Abstract: A system and method for detecting an application path utilizing active inspection of a cloud computing environment, includes selecting a reachable resource having at least one network path to access the reachable resource, wherein the reachable resource is a cloud object deployed in the cloud computing environment, and accessible from a network which is external to the cloud computing environment; selecting a second resource having a second network path based on the network path of the reachable resource; and actively inspecting the second network path to determine if the second resource is accessible through the second network path from the reachable resource.

Abstract: A system and method for performing active inspection of a cloud computing environment includes selecting a reachable resource, having a network path to access the reachable resource, wherein the reachable resource is a cloud object deployed in the cloud computing environment, and accessible from a network which is external to the cloud computing environment; determining a network protocol for the network path; and actively inspecting the network path to determine if an application utilizing the network protocol is deployed on the reachable resource as part of a technology stack of the reachable resource.

Abstract: A method for detecting escalation paths in a cloud environment is provided. The method includes accessing a security graph representing cloud objects and their connections in the cloud environment; analyzing each cloud object to detect an escalation hop from a current cloud object to a next cloud object, wherein the analysis is based, in part, on a plurality of risk factors and reachability parameters determined for each cloud object; and marking the security graph with each identified escalation path in the security graph, wherein an escalation path is a collection of escalation hops from a source cloud object to a destination cloud object.

Abstract: A system and method for inspecting virtual instances in a cloud computing environment for cybersecurity threats utilizing disk cloning. The method includes: selecting a virtual instance in a cloud computing environment, wherein the virtual instance includes a disk having a disk descriptor with an address in a cloud storage system; generating an instruction to clone the disk of the virtual instance, the instruction when executed causes generation of a cloned disk descriptor, the cloned disk descriptor having a data field including the address of the disk of the virtual instance; inspecting the cloned disk for a cybersecurity threat; and releasing the cloned disk in response to completing the inspection of the cloned disk.

Abstract: A method and system for providing textual insights on objects deployed in a cloud environment are provided. The method includes collecting object data on objects deployed in the cloud environment, wherein objects are deployed and operable at different layers of the cloud environment; identifying objects deployed in the cloud environment; constructing a visual representation of the cloud environment, including the identified objects and their relationships; and generating textual insights on the identified objects and their relationships using natural language processing.

Abstract: A system and method for agentless generation of a software bill of materials (SBOM) in a cloud computing environment is disclosed. The method includes: accessing a plurality of workloads in a cloud computing environment; detecting in each workload of the plurality of workloads a software component; generating for each workload an SBOM based on the detected software component; and storing each SBOM in a database.

Abstract: A system and method for reducing redundancy in inspecting container layers for cybersecurity objects includes: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: generate a diff output between a first container layer and a second container layer, wherein the second container layer is previously generated based off of the first container layer, wherein the diff includes at least an object; inspect the first container layer for a cybersecurity object; inspect the object for the cybersecurity threat; associate the cybersecurity object with the first container layer in response to detecting the cybersecurity object in the first container layer and not in the at least an object; and associate the cybersecurity object with the second container layer in response to detecting the cybersecurity object in the at least an object and not in the first container layer.

Abstract: A system and method for inspecting virtual instances in a cloud computing environment for cybersecurity threats utilizing disk cloning. The method includes: selecting a virtual instance in a cloud computing environment, wherein the virtual instance includes a disk having a disk descriptor with an address in a cloud storage system; generating an instruction to clone the disk of the virtual instance, the instruction when executed causes generation of a cloned disk descriptor, the cloned disk descriptor having a data field including the address of the disk of the virtual instance; inspecting the cloned disk for a cybersecurity threat; and releasing the cloned disk in response to completing the inspection of the cloned disk.

Abstract: A system and method for improved endpoint detection and response (EDR) in a cloud computing environment configures a resource deployed in a cloud computing environment to deploy thereon a sensor, configured to listen on a data link layer for an event. The method further includes detecting a potential cybersecurity threat on the resource; sending a definition based on the cybersecurity threat to the sensor, wherein the definition includes a logical expression, which when applied to an event produces a binary outcome, and wherein the sensor is further configured to apply the definition to the event; determining that the potential cybersecurity threat is an actual cybersecurity threat in response to the produced binary outcome having a predetermined value; and generating an instruction to perform a mitigation action based on the actual cybersecurity threat.

Abstract: A system and method for detecting privilege escalation on a resource deployed in a computing environment is disclosed. The method includes: configuring the resource to deploy thereon a sensor, the sensor configured to listen on a data link layer of the resource for an event; receiving from the sensor a permission-based event based on a first actor, the permission-based event indicating a first permission set of the first actor; querying a database to detect a second permission set of the first actor; detecting that the first permission set includes a permission which is not in the second permission set; determining that the resource is involved in a privilege escalation event in response to detecting that the first permission set includes a permission which is not in the second permission set; and initiating a mitigation action in response to the determined privilege escalation event.

Abstract: A system and method for detecting a cybersecurity event based on multiple cybersecurity data sources is disclosed. The method includes: receiving data from a first cybersecurity source, the first cybersecurity source configured to generate data based on a resource deployed in a computing environment; receiving data from a second cybersecurity source, the second cybersecurity source configured to generate data based on the resource deployed in the computing environment, wherein the second cybersecurity source has a source type which is different from a source type of the first cybersecurity source; detecting a cybersecurity event on the resource based on data received from the first cybersecurity source and data received from the second cybersecurity source; and initiating a mitigation action for the resource in response to detecting the cybersecurity event.

Abstract: A system and method for inspecting live virtual instance in a cloud computing environment for cybersecurity threats utilizes a disk cloning technique. The method includes selecting a live virtual instance in a cloud computing environment, wherein the live virtual instance includes a disk having a disk descriptor with an address in a cloud storage system. An instruction to clone the disk of the live virtual instance is generated, and when executed causes generation of a cloned disk descriptor, the cloned disk descriptor having a data field including the address of the disk of the live virtual instance. The cloned disk is inspected for a cybersecurity threat and the cloned disk is released in response to completing the inspection of the disk.

Abstract: A system and method for reducing network communication from a sensor for detecting cybersecurity threats is disclosed. The method includes: configuring the resource to deploy thereon a sensor, the sensor configured to listen on a data link layer of the resource for an event; configuring the sensor to generate an event set from a plurality of events, based on a rule; detecting that a number of events in the event set exceeds a predetermined threshold; determining that a cybersecurity event occurred in response to detecting that the number of events exceeds the predetermined threshold; and initiating a mitigation action based on the cybersecurity event.

Abstract: A system and method for applying a policy on a network path is disclosed. The method includes: selecting a reachable resource having a network path to access the reachable resource, wherein the reachable resource is a cloud object deployed in a cloud computing environment, having access to an external network which is external to the cloud computing environment; actively inspecting the network path to determine if the network path of the reachable resource is accessible from the external network; applying a policy on the accessible network path, wherein the policy includes a conditional rule; initiating a mitigation action, in response to determining that the conditional rule is not met; and applying the policy on another network path, in response to determining that the conditional rule is met.

Abstract: A method and system for providing textual insights on objects deployed in a cloud environment are provided. The method includes collecting object data on objects deployed in the cloud environment, wherein objects are deployed and operable at different layers of the cloud environment; identifying objects deployed in the cloud environment; constructing a visual representation of the cloud environment, including the identified objects and their relationships; and generating textual insights on the identified objects and their relationships using natural language processing.

Abstract: A system and method for performing authorization based active inspection of network paths for a resource, deployed in a cloud computing environment, includes receiving at least one network path to access the resource, wherein the resource is a cloud object deployed in the cloud computing environment, and potentially accessible from a network which is external to the cloud computing environment; and actively inspecting the at least one network path to determine if the resource is accessible through the at least one network path from a network external to the cloud computing environment and requires access authorization.

Abstract: A system and method for performing active inspection of a cloud computing environment includes receiving at least one network path to access a first resource, wherein the first resource is a cloud object deployed in the cloud computing environment, and potentially accessible from a network which is external to the cloud computing environment; and actively inspecting the at least one network path to determine if the first resource is accessible through the at least one network path from a network external to the cloud computing environment.

Abstract: A system and method for performing active inspection of vulnerability exploitation in a cloud computing environment. The method includes receiving at least one network path to access a first resource, wherein the first resource is a cloud object is deployed in the cloud computing environment and having a known vulnerability, wherein the first resource is potentially accessible from a network which is external to the cloud computing environment; actively inspecting the at least one network path to determine if the first resource is accessible through the at least one network path from a network external to the cloud computing environment; and triggering the known vulnerability to determine if the first resource can be exploited with the known vulnerability, in response to determining that the first resource is accessible through the external network.

Abstract: A system and method detect a malware infection path in a compute environment. The method includes detecting a malware object on a first workload in a computing environment including a plurality of workloads, wherein the first workload is represented by a resource node on a security graph, the security graph including an endpoint node representing a resource which is accessible to a public network; generating a potential infection path between the resource node and the endpoint node including at least a second resource node connected to the resource node; inspecting a second workload of the plurality of workloads represented by the second resource node; determining that the potential infection path is a confirmed infection path, in response to detecting the malware on the second workload; and determining that the potential infection path is not an infection path, in response to detecting that the second workload does not include the malware.

Abstract: A method and system for determining abnormal configuration of network objects deployed in a cloud computing environment are provided. The method includes collecting network object data on a plurality of network objects deployed in the cloud computing environment; constructing a network graph based on the collected network object data, wherein the network graph includes a visual representation of network objects identified in the cloud computing environment; determining relationships between the identified network objects in the network graph, wherein the determined relationships between the identified network objects includes descriptions of connections between the identified network objects; and analyzing the network graph and the determined relationships to generate insights, wherein the generated insights include at least a list of abnormal connections between the identified network objects.