Abstract: The technology disclosed herein relates to data discovery in computing environments, that provide access to data. In one example, a computer-implemented method includes identifying a first sampling criterion used for classification of a data store with respect to a target data type during a previous scan of the data store. The data store stores a set of data objects. The method includes selecting a second sampling criterion, from a plurality of sampling criteria, based on the first sampling criterion, and deploying one or more scanners configured to select a subset of data objects, from the set of data objects stored in the data store, based on the second sampling criterion. The subset comprises some, but not all, of the set of data objects. The method includes generating a classification result based on a number of instances of the target data type in the subset of data objects.

Abstract: The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to a system that analyzes data posture in a cloud environment database using a snapshot of the database. A computer-implemented method includes receiving a request to access a database in the cloud environment, wherein the database includes a first authentication requirement. The method includes identifying a snapshot of the database, wherein the snapshot includes a second authentication requirement that is different than the first authentication requirement. The method includes accessing the snapshot using the second authentication requirement, generating a representation of the database using the snapshot, and generating a data posture analysis result indicative of a data posture of the database based on scanning the representation of the database.

Abstract: The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to accessing permissions data and access control data for pairs of compute resources and storage resources, tracing network communication paths between the pairs of the compute resources and the storage resources based on the permissions data and the access control data, accessing sensitivity classification data for objects in the storage resources, and qualifying a subset of the pairs of the compute resources and the storage resources as vulnerable to breach attack based on an evaluation of the permissions data, the access control data, and the sensitivity classification data against at least one risk criterion. A representation of propagation of the breach attack along the network communication paths is generated, the representation identifying relationships between the subset of the pairs of the compute resources and the storage resources.

Abstract: The technology disclosed relates to a system and method for detecting risk events in cloud environment that obtains set of risk signature definitions and deploys an event log scanner to the cloud environment. The event log scanner is configured to detect instances of candidate risk events in accordance with the set of risk signature definitions based on a scan of event log and to label each detected instance with a signature identifier that identifies one or more risk signatures that corresponds to the detected instance. Result metadata is received indicative of the detected instances, based on the result metadata, context information associated with the detected instances is obtained based on cloud infrastructure graph. An output is generated representing a classification of one or more of the detected instances of candidate risk events as a risk event based on the context information relative to the set of risk signature definitions.

Abstract: The disclosed technology receives a control input identifying a sampling criterion for classifying a data store storing a set of data objects in a computing environment as corresponding to a target data type and deploys one or more scanners configured to select a representative subset of data objects, from the set of data objects, based on the sampling criterion. A scanner result generated by the one or more scanners is received that represents detected instances, in the representative subset of data objects, of one or more pre-defined data patterns of the target data type. A classification result is generated based on a comparison of the number of detected instances of the one or more pre-defined data patterns to a threshold. The classification result represents a classification of the data store as having correspondence to the target data type. A computing action is performed based on the classification result.

Abstract: A computer-implemented method includes parsing a collection of granular privileges to generate a plurality of privilege groups. Each respective privilege group, of the plurality of privilege groups, groups two or more granular privileges having a threshold similarity to a target action represented by the respective privilege group. The method includes identifying a set of privilege grant times each representing a time at which a corresponding granular privilege was granted to a subject identity. The method includes mapping the set of privilege grant times to the plurality of privilege groups, and generating an infrastructure graph based on the mapping. The infrastructure graph includes identity nodes that represent the subject identities, resource nodes that represent the subject resources, and edges that represent the set of privilege grant times mapped to the plurality of privilege groups.

Abstract: A computer-implemented method includes detecting occurrence of an event in a cloud environment, obtaining an indication of an identity associated with the event, obtaining an indication of a usage time stamp representing usage time of a privilege in association with the identity for the event, and classifying the privilege into a classification group selected from a plurality of predefined classification groups. Each respective classification group groups a respective set of privileges defined in the cloud environment. The method includes obtaining a grant time stamp representing a grant time of at least one privilege, in the respective set of privileges in the classification group, to the identity and, based on the usage time stamp and the grant time stamp, generating an excessive privilege determination that indicates the classification group includes at least one excessive privilege. The method includes performing a computing action based on the excessive privilege determination.

Abstract: The technology disclosed relates to a system and method for detecting risk events in cloud environment that obtains set of risk signature definitions and deploys an event log scanner to the cloud environment. The event log scanner is configured to detect instances of candidate risk events in accordance with the set of risk signature definitions based on a scan of event log and to label each detected instance with a signature identifier that identifies one or more risk signatures that corresponds to the detected instance. Result metadata is received indicative of the detected instances, based on the result metadata, context information associated with the detected instances is obtained based on cloud infrastructure graph. An output is generated representing a classification of one or more of the detected instances of candidate risk events as a risk event based on the context information relative to the set of risk signature definitions.

Abstract: The technology disclosed relates to analysis of security posture of a cloud environment that invokes an incremental change detector to perform an infrastructure scan of the cloud environment and return a scan result that identifies one or more changes to one or more infrastructure assets in the cloud environment. The scan result includes, for each particular change in the one or more changes, first information indicative of the particular change. A data scan is constrained to the one or more infrastructure assets having the one or more changes and second information associated with the one or more changes is obtained based on the data scan. A cloud infrastructure graph is updated based on one or more of the first information or the second information. The cloud infrastructure graph defines nodes that represent resources in the cloud environment and edges, between the nodes, that represent relationships between the resources.

Abstract: The technology disclosed relates to analysis of security posture of a cloud environment. In particular, the disclosed technology relates to a system and method of risk event detection and remediation. An event is detected in a cloud environment and a pre-defined risk signature is obtained that identifies one or more entities in the cloud environment and represents an instance of a risk event relative to the one or more entities. The pre-defined risk signature includes a reference to a remediation workflow having one or more commands for one or more remediation actions in the cloud environment. Th pre-defined risk signature is determined to have a threshold match to the event and, based on the determination that the pre-defined risk signature has a threshold match to the event, the remediation workflow is obtained based on the reference. The one or more commands are executed in the cloud environment.

Abstract: The technology disclosed relates to detection of data traffic in computing environments, such as cloud environments. Example systems and methods detect a plurality of workloads in a virtual network in a computing environment and deploy a plurality of probe agents to the plurality of workloads. Each respective probe agent detects network traffic on a respective workload of the plurality of workloads, scans a data packet that is at least one of sent or received by the respective workload, generates a data classification relative to the data packet, and generates a scan result that includes packet payload information and an indication of the data classification. The scan results are received from the plurality of probe agents and a computing action is performed based on scan results.

Abstract: The disclosed technology receives a control input identifying a sampling criterion for classifying a data store storing a set of data objects in a computing environment as corresponding to a target data type and deploys one or more scanners configured to select a representative subset of data objects, from the set of data objects, based on the sampling criterion. A scanner result generated by the one or more scanners is received that represents detected instances, in the representative subset of data objects, of one or more pre-defined data patterns of the target data type. A classification result is generated based on a comparison of the number of detected instances of the one or more pre-defined data patterns to a threshold. The classification result represents a classification of the data store as having correspondence to the target data type. A computing action is performed based on the classification result.

Abstract: A computer-implemented method includes detecting occurrence of an event in a cloud environment, obtaining an indication of an identity associated with the event, obtaining an indication of a usage time stamp representing usage time of a privilege in association with the identity for the event, and classifying the privilege into a classification group selected from a plurality of predefined classification groups. Each respective classification group groups a respective set of privileges defined in the cloud environment. The method includes obtaining a grant time stamp representing a grant time of at least one privilege, in the respective set of privileges in the classification group, to the identity and, based on the usage time stamp and the grant time stamp, generating an excessive privilege determination that indicates the classification group includes at least one excessive privilege. The method includes performing a computing action based on the excessive privilege determination.

Abstract: The technology disclosed relates to analysis of data posture of a cloud environment. In particular, disclosed technology relates to a system and method for analyzing cloud assets, such as storage resources, compute resources, etc. to detect peak signals based on occurrences of sensitive data types or other data classifications in cloud assets. A computing system is configured to access data in plurality of cloud resources and, on a cloud resource-by-cloud resource basis, attribute a plurality of data sensitivity parameters to the data in a given cloud resource of the plurality of cloud resources, and generate a peak value indicating an appraisal of the data in given cloud resource based on the plurality of data sensitivity parameters attributed to the data. A graphical interface includes graphical objects configured to visually represent plurality of cloud resources, plurality of data sensitivity parameters, and the peak values generated for the plurality of cloud resources.

Abstract: The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to a graphical query builder for generating a subject path signature, for example representing a vulnerability path in the cloud environment. A computer-implemented method includes generating a graphical user interface having configurable node elements and edge elements and, in response to user input on the graphical user interface, configuring the node elements to represent entities in a subject path signature in the cloud environment and the edge elements to represent relationships between the entities in the subject path signature. The method also includes generating a query representing the subject path signature, executing the query to qualify a set of network paths in the cloud environment as conforming to the subject path signature, and outputting query results identifying the qualified set of network paths.

Abstract: The technology disclosed relates to analysis of security posture of a cloud environment. In particular, the disclosed technology relates to a system and method for analysis of infrastructure posture of a cloud environment, that include detecting a triggering criterion corresponding to initiation of an update scan of the infrastructure posture of the cloud environment, and invoking an incremental change detector based on the triggering criterion. The incremental change detector is configured to scan the cloud environment and return a scan result that identifies one or more changes to a set of infrastructure assets in the cloud environment within a selected time period. A cloud infrastructure graph is updated based on the one or more changes to the set of infrastructure assets, wherein the cloud infrastructure graph defines nodes that represent resources in the cloud environment and edges, between the nodes, that represent relationships between the resources.

Abstract: The technology disclosed relates to analysis of data posture of a cloud environment. In particular, the disclosed technology relates to a system and method for analyzing cloud assets, such as storage resources, compute resources, etc. to detect peak signals based on occurrences of sensitive data types or other data classifications in the cloud assets. A system for prioritized presentation of high-value cloud resources susceptible to cloud security risks includes a processor, a display, and memory accessible by the processor and executable to, on a cloud resource-by-cloud resource basis, analyze data in a given cloud resource, and attribute a plurality of data sensitivity parameters to the data in the given cloud resource, and a peak value indicating an appraisal of the data in the given cloud resource. A graphical interface includes graphical objects configured to display the given cloud resource, the plurality of data sensitivity parameters, and the peak value.

Abstract: The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to accessing permissions data and access control data for pairs of compute resources and storage resources, tracing network communication paths between the pairs of the compute resources and the storage resources based on the permissions data and the access control data, accessing sensitivity classification data for objects in the storage resources, and qualifying a subset of the pairs of the compute resources and the storage resources as vulnerable to breach attack based on an evaluation of the permissions data, the access control data, and the sensitivity classification data against at least one risk criterion. A representation of propagation of the breach attack along the network communication paths is generated, the representation identifying relationships between the subset of the pairs of the compute resources and the storage resources.

Abstract: A system for streamlined analysis of access sub-networks in a cloud environment is disclosed. The system comprises memory storing access sub-networks in a cloud environment between a plurality of resources and a plurality of users, memory storing user-to-role mappings for roles assigned to the plurality of users, and accumulation logic having access to the access sub-networks and to the user-to-role mappings. The accumulation logic is configured to traverse the access sub-networks to build a number U user-to-resource mappings between the plurality of users and the plurality of resources, and evaluate the U user-to-resource mappings against the user-to-role mappings to accumulate a number R role-to-resource mappings between the roles and the plurality of resources.

Abstract: The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to accessing permissions data and access control data for pairs of compute resources and storage resources in the cloud environment, tracing network communication paths between the pairs of the compute resources and the storage resources based on the permissions data and the access control data, accessing sensitivity classification data for objects in the storage resources, qualifying a subset of the pairs of the compute resources and the storage resources as vulnerable to breach attack based on an evaluation of the permissions data, the access control data, and the sensitivity classification data against a set risk criterion, and generating a representation of propagation of the breach attack along the network communication paths, the representation identifying relationships between the subset of the pairs of the compute resources and the storage resources.