Abstract: The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to accessing permissions data and access control data for pairs of compute resources and storage resources in the cloud environment, tracing network communication paths between the pairs of the compute resources and the storage resources based on the permissions data and the access control data, accessing sensitivity classification data for objects in the storage resources, qualifying a subset of the pairs of the compute resources and the storage resources as vulnerable to breach attack based on an evaluation of the permissions data, the access control data, and the sensitivity classification data against a set risk criterion, and generating a representation of propagation of the breach attack along the network communication paths, the representation identifying relationships between the subset of the pairs of the compute resources and the storage resources.

Abstract: A system for streamlined analysis of access sub-networks in a cloud environment is disclosed. The system comprises memory storing access sub-networks in a cloud environment between a plurality of resources and a plurality of users, memory storing user-to-role mappings for roles assigned to the plurality of users, and accumulation logic having access to the access sub-networks and to the user-to-role mappings. The accumulation logic is configured to traverse the access sub-networks to build a number U user-to-resource mappings between the plurality of users and the plurality of resources, and evaluate the U user-to-resource mappings against the user-to-role mappings to accumulate a number R role-to-resource mappings between the roles and the plurality of resources.

Abstract: The technology disclosed relates to a computing system configured to execute a cloud scanner in a cloud environment to discover one or more data stores in the cloud environment and return metadata representing a data schema of data objects in the one or more data stores, traverse the data objects in the one or more data stores based on the metadata to identify a plurality of data items, execute a content-based data classifier against the plurality of data items to identify a set of data items, in the plurality of data items, as conforming to one or more data profiles, and generate a graphical interface including one or more graphical objects configured to display a representation of the one or more data profiles, wherein the graphical interface is configured to filter the plurality of data items based on a selected data profile selected from the one or more data profiles.

Abstract: The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to a data schema detection system that uses a content-based data classifier to classify data items in a cloud environment. A computer-implemented method includes accessing a data store in the cloud environment and obtaining metadata representing a structure of schema objects in the data store. The method includes executing, based on the metadata, a content-based data classifier to classify data items in the schema objects and outputting a classifier result that represents the classification of the data in the schema objects.

Abstract: The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to a system that analyzes data posture in a cloud environment database using a snapshot of the database. A computer-implemented method includes receiving a request to access a database in the cloud environment, wherein the database includes a first authentication requirement. The method includes identifying a snapshot of the database, wherein the snapshot includes a second authentication requirement that is different than the first authentication requirement. The method includes accessing the snapshot using the second authentication requirement, generating a representation of the database using the snapshot, and generating a data posture analysis result indicative of a data posture of the database based on scanning the representation of the database.

Abstract: The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to a graphical query builder for generating a subject path signature, for example representing a vulnerability path in the cloud environment. A computer-implemented method includes generating a graphical user interface having configurable node elements and edge elements and, in response to user input on the graphical user interface, configuring the node elements to represent entities in a subject path signature in the cloud environment and the edge elements to represent relationships between the entities in the subject path signature. The method also includes generating a query representing the subject path signature, executing the query to qualify a set of network paths in the cloud environment as conforming to the subject path signature, and outputting query results identifying the qualified set of network paths.

Abstract: The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to a system that analyzes data posture in a cloud environment database using a snapshot of the database. A computer-implemented method includes receiving a request to access a database in the cloud environment, wherein the database includes a first authentication requirement. The method includes identifying a snapshot of the database, wherein the snapshot includes a second authentication requirement that is different than the first authentication requirement. The method includes accessing the snapshot using the second authentication requirement, generating a representation of the database using the snapshot, and generating a data posture analysis result indicative of a data posture of the database based on scanning the representation of the database.

Abstract: A system for streamlined analysis of access sub-networks in a cloud environment is disclosed. The system comprises memory storing access sub-networks in a cloud environment between a plurality of resources and a plurality of users, memory storing user-to-role mappings for roles assigned to the plurality of users, and accumulation logic having access to the access sub-networks and to the user-to-role mappings. The accumulation logic is configured to traverse the access sub-networks to build a number U user-to-resource mappings between the plurality of users and the plurality of resources, and evaluate the U user-to-resource mappings against the user-to-role mappings to accumulate a number R role-to-resource mappings between the roles and the plurality of resources.

Abstract: The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to accessing permissions data and access control data for pairs of compute resources and storage resources in the cloud environment, tracing network communication paths between the pairs of the compute resources and the storage resources based on the permissions data and the access control data, accessing sensitivity classification data for objects in the storage resources, qualifying a subset of the pairs of the compute resources and the storage resources as vulnerable to breach attack based on an evaluation of the permissions data, the access control data, and the sensitivity classification data against a set risk criterion, and generating a representation of propagation of the breach attack along the network communication paths, the representation identifying relationships between the subset of the pairs of the compute resources and the storage resources.

Abstract: The technology disclosed relates to streamlined analysis of infrastructure posture of a cloud environment. In particular, it relates to accessing permissions data and access control data for pairs of compute resources and storage resources in the cloud environment, tracing network communication paths between the pairs of the compute resources and the storage resources based on the permissions data and the access control data, and constructing a cloud infrastructure map that graphically depicts the pairs of the compute resources and the storage resources as nodes, and the network communication paths as edges between the nodes.

Abstract: The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to a graphical query builder for generating a subject path signature, for example representing a vulnerability path in the cloud environment. A computer-implemented method includes generating a graphical user interface having configurable node elements and edge elements and, in response to user input on the graphical user interface, configuring the node elements to represent entities in a subject path signature in the cloud environment and the edge elements to represent relationships between the entities in the subject path signature. The method also includes generating a query representing the subject path signature, executing the query to qualify a set of network paths in the cloud environment as conforming to the subject path signature, and outputting query results identifying the qualified set of network paths.

Abstract: The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to a data schema detection system that uses a content-based data classifier to classify data items in a cloud environment. A computer-implemented method includes accessing a data store in the cloud environment and obtaining metadata representing a structure of schema objects in the data store. The method includes executing, based on the metadata, a content-based data classifier to classify data items in the schema objects and outputting a classifier result that represents the classification of the data in the schema objects.

Abstract: A system for streamlined analysis of access sub-networks in a cloud environment is disclosed. The system comprises memory storing access sub-networks in a cloud environment between a plurality of resources and a plurality of users, memory storing user-to-role mappings for roles assigned to the plurality of users, and accumulation logic having access to the access sub-networks and to the user-to-role mappings. The accumulation logic is configured to traverse the access sub-networks to build a number U user-to-resource mappings between the plurality of users and the plurality of resources, and evaluate the U user-to-resource mappings against the user-to-role mappings to accumulate a number R role-to-resource mappings between the roles and the plurality of resources.

Abstract: The technology disclosed relates to in-cloud, constant time content scanning. In particular, it relates to obtaining administrative access to a cloud environment account for bulk content scanning of storage resources, and deploying serverless, containerized scanners to run locally on the cloud environment account, including queuing objects in the cloud environment account, partitioning the objects into a plurality of object chunks, and depending upon a M number of object chunks in the plurality of object chunks, initializing a N number of instances of the serverless, containerized scanners, where M»N. Each initialized serverless, containerized scanner scans a corresponding object chunk exactly once to detect a multiplicity of different data patterns.

Abstract: The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to a graphical query builder for generating a subject path signature, for example representing a vulnerability path in the cloud environment. A computer-implemented method includes generating a graphical user interface having configurable node elements and edge elements and, in response to user input on the graphical user interface, configuring the node elements to represent entities in a subject path signature in the cloud environment and the edge elements to represent relationships between the entities in the subject path signature. The method also includes generating a query representing the subject path signature, executing the query to qualify a set of network paths in the cloud environment as conforming to the subject path signature, and outputting query results identifying the qualified set of network paths.

Abstract: The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to a system that analyzes data posture in a cloud environment database using a snapshot of the database. A computer-implemented method includes receiving a request to access a database in the cloud environment, wherein the database includes a first authentication requirement. The method includes identifying a snapshot of the database, wherein the snapshot includes a second authentication requirement that is different than the first authentication requirement. The method includes accessing the snapshot using the second authentication requirement, generating a representation of the database using the snapshot, and generating a data posture analysis result indicative of a data posture of the database based on scanning the representation of the database.

Abstract: The technology disclosed relates to streamlined analysis of infrastructure posture of a cloud environment. In particular, it relates to accessing permissions data and access control data for pairs of compute resources and storage resources in the cloud environment, tracing network communication paths between the pairs of the compute resources and the storage resources based on the permissions data and the access control data, and constructing a cloud infrastructure map that graphically depicts the pairs of the compute resources and the storage resources as nodes, and the network communication paths as edges between the nodes.

Abstract: The technology disclosed relates to in-cloud, constant time content scanning. In particular, it relates to obtaining administrative access to a cloud environment account for bulk content scanning of storage resources, and deploying serverless, containerized scanners to run locally on the cloud environment account, including queuing objects in the cloud environment account, partitioning the objects into a plurality of object chunks, and depending upon a M number of object chunks in the plurality of object chunks, initializing a N number of instances of the serverless, containerized scanners, where M>>N. Each initialized serverless, containerized scanner scans a corresponding object chunk exactly once to detect a multiplicity of different data patterns.

Abstract: The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to accessing permissions data and access control data for pairs of compute resources and storage resources in the cloud environment, tracing network communication paths between the pairs of the compute resources and the storage resources based on the permissions data and the access control data, accessing sensitivity classification data for objects in the storage resources, qualifying a subset of the pairs of the compute resources and the storage resources as vulnerable to breach attack based on an evaluation of the permissions data, the access control data, and the sensitivity classification data against a set risk criterion, and generating a representation of propagation of the breach attack along the network communication paths, the representation identifying relationships between the subset of the pairs of the compute resources and the storage resources.

Abstract: Systems and methods for virtualizing network intrusion detection system (IDS) functions based on each packet's source and/or destination host computer operating system (OS) type and characteristics are described. Virtualization is accomplished by fingerprinting each packet to determine the packet's target OS and then vetting each packet in a virtual IDS against a reduced set of threat signatures specific to the target OS. Each virtual IDS, whether operating on a separate computer or operating as a logically distinct process or separate thread running on a single computer processor, may also operate in parallel with other virtual IDS processes. IDS processing efficiency and speed are greatly increased by the fact that a much smaller subset of threat signature universe is used for each OS-specific packet threat vetting operation.