Techniques for cybersecurity identity risk detection utilizing disk cloning and unified identity mapping

Assignee

• Wiz, Inc. · US

Inventors

• Daniel Hershko SHEMESH · Givat Shmuel, IL
• Yarin Miran · Rishon LeZion, IL
• Roy REZNIK · Tel Aviv-Yafo, IL
• Ami Luttwak · Binyamina - Givat Ada, IL
• Yinon COSTICA · Tel Aviv-Yafo, IL
• Avihai Berkovitz · Tel Aviv-Yafo, IL
• George PISHA · Givatayim, IL
• Yaniv Joseph Oliver · Tel Aviv-Yafo, IL
• Udi REITBLAT · Tel Aviv-Yafo, IL
• Or HELLER · Tel Aviv-Yafo, IL
• Raaz HERZBERG · Tel Aviv-Yafo, IL
• Osher HAZAN · Mazkeret Batya, IL
• Niv Roit BEN DAVID · Tel Aviv-Yafo, IL

Key dates

Classification

• Technology area (CPC H)Electricity
• CPC primaryH04L67/1097
• WIPO fieldDigital communication
• WIPO sectorElectrical engineering

Abstract

A system and method for detecting a permission escalation event in a computing environment is disclosed. The method includes: generating a cloned disk based on an original disk of a resource deployed in a computing environment; detecting an identifier of a first principal on the cloned disk; detecting a second principal in the computing environment, the first principal authorized to assume the first principal; storing a representation of the computing environment in a security database, including: a first principal node representing the first principal, and a second principal node representing the second principal, further associated with a permission; querying the representation to determine a permission of the first principal; determining that the second principal includes a permission which the first principal does not include based on a result of querying the representation; and generating a permission escalation event.