(19) United States
(12) Patent Application Publication    (10) Pub. No.: US 2020/0244678 A1
     SHUA                                (43) Pub. Date: Jul. 30, 2020

US 20200244678A1
(54) TECHNIQUES FOR SECURING VIRTUAL MACHINES

(71) Applicant: Orca Security LTD., Tel Aviv (IL)

(72) Inventor: Avi SHUA, Tel Aviv (IL)

(73) Assignee: Orca Security LTD., Tel Aviv (IL)

(21) Appl. No.: 16/585,967

(22) Filed: Sep. 27, 2019

Related U.S. Application Data

(60) Provisional application No. 62/797,718, filed on Jan. 28, 2019.

Publication Classification

(51) Int. Cl.
     H04L 29/06 (2006.01)
     G06F 9/455 (2006.01)
     G06F 16/11 (2006.01)

(52) U.S. Cl.
     CPC ...... H04L 63/1416 (2013.01); G06F 9/45558 (2013.01); H04L 63/1441 (2013.01); G06F 2009/45583 (2013.01); G06F 2009/45587 (2013.01); G06F 2009/45595 (2013.01); G06F 16/128 (2019.01)

(57) ABSTRACT
A system and method for securing virtual cloud assets in a cloud computing environment against cyber threats. The method includes: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.
[Front-page drawing: network diagram 100 showing User Console 180, External systems 170, Network 120, Management Console 150 and Cloud Computing Platform 110; see FIG. 1A.]

Orca Security Ltd.
Exhibit 2189
Wiz v. Orca
IPR2024-01109, -01190, -01191
Ex. 2189-001
Patent Application Publication, Jul. 30, 2020, Sheets 1 to 4 of 4, US 2020/0244678 A1

[FIG. 1A: network diagram 100 with User Console 180, external systems 170, Network 120, Management Console 150 and Cloud Computing Platform 110.]

[FIG. 1B: Security System 140 within the cloud computing platform.]

[FIG. 2: flowchart 200 with the steps: Receive a request to scan a VM for vulnerabilities; Determine a location of the virtual disk of the VM and its snapshot; Access a snapshot of the virtual disk; Analyze the snapshot; Report detected threats; Trigger a mitigation action; End. Step labels recoverable from the sheet: S210, S220, S230.]

[FIG. 3: block diagram of the security system; recoverable labels: Processing Circuitry 310, Storage 330, Network Interface, and reference numeral 340.]
TECHNIQUES FOR SECURING VIRTUAL MACHINES
[0001] This application claims the benefit of U.S. Provisional Application No. 62/797,718 filed on Jan. 28, 2019, the contents of which are hereby incorporated by reference.
TECHNICAL FIELD

[0002] This disclosure relates generally to cyber-security systems and, more specifically, to techniques for securing virtual machines.
BACKGROUND

[0003] Organizations have increasingly adapted their applications to be run from multiple cloud computing platforms. Some leading public cloud service providers include Amazon®, Microsoft®, Google®, and the like.

[0004] Virtualization plays a key role in cloud computing, allowing multiple applications and users to share the same cloud computing infrastructure. For example, a cloud storage service can maintain data of multiple different users.

[0005] In one instance, virtualization can be achieved by means of virtual machines. A virtual machine emulates a number of "computers" or instances, all within a single physical device. In more detail, virtual machines provide the ability to emulate a separate operating system (OS), also referred to as a guest OS, and therefore a separate computer, from an existing OS (the host). This independent instance is typically isolated as a completely standalone environment.

[0006] Modern virtualization technologies are also adopted by cloud computing platforms. Examples of such technologies include virtual machines, software containers, and serverless functions. With their computing advantages, applications and virtual machines running on top of virtualization technologies are also vulnerable to some cyber threats. For example, virtual machines can execute vulnerable software applications or infected operating systems.

[0007] Protection of a cloud computing infrastructure, and particularly of virtual machines, can be achieved via inspection of traffic. Traditionally, traffic inspection is performed by a network device connected between a client and a server (deployed in a cloud computing platform or a data center) hosting virtual machines. Traffic inspection may not provide an accurate indication of the security status of the server due to inherent limitations, such as encryption and whether the necessary data is exposed in the communication.
[0008] Furthermore, inspection of computing infrastructure may be performed by a network scanner deployed out of path. The scanner queries the server to determine if the server executes an application that poses a security threat, such as a vulnerability in the application. The disadvantage of such a scanner is that the server may not respond to all queries by the scanner, or may not expose the necessary data in the response. Further, the network scanner usually communicates with the server, and the network configuration may prevent it. In addition, some types of queries may require credentials to access the server. Such credentials may not be available to the scanner.

[0009] Traffic inspection may also be performed by a traffic monitor that listens to traffic flows between clients and the server. The traffic monitor can detect some cyber threats, e.g., based on the volume of traffic. However, the monitor can detect threats only based on the monitored traffic. For example, misconfiguration of the server may not be detected by the traffic monitor. As such, traffic monitoring would not allow detection of vulnerabilities in software executed by the server.

[0010] To overcome the limitations of traffic inspection solutions, some cyber-security solutions, such as vulnerability management and security assessment solutions, are based on agents installed in each server in a cloud computing platform or data center. Using agents is a cumbersome solution for a number of reasons, including IT resources management, governance, and performance. For example, installing agents in a large data center may take months.

[0011] It would therefore be advantageous to provide a security solution that would overcome the deficiencies noted above.
SUMMARY

[0012] A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term "some embodiments" or "certain embodiments" may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.
[0013] Certain embodiments disclosed herein include a method for securing virtual cloud assets in a cloud computing environment against cyber threats, comprising: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.

[0014] Certain embodiments disclosed herein also include a non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.

[0015] Certain embodiments disclosed herein also include a system for securing virtual cloud assets in a cloud computing environment against cyber threats, comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: determine a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; access the snapshot of the virtual disk based on the determined location; analyze the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alert detected potential cyber threats based on a determined priority.
BRIEF DESCRIPTION OF THE DRAWINGS

[0016] The foregoing and other objects, features, and advantages of the disclosed embodiments will be apparent from the following detailed description taken in conjunction with the accompanying drawings.

[0017] FIGS. 1A and 1B are network diagrams utilized to describe the various embodiments.

[0018] FIG. 2 is a flowchart illustrating a method for detecting cyber threats, including potential vulnerabilities, in virtual machines executed in a cloud computing platform according to some embodiments.

[0019] FIG. 3 is an example block diagram of the security system according to an embodiment.
DETAILED DESCRIPTION

[0020] It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular elements may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.

[0021] FIGS. 1A and 1B show an example network diagram 100 utilized to describe the various embodiments. A cloud computing platform 110 is communicably connected to a network 120. Examples of the cloud computing platform 110 may include a public cloud, a private cloud, a hybrid cloud, and the like. Examples of a public cloud include, but are not limited to, AWS® by Amazon®, Microsoft Azure®, Google Cloud®, and the like. In some configurations, the disclosed embodiments are operable in on-premise virtual machine environments. The network 120 may be the Internet, the world-wide-web (WWW), a local area network (LAN), a wide area network (WAN), and other networks.
[0022] The arrangement of the example cloud computing platform 110 is shown in FIG. 1B. As illustrated, the platform 110 includes a server 115 and a storage 117, serving as the storage space for the server 115. The server 115 is a physical device hosting at least one virtual machine (VM) 119. The VM 119 is a protected VM, which may be any virtual cloud asset including, but not limited to, a software container, a micro-service, a serverless function, and the like.

[0023] The storage 117 emulates virtual disks for the VMs executed by the server 115. The storage 117 is typically connected to the server 115 through a high-speed connection, such as optic fiber, allowing fast retrieval of data. In other configurations, the storage 117 may be part of the server 115. In the example illustrated in FIG. 1B, virtual disk 118-1 is allocated for the VM 119. The server 115, and hence the VM 119, may be executed in a client environment 130 within the platform 110.

[0024] The client environment 130 is an environment within the cloud computing platform 110 utilized to execute cloud-hosted applications of the client. A client may belong to a specific tenant. In some example embodiments, the client environment 130 may be part of a virtualized environment or an on-premises virtualization environment, such as a VMware® based solution.
[0025] Also deployed in the cloud computing platform 110 is a security system 140 configured to perform the various disclosed embodiments. In some embodiments, the system 140 may be part of the client environment 130. In an embodiment, the security system 140 may be realized as a physical machine configured to execute a plurality of virtual instances, such as, but not limited to, virtual machines executed by a host server. In yet another embodiment, the security system 140 may be realized as a virtual machine executed by a host server. Such a host server is a physical machine (device) and may be either the server 115, a dedicated server, a different shared server, or another virtualization-based computing entity, such as a serverless function.

[0026] In an embodiment, the interface between the client environment 130 and the security system 140 can be realized using APIs or services provided by the cloud computing platform 110. For example, in AWS, a cross account policy service can be utilized to allow interfacing the client environment 130 with the security system 140.
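The cross-account interface of [0026] is normally set up as an IAM role in the client account that the security system's account is allowed to assume. The following is an added example and not part of the patent or Orca's code: it builds such a trust policy and a permission policy limited to read-only snapshot access, and a checker that rejects any policy pair granting actions outside that allow-list, lacking an ExternalId condition, or trusting a wildcard principal. The account IDs, the ExternalId value and the allow-list membership are assumptions; the IAM and EBS action names are the real ones.

```python
"""Least-privilege cross-account role for snapshot-based scanning (added example)."""
import json

# Account IDs are placeholders, not values from the patent.
CLIENT_ACCOUNT_ID = "111111111111"      # the client environment (130)
SECURITY_ACCOUNT_ID = "222222222222"    # where the security system (140) runs
EXTERNAL_ID = "example-external-id"     # shared value guarding against the confused-deputy problem

# Read-only actions sufficient to locate a VM's volume and read its snapshot blocks.
READ_ONLY_ACTIONS = frozenset({
    "ec2:DescribeInstances",
    "ec2:DescribeVolumes",
    "ec2:DescribeSnapshots",
    "ebs:ListSnapshotBlocks",
    "ebs:ListChangedBlocks",
    "ebs:GetSnapshotBlock",
})


def trust_policy(security_account_id: str, external_id: str) -> dict:
    """Trust policy: only the security account may assume the role, and only
    when it presents the agreed ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{security_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permission_policy() -> dict:
    """Permission policy granting only the read-only snapshot actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(READ_ONLY_ACTIONS),
            "Resource": "*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_violations(trust: dict, perms: dict) -> list:
    """Return human-readable problems; an empty list means the pair is acceptable."""
    problems = []
    for stmt in trust.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            problems.append("trust policy allows AssumeRole without an ExternalId condition")
        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            problems.append("trust policy allows any AWS principal to assume the role")
    for stmt in perms.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action not in READ_ONLY_ACTIONS:
                problems.append(f"permission policy grants non-read-only action {action}")
    return problems


if __name__ == "__main__":
    t, p = trust_policy(SECURITY_ACCOUNT_ID, EXTERNAL_ID), permission_policy()
    print(json.dumps(t, indent=2))
    print(json.dumps(p, indent=2))
    print("violations:", policy_violations(t, p))
```

The checker is the part worth keeping in a deployment pipeline: the role the security system assumes in each client environment should never be able to write to, delete or share the volumes it inspects, and the ExternalId condition is what stops a third party from tricking the security account into reading someone else's snapshots.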
[0027] In the deployment illustrated in FIG. 1, the configuration of resources of the cloud computing platform 110 is performed by means of the management console 150. As such, the management console 150 may be queried on the current deployment and settings of resources in the cloud computing platform 110. Specifically, the management console 150 may be queried, by the security system 140, about the location (e.g., virtual address) of the virtual disk 118-1 in the storage 117. The system 140 is configured to interface with the management console 150 through, for example, an API.

[0028] In some example embodiments, the security system 140 may further interface with the cloud computing platform 110 and external systems 170. The external systems may include intelligence systems, security information and event management (SIEM) systems, and mitigation tools. The external intelligence systems may include common vulnerabilities and exposures (CVE®) databases, reputation services, security systems (providing feeds on discovered threats), and so on. The information provided by the intelligence systems may detect certain known vulnerabilities identified in, for example, a CVE database.
[0029] According to the disclosed embodiments, the security system 140 is configured to detect vulnerabilities and other cyber threats related to the execution of VM 119. The detection is performed while the VM 119 is live, without using any agent installed in the server 115 or the VM 119, and without relying on cooperation from the VM 119 guest OS. Specifically, the security system 140 can scan and detect vulnerable software, non-secure configuration, exploitation attempts, compromised assets, data leaks, data mining, and so on. The security system 140 may be further utilized to provide security services, such as incident response, anti-ransomware, and cyber insurance, by accessing the security posture.
[0030] In some embodiments, the security system 140 is configured to query the cloud management console 150 for the address of the virtual disk 118-1 serving the VM 119 and a location of the snapshot. A VM's snapshot is a copy of the machine's virtual disk (or disk file) at a given point in time. Snapshots provide a change log for the virtual disk and are used to restore a VM to a particular point in time when a failure error occurs. Typically, any data that was writable on a VM becomes read-only when the snapshot is taken. Multiple snapshots of a VM can be created at multiple possible point-in-time restore points. When a VM reverts to a snapshot, current disk and memory states are deleted and the snapshot becomes the new parent snapshot for that VM.

[0031] The snapshot of the VM 119 is located, and the snapshot saved from the virtual disk 118-1 is accessed by the system 140. In an embodiment, the VM's 119 snapshot may be copied to the system 140. If such a snapshot does not exist, the system 140 may take a new snapshot, or request such an action. The snapshots may be taken at a predefined schedule or upon predefined events (e.g., a network event or abnormal event). Further, the snapshots may be accessed or copied on a predefined schedule or upon predefined events. It should be noted that when the snapshot is taken or copied, the VM 119 still runs.
[0032] It should be noted that the snapshot of the virtual disk 118-1 may not necessarily be stored in the storage 117, but for ease of the discussion it is assumed that the snapshot is saved in the storage 117. It should be further noted that the snapshot is being accessed without cooperation of the guest, virtual OS of the virtual machine.

[0033] The snapshot is parsed and analyzed by the security system 140 to detect vulnerabilities. This analysis of the snapshot does not require any interaction and/or information from the VM 119. As further demonstrated herein, the analysis of the snapshot by the system 140 does not require any agent installed on the server 115 or VM 119.

[0034] Various techniques can be utilized to analyze the snapshots, depending on the type of vulnerability and cyber threats to be detected. Following are some example embodiments for techniques that may be implemented by the security system 140.
[0035] In an embodiment, the security system 140 is configured to detect whether there is vulnerable code executed by the VM 119. The VM 119 being checked may be running, paused, or shut down. To this end, the security system 140 is configured to match installed application lists, with their respective versions, to a known list of vulnerable applications. Further, the security system 140 may be configured to match the application files, either directly (using binary comparison) or by computing a cryptographic hash, against a database of files in vulnerable applications. The matching may also be on sub-modules of an application. Alternatively, the security system 140 may read installation logs of package managers used to install the packages of the application.
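The two matching techniques of [0035], package inventory against a vulnerable-version list and file hashes against a database of files from vulnerable applications, look like this when run over a snapshot that has been mounted read-only. This is an added example, not code from the patent or from Orca: the dpkg status text, the vulnerability table, the file contents and the advisory identifiers are all constructed, and the version comparison is a deliberately simplified key (Debian's real ordering has more rules than this).

```python
"""Offline package and file-hash matching over a mounted snapshot (added example)."""
import hashlib
import os
import re
import tempfile

# Constructed dpkg-style status file, as it would be read from
# <mount>/var/lib/dpkg/status of the snapshot (not the patent's data).
SAMPLE_DPKG_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.1.1f-1

Package: nginx
Status: install ok installed
Version: 1.18.0-6

Package: curl
Status: deinstall ok config-files
Version: 7.68.0-1
"""

# Constructed vulnerability list: package -> list of (advisory, fixed_in).
# Any installed version lower than fixed_in is considered affected.
SAMPLE_VULN_DB = {
    "openssl": [("ADV-EXAMPLE-1", "1.1.1g-1")],
    "nginx":   [("ADV-EXAMPLE-2", "1.18.0-3")],   # fixed before the installed version
    "curl":    [("ADV-EXAMPLE-3", "7.70.0-1")],   # package removed, only config files remain
}


def parse_dpkg_status(text: str) -> dict:
    """Return {package: version} for packages whose status is 'installed'."""
    installed = {}
    for block in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if fields.get("Status", "").endswith(" installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed


def version_key(version: str) -> tuple:
    """Simplified comparison key: numeric runs compare numerically, the rest as text."""
    parts = re.split(r"(\d+)", version)
    return tuple(int(p) if p.isdigit() else p for p in parts)


def match_vulnerable(installed: dict, vuln_db: dict) -> list:
    """(package, version, advisory) for installed packages below the fixed version."""
    findings = []
    for pkg, version in installed.items():
        for advisory, fixed_in in vuln_db.get(pkg, []):
            if version_key(version) < version_key(fixed_in):
                findings.append((pkg, version, advisory))
    return findings


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def match_file_hashes(mount_root: str, subdirs: tuple, known_hashes: dict) -> list:
    """Hash every regular file under the given subdirectories of the mounted
    snapshot and report those whose digest is in the known-vulnerable-file table."""
    hits = []
    for sub in subdirs:
        for dirpath, _, files in os.walk(os.path.join(mount_root, sub)):
            for name in files:
                full = os.path.join(dirpath, name)
                digest = sha256_of(full)
                if digest in known_hashes:
                    hits.append((os.path.relpath(full, mount_root), known_hashes[digest]))
    return sorted(hits)


def build_sample_snapshot(root: str) -> dict:
    """Write a constructed mini filesystem and return the hash table for its
    'vulnerable' library so the example runs stand-alone."""
    os.makedirs(os.path.join(root, "var/lib/dpkg"), exist_ok=True)
    os.makedirs(os.path.join(root, "usr/lib"), exist_ok=True)
    with open(os.path.join(root, "var/lib/dpkg/status"), "w") as f:
        f.write(SAMPLE_DPKG_STATUS)
    vulnerable_blob = b"constructed contents of a vulnerable shared library"
    with open(os.path.join(root, "usr/lib/libexample.so.1"), "wb") as f:
        f.write(vulnerable_blob)
    with open(os.path.join(root, "usr/lib/libother.so.1"), "wb") as f:
        f.write(b"unrelated library")
    return {hashlib.sha256(vulnerable_blob).hexdigest(): "ADV-EXAMPLE-4 (libexample module)"}


def scan_snapshot(mount_root: str, vuln_db: dict, known_hashes: dict) -> dict:
    with open(os.path.join(mount_root, "var/lib/dpkg/status")) as f:
        installed = parse_dpkg_status(f.read())
    return {
        "packages": match_vulnerable(installed, vuln_db),
        "files": match_file_hashes(mount_root, ("usr/lib",), known_hashes),
    }


def demo() -> dict:
    with tempfile.TemporaryDirectory() as mount:
        known_hashes = build_sample_snapshot(mount)
        return scan_snapshot(mount, SAMPLE_VULN_DB, known_hashes)


if __name__ == "__main__":
    print(demo())
```

Note that the removed `curl` package is not reported even though its version is below the fix: the status file says only its configuration files remain, which is the kind of detail an inventory taken from the package manager's own records gives you and a plain directory listing does not.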
[0036] In yet another embodiment, the security system 140 is configured to verify whether the vulnerability is relevant to the VM 119. For example, if there is a vulnerable version or module not in use, the priority of that issue is reduced dramatically.

[0037] To this end, the security system 140 may be configured to check the configuration files of the applications and operating system of the VM 119; to verify access times to files by the operating system; and/or to analyze the active application and/or system logs in order to deduce what applications and modules are running.

[0038] In yet another embodiment, the security system 140 may instantiate a copy of the VM 119 and/or a subset of applications of the VM 119 on the server 115 or a separate server and monitor all activity performed by the instance of the VM. The execution of the instance of the VM is an isolated sandbox, which can be a full VM or a subset of it, such as a software container (e.g., Docker® container) or another virtualized instance. The monitored activity may be further analyzed to determine abnormality. Such analysis may include monitoring of API activity, process creation, file activity, network communication, registry changes, and active probing of the said subset in order to assess its security posture. This may include, but is not limited to, actively communicating with the VM 119, using either legitimate communication and/or attack attempts, to assess its posture and by that deriving the security posture of the entire VM 119.

[0039] In order to determine if the vulnerability is relevant to the VM 119, the security system 140 is configured to analyze the machine memory, as reflected in the pagefile. The pagefile is saved in the snapshot and extends how much system-committed memory (also known as "virtual memory") a system can back. In an embodiment, analyzing the page file allows deduction of running applications and modules by the VM 119.
[0040] In an embodiment, the security system 140 is configured to read process identification number (PID) files and check their access or write times, which are matched against process descriptors. The PID can be used to deduce which processes are running, and hence the priority of vulnerabilities detected in processes existing on the disk. It should be noted the PID files are also maintained in the snapshot.
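Paragraphs [0036] to [0040] describe deciding whether a vulnerable package is actually in use before assigning it a priority. The following added example (not the patent's or Orca's code) applies the PID-file technique of [0040] offline: a service counts as running only if its PID file exists in the snapshot, holds a valid PID, and was written after the last boot, since a PID file older than the boot is stale. The package-to-PID-file table, the boot reference time, the findings and the severity thresholds are constructed assumptions. It also assumes the PID directory is on the captured disk; on systems where /run is a tmpfs, the snapshot would not contain it and the log- and pagefile-based methods of [0037] and [0039] would have to be used instead.

```python
"""Deducing running services from PID files in a snapshot to set finding priority (added example)."""
import os
import tempfile
import time

# Constructed table mapping a package to the PID file its service writes.
# A deployment would derive this from the package's own service descriptors.
PID_FILES = {
    "nginx": "var/run/nginx.pid",
    "legacyd": "var/run/legacyd.pid",
    "cups": "var/run/cups/cupsd.pid",
}


def read_pid_file(mount_root, rel_path):
    """(pid, mtime) for a PID file in the mounted snapshot, or None if absent or invalid."""
    full = os.path.join(mount_root, rel_path)
    try:
        with open(full) as f:
            pid = int(f.read().strip())
        return pid, os.stat(full).st_mtime
    except (OSError, ValueError):
        return None


def running_services(mount_root, boot_reference):
    """Services whose PID file is present, well-formed and written after the last boot."""
    alive = {}
    for package, rel_path in PID_FILES.items():
        info = read_pid_file(mount_root, rel_path)
        if info and info[1] >= boot_reference:
            alive[package] = info[0]
    return alive


def prioritize(findings, alive):
    """findings: (package, advisory, base_severity 1-10).
    Vulnerabilities in packages with no live process are reduced dramatically."""
    out = []
    for package, advisory, severity in findings:
        if package in alive:
            out.append((package, advisory, severity, "running", "HIGH" if severity >= 7 else "MEDIUM"))
        else:
            out.append((package, advisory, severity, "not running", "LOW"))
    return out


def build_sample_snapshot(root):
    """Constructed PID directory: nginx fresh, legacyd stale from before boot, cups malformed."""
    os.makedirs(os.path.join(root, "var/run/cups"))
    boot = time.time() - 3600          # constructed last-boot time: one hour ago

    def write(rel, content, mtime):
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write(content)
        os.utime(path, (mtime, mtime))

    write("var/run/nginx.pid", "1234\n", boot + 60)
    write("var/run/legacyd.pid", "987\n", boot - 86400)
    write("var/run/cups/cupsd.pid", "not a pid\n", boot + 120)
    return boot


# Constructed findings as the package-matching stage would hand them over.
SAMPLE_FINDINGS = [
    ("nginx", "ADV-EXAMPLE-2", 8),
    ("legacyd", "ADV-EXAMPLE-5", 9),
    ("cups", "ADV-EXAMPLE-6", 6),
]


def demo():
    with tempfile.TemporaryDirectory() as mount:
        boot = build_sample_snapshot(mount)
        return prioritize(SAMPLE_FINDINGS, running_services(mount, boot))


if __name__ == "__main__":
    for row in demo():
        print(row)
```

In practice the boot reference would be taken from the snapshot itself, for instance the newest boot record in the system logs, rather than passed in; the point of the check is that the mere presence of a PID file on disk says nothing unless its timestamp is compared with the last boot.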
[0041] In yet another embodiment, the security system 140 is configured to detect cyber threats that do not represent vulnerabilities. For example, the security system 140 may detect and alert on sensitive data not being encrypted on the logical disk, private keys found on the disks, system credentials stored in the clear on the disk, risky application features (e.g., support of weak cipher suites or authentication methods), weak passwords, weak encryption schemes, a disabled address space layout randomization (ASLR) feature, suspicious manipulation to a boot record, suspicious PATH, LD_LIBRARY_PATH, or LD_PRELOAD definitions, services running on startup, and the like.
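Several of the non-vulnerability checks listed in [0041] can be done purely from the files of a mounted snapshot. The following added example (not the patent's or Orca's code) implements four of them for a Linux guest: unencrypted PEM private keys, loader overrides via /etc/ld.so.preload or global LD_PRELOAD/LD_LIBRARY_PATH settings, ASLR weakened through kernel.randomize_va_space in sysctl configuration, and startup units enabled for multi-user.target that are not on an allow-list. The sample filesystem, the allow-list of expected units and the finding names are constructed.

```python
"""Offline configuration and secret checks over a mounted snapshot (added example)."""
import glob
import os
import re
import tempfile

KEY_HEADER = re.compile(rb"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")
ASLR_SETTING = re.compile(r"^\s*kernel\.randomize_va_space\s*=\s*(\d)")
LOADER_ENV = re.compile(r"^\s*(?:export\s+)?(?:LD_PRELOAD|LD_LIBRARY_PATH)=")
# Constructed allow-list of units expected to start at boot on this image.
EXPECTED_STARTUP_UNITS = {"sshd.service", "nginx.service"}


def find_private_keys(root, subdirs=("etc", "home", "root")):
    """Unencrypted PEM private keys; keys carrying an ENCRYPTED marker are not reported."""
    hits = []
    for sub in subdirs:
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for name in sorted(files):
                full = os.path.join(dirpath, name)
                try:
                    with open(full, "rb") as f:
                        head = f.read(4096)
                except OSError:
                    continue
                if KEY_HEADER.search(head) and b"ENCRYPTED" not in head:
                    hits.append(("private_key_on_disk", os.path.relpath(full, root), "unencrypted PEM"))
    return hits


def find_loader_overrides(root):
    """Libraries forced into every process via /etc/ld.so.preload, or LD_* set system-wide."""
    hits = []
    preload = os.path.join(root, "etc/ld.so.preload")
    if os.path.isfile(preload):
        with open(preload) as f:
            libs = [l.strip() for l in f if l.strip() and not l.startswith("#")]
        if libs:
            hits.append(("ld_so_preload", "etc/ld.so.preload", ", ".join(libs)))
    for rel in ("etc/environment", "etc/profile"):
        full = os.path.join(root, rel)
        if os.path.isfile(full):
            with open(full) as f:
                for line in f:
                    if LOADER_ENV.match(line):
                        hits.append(("loader_env_override", rel, line.strip()))
    return hits


def find_aslr_weakened(root):
    """kernel.randomize_va_space below 2 means ASLR is off or only partial."""
    hits = []
    paths = [os.path.join(root, "etc/sysctl.conf")]
    paths += sorted(glob.glob(os.path.join(root, "etc/sysctl.d/*.conf")))
    for full in paths:
        if not os.path.isfile(full):
            continue
        with open(full) as f:
            for line in f:
                m = ASLR_SETTING.match(line)
                if m and m.group(1) != "2":
                    hits.append(("aslr_weakened", os.path.relpath(full, root), line.strip()))
    return hits


def find_unexpected_startup_units(root, expected=EXPECTED_STARTUP_UNITS):
    """Units enabled for multi-user.target that are not on the image's allow-list."""
    wants_rel = "etc/systemd/system/multi-user.target.wants"
    wants = os.path.join(root, wants_rel)
    if not os.path.isdir(wants):
        return []
    return [("unexpected_startup_unit", f"{wants_rel}/{u}", "")
            for u in sorted(os.listdir(wants)) if u not in expected]


def scan(root):
    return (find_private_keys(root) + find_loader_overrides(root)
            + find_aslr_weakened(root) + find_unexpected_startup_units(root))


def build_sample_snapshot(root):
    """Constructed filesystem fragment exercising each check (not real data)."""
    def write(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    write("root/.ssh/id_rsa", b"-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n")
    write("etc/ssl/private/backup.pem", b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nconstructed\n")
    write("etc/ld.so.preload", b"/usr/lib/libhook.so\n")
    write("etc/environment", b"PATH=/usr/local/bin:/usr/bin\n")
    write("etc/sysctl.d/99-custom.conf", b"net.ipv4.ip_forward = 0\nkernel.randomize_va_space = 0\n")
    for unit in ("sshd.service", "nginx.service", "updater.service"):
        write(f"etc/systemd/system/multi-user.target.wants/{unit}", b"")


def demo():
    with tempfile.TemporaryDirectory() as mount:
        build_sample_snapshot(mount)
        return scan(mount)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Each finding is a (kind, path, detail) triple so that it can be routed to the console or a SIEM with the evidence attached; the encrypted key under etc/ssl/private is deliberately left out of the report, because a passphrase-protected key at rest is the expected state, not a finding.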
[0042] In an embodiment, the security system 140 may further monitor changes in sensitive machine areas, and alert on unexpected changes (e.g., added or changed application files without installation). In an example embodiment, this can be achieved by computing a cryptographic hash of the sensitive areas in the virtual disk and checking for differences over time.
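The hash-and-compare approach of [0042] amounts to building a manifest of digests over the sensitive areas of one snapshot, keeping it, and diffing it against the manifest of the next snapshot, with changes that the package manager's own log accounts for filtered out. The following is an added example, not code from the patent or from Orca; the list of sensitive areas, the two snapshot trees and the install log are constructed.

```python
"""Detecting unexpected changes in sensitive disk areas across snapshots (added example)."""
import hashlib
import json
import os
import tempfile

# Constructed list of areas to watch; a deployment would tune this per image.
SENSITIVE_AREAS = ("boot", "etc", "usr/local/bin", "usr/lib")


def hash_tree(mount_root, areas=SENSITIVE_AREAS):
    """Manifest {relative_path: sha256} of every regular file in the sensitive areas."""
    manifest = {}
    for area in areas:
        for dirpath, _, files in os.walk(os.path.join(mount_root, area)):
            for name in files:
                full = os.path.join(dirpath, name)
                if os.path.islink(full):
                    continue
                h = hashlib.sha256()
                with open(full, "rb") as f:
                    for chunk in iter(lambda: f.read(65536), b""):
                        h.update(chunk)
                manifest[os.path.relpath(full, mount_root)] = h.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Paths added, removed or changed between two manifests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def unexpected_changes(diff, installed_paths):
    """Drop changes that a package-manager log accounts for; what remains is unexpected.
    installed_paths: paths a logged install or upgrade legitimately touched."""
    return {kind: [p for p in paths if p not in installed_paths] for kind, paths in diff.items()}


def build_sample_snapshots(root):
    """Two constructed snapshots of one VM plus the install log between them."""
    def write(snap, rel, data):
        full = os.path.join(root, snap, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    base = {
        "boot/grub/grub.cfg": b"menuentry 'linux' quiet",
        "etc/ssh/sshd_config": b"PermitRootLogin no",
        "usr/local/bin/tool": b"tool v1",
        "usr/lib/libc.so.6": b"libc",
    }
    for rel, data in base.items():
        write("snap1", rel, data)
        write("snap2", rel, data)
    write("snap2", "usr/local/bin/tool", b"tool v2")                    # upgrade recorded by the package manager
    write("snap2", "boot/grub/grub.cfg", b"menuentry 'linux' edited")  # boot config edited with no install record
    write("snap2", "usr/lib/libdrop.so", b"new library")                # appeared without any installation
    installed_paths = {"usr/local/bin/tool"}
    return os.path.join(root, "snap1"), os.path.join(root, "snap2"), installed_paths


def demo():
    with tempfile.TemporaryDirectory() as root:
        snap1, snap2, installed = build_sample_snapshots(root)
        baseline = hash_tree(snap1)      # in practice persisted from the earlier scan
        current = hash_tree(snap2)
        return unexpected_changes(diff_manifests(baseline, current), installed)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Symbolic links are skipped so that a link retargeted to a different file shows up, if at all, through the file it points at rather than as a spurious content change; a stricter manifest would also record ownership and mode bits, which the patent's hash-only description does not cover.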
[0043] In some embodiments, the detected cyber threats (including vulnerabilities) are reported to a user console 180 and/or a security information and event management (SIEM) system (not shown). The reported cyber threats may be filtered or prioritized based in part on their determined risk. Further, the reported cyber threats may be filtered or prioritized based in part on the risk level of the machine. This also reduces the number of alerts reported to the user.

[0044] In an embodiment, any detected cyber threats related to sensitive data (including personally identifiable information, PII) are reported at a higher priority. In an embodiment, such data is determined by searching for the PII, analyzing the application logs to determine whether the machine accessed PII containing servers, or whether the logs themselves contain PII, and searching the machine memory, as reflected in the pagefile, for PII.
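Paragraphs [0043] and [0044] combine three inputs into the reported priority: the finding's own risk, the risk level of the machine, and whether sensitive data such as PII is involved, with low-scoring findings filtered out to cut alert volume. The following added example (not the patent's or Orca's code) scans a constructed application log excerpt for PII indicators (email addresses, Luhn-valid card numbers, SSN-shaped identifiers) and then scores a constructed set of findings with that policy; the weights, the score threshold and the finding kinds are assumptions chosen for illustration.

```python
"""Prioritizing reported findings, with PII evidence raising priority (added example)."""
import re

EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CARD = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # candidate card numbers, confirmed by Luhn below
SSN_LIKE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SEVERITY = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
DATA_KINDS = {"unencrypted_sensitive_data", "data_leak"}   # finding kinds that concern stored data


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Count PII indicators in text read from an application log or the pagefile."""
    cards = [m.group() for m in CARD.finditer(text) if luhn_ok(re.sub(r"\D", "", m.group()))]
    return {"email": len(EMAIL.findall(text)), "card": len(cards), "ssn_like": len(SSN_LIKE.findall(text))}


def prioritize(findings, machine_risk, min_score=3):
    """findings: dicts with id, severity, running, sensitive_data.
    machine_risk: 0..2, e.g. 2 when the VM is seen talking to untrusted networks.
    Returns findings scored and sorted, dropping those below min_score to cut alert volume."""
    scored = []
    for f in findings:
        score = SEVERITY[f["severity"]]
        if not f.get("running", True):
            score = max(1, score - 2)   # vulnerable module not in use: priority reduced dramatically
        score += machine_risk           # risk level of the machine itself
        if f.get("sensitive_data"):
            score += 2                  # threats involving PII are reported at higher priority
        scored.append({**f, "score": score})
    kept = [f for f in scored if f["score"] >= min_score]
    return sorted(kept, key=lambda f: (-f["score"], f["id"]))


# Constructed log excerpt and findings (not data from the patent).
SAMPLE_LOG = """\
2020-01-28T10:00:00Z app: user jane.doe@example.com logged in
2020-01-28T10:00:05Z app: payment card 4111 1111 1111 1111 authorized
2020-01-28T10:00:09Z app: order 1234567890123 shipped
"""
SAMPLE_FINDINGS = [
    {"id": "F1", "kind": "vulnerable_package", "severity": "HIGH", "running": True},
    {"id": "F2", "kind": "vulnerable_package", "severity": "CRITICAL", "running": False},
    {"id": "F3", "kind": "unencrypted_sensitive_data", "severity": "MEDIUM", "running": True},
    {"id": "F4", "kind": "weak_cipher_suite", "severity": "LOW", "running": True},
]


def report(findings=SAMPLE_FINDINGS, log_text=SAMPLE_LOG, machine_risk=1):
    pii = find_pii(log_text)
    has_pii = sum(pii.values()) > 0
    marked = [{**f, "sensitive_data": f["kind"] in DATA_KINDS and has_pii} for f in findings]
    return prioritize(marked, machine_risk)


if __name__ == "__main__":
    for f in report():
        print(f["score"], f["id"], f["kind"])
```

The Luhn check matters: the 13-digit order number in the log would otherwise be counted as a card number, and false PII hits would inflate priorities across the whole machine. Note also how the unused critical package (F2) ends up below the medium-severity data finding (F3) once the machine is known to hold PII, which is the ordering [0036] and [0044] ask for.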
[0045] In an embodiment, the security system 140 may determine the risk of the VM 119 based on communication with an untrusted network. This can be achieved by analyzing the VM's 119 logs as saved in the virtual disk, which can be derived from the snapshot.

[0046] In an example embodiment, the security system 140 may cause an execution of one or more mitigation actions. Examples of such actions may include blocking traffic from untrusted networks, halting the operation of the VM, quarantining an infected VM, and the like. The mitigation actions may be performed by a mitigation tool and not the system 140.

[0047] It should be noted that the example implementation shown in FIG. 1 is described with respect to a single cloud computing platform 110 hosting a single VM 119 in a single server 115, merely for simplicity purposes and without limitation on the disclosed embodiments. Typically, virtual machines are deployed and executed in a single cloud computing platform, a virtualized environment, or data center and can be protected without departing from the scope of the disclosure. It should be further noted that the disclosed embodiments can operate using multiple security systems 140, each of which may operate in a different client environment.
[0048] FIG. 2 shows an example flowchart 200 illustrating