Abstract: A system and method provide detection of a malware attack path. The method includes detecting at a first time a malware object on a first workload deployed in the compute environment, wherein the first workload is represented by a first node in a security graph, the security graph including a representation of the compute environment; querying the security graph to detect a second node connected to the first node, wherein the connection indicates that the first workload represented by the first node can access a second workload represented by the second node; and generating an instruction to inspect the second workload represented by the second node at a second time, occurring after the first time.

Abstract: A system and method for inspecting a resource in an on-premises environment for a cybersecurity threat are disclosed. According to an embodiment, the method includes initiating a network communication between an on-premises environment and an inspection environment; scanning the on-premises environment for a workload, the workload including a disk; generating an inspectable disk based on the disk; providing access to an inspector deployed in the inspection environment to inspect the inspectable disk for a cybersecurity object; and releasing a resource allocated to the inspectable disk in response to detecting that inspection of the inspectable disk is complete.

Abstract: A system and method for inspecting virtual instances in a cloud computing environment for cybersecurity threats utilizing disk cloning. The method includes: selecting a virtual instance in a cloud computing environment, wherein the virtual instance includes a disk having a disk descriptor with an address in a cloud storage system; generating an instruction to clone the disk of the virtual instance, the instruction when executed causes generation of a cloned disk descriptor, the cloned disk descriptor having a data field including the address of the disk of the virtual instance; inspecting the cloned disk for a cybersecurity threat; and releasing the cloned disk in response to completing the inspection of the cloned disk.

Abstract: A system and method for agentless detection of sensitive data in a cloud computing environment is presented. The method includes inspecting a disk for a cybersecurity object, the cybersecurity object indicating sensitive data, wherein the disk is deployed in a cloud computing environment; extracting a data schema from the cybersecurity object, in response to detecting the cybersecurity object on the disk; generating a classification of the data schema; determining that the data schema corresponds to sensitive data based on the generated classification; detecting in the disk a plurality of data files, each data file including the data schema; generating in a security database: a representation of the data schema, and a representation of each data file; and rendering a visual representation of the cloud computing environment including a representation of the data schema based on a query result of the security database.

Abstract: A system and method for reducing redundancy in inspecting container layers for cybersecurity objects includes: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: generate a diff output between a first container layer and a second container layer, wherein the second container layer is previously generated based off of the first container layer, wherein the diff includes at least an object; inspect the first container layer for a cybersecurity object; inspect the object for the cybersecurity threat; associate the cybersecurity object with the first container layer in response to detecting the cybersecurity object in the first container layer and not in the at least an object; and associate the cybersecurity object with the second container layer in response to detecting the cybersecurity object in the at least an object and not in the first container layer.

Abstract: A method for detecting escalation paths in a cloud environment is provided. The method includes accessing a security graph representing cloud objects and their connections in the cloud environment; analyzing each cloud object to detect an escalation hop from a current cloud object to a next cloud object, wherein the analysis is based, in part, on a plurality of risk factors and reachability parameters determined for each cloud object; and marking the security graph with each identified escalation path in the security graph, wherein an escalation path is a collection of escalation hops from a source cloud object to a destination cloud object.

Abstract: A system and method for detection of cyber threats embedded in cloud applications are provided. The method includes inspecting a plurality of computing resources to detect code of at least one cloud application executed in a cloud environment; filtering the detected code to remove a portion of the code that is non-unique for the at least one cloud application; performing static analysis on the unique portion of the code to identify a mismatch between the unique portions of the code and its verified version stored in a code repository; and comparing each identified mismatch with at least a vulnerability tool, wherein a mismatch is a potential cyber threat embedded in the code.

Abstract: A system and method for generating a compact representation of a computing environment having a remediated cybersecurity threat is disclosed. In an embodiment, the method includes generating an inspectable disk based on a disk of a resource in the computing environment; detecting a forensic artifact on the inspectable disk; traversing a security graph for a forensic finding based on the forensic artifact, wherein the security graph includes a representation of the computing environment; detecting a remediation node connected to a node representing the forensic finding; and initiating a remediation action, represented by the remediation node.

Abstract: A system and method for determining an artificial intelligence (AI) security posture management (SPM) of a cloud computing environment. The method includes: inspecting the cloud computing environment for components of an AI pipeline; generating an AI pipeline representation based on a representation of each component of the AI pipeline in a security database; inspecting the cloud computing environment for a cybersecurity object associated with a component of the AI pipeline; analyzing the AI pipeline for a cybersecurity risk based on a result of inspecting the cloud computing environment for the cybersecurity object; and initiating a remediation action in the cloud computing environment in response to detecting the cybersecurity risk.

Abstract: A system and method for generating a subgraph view of a security graph is presented. The method includes generating a representation in a security database to represent an element of a first computing environment based on a predefined data schema, including at least: a principal data structure and a resource data structure, wherein the security database further includes a representation of the first computing environment; generating a tag as a data field in a database storing therein the security database; selecting a representation from the plurality of representations; associating the selected representation with the generated tag; and generating a subgraph, the subgraph including at least the selected representation associated with the generated tag and a child representation of the at least the selected representation, wherein the selected representation is connected to at least a child representation via a vertex.

Abstract: A system and method traces suspicious activity to a workload based on a forensic log. The method includes detecting in at least one cloud log of a cloud computing environment a plurality of events, each event indicating an action in the cloud computing environment; extracting from an event of the plurality of events an identifier of a cloud entity, wherein the event includes an action which is predetermined as indicative of a suspicious event; traversing a security graph to detect a node representing the cloud entity, wherein the security graph further includes a representation of the cloud computing environment; detecting that the node representing the cloud entity is connected to a node representing a cybersecurity vulnerability; and initiating a mitigation action for the cloud entity based on the cybersecurity vulnerability.

Abstract: A system and method for reducing false positive detection of cybersecurity events is disclosed. The method includes: configuring a plurality of resources to deploy a sensor, each sensor configured to listen on a data link layer for an event; receiving from each sensor a plurality of events, each event including an event type; generating a group of resources having a common attribute; generating a noise metric for the group of resources based on a number of events of an event type; generating a threshold based on the noise metric; configuring each sensor of a resource from the group of resources to detect a number of events exceeding the threshold; detecting a cybersecurity event in response to determining that a first resource from the group of resources has a number of events of a first type exceeding the threshold; and initiating a mitigation action based on the detected cybersecurity event.

Abstract: A system and method for generating a database query based on a natural language query improves database utilization is presented. The method includes receiving a natural language query directed to a security database, wherein the security database includes a representation of a computing environment; selecting a first database query from a plurality of database queries; generating a second database query based on the first database query adapted by the received natural language query; and executing the second database query on the security database.

Abstract: A system and method for agentless detection of sensitive data in a cloud computing environment includes generating a snapshot from a managed database service, the snapshot including a plurality of data files stored in a bucket on a cloud computing environment; deploying a virtual instance based on the snapshot to generate a database, the database including a database management system (DBMS); querying the DBMS to fetch data from the database; classifying the fetched data, wherein the fetched data is classified as sensitive data or non-sensitive data; and generating a node on a security graph stored in a graph database to represent the fetched data and the classification thereof, wherein the security graph includes a representation of the cloud computing environment.

Abstract: A system and method for detecting excessive permissions of a principal in a cloud computing environment utilizes code objects of infrastructure as code. The method also includes accessing a configuration code, the configuration code including a plurality of code objects, where a code object of the plurality of code objects corresponds to a deployed principal in the cloud computing environment; detecting in a log a plurality of access events, each access event associated with a first principal deployed in the cloud computing environment based on a first code object of the plurality of code objects; determining that the first code object includes a permission which is not utilized in any of the plurality of access events; and initiating a mitigation action for the first principal based on the permission.

Abstract: A system and method for detecting sensitive data vulnerability in a cloud computing environment is presented. The method includes detecting data associated with a cloud entity in a cloud computing environment; determining that the detected data is sensitive data based on metadata; detecting a node representing a resource associated with the cloud entity in a security database, wherein the security database includes a representation of the cloud computing environment; detecting a network reachability path to the resource, wherein the network reachability path allows access to the resource from a network external to the cloud computing environment; inspecting the resource for a vulnerability; and executing an instruction to secure the sensitive data in response to determining that the resource includes the vulnerability and that the network reachability path allows access to the cloud entity from the network external to the cloud computing environment.

Abstract: A system and method for inspecting virtual instances in a cloud computing environment for cybersecurity threats utilizing disk cloning is presented. The method includes: selecting a virtual instance in a cloud computing environment, wherein the virtual instance includes a disk having a disk descriptor with an address in a cloud storage system; generating an instruction to clone the disk of the virtual instance, the instruction when executed causes generation of a cloned disk descriptor, the cloned disk descriptor having a data field including the address of the disk of the virtual instance; inspecting the cloned disk for a cybersecurity threat; and releasing the cloned disk in response to completing the inspection of the cloned disk.

Abstract: A system and method for initiating cybersecurity remediation based on a digital forensic finding is presented. The method includes detecting a forensic artifact on a disk of a resource in a computing environment; generating an inspectable disk based on the disk of the resource; inspecting the inspectable disk for a cybersecurity object based on the forensic artifact; and initiating a remediation action on the disk based on the cybersecurity object detected on the inspectable disk.

Abstract: A system and method for detecting privilege escalation on a resource deployed in a computing environment is presented. The method includes configuring the resource to deploy thereon a sensor, the sensor configured to detect events on a data link layer of the resource; receiving from the sensor a detection indicating a permission-based event of a first actor, the permission-based event indicating a first permission set of the first actor; querying a database to detect a second permission set of the first actor; detecting that the first permission set includes a permission which is not in the second permission set; detecting a privilege escalation event in response to detecting that the first permission set includes a permission which is not in the second permission set; and initiating a mitigation action in response to detecting the privilege escalation event.

Abstract: A cybersecurity system provides the ability to detect security risks in a cross-platform cloud solution. A unified data schema is used to abstract resources, principals and others across multiple platforms. A security graph is generated to present a unified view of cloud environments, which are then easily queried using the structure of the data schema. The solution allows a compact representation of cloud environments, which is scalable and multi-layered. Various enrichments may be added to the security graph, which are generated for example based on policies, and inspection of workloads in the cloud environment. The security graph allows for representation of production environments, staging environments, as well as code for deploying workloads in the cloud environment. Thus the solution is also able to present a complete picture of a user's entire cloud environment.