Patents Assigned to Avocado Systems Inc.
  • Patent number: 11966476
    Abstract: In an embodiment, a method for deep application discovery and forensics of a reference system includes a computing device, such as an orchestrator, receiving and/or obtaining from an inspection layer executing on the reference system, during runtime of the reference system, architecture and configuration information describing the reference system. Also, the computing device generates, during runtime of the reference system, dependency matrices describing relationships between components of the reference system which allow for generation, during runtime of the reference system, of at least one threat model describing vulnerabilities of the reference system based on the dependency matrices. The inspection layer identifies the applications and databases accessed by the applications.
    Type: Grant
    Filed: May 17, 2021
    Date of Patent: April 23, 2024
    Assignee: Avocado Systems, Inc.
    Inventors: Keshav Kamble, Chetan Gopal, Girish Joag, Annu Agrawal
  • Publication number: 20210357509
    Abstract: In an embodiment, a method for deep application discovery and forensics of a reference system includes a computing device, such as an orchestrator, receiving and/or obtaining from an inspection layer executing on the reference system, during runtime of the reference system, architecture and configuration information describing the reference system. Also, the computing device generates, during runtime of the reference system, dependency matrices describing relationships between components of the reference system which allow for generation, during runtime of the reference system, of at least one threat model describing vulnerabilities of the reference system based on the dependency matrices. The inspection layer identifies the applications and databases accessed by the applications.
    Type: Application
    Filed: May 17, 2021
    Publication date: November 18, 2021
    Applicant: Avocado Systems, Inc.
    Inventors: Keshav Kamble, Chetan Gopal, Girish Joag, Annu Agrawal
  • Patent number: 10397277
    Abstract: According to another embodiment, a system includes a processing circuit and logic integrated with and/or executable by the processing circuit. The logic is configured to cause the processing circuit to receive, at a first host on which an application instance is operating, an application or data security policy for a first data socket descriptor indicating to perform one or more actions including to mirror one or more payloads received or transmitted by the first data socket descriptor of the application instance. The logic is also configured to cause the processing circuit to perform, by the first host, at least one action selected from a group of actions in response to the indication by the application and data security policy to perform the one or more actions, the group of actions including allow-and-analyze, drop-and-analyze, and mirror.
    Type: Grant
    Filed: June 14, 2016
    Date of Patent: August 27, 2019
    Assignee: AVOCADO SYSTEMS INC.
    Inventor: Keshav Govind Kamble
  • Patent number: 10354070
    Abstract: In one embodiment, a system includes a processing circuit and logic integrated with and/or executable by the processing circuit. The logic causes the processing circuit to monitor a plurality of application instances operating on a first host. The logic also causes the processing circuit to detect that a first application thread has been called by a first application instance operating on the first host and determine whether the first application thread is registered to be called by the first application instance on the first host by consulting a registration index. Moreover, the logic causes the processing circuit to quarantine the first application thread in response to a determination that the first application thread is not registered to be called by the first application instance on the first host.
    Type: Grant
    Filed: August 22, 2016
    Date of Patent: July 16, 2019
    Assignee: AVOCADO SYSTEMS INC.
    Inventors: Keshav Govind Kamble, Amitabh Sinha, Shailesh R. Naik
  • Patent number: 10356068
    Abstract: In one embodiment, a system includes a sender host having a processing circuit and logic integrated with and/or executable by the processing circuit. The logic is configured to cause the processing circuit to select a plurality of base parameters commonly identifiable by a sender host and a receiver host and determine at least one external event that triggers a change in selection of the plurality of base parameters to a plurality of changed parameters. The logic also causes the processing circuit to generate a unique security key using the plurality of base parameters in response to a determination that the at least one external event has not occurred, generate the unique security key using the plurality of changed parameters in response to a determination that the at least one external event has occurred, and send, by the sender host, a message including the unique security key to the receiver host.
    Type: Grant
    Filed: July 14, 2016
    Date of Patent: July 16, 2019
    Assignee: AVOCADO SYSTEMS INC.
    Inventors: Keshav Govind Kamble, Amitabh Sinha
  • Patent number: 10270810
    Abstract: In one embodiment, a system includes a processing circuit and logic integrated with and/or executable by the processing circuit. The logic is configured to cause the processing circuit to maintain application and data security policies at a data socket descriptor level. The logic is also configured to cause the processing circuit to manage behavior and security of data socket descriptors used by application instances executed on virtual and/or physical compute platforms. According to another embodiment, a method includes maintaining application and data security policies at a data socket descriptor level and managing behavior and security of data socket descriptors used by application instances executed on virtual and/or physical compute platforms.
    Type: Grant
    Filed: June 14, 2016
    Date of Patent: April 23, 2019
    Assignee: AVOCADO SYSTEMS INC.
    Inventor: Keshav Govind Kamble
  • Patent number: 10193889
    Abstract: In one embodiment, a system includes a processing circuit and logic integrated with and/or executable by the processing circuit. The logic is configured to cause the processing circuit to collect all data socket descriptor databases from individual servers operating in a data center, each data socket descriptor database storing attributes of a base socket and one or more data socket descriptors used by an application or application instance operating on an individual server. The logic is also configured to cause the processing circuit to store data from the data socket descriptor databases for all applications and application instances operating in the data center in a central data socket descriptor database, the central data socket descriptor database being configured to store attributes of all data socket descriptors used by all applications or application instances operating in the data center.
    Type: Grant
    Filed: June 14, 2016
    Date of Patent: January 29, 2019
    Assignee: Avocado Systems Inc.
    Inventor: Keshav Govind Kamble
  • Patent number: 10193930
    Abstract: According to one embodiment, a system includes a processing circuit and logic integrated with and/or executable by the processing circuit. The logic is configured to cause the processing circuit to determine, by an application operating on a first host in a network, one or more security features and/or capabilities available to the application for protecting the application and first data used by the application from unauthorized activity. The logic is also configured to cause the processing circuit to send, by an ADPL operating on the first host via a data socket descriptor, a first message to one or more peer applications in the network, the first message including indication of the one or more security features and/or capabilities available to the application. The logic may further cause the processing circuit to receive a second message indicating security features available to a peer application in the network operating on another host.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: January 29, 2019
    Assignee: AVOCADO SYSTEMS INC.
    Inventors: Keshav Govind Kamble, Amitabh Sinha
  • Patent number: 10148697
    Abstract: In one embodiment, a system includes a processing circuit and logic integrated with and/or executable by the processing circuit. The logic is configured to cause the processing circuit to receive security results, using an application and data protection layer (ADPL) operating on a first host, from an end point protection agent (EPPA) configured to protect the first host. The logic is also configured to cause the processing circuit to provide the security results to one or more local applications operating on the first host. According to another embodiment, a method includes receiving security results, using an ADPL operating on a first host, from an EPPA configured to protect the first host. The method also includes providing the security results to one or more local applications operating on the first host. Other systems, methods, and computer program products are described in accordance with more embodiments.
    Type: Grant
    Filed: June 16, 2016
    Date of Patent: December 4, 2018
    Assignee: AVOCADO SYSTEMS INC.
    Inventor: Keshav Govind Kamble
  • Patent number: 10129220
    Abstract: According to one embodiment, a system includes a processing circuit and logic integrated with and/or executable by the processing circuit. The logic is configured to cause the processing circuit to generate a multi-context ADPL tag unique to a pair of data socket descriptors on which data is to be received and/or transmitted by a first application instance operating on the system and a second application instance operating on a second host. The logic is also configured to cause the processing circuit to embed the ADPL tag as part of an application payload in response to the first application instance calling an API configured to transmit the application payload out from the system via a sender data socket descriptor. More systems, methods, and computer program products are described in accordance with other embodiments.
    Type: Grant
    Filed: June 13, 2016
    Date of Patent: November 13, 2018
    Assignee: AVOCADO SYSTEMS INC.
    Inventor: Keshav Govind Kamble
  • Patent number: 9952790
    Abstract: In one embodiment, a method includes receiving, at a first host, a security profile related to a first data socket descriptor indicating risk to data security of a second host. The method also includes, in response to the risk indicated by the security profile, performing, by the first host, at least one action selected from a group of actions. The group of actions includes a cache flush on a cache of the first host according to a cache flush policy, cache locking on data stored in the cache of the first host, data redaction on data of a payload prior to being sent by the first host, memory locking of data stored in an in-memory database of the first host, and encryption of data stored in the in-memory database of the first host or encryption of selected data fields of a payload prior to being sent from the first host.
    Type: Grant
    Filed: June 13, 2016
    Date of Patent: April 24, 2018
    Assignee: AVOCADO SYSTEMS INC.
    Inventor: Keshav Govind Kamble
  • Publication number: 20170053120
    Abstract: In one embodiment, a system includes a processing circuit and logic integrated with and/or executable by the processing circuit. The logic causes the processing circuit to monitor a plurality of application instances operating on a first host. The logic also causes the processing circuit to detect that a first application thread has been called by a first application instance operating on the first host and determine whether the first application thread is registered to be called by the first application instance on the first host by consulting a registration index. Moreover, the logic causes the processing circuit to quarantine the first application thread in response to a determination that the first application thread is not registered to be called by the first application instance on the first host.
    Type: Application
    Filed: August 22, 2016
    Publication date: February 23, 2017
    Applicant: Avocado Systems Inc.
    Inventors: Keshav Govind Kamble, Amitabh Sinha, Shailesh R. Naik