to detecting the request to deploy the instance; querying a fingerprint database, including a plurality of validated fingerprints, to determine if the first fingerprint is stored therein; deploying the instance in response to validating the first fingerprint; and blocking deployment of the instance in response to determining the first fingerprint is not of the plurality of validated fingerprints.
Type: Application
Filed: December 12, 2023
Publication date: June 12, 2025
Applicant: Wiz, Inc.
Inventors: Lir LOCKER, Bar MAGNEZI, Amir LANDE BLAU, Yaniv Joseph OLIVER, Or HELLER
-
Publication number: 20250141913
Abstract: A system and method for inspecting a resource deployed in a cloud computing environment for a cybersecurity threat is presented. The method includes detecting a virtual instance deployed in a cloud computing environment, the virtual instance associated with an original disk; generating a cloned disk directly based on the original disk, wherein the original disk is provisioned storage from a cloud storage system; generating a cloned disk descriptor associated with the cloned disk, the cloned disk descriptor pointing to the provisioned storage; inspecting the cloned disk for a cybersecurity object, the cybersecurity object indicating a cybersecurity risk; and releasing the cloned disk in response to completing inspection of the cloned disk.
Type: Application
Filed: December 30, 2024
Publication date: May 1, 2025
Applicant: Wiz, Inc.
Inventors: Daniel Hershko SHEMESH, Yarin MIRAN, Roy REZNIK, Ami LUTTWAK, Yinon COSTICA, Avihai BERKOVITZ, George PISHA, Yaniv Joseph OLIVER, Udi REITBLAT, Or HELLER, Raaz HERZBERG, Osher HAZAN, Niv Roit BEN DAVID
-
Patent number: 12244634
Abstract: A system and method for detecting a permission escalation event in a computing environment is disclosed. The method includes: generating a cloned disk based on an original disk of a resource deployed in a computing environment; detecting an identifier of a first principal on the cloned disk; detecting a second principal in the computing environment, the first principal authorized to assume the first principal; storing a representation of the computing environment in a security database, including: a first principal node representing the first principal, and a second principal node representing the second principal, further associated with a permission; querying the representation to determine a permission of the first principal; determining that the second principal includes a permission which the first principal does not include based on a result of querying the representation; and generating a permission escalation event.
Type: Grant
Filed: April 26, 2024
Date of Patent: March 4, 2025
Assignee: Wiz, Inc.
Inventors: Daniel Hershko Shemesh, Yarin Miran, Roy Reznik, Ami Luttwak, Yinon Costica, Avihai Berkovitz, George Pisha, Yaniv Joseph Oliver, Udi Reitblat, Or Heller, Raaz Herzberg, Osher Hazan, Niv Roit Ben David
-
Publication number: 20240275812
Abstract: A system and method for detecting a permission escalation event in a computing environment is disclosed. The method includes: generating a cloned disk based on an original disk of a resource deployed in a computing environment; detecting an identifier of a first principal on the cloned disk; detecting a second principal in the computing environment, the first principal authorized to assume the first principal; storing a representation of the computing environment in a security database, including: a first principal node representing the first principal, and a second principal node representing the second principal, further associated with a permission; querying the representation to determine a permission of the first principal; determining that the second principal includes a permission which the first principal does not include based on a result of querying the representation; and generating a permission escalation event.
Type: Application
Filed: April 26, 2024
Publication date: August 15, 2024
Applicant: Wiz, Inc.
Inventors: Daniel Hershko SHEMESH, Yarin MIRAN, Roy REZNIK, Ami LUTTWAK, Yinon COSTICA, Avihai BERKOVITZ, George PISHA, Yaniv Joseph OLIVER, Udi REITBLAT, Or HELLER, Raaz HERZBERG, Osher HAZAN, Niv Roit BEN DAVID
-
Publication number: 20240137382
Abstract: A system and method for detecting a permission escalation event in a computing environment is disclosed. The method includes: generating a cloned disk based on an original disk of a resource deployed in a computing environment; detecting an identifier of a first principal on the cloned disk; detecting a second principal in the computing environment, the first principal authorized to assume the first principal; storing a representation of the computing environment in a security database, including: a first principal node representing the first principal, and a second principal node representing the second principal, further associated with a permission; querying the representation to determine a permission of the first principal; determining that the second principal includes a permission which the first principal does not include based on a result of querying the representation; and generating a permission escalation event.
Type: Application
Filed: December 29, 2023
Publication date: April 25, 2024
Applicant: Wiz, Inc.
Inventors: Daniel Hershko SHEMESH, Yarin MIRAN, Roy REZNIK, Ami LUTTWAK, Yinon COSTICA, Avihai BERKOVITZ, George PISHA, Yaniv Joseph OLIVER, Udi REITBLAT, Or HELLER, Raaz HERZBERG, Osher HAZAN, Niv Roit BEN DAVID
-
Publication number: 20230221983
Abstract: A system and method detects a vulnerable code object in configuration code for deploying instances in a cloud computing environment. The method includes: accessing a configuration code, including a plurality of code objects, where a code object of the plurality of code objects corresponds to a deployed principal; detecting in a log a plurality of access events, each access event associated with a first principal deployed in the cloud computing environment based on a first code object of the plurality of code objects; determining a first set of permissions associated with the first code object. The method also includes determining a second set of permissions based on the plurality of access events. The method also includes detecting a difference between the second set of permissions and the first set of permissions; and generating an updated code object based on the first code object and the detected difference.
Type: Application
Filed: December 29, 2022
Publication date: July 13, 2023
Applicant: Wiz, Inc.
Inventors: Or HELLER, Raaz HERZBERG, Yaniv Joseph OLIVER, Osher HAZAN, Niv Roit BEN DAVID, Ami LUTTWAK, Roy REZNIK