
US-12625955-B2 - Techniques for representation of remediation action in a cybersecurity graph database


Abstract

A system and method for generating a compact representation of a computing environment having a remediated cybersecurity threat is disclosed. In an embodiment, the method includes generating an inspectable disk based on a disk of a resource in the computing environment; detecting a forensic artifact on the inspectable disk; traversing a security graph for a forensic finding based on the forensic artifact, wherein the security graph includes a representation of the computing environment; detecting a remediation node connected to a node representing the forensic finding; and initiating a remediation action, represented by the remediation node.

Inventors

  • Itay Arbel
  • Mattan Shalev
  • Yaniv Shaked
  • Alon Schindel
  • Ami Luttwak
  • Roy Reznik
  • Yinon Costica
  • Eric Abramov

Assignees

  • Wiz, Inc.

Dates

Publication Date
2026-05-12
Application Date
2023-03-06

Claims (19)

  1. A method for generating a compact representation of a computing environment having a remediated cybersecurity threat, comprising: generating an inspectable disk based on a disk of a resource in the computing environment; detecting a forensic artifact on the inspectable disk, wherein the forensic artifact is an indicator that a digital asset was accessed by an unauthorized party; traversing a security graph for a forensic finding based on the forensic artifact, wherein the security graph includes a representation of the computing environment; detecting in the security graph a remediation node connected to a node representing the forensic finding; and initiating a remediation action, represented by the remediation node.
  2. The method of claim 1, further comprising: initiating the remediation action on the inspectable disk prior to initiating the remediation action on the disk of the resource.
  3. The method of claim 1, further comprising: traversing the security graph to detect a cybersecurity risk node connected to a node representing the resource; and initiating the remediation action further based on a cybersecurity threat represented by the cybersecurity risk node.
  4. The method of claim 3, further comprising: initiating an inspection of the inspectable disk to detect a cybersecurity object associated with the cybersecurity threat.
  5. The method of claim 3, further comprising: detecting a second remediation node connected to: the cybersecurity risk node, and the node representing the forensic finding.
  6. The method of claim 5, further comprising: initiating a second remediation action.
  7. The method of claim 1, further comprising: detecting a second forensic node connected to the remediation node; and initiating an inspection of the inspectable disk based on the second forensic node to detect another forensic artifact.
  8. The method of claim 1, wherein the remediation action is any one of: generating a notification, generating a ticket in a ticketing system, adding a rule to a policy, updating a rule to a policy, deleting a cryptographic key, removing a permission, revoking network access, sandboxing the resource associated with the disk, based on which the inspectable disk was generated, and any combination thereof.
  9. The method of claim 1, wherein the forensic artifact is any one of: a file containing metadata, a file containing content of a deleted file, a cookie, a content extracted from a cache memory, a content extracted from a cache storage, website data, a disk image, a file attribute value, a record in a network log, a record in a cloud log, and any combination thereof.
  10. A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process for generating a compact representation of a computing environment having a remediated cybersecurity threat, the process comprising: generating an inspectable disk based on a disk of a resource in the computing environment; detecting a forensic artifact on the inspectable disk, wherein the forensic artifact is an indicator that a digital asset was accessed by an unauthorized party; traversing a security graph for a forensic finding based on the forensic artifact, wherein the security graph includes a representation of the computing environment; detecting in the security graph a remediation node connected to a node representing the forensic finding; and initiating a remediation action, represented by the remediation node.
  11. A system for generating a compact representation of a computing environment having a remediated cybersecurity threat, comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: generate an inspectable disk based on a disk of a resource in the computing environment; detect a forensic artifact on the inspectable disk, wherein the forensic artifact is an indicator that a digital asset was accessed by an unauthorized party; traverse a security graph for a forensic finding based on the forensic artifact, wherein the security graph includes a representation of the computing environment; detect in the security graph a remediation node connected to a node representing the forensic finding; and initiate a remediation action, represented by the remediation node.
  12. The system of claim 11, wherein the memory contains further instructions which when executed by the processing circuitry, further configures the system to: initiate the remediation action on the inspectable disk prior to initiating the remediation action on the disk of the resource.
  13. The system of claim 11, wherein the memory contains further instructions which when executed by the processing circuitry, further configures the system to: traverse the security graph to detect a cybersecurity risk node connected to a node representing the resource; and initiate the remediation action further based on a cybersecurity threat represented by the cybersecurity risk node.
  14. The system of claim 13, wherein the memory contains further instructions which when executed by the processing circuitry, further configures the system to: initiate an inspection of the inspectable disk to detect a cybersecurity object associated with the cybersecurity threat.
  15. The system of claim 13, wherein the memory contains further instructions which when executed by the processing circuitry, further configures the system to: detect a second remediation node connected to: the cybersecurity risk node, and the node representing the forensic finding.
  16. The system of claim 15, wherein the memory contains further instructions which when executed by the processing circuitry, further configures the system to: initiate a second remediation action.
  17. The system of claim 11, wherein the memory contains further instructions which when executed by the processing circuitry, further configures the system to: detect a second forensic node connected to the remediation node; and initiate an inspection of the inspectable disk based on the second forensic node to detect another forensic artifact.
  18. The system of claim 11, wherein the remediation action is any one of: generating a notification, generating a ticket in a ticketing system, adding a rule to a policy, updating a rule to a policy, deleting a cryptographic key, removing a permission, revoking network access, sandboxing the resource associated with the disk, based on which the inspectable disk was generated, and any combination thereof.
  19. The system of claim 11, wherein the forensic artifact is any one of: a file containing metadata, a file containing content of a deleted file, a cookie, a content extracted from a cache memory, a content extracted from a cache storage, website data, a disk image, a file attribute value, a record in a network log, a record in a cloud log, and any combination thereof.
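The following toy implementation is an added illustration of the workflow in claims 1, 2, 3, 5, 8 and 9 (and restated in the Summary below); it is not code from the patent or from Wiz. The graph node names, the disk layout, the key=value cloud-log format, the allow list of principals and the two action names are all assumed for the example. It snapshots a resource disk, scans the snapshot for a cloud-log record showing an unauthorized read of an asset, maps that artifact to a forensic-finding node, collects the remediation nodes adjacent to the finding (noting which are also adjacent to a cybersecurity risk node on the resource, per claim 5), and rehearses each action on the snapshot before applying it to the live disk, per claim 2:

```python
"""Toy implementation of the claimed workflow (added illustration, not Wiz's
code). Node names, disk layout, log format and action names are all assumed."""
from collections import defaultdict
from copy import deepcopy


class SecurityGraph:
    """Minimal typed, undirected graph standing in for the 'security graph'."""
    def __init__(self):
        self.nodes = {}              # node id -> {"type": ..., other attributes}
        self.adj = defaultdict(set)  # node id -> set of adjacent node ids

    def add_node(self, node_id, node_type, **attrs):
        self.nodes[node_id] = {"type": node_type, **attrs}

    def add_edge(self, a, b):
        self.adj[a].add(b)
        self.adj[b].add(a)

    def neighbors_of_type(self, node_id, node_type):
        return sorted(n for n in self.adj[node_id] if self.nodes[n]["type"] == node_type)


# Two of the claim-8 action types, each as (apply, post-condition check) on a disk dict.
ACTIONS = {
    "delete_cryptographic_key": (lambda d: d.pop("/root/.ssh/id_rsa", None),
                                 lambda d: "/root/.ssh/id_rsa" not in d),
    "revoke_network_access": (lambda d: d.update({"/etc/network_policy": "deny-all"}),
                              lambda d: d.get("/etc/network_policy") == "deny-all"),
}


def make_inspectable_disk(resource_disk):
    """Claim 1: analysis runs on a copy, so the live disk keeps serving I/O."""
    return deepcopy(resource_disk)


def detect_forensic_artifacts(disk, authorized_principals):
    """Claim 9 (cloud log record): flag asset reads by a principal not on the allow list."""
    artifacts = []
    for path, content in disk.items():
        if not path.endswith(".log"):
            continue
        for line in content:  # constructed key=value records
            fields = dict(kv.split("=", 1) for kv in line.split())
            if fields.get("principal") not in authorized_principals:
                artifacts.append({"kind": "cloud_log_record", "path": path, **fields})
    return artifacts


def finding_nodes_for(graph, artifact):
    """Forensic-finding nodes are keyed by the artifact kind they explain."""
    return sorted(i for i, n in graph.nodes.items()
                  if n["type"] == "forensic_finding" and n.get("artifact_kind") == artifact["kind"])


def select_remediations(graph, finding_id, resource_id):
    """Claim 1: remediation nodes adjacent to the finding; claims 3/5: note which are also
    adjacent to a cybersecurity risk node of the resource."""
    risks = set(graph.neighbors_of_type(resource_id, "cybersecurity_risk"))
    return {rem: sorted(graph.adj[rem] & risks)
            for rem in graph.neighbors_of_type(finding_id, "remediation")}


def remediate(graph, resource_id, resource_disk, authorized_principals):
    """End-to-end pipeline; returns the compact representation of the outcome."""
    inspectable = make_inspectable_disk(resource_disk)
    artifacts = detect_forensic_artifacts(inspectable, authorized_principals)
    report = {"resource": resource_id, "artifacts": len(artifacts), "findings": [], "applied": []}
    for artifact in artifacts:
        for finding in finding_nodes_for(graph, artifact):
            if finding in report["findings"]:
                continue
            report["findings"].append(finding)
            for rem, linked_risks in select_remediations(graph, finding, resource_id).items():
                action = graph.nodes[rem]["action"]
                if action not in ACTIONS:
                    continue  # unknown action type: never touch the live disk
                apply, check = ACTIONS[action]
                apply(inspectable)                # claim 2: rehearse on the inspectable disk
                if check(inspectable):            # only a verified action reaches the resource
                    apply(resource_disk)
                    report["applied"].append({"action": action, "risk_linked": bool(linked_risks)})
    return report


def build_sample():
    """Constructed environment: one VM, one finding, one risk node, two remediations."""
    g = SecurityGraph()
    g.add_node("vm-1", "resource", kind="virtual_machine")
    g.add_node("finding-unauth-access", "forensic_finding", artifact_kind="cloud_log_record")
    g.add_node("risk-exposed-key", "cybersecurity_risk", description="long-lived key on disk")
    g.add_node("rem-delete-key", "remediation", action="delete_cryptographic_key")
    g.add_node("rem-revoke-net", "remediation", action="revoke_network_access")
    g.add_edge("vm-1", "risk-exposed-key")
    g.add_edge("finding-unauth-access", "rem-revoke-net")
    g.add_edge("finding-unauth-access", "rem-delete-key")
    g.add_edge("risk-exposed-key", "rem-delete-key")  # claim 5: linked to risk AND finding
    disk = {
        "/root/.ssh/id_rsa": "(constructed private key material)",
        "/etc/network_policy": "allow-all",
        "/var/log/cloud-access.log": [
            "ts=2023-03-06T10:00:00Z principal=svc-backup asset=s3://customer-data action=GetObject",
            "ts=2023-03-06T10:05:00Z principal=unknown-key-7 asset=s3://customer-data action=GetObject",
        ],
    }
    return g, disk
```

Running `remediate(*build_sample()[:1], "vm-1", build_sample()[1], {"svc-backup"})` style calls (or simply `g, d = build_sample(); remediate(g, "vm-1", d, {"svc-backup"})`) yields a report with one artifact, one finding and two applied actions; the key deletion is flagged `risk_linked` because its node sits between the risk node and the finding node. The rehearsal-then-verify step is the part worth keeping in a real system: an action whose post-condition cannot be confirmed on the snapshot never reaches the resource's disk.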

Description

TECHNICAL FIELD

The present disclosure relates generally to digital forensics and specifically to performing forensic analysis in a cloud computing environment.

BACKGROUND

Cybersecurity is a field in computer science which is concerned with providing security to digital assets, managing digital identity and authorization, and the like. Digital assets are often defined within a network of computers, such as a cloud computing environment. Cloud computing environments, such as virtual private clouds (VPCs), are deployed on cloud computing infrastructures, such as Amazon® Web Services (AWS), Google® Cloud Platform (GCP), Microsoft® Azure, and the like. Bad actors desire access to such assets, which can include provisioned hardware (allowing a bad actor to utilize cloud computing resources for nefarious purposes), sensitive data, and the like. While there are many solutions which attempt to curtail such penetrations, inevitably some will succeed.

The field of digital forensics is concerned with detecting cybersecurity breaches. This is advantageous as it allows, on one hand, ascertaining what damage has been done to, or using, the digital assets, and on the other hand, once it is ascertained that damage has been done or is being done, such knowledge allows remediation actions to be initiated.

Utilizing forensic software requires resources and is obstructive to the normal operation of a computing environment. For example, a disk which undergoes forensic analysis needs to devote access operations (e.g., read, write, etc.) to the forensic analysis software. This is an issue where a breach event is suspected but not confirmed, as it can result in performing analysis on a disk which was not compromised, and yet resources had to be devoted to determine that.

It would therefore be advantageous to provide a solution that would overcome the challenges noted above.

SUMMARY

A summary of several example embodiments of the disclosure follows.
This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term “some embodiments” or “certain embodiments” may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.

Certain embodiments disclosed herein include a method for generating a compact representation of a computing environment having a remediated cybersecurity threat. The method also includes generating an inspectable disk based on a disk of a resource in the computing environment; detecting a forensic artifact on the inspectable disk; traversing a security graph for a forensic finding based on the forensic artifact, where the security graph includes a representation of the computing environment; detecting a remediation node connected to a node representing the forensic finding; and initiating a remediation action, represented by the remediation node.

Certain embodiments disclosed herein also include a non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process. The non-transitory computer readable medium also includes generating an inspectable disk based on a disk of a resource in the computing environment; detecting a forensic artifact on the inspectable disk; traversing a security graph for a forensic finding based on the forensic artifact, where the security graph includes a representation of the computing environment; detecting a remediation node connected to a node representing the forensic finding; and initiating a remediation action, represented by the remediation node.

Certain embodiments disclosed herein also include a system for generating a compact representation of a computing environment having a remediated cybersecurity threat. The system also includes a processing circuitry. The system also includes a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: generate an inspectable disk based on a disk of a resource in the computing environment; detect a forensic artifact on the inspectable disk; traverse a security graph for a forensic finding based on the forensic artifact, where the security graph includes a representation of the computing environment; detect a remediation node connected to a node representing the forensic finding; and initiate a remediation action, represented by the remediation node.

BRIEF DESCRIPTION OF THE DRAWINGS

The subject matter disclosed herein is particularly pointed out and distinctly claimed in the claims at the conclusion of the