Patents by Inventor Oron Golan

Oron Golan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11934533
    Abstract: The disclosure is directed towards the detection of supply chain-related security threats to software applications. One method includes identifying differences between updated source code and previous source. The updated source code corresponds to an updated version of an application. The previous source code corresponds to a previous version of the application. A risk score is determined for the updated version. The risk score is based on a machine learning (ML) risk model. The ML risk model analyzes the differences between the updated source code and the previous source code. A value of the risk score corresponds to potential security threats that are associated with the updated version. The potential security threats are not associated with the previous version of the application. The risk score is provided to interested parties.
    Type: Grant
    Filed: June 22, 2021
    Date of Patent: March 19, 2024
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Oron Golan, Adir Atias, Aviad Pines, Aviram Fireberger
  • Publication number: 20230244668
    Abstract: One method embodiment includes receiving input creating a data distribution restriction implemented to restrict distribution of data by publisher nodes located in at least one geographic or political area to subscriber nodes outside of the at least one geographic or political area. The method then queries a subscription repository storing data defining subscriptions to publisher node data events on publisher nodes located in the at least one geographic or political area to identify existing subscriptions to data events about the particular data by subscriber nodes located outside of the at least one geographic or political area. The method may then output the query results identifying existing subscriber node subscriptions contrary to the new or newly modified data distribution restriction. The received input may then be stored in a database such that subsequent changes are conditionally limited by the new or newly modified data distribution restriction.
    Type: Application
    Filed: January 31, 2022
    Publication date: August 3, 2023
    Inventors: Aviad PINES, Aviram FIREBERGER, Oron GOLAN, Adir ATIAS, Evgeny LUTSKY
  • Publication number: 20230214511
    Abstract: Methods, systems, and computer storage media provide a privacy compliance notification indicating a database's level of compliance with a privacy policy after restoring the database to the database's backup copy. The database is associated with a database management engine. The database supports privacy-based first-class data entities. The privacy-based first-class data entities are database entities having privacy system-level metadata properties associated with data operations in a database language syntax. The privacy compliance notification may be generated based on determining whether a privacy database operation associated with a database journal and a privacy journal has been executed on a database since the database was restored to a backup copy of the database.
    Type: Application
    Filed: December 31, 2021
    Publication date: July 6, 2023
    Inventors: Oron GOLAN, Aviram FIREBERGER, Aviad PINES, Adir ATIAS, Evgeny LUTSKY
  • Publication number: 20220405397
    Abstract: The disclosure is directed towards the detection of supply chain-related security threats to software applications. One method includes identifying differences between updated source code and previous source. The updated source code corresponds to an updated version of an application. The previous source code corresponds to a previous version of the application. A risk score is determined for the updated version. The risk score is based on a machine learning (ML) risk model. The ML risk model analyzes the differences between the updated source code and the previous source code. A value of the risk score corresponds to potential security threats that are associated with the updated version. The potential security threats are not associated with the previous version of the application. The risk score is provided to interested parties.
    Type: Application
    Filed: June 22, 2021
    Publication date: December 22, 2022
    Inventors: Oron GOLAN, Adir ATIAS, Aviad PINES, Aviram FIREBERGER
  • Patent number: 11379559
    Abstract: One example method includes bringing up a clone application in a validation environment, replaying recorded incoming network traffic to the clone application, obtaining a response of the clone application to the incoming network traffic, comparing the response of the clone application to recorded outgoing network traffic of the production application, and making a validation determination regarding the clone application, based on the comparison of the response of the clone application to recorded outgoing network traffic of the production application. When the clone application is not validated, the example method includes identifying and resolving a problem relating to the clone application.
    Type: Grant
    Filed: July 10, 2018
    Date of Patent: July 5, 2022
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Oron Golan, Aviram Fireberger, Amos Zamir, Kfir Wolfson, Jehuda Shemer
  • Patent number: 11240268
    Abstract: Dynamic honeypots for computer program execution environments are described. A determination is made whether a time period has expired since a computer program execution environment, of multiple computer program execution environments, began executing a computer program that provides a user service. The computer program execution environment is changed into a computer security mechanism that counteracts an attempt of unauthorized use of a system that comprises the computer program execution environment, in response to a determination that the time period has expired since the computer program execution environment began executing the computer program that provides the user service.
    Type: Grant
    Filed: September 27, 2017
    Date of Patent: February 1, 2022
    Inventors: Amit Lieberman, Assaf Natanzon, Oron Golan, Raul Shnier
  • Patent number: 11134098
    Abstract: The life cycle of one or more containers related to one or more containerized applications is managed by determining that a predefined retention time for a first container of a plurality of containers has elapsed; in response to the determining, suspending new session traffic to the first container; and waiting for a predefined session dilution time before terminating the first container and/or changing a role of the first container. In some embodiments, the session dilution time allows existing sessions to complete before the first container is disconnected from a service platform.
    Type: Grant
    Filed: October 30, 2017
    Date of Patent: September 28, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Amit Lieberman, Oron Golan, Raul Shnier, Assaf Natanzon
  • Patent number: 11080077
    Abstract: Life cycle management techniques are provided for cloud-based application executors with key-based access to other devices. An exemplary method comprises determining that a retention time for a first cloud-based application executor (e.g., a virtual machine or a container) has elapsed, wherein the first cloud-based application executor has key-based access to at least one other device using a first key; in response to the determining, performing the following steps: creating a second cloud-based application executor; and determining a second key for the second cloud-based application executor that is different than the first key, wherein the second cloud-based application executor uses the first key to add the second key to one or more trusted keys of the at least one other device and deactivates the first key from the one or more trusted keys.
    Type: Grant
    Filed: October 25, 2018
    Date of Patent: August 3, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Amihai Savir, Oron Golan, Aviram Fireberger, Or Herman Saffar, Roie Ben Eliyahu
  • Patent number: 11005886
    Abstract: Network level Moving Target Defense techniques are provided with substantially continuous access to protected applications. An exemplary method comprises identifying a first application listening to a first port or a first network address; notifying the first application to listen to a second port or a second network address; notifying at least one additional application that the first application is listening to the second port or the second network address; and notifying the first application to unlisten to the first port or the first network address, wherein the first application operates in a substantially continuous manner during a change from listening to one or more of the first port and the first network address and listening to one or more of the second port and the second network address. The first application can be a stateful application having persistent storage.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: May 11, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Amos Zamir, Oron Golan, Jehuda Shemer, Kfir Wolfson
  • Patent number: 10951651
    Abstract: A plurality of containers related to one or more containerized applications are managed by monitoring an execution of the one or more containers; determining that a given one of the one or more containers exhibits anomalous behavior; and in response to the determining, adjusting a retention time of the given container, wherein the retention time of the given container determines when the given container is one or more of terminated and changes role to a honeypot container. The anomalous behavior comprises, for example, the given container exhibiting behavior that is different than a learned baseline model of the given container or including program code consistent with malicious activity. An alert notification of the anomalous behavior is optionally generated. The retention time of the given container can be adjusted, for example, to an interval between deployment of the given container and the time the anomalous behavior is detected.
    Type: Grant
    Filed: October 30, 2017
    Date of Patent: March 16, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Oron Golan, Raul Shnier, Amos Zamir, Aviram Fireberger, Yevgeni Gehtman
  • Patent number: 10944778
    Abstract: A method and system for implementing risk-based cyber security. Specifically, the disclosed method and system entail evaluating risk as a decision threshold for conducting cyber security assessments of system images within cloud computing environments. Further, the disclosed method and system pivot on intelligence pertaining to the latest cyber threats and/or vulnerabilities found worldwide.
    Type: Grant
    Filed: October 27, 2017
    Date of Patent: March 9, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Oron Golan, Assaf Natanzon, Amit Lieberman, Yuri Manusov, Raul Shnier
  • Patent number: 10936717
    Abstract: A method includes monitoring data of one or more containers running on one or more container host devices, a given one of the containers providing operating-system level virtualization for running at least one application. The method also includes determining a first set of behavior metrics for the given container based on the monitoring data, the first set of behavior metrics characterizing current behavior of the given container. The method further includes generating a model characterizing normal operation of the at least one application running in the given container using a second set of behavior metrics obtained during a learning period, utilizing the model to detect one or more anomalies in the first set of behavior metrics characterizing the current behavior of the given container, generating an alert responsive to detecting one or more anomalies in the first set of behavior metrics, and delivering the alert to a client device.
    Type: Grant
    Filed: January 30, 2018
    Date of Patent: March 2, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Or Herman Saffar, Amihai Savir, Oron Golan, Roie Ben Eliyahu
  • Patent number: 10855709
    Abstract: A tracing mechanism is provided for analyzing session-based attacks. An exemplary method comprises: detecting a potential attack associated with a session from a potential attacker based on predefined anomaly detection criteria; adding a tracing flag identifier to a response packet; sending a notification to a cloud provider of the potential attack, wherein the notification comprises the tracing flag identifier; and sending the response packet to the potential attacker, wherein, in response to receiving the response packet with the tracing flag identifier, the cloud provider: determines a source of the potential attack based on a destination of the response packet; forwards the response packet to the potential attacker based on the destination of the response packet; and monitors the determined source to evaluate the potential attack. The response packet is optionally delayed by a predefined time duration and/or until the cloud provider has acknowledged receipt of the notification.
    Type: Grant
    Filed: July 19, 2018
    Date of Patent: December 1, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Kfir Wolfson, Jehuda Shemer, Aviram Fireberger, Amos Zamir, Oron Golan
  • Patent number: 10824726
    Abstract: Methods, apparatus and computer program products are provided for detection of anomalies in containers using corresponding container profiles. An exemplary method comprises: obtaining at least one container and a corresponding container profile from a container registry, wherein the container profile characterizes an expected normal operation of an application executing in the container; comparing a behavior of the application executing in the container to the expected normal operation in the corresponding container profile to determine if the container exhibits anomalous behavior; and providing a notification of the anomalous behavior when the container exhibits the anomalous behavior. The container profile is obtained, for example, by monitoring a behavior of (i) a plurality of versions of the at least one container, and/or (ii) the at least one application executing in the at least one container on a plurality of different container host devices.
    Type: Grant
    Filed: March 29, 2018
    Date of Patent: November 3, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Or Herman Saffar, Roie Ben Eliyahu, Oron Golan, Amihai Savir
  • Patent number: 10791144
    Abstract: The life cycle of one or more containers related to one or more containerized applications is managed by determining that a predefined retention time for a first container of the plurality of containers has elapsed; in response to the determining, performing the following honeypot container creation steps: suspending new session traffic to the first container; maintaining the first container as a honeypot container; and identifying communications sent to the honeypot container as an anomalous communication. Alert notifications are optionally generated for the anomalous communication.
    Type: Grant
    Filed: October 30, 2017
    Date of Patent: September 29, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Oron Golan, Raul Shnier, Aviram Fireberger, Amos Zamir, Yevgeni Gehtman
  • Patent number: 10715554
    Abstract: Existing policies enforced at or above an operating system (OS) layer of a device are obtained. Translation rules are stored that include data structure descriptions of conditions, corresponding actions performed when the conditions are satisfied, and attributes specified in the existing policies, and attributes of one or more layers below the OS layer that are relevant to policy enforcement in the one or more layers below the OS layer. The existing policies are parsed using the data structure descriptions to identify the conditions, corresponding actions, and attributes specified in the existing policies. New policies are generated that are consistent with the existing policies. The new policies include the identified attributes specified in the existing policies and the attributes relevant to policy enforcement in the one or more layers below the OS layer. The new policies are enforced in the one or more layers below the OS layer.
    Type: Grant
    Filed: September 26, 2018
    Date of Patent: July 14, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Oron Golan, Kfir Wolfson, Amos Zamir, Aviram Fireberger, Udi Shemer
  • Patent number: 10685115
    Abstract: A method and system for implementing cloud native application threat detection. Specifically, the disclosed method and system entail configuring a webhook within a build pipeline for cloud native applications, which when triggered by the detection of modifications to container configuration and/or definition files associated with the cloud native applications, forwards exact copies of the cloud native applications to a threat detection service for cyber security assessing. Further, based on the assessing, cloud native applications may be impeded from continuing, or alternatively, may be permitted to continue along, the build pipeline.
    Type: Grant
    Filed: October 27, 2017
    Date of Patent: June 16, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Amit Lieberman, Assaf Natanzon, Oron Golan, Yuri Manusov, Raul Shnier
  • Publication number: 20200133700
    Abstract: Life cycle management techniques are provided for cloud-based application executors with key-based access to other devices. An exemplary method comprises determining that a retention time for a first cloud-based application executor (e.g., a virtual machine or a container) has elapsed, wherein the first cloud-based application executor has key-based access to at least one other device using a first key; in response to the determining, performing the following steps: creating a second cloud-based application executor; and determining a second key for the second cloud-based application executor that is different than the first key, wherein the second cloud-based application executor uses the first key to add the second key to one or more trusted keys of the at least one other device and deactivates the first key from the one or more trusted keys.
    Type: Application
    Filed: October 25, 2018
    Publication date: April 30, 2020
    Inventors: Amihai Savir, Oron Golan, Aviram Fireberger, Or Herman Saffar, Roie Ben Eliyahu
  • Publication number: 20200106807
    Abstract: Network level Moving Target Defense techniques are provided with substantially continuous access to protected applications. An exemplary method comprises identifying a first application listening to a first port or a first network address; notifying the first application to listen to a second port or a second network address; notifying at least one additional application that the first application is listening to the second port or the second network address; and notifying the first application to unlisten to the first port or the first network address, wherein the first application operates in a substantially continuous manner during a change from listening to one or more of the first port and the first network address and listening to one or more of the second port and the second network address. The first application can be a stateful application having persistent storage.
    Type: Application
    Filed: September 28, 2018
    Publication date: April 2, 2020
    Inventors: Amos Zamir, Oron Golan, Jehuda Shemer, Kfir Wolfson
  • Publication number: 20200097650
    Abstract: An enterprise storage system and method detects the probability of encryption of data by comparing the level of randomness in the data to a set of increasing thresholds to determine the severity of encryption. Encryption exceeding a high predetermined threshold is determined to be due to ransomware. Upon determining the level of encryption, an appropriate action is taken based upon one or both of the policy of the enterprise or local governmental regulations as to encryption or non-encryption of data.
    Type: Application
    Filed: September 26, 2018
    Publication date: March 26, 2020
    Applicant: EMC IP Holding Company LLC
    Inventors: Oron Golan, Kfir Wolfson, Amos Zamir, Udi Shemer