Abstract: A system and method for detecting lateral movement based on an exposed cryptographic network protocol (CNP) key in a cloud computing environment. The method includes: inspecting a first workload for a private CNP key, the private CNP key associated with a hash of a public CNP key; detecting in a security database a representation of the public CNP key; generating a lateral movement path, the lateral movement path including an identifier of a second workload, the second workload represented by a representation connected to the representation of the public CNP key.

Abstract: A system and method for inspecting virtual instances in a cloud computing environment for cybersecurity threats utilizing disk cloning. The method includes: selecting a virtual instance in a cloud computing environment, wherein the virtual instance includes a disk having a disk descriptor with an address in a cloud storage system; generating an instruction to clone the disk of the virtual instance, the instruction when executed causes generation of a cloned disk descriptor, the cloned disk descriptor having a data field including the address of the disk of the virtual instance; inspecting the cloned disk for a cybersecurity threat; and releasing the cloned disk in response to completing the inspection of the cloned disk.

Abstract: A system and method for improved endpoint detection and response (EDR) in a cloud computing environment configures a resource deployed in a cloud computing environment to deploy thereon a sensor, configured to listen on a data link layer for an event. The method further includes detecting a potential cybersecurity threat on the resource; sending a definition based on the cybersecurity threat to the sensor, wherein the definition includes a logical expression, which when applied to an event produces a binary outcome, and wherein the sensor is further configured to apply the definition to the event; determining that the potential cybersecurity threat is an actual cybersecurity threat in response to the produced binary outcome having a predetermined value; and generating an instruction to perform a mitigation action based on the actual cybersecurity threat.

Abstract: A system and method for detecting privilege escalation on a resource deployed in a computing environment is disclosed. The method includes: configuring the resource to deploy thereon a sensor, the sensor configured to listen on a data link layer of the resource for an event; receiving from the sensor a permission-based event based on a first actor, the permission-based event indicating a first permission set of the first actor; querying a database to detect a second permission set of the first actor; detecting that the first permission set includes a permission which is not in the second permission set; determining that the resource is involved in a privilege escalation event in response to detecting that the first permission set includes a permission which is not in the second permission set; and initiating a mitigation action in response to the determined privilege escalation event.

Abstract: A system and method for detecting a cybersecurity event based on multiple cybersecurity data sources is disclosed. The method includes: receiving data from a first cybersecurity source, the first cybersecurity source configured to generate data based on a resource deployed in a computing environment; receiving data from a second cybersecurity source, the second cybersecurity source configured to generate data based on the resource deployed in the computing environment, wherein the second cybersecurity source has a source type which is different from a source type of the first cybersecurity source; detecting a cybersecurity event on the resource based on data received from the first cybersecurity source and data received from the second cybersecurity source; and initiating a mitigation action for the resource in response to detecting the cybersecurity event.

Abstract: A system and method for reducing network communication from a sensor for detecting cybersecurity threats is disclosed. The method includes: configuring the resource to deploy thereon a sensor, the sensor configured to listen on a data link layer of the resource for an event; configuring the sensor to generate an event set from a plurality of events, based on a rule; detecting that a number of events in the event set exceeds a predetermined threshold; determining that a cybersecurity event occurred in response to detecting that the number of events exceeds the predetermined threshold; and initiating a mitigation action based on the cybersecurity event.

Abstract: A system and method for inspecting live virtual instance in a cloud computing environment for cybersecurity threats utilizes a disk cloning technique. The method includes selecting a live virtual instance in a cloud computing environment, wherein the live virtual instance includes a disk having a disk descriptor with an address in a cloud storage system. An instruction to clone the disk of the live virtual instance is generated, and when executed causes generation of a cloned disk descriptor, the cloned disk descriptor having a data field including the address of the disk of the live virtual instance. The cloned disk is inspected for a cybersecurity threat and the cloned disk is released in response to completing the inspection of the disk.

Abstract: A system and method for detecting potential lateral movement in a cloud computing environment includes detecting a private encryption key and a certificate, each of which further include a hash value of a respective public key, wherein the certificate is stored on a first resource deployed in the cloud computing environment; generating in a security graph: a private key node, a certificate node, and a resource node connected to the certificate node, wherein the security graph is a representation of the cloud computing environment; generating a connection in the security graph between the private key node and the certificate node, in response to determining a match between the hash values of the public key of the private key and the public key of the certificate; and determining that the first resource node is potentially compromised, in response to receiving an indication that an element of the public key is compromised.

Abstract: A system and method for detecting lateral movement based on a compromised cryptographic network protocol (CNP) key in a cloud computing environment includes inspecting a workload for a private CNP key, including metadata and a public CNP key hash; storing in a security graph: a private CNP key node representing the private CNP key, and a workload node representing the workload, wherein the security graph represents the cloud computing environment in which the workload is deployed; connecting in the security graph the private CNP key node to a public CNP key node in response to determining that the public CNP key hash of the private CNP key matches a public key hash associated with the public CNP key node; and generating a lateral movement path in response to determining that the private CNP key is compromised, the path including another workload node connected to the public CNP key.

Abstract: A system and method for generating a contextual cloud risk assessment of a cloud computing environment. The method includes accessing a plurality of cloud assessment policies, wherein a policy including a query executable on a security graph; applying the plurality of cloud assessment policies to the representation of the first cloud computing environment; generating a risk assessment report based on an output generated by applying a policy of the plurality of cloud assessment polices; and initiating a mitigation action based on a cybersecurity risk from the risk assessment report.

Abstract: A system and method for generating a compact forensic event log based on a cloud log, includes: traversing a security graph to detect a node representing a cloud entity in a cloud computing environment, wherein the security graph includes a representation of the cloud computing environment; detecting a node representing a cybersecurity threat connected to the node representing the cloud entity; parsing a cloud log of the cloud computing environment to detect a data record, the data record including an attribute of the node representing the cloud entity; and generating a compact forensic event log including the detected data record.

Abstract: A system and method detects an exploited vulnerable cloud entity. The method includes: detecting in at least one cloud log of a cloud computing environment a plurality of events, each event corresponding to a failed action, each event further corresponding to a cloud entity deployed in the cloud computing environment; extracting from the cloud log an identifier of the cloud entity; traversing a security graph to detect a node representing the cloud entity, based on the extracted identifier, wherein the security graph includes a representation of the cloud computing environment; detecting a node representing a cybersecurity vulnerability connected to the node representing the cloud entity; and initiating a mitigation action for the workload based on the cybersecurity vulnerability.

Abstract: A system and method for prioritizing alerts and mitigation actions against cyber threats in a cloud computing environment. The method includes detecting an alert based on a cloud entity deployed in a cloud computing environment, wherein the alert including an identifier of the cloud entity and a severity indicator, and wherein the cloud computing environment is represented in a security graph; generating a severity index for the received alert based on the identifier of the cloud entity and the severity indicator; and initiating a mitigation action based on the severity index.

Abstract: A system and method traces suspicious activity to a workload based on a forensic log. The method includes detecting in at least one cloud log of a cloud computing environment a plurality of events, each event indicating an action in the cloud computing environment; extracting from an event of the plurality of events an identifier of a cloud entity, wherein the event includes an action which is predetermined as indicative of a suspicious event; traversing a security graph to detect a node representing the cloud entity, wherein the security graph further includes a representation of the cloud computing environment; detecting that the node representing the cloud entity is connected to a node representing a cybersecurity vulnerability; and initiating a mitigation action for the cloud entity based on the cybersecurity vulnerability.

Abstract: A system and method for detecting a cloud detection and response (CDR) event from a cloud log. The method includes detecting an identifier of a cloud entity in a cloud log, wherein the cloud log includes a plurality of records generated by a cloud computing environment; detecting a node in a security graph based on the identifier of the cloud entity, wherein the security graph includes a representation of the cloud computing environment; generating a CDR event in response to determining from the security graph that the first node is associated with a cybersecurity threat; and initiating a mitigation action based on the cybersecurity threat.

Abstract: A method for detecting escalation paths in a cloud environment is provided. The method includes accessing a security graph representing cloud objects and their connections in the cloud environment; analyzing each cloud object to detect an escalation hop from a current cloud object to a next cloud object, wherein the analysis is based, in part, on a plurality of risk factors and reachability parameters determined for each cloud object; and marking the security graph with each identified escalation path in the security graph, wherein an escalation path is a collection of escalation hops from a source cloud object to a destination cloud object.

Abstract: A system and method for detecting a vulnerable workload deployed in a cloud environment based on a code object of an infrastructure as code file utilizes a security graph. The method includes: extracting the code object from a state file, which includes a mapping between the code object to a first deployed workload and a second deployed workload; generating a node representing the code object in the security graph; generating a connection in the security graph between the node representing the code object and a node representing the first workload and a connection between the node representing the code object and a node representing the second workload; and determining that the second workload is a vulnerable workload, in response to detecting that the first workload node is associated with a cybersecurity threat, and that the nodes representing the workloads are each connected to the node representing the code object.

Abstract: A system and method for detecting unauthorized access to a cloud application hosted in a cloud-computing platform are presented. The method comprising: identifying, by a managed proxy device, a first access attempt to a cloud application at a first time and from a first location; identifying, by a managed proxy device, a second access attempt to the cloud application at a second time and from a second location; computing a velocity between the first access attempt and the second access attempt based on the first time, the second time, the first location, and the second location; checking if the computed velocity is greater than a velocity threshold; and generating a velocity event when the computed velocity is greater than the velocity threshold, wherein the velocity event indicates that an access attempt is unauthorized.

Abstract: A system and method for detecting unauthorized access to a cloud application hosted in a cloud-computing platform are presented. The method comprising: identifying, by a managed proxy device, a first access attempt to a cloud application at a first time and from a first location; identifying, by a managed proxy device, a second access attempt to the cloud application at a second time and from a second location; computing a velocity between the first access attempt and the second access attempt based on the first time, the second time, the first location, and the second location; checking if the computed velocity is greater than a velocity threshold; and generating a velocity event when the computed velocity is greater than the velocity threshold, wherein the velocity event indicates that an access attempt is unauthorized.

Abstract: A method and proxy device for detecting bypass vulnerabilities in a cloud-computing platform are provided. The method includes identifying an access attempt by a client device to a cloud-based application hosted in the cloud-computing platform; identifying login information corresponding to the identified access attempt; requesting authenticated login information from a central authentication system; correlating the login information corresponding to the access attempt with the authenticated login information; determining, based on the correlation, whether a bypass vulnerability exists; and generating a bypass event when it is determined that the bypass vulnerability has been exploited wherein the bypass event indicates that the access attempt to the cloud-based application has not been properly authenticated.