CA-3250971-C - SYSTEM AND METHOD FOR GENERATING CYBERSECURITY REMEDIATION IN COMPUTING ENVIRONMENTS
Abstract
A system and method for initiating remediation actions in response to a cybersecurity issue in a computing environment is disclosed. The method includes: configuring a virtual instance in a computing environment to communicate with an inspection environment; configuring the virtual instance to receive in the computing environment a plurality of remediation scripts from the inspection environment; generating a remediation infrastructure including a plurality of remediation actions, each remediation action corresponding to at least a remediation script of the plurality of remediation scripts; detecting a cybersecurity issue in the computing environment; configuring the virtual instance to initiate a remediation action of the plurality of remediation actions, based on detecting the cybersecurity issue; and receiving a feedback in the inspection environment from the virtual instance in response to initiating the remediation action.
Inventors
- Itay Arbel
- Solal Raveh
- Orr SHAMLI
- Chris Beckett
- Ben Grynhaus
- Eyal Zisman
Assignees
- Wiz, Inc.
Dates
- Publication Date
- 20260505
- Application Date
- 20241028
- Priority Date
- 20231214
Claims (20)
What is claimed is:
- 1. A method for initiating remediation actions in response to a cybersecurity issue in a computing environment, comprising: configuring a virtual instance in a computing environment to communicate with an inspection environment; configuring the virtual instance to receive in the computing environment a plurality of remediation scripts from the inspection environment; generating a remediation infrastructure including a plurality of remediation actions, each remediation action corresponding to at least a remediation script of the plurality of remediation scripts; detecting a cybersecurity issue in the computing environment; configuring the virtual instance to initiate a remediation action of the plurality of remediation actions, based on detecting the cybersecurity issue; and receiving a feedback in the inspection environment from the virtual instance in response to initiating the remediation action.
- 2. The method of claim 1, further comprising: inspecting the computing environment for a cybersecurity object, wherein the cybersecurity object indicates the cybersecurity issue.
- 3. The method of claim 1, further comprising: associating a first group of remediation actions of the plurality of remediation actions with a first group of user accounts; and associating a second group of remediation actions of the plurality of remediation actions with a second group of user accounts, wherein each group of user accounts is authorized to initiate only a remediation action associated with the respective user group.
- 4. The method of claim 3, further comprising: disabling a first remediation action of the plurality of remediation actions.
- 5. The method of claim 4, further comprising: detecting a condition in the computing environment; and disabling the first remediation action based on the detected condition.
- 6. The method of claim 5, further comprising: enabling a second remediation based on the detected condition.
- 7. The method of claim 3, further comprising: disabling a first remediation action of the plurality of remediation actions only for the first group of user accounts.
- 8. The method of claim 3, further comprising: associating a first remediation action with the first user group, wherein the first user group is authorized to initiate the first remediation action only on a first preauthorized resource in the computing environment.
- 9. The method of claim 8, further comprising: associating the first remediation action with the second user group, wherein the second user group is authorized to initiate the first remediation action on any resource in the computing environment.
- 10. The method of claim 8, further comprising: associating the first remediation action with the second user group, wherein the second user group is authorized to initiate the first remediation action only on a second preauthorized resource, which is different from the first preauthorized resource.
- 11. The method of claim 1, further comprising: generating an indicator value for each remediation action, the indicator value indicating a determined degree of disruption of the remediation action.
- 12. The method of claim 11, further comprising: providing a permission to initiate a first remediation action to a first principal, in response to determining that a determined degree of disruption of the first remediation action is at, or exceeds, a threshold value.
- 13. The method of claim 12, further comprising: providing the permission to the first principal only in response to detecting a condition in the computing environment.
- 14. The method of claim 1, further comprising: configuring the virtual instance to receive a customized remediation script.
- 15. The method of claim 1, further comprising: initiating a second remediation action, in response to the feedback indicating that the remediation action was unsuccessful.
- 16. The method of claim 1, further comprising: generating a notification, in response to the feedback indicating that the remediation action was successful.
- 17. The method of claim 1, further comprising: configuring the virtual instance to send a status report respective of the remediation infrastructure.
- 18. A non-transitory computer-readable medium storing a set of instructions for initiating remediation actions in response to a cybersecurity issue in a computing environment, the set of instructions comprising: one or more instructions that, when executed by one or more processors of a device, cause the device to: configure a virtual instance in a computing environment to communicate with an inspection environment; configure the virtual instance to receive in the computing environment a plurality of remediation scripts from the inspection environment; generate a remediation infrastructure including a plurality of remediation actions, each remediation action corresponding to at least a remediation script of the plurality of remediation scripts; detect a cybersecurity issue in the computing environment; configure the virtual instance to initiate a remediation action of the plurality of remediation actions, based on detecting the cybersecurity issue; and receive a feedback in the inspection environment from the virtual instance in response to initiating the remediation action.
- 19. A system for initiating remediation actions in response to a cybersecurity issue in a computing environment comprising: a processing circuitry; a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: configure a virtual instance in a computing environment to communicate with an inspection environment; configure the virtual instance to receive in the computing environment a plurality of remediation scripts from the inspection environment; generate a remediation infrastructure including a plurality of remediation actions, each remediation action corresponding to at least a remediation script of the plurality of remediation scripts; detect a cybersecurity issue in the computing environment; configure the virtual instance to initiate a remediation action of the plurality of remediation actions, based on detecting the cybersecurity issue; and receive a feedback in the inspection environment from the virtual instance in response to initiating the remediation action.
- 20. The system of claim 19, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: inspect the computing environment for a cybersecurity object, wherein the cybersecurity object indicates the cybersecurity issue.
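The claims above (and the summary restated in the Description) define an authorization model for remediation actions: actions are associated with groups of user accounts (claim 3), can be disabled globally, by a detected condition, or for one group only (claims 4 to 7), can be restricted to preauthorized resources per group (claims 8 to 10), carry a disruption indicator that gates high-impact actions behind an explicit, possibly condition-bound permission (claims 11 to 13), and are chained on failure feedback with a notification on success (claims 15 and 16). The following Python is an added illustration of how such a policy evaluator could be written; it is not code from the patent or from Wiz, and every action, script, group, principal, resource and condition name in it is constructed for the example. The `execute` callback stands in for the virtual instance running a script and returning feedback.

```python
from dataclasses import dataclass, field

# All action, script, group, principal, resource and condition names are
# constructed for this example; nothing here comes from the patent text.


@dataclass(frozen=True)
class RemediationAction:
    name: str
    script: str        # remediation script the action maps to (claim 1)
    disruption: int    # indicator of expected disruption, 0 (none) to 10 (claim 11)


@dataclass
class GroupPolicy:
    actions: set                                   # actions associated with the group (claim 3)
    scopes: dict = field(default_factory=dict)     # action -> preauthorized resources; absent = any (claims 8-10)
    disabled: set = field(default_factory=set)     # actions disabled for this group only (claim 7)


class RemediationInfrastructure:
    def __init__(self, actions, disruption_threshold):
        self.actions = {a.name: a for a in actions}
        self.threshold = disruption_threshold
        self.groups = {}          # group name -> GroupPolicy
        self.disabled = set()     # actions disabled for everyone (claim 4)
        self.disable_on = {}      # condition -> actions disabled while it is detected (claim 5)
        self.enable_on = {}       # condition -> actions enabled only while it is detected (claim 6)
        self.conditions = set()   # conditions currently detected in the environment
        self.elevated = {}        # principal -> condition required (or None) for disruptive actions (claims 12-13)

    def _enabled(self, name):
        if name in self.disabled:
            return False
        if any(name in acts for c, acts in self.disable_on.items() if c in self.conditions):
            return False
        gates = [c for c, acts in self.enable_on.items() if name in acts]
        return not gates or any(c in self.conditions for c in gates)

    def authorize(self, principal, group, action, resource):
        """Return (allowed, reason) for `principal` in `group` initiating `action` on `resource`."""
        if action not in self.actions:
            return False, "unknown action"
        policy = self.groups.get(group)
        if policy is None or action not in policy.actions:
            return False, "action not associated with group"
        if not self._enabled(action):
            return False, "action disabled"
        if action in policy.disabled:
            return False, "action disabled for group"
        scope = policy.scopes.get(action)
        if scope is not None and resource not in scope:
            return False, "resource not preauthorized for group"
        if self.actions[action].disruption >= self.threshold:
            if principal not in self.elevated:
                return False, "disruptive action requires explicit permission"
            needed = self.elevated[principal]
            if needed is not None and needed not in self.conditions:
                return False, f"permission valid only while condition {needed!r} is detected"
        return True, "ok"

    def remediate(self, principal, group, resource, plan, execute):
        """Run the actions in `plan` in order; feedback of failure moves to the next one (claim 15),
        success produces a notification and stops (claim 16)."""
        events = []
        for action in plan:
            ok, reason = self.authorize(principal, group, action, resource)
            if not ok:
                events.append(f"denied {action}: {reason}")
                continue
            if execute(self.actions[action].script, resource):
                events.append(f"notify: {action} succeeded on {resource}")
                break
            events.append(f"feedback: {action} failed on {resource}, trying next")
        return events


def build_sample():
    """Constructed policy: two groups, one condition-gated action, one condition-bound permission."""
    infra = RemediationInfrastructure(
        [RemediationAction("restart_workload", "restart.sh", 2),
         RemediationAction("rotate_credentials", "rotate.sh", 5),
         RemediationAction("isolate_instance", "isolate.sh", 9)],
        disruption_threshold=8)
    infra.groups["ops"] = GroupPolicy(
        actions={"restart_workload", "rotate_credentials"},
        scopes={"rotate_credentials": {"vm-1"}})           # claim 8: one preauthorized resource
    infra.groups["secops"] = GroupPolicy(
        actions={"restart_workload", "rotate_credentials", "isolate_instance"},
        scopes={"rotate_credentials": {"vm-2"}})           # claim 10: a different preauthorized resource
    infra.disable_on["maintenance_window"] = {"restart_workload"}   # claim 5
    infra.enable_on["active_breach"] = {"isolate_instance"}         # claim 6
    infra.elevated["alice"] = "active_breach"                       # claims 12-13
    return infra


if __name__ == "__main__":
    infra = build_sample()
    infra.conditions.add("active_breach")
    for who, grp, act, res in [("bob", "ops", "rotate_credentials", "vm-2"),
                               ("alice", "secops", "isolate_instance", "vm-3"),
                               ("carol", "secops", "isolate_instance", "vm-3")]:
        print(who, grp, act, res, "->", infra.authorize(who, grp, act, res))
```

Two design points worth noting for anyone building the real thing: the evaluator is deny-by-default at every step (an action absent from a group's set, a resource outside a scope, or a principal without an elevated grant all fail closed), and the condition-bound grant in `elevated` means a high-disruption action such as isolation is only reachable while the triggering condition is still observed, so a stale permission cannot be reused once the incident has cleared.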
Description
TECHNICAL FIELD
[0001] The present disclosure relates generally to cybersecurity remediation, and particularly to providing a remediation infrastructure for a cloud computing environment.
BACKGROUND
[0002] Cybersecurity threats can be present in computing environments in various ways. For example, in cloud computing environments, some threats include vulnerabilities, misconfigurations, exposures, exploitations, and the like.
[0003] Various solutions exist which monitor computing environments for cybersecurity threats, including threat detection, digital forensic solutions, and the like. While monitoring often requires read-level access to a computing environment, remediation and mitigation require performing and initiating actions in the computing environment which typically need a higher level of permissions and access than simply read-level access.
[0004] For reasons such as this, remediation solutions are slow to be adopted since organizations are hesitant to allow a third party such access on a continuous basis. Alternatively, remediation solutions can be maintained and provided by the organization itself in the computing environment, however, this requires a specialization that is costly to maintain.
[0005] It would therefore be advantageous to provide a solution that would overcome the challenges noted above.
SUMMARY
[0006] A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term “some embodiments” or “certain embodiments” may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.
[0007] A system of one or more computers can be configured to perform particular operations or actions by virtue of having software, firmware, hardware, or a combination of them installed on the system that in operation causes or cause the system to perform the actions. One or more computer programs can be configured to perform particular operations or actions by virtue of including instructions that, when executed by data processing apparatus, cause the apparatus to perform the actions.
[0008] In one general aspect, method may include configuring a virtual instance in a computing environment to communicate with an inspection environment. Method may also include configuring the virtual instance to receive in the computing environment a plurality of remediation scripts from the inspection environment. Method may furthermore include generating a remediation infrastructure including a plurality of remediation actions, each remediation action corresponding to at least a remediation script of the plurality of remediation scripts. Method may in addition include detecting a cybersecurity issue in the computing environment. Method may moreover include configuring the virtual instance to initiate a remediation action of the plurality of remediation actions, based on detecting the cybersecurity issue. Method may also include receiving a feedback in the inspection environment from the virtual instance in response to initiating the remediation action. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods.
[0009] Implementations may include one or more of the following features. Method may include: inspecting the computing environment for a cybersecurity object, where the cybersecurity object indicates the cybersecurity issue. Method may include: associating a first group of remediation actions of the plurality of remediation actions with a first group of user accounts; and associating a second group of remediation actions of the plurality of remediation actions with a second group of user accounts, where each group of user accounts is authorized to initiate only a remediation action associated with the respective user group. Method may include: disabling a first remediation action of the plurality of remediation actions. Method may include: detecting a condition in the computing environment; and disabling the first remediation action based on the detected condition. Method may include: enabling a second remediation based on the detected condition. Method may include: disabling a first remediation action of the plurality of remediation actions only for the first group of user accounts. Method may include: ass