Cyberark Software Ltd.

Asaf Hecht

Omer Tsarfati

Michael Balber

Hadas Elkabir

Tal Kandel

Lavi Lazarovitz

Mark Cherp

Nir Chako

Omar Tsarfati

Niv Rabin

Kobi Ben Naim

Noa Moyal

Shaked Reiner

Or Ben-Porath

Gal Naor

Emmanuel Ouanounou

Techniques include securely accessing data associated with authorization of an identity, the identity being capable of accessing an access-controlled network resource based on assertion of an authentication credential to an entity associated with the access-controlled network resource; generating a secret data element based on the data associated with authorization of the identity and based on application of a first secret logic algorithm; and making the secret data element available to be embedded in the authentication credential. The entity associated with the access-controlled network resource is configured to: validate the identity based on the secret data element being included in the authentication credential; and access the data associated with authorization of the identity based on application of a second secret logic algorithm to the secret data element.

Authentication credential with embedded authentication information

Disclosed embodiments relate to systems and methods for composite risk scores for network resources. Techniques include retrieving data associated with multiple network resources. The retrieved data is used to perform a first assessment for each of the multiple network resources to estimate a vulnerability level for each of the multiple network resources. The retrieved dated is also used to perform a second assessment for each of the multiple network resources to estimate an importance level for each of the multiple network resources. Based on a result of the first assessment and a result of the second assessment, a composite risk score for each of the multiple network resources is determined. When needed, a security response is performed based on the determined composite risk score of a specific network resource among the multiple network resources.

Analyzing and addressing security threats in network resources

Techniques include securely accessing data associated with at least one identity capable of accessing one or more access-controlled network resources; generating an intermediate value based on the data associated with the at least one identity; generating, based on application of a secret logic algorithm to the intermediate value, a secret data element; making available, the secret data element, to be embedded in an authentication credential associated with the at least one identity; identifying an attempt to change the authentication credential, the attempt including new authentication credential data to replace data in the authentication credential; validating, conditional on a determination whether the new authentication credential data includes the secret data element in a predefined location, the attempt to change the authentication credential; and determining, based on the validating, whether to perform a control action based on the new authentication credential data.

Detecting and preventing unauthorized credential change

Disclosed embodiments relate to systems and methods for dynamically and proactively scanning a computing environment for application misconfiguration security threats. Techniques include identifying an application configured for network communications; analyzing a network security configuration of the application; identifying, based on the analyzing, a target network address that the application is configured to use to redirect a network device to a target network resource; comparing the target network address to a whitelist of trusted target network addresses; assessing, based on the comparing, whether the network security configuration is misconfigured; and determining, based on the assessment, whether to provide a configuration validation status for the application.

On-demand and proactive detection of application misconfiguration security threats

Disclosed embodiments relate to systems and methods for dynamically performing entity-specific security assessments for entities of virtualized network environments. Techniques include identifying an entity associated with a virtualized network environment, identifying a plurality of security factors, determining entity-specific weights to the plurality of security factors, and generating a composite exposure assessment for the entity. Further techniques include selecting at least two security factors of the plurality of security factors, identifying the weights corresponding to the selected security factors, and calculating the composite exposure assessment using the selected security factors and corresponding weights, analyzing the composite exposure assessment, and generating at least one of: a security recommendation based on the analysis to alter a scope of privileges of the entity, a notification providing an indication of the composite exposure assessment, or a visual representation of the composite exposure assessment of the entity.

Dynamically generating multi-factor entity risk assessments within virtualized environments

Disclosed embodiments relate to systems and methods for securely providing secrets. Techniques include receiving, from an entity, trigger information indicative of an action to be performed by at least one service based on the trigger information; identifying at least one secret expected to be used by the at least one service to perform the action, the at least one secret being identified based on information correlating the trigger information to the at least one secret; and causing the at least one secret to be provided to the at least one service, wherein the at least one secret is provided to the at least one service independent of any request for the at least one secret.

Push architecture for secure provision of secrets

Described herein are methods, systems, and computer-readable storage media for generation of a secure and dynamically mutable operating system. Techniques include receiving a request to execute an application causing instantiation of an operating system by identifying one or more needed modules that include core kernel modules and operating system service modules that are dynamically plugged-in or unplugged based on the execution of the application. Techniques may further include assigning a separate memory space with a separate virtual address for each of the one or more modules, generating a unique cryptographic key for each of the one or more modules, storing each virtual address and corresponding unique cryptographic key together. Further the operating system generation system encrypts each of the one or more modules using their corresponding unique cryptographic key.

Customizable and dynamically mutable operating systems

Disclosed embodiments relate to systems and methods for automatically detecting and addressing security risks in code segments. Techniques include accessing a plurality of code segments developed for execution in a network environment, automatically identifying a first code segment from the plurality of code segments for analysis, automatically performing a first code-level security risk assessment for the first code segment, and determining a first security risk level for the first code segment based on the application programming interface risk level. The first code-level security risk assessment may be performed based on at least one of an application programming interface risk level, an embedded credentials risk level, and a target resource risk level. Further techniques may include determining a second security risk level for a modified version of the first code segment; and enabling a comparison between the first security risk level and the second security risk level.

Security risk assessment and control for code

Described herein are methods, systems, and computer-readable storage media for participating in a validation process with the host computing device. Techniques include receiving, from the host computing device, a second key that is part of a cryptographic key pair comprising a first key and the second key. Techniques further include, encrypting, using the second key and as part of the validation process, data at the peripheral device and sending the encrypted data to the host computing device. Further, the host computing device validates an identity of the peripheral device based on a decryption, using the first key, of the encrypted data.

Identity-based security layer for peripheral computing devices

Disclosed embodiments relate to systems and methods for securing the use of temporary access tokens in network environments. Techniques include identifying a request for an action involving a target network resource requiring a temporary access token; receiving, from the target network resource, a temporary access token; storing the temporary access token separate from the network identity; generating a customized replacement token having an attribute different from the temporary access token such that the customized replacement token cannot be used directly with the target network resource; providing the customized replacement token to the network identity; monitoring use of the customized replacement token to detect an activity identified as being at least one of potentially anomalous or potentially malicious; receiving an access request to access the target network resource; and based on the detected activity, denying the access request from the network identity.

Protections against security vulnerabilities associated with temporary access tokens

Disclosed embodiments relate to systems and methods for enabling recovery of deactivated virtual computing instances that were previously instantiated in a dynamic virtualized computing environment. Techniques include identifying a status change for a virtual computing instance; archiving a plurality of environment properties representing a chain of activities comprising a plurality of activities executed by a processor of the virtual computing instance; and reactivating the virtual computing instance. Reactivating the virtual computing instance may include reinstantiation of the virtual computing instance based on the plurality of environment properties and chain of activities such that the virtual computing instance is reinstantiated to a state at a time of the status change.

Recovery of state, configuration, and content for virtualized instances

Disclosed embodiments relate to systems and methods for analyzing and addressing least-privilege security threats on a composite basis. Techniques include identifying a permission associated with a secured resource, identifying attributes associated with the permission, weighting the attributes, and, based on the attributes and their weights, creating a normalized score corresponding to the risk presented by the permission. Further techniques include identifying attributes associated with the secured resource, identifying special risk factors, and creating weighted scores based on the resource attributes and special risk factors. Other techniques include aggregating the weighted scores and using the weighted scores to identify insecure areas within the system.

Analyzing and addressing least-privilege security threats on a composite basis

Disclosed embodiments include techniques for automatically provisioning dynamic privileged access resources. Aspects may involve receiving a notification that an identity is seeking to participate in a privileged session with an access-restricted network resource, and automatically provisioning, in response to the notification, a privileged access resource for use by the identity in participating in the privileged session with the access-restricted network resource. Further, aspects may include determining that the privileged session with the access-restricted network resource has ended, and automatically deprovisioning, based on the determination, the privileged access resource.

Automated creation of dynamic privileged access resources

Disclosed embodiments relate to systems and methods for providing an end-to-end secure lifecycle of data. Techniques include receiving a request from a client to access data; reserving a designated memory region; protecting the designated memory region using access restriction to certain processes of an operating system; receiving data from a trusted source; injecting the data into the designated memory region in a zero-copy manner; sending the data to the client in a zero-copy manner; receiving an indication that the client performed an interaction; and in response to the indication, disposing of the data and the designated memory region.

End-to-end secure lifecycle of secrets with minimal footprint

Described herein are methods, systems, and computer-readable storage media for managing cryptographic keys needed for peripheral devices to securely communicate with host computing devices. Techniques include receiving, at a centralized identity management resource, a first key that is part of a cryptographic key pair comprising the first key and a second key, wherein the second key is stored at a peripheral device for use by the peripheral device in encrypting data. Techniques further include identifying a first host computing device that is permitted to engage in secure communications with the peripheral device. Further, making available the first key from the centralized identity management resource to the first host computing device to enable the first host computing device to decrypt the encrypted data.

Growing community of inventors

Tel Aviv, Israel

Asaf Hecht