Patents Assigned to COLORTOKENS, INC.
- Patent number: 12177261
  Abstract: Zero trust and micro-segmentation techniques may be collectively used to enhance network security. To establish, refine, and enforce a zero-trust least-privileged policy, the network may be segmented to put each device of the network into a respective network of one, which forces all network traffic to pass through a zero-trust gatekeeper. The gatekeeper may then monitor and analyze the traffic to establish, refine, and enforce the zero-trust least-privileged policy, which reduces network access to only a limited set of network actions and/or paths. Using the gatekeeper, network traffic may be monitored to progressively establish the policy as well as to continually refine the policy. Recommended actions may be determined based on the analysis of the monitored network traffic and provided to the user to allow user feedback on the communication rules of the zero-trust policy.
  Type: Grant
  Filed: March 28, 2024
  Date of Patent: December 24, 2024
  Assignee: ColorTokens Inc.
  Inventors: Harish Akali, Satyam Tyagi, Wyn Owen, Surya Kollimarla, Rajesh Khazanchi
- Patent number: 12177262
  Abstract: Zero trust and micro-segmentation techniques may be collectively used to enhance network security. To establish, refine, and enforce a zero-trust least-privileged policy, the network may be segmented to put each device of the network into a respective network of one, which forces all network traffic to pass through a zero-trust gatekeeper. The gatekeeper may then monitor and analyze the traffic to establish, refine, and enforce the zero-trust least-privileged policy, which reduces network access to only a limited set of network actions and/or paths. Using the gatekeeper, network traffic may be monitored to progressively establish the policy as well as to continually refine the policy. Recommended actions may be determined based on the analysis of the monitored network traffic and provided to the user to allow user feedback on the communication rules of the zero-trust policy.
  Type: Grant
  Filed: March 28, 2024
  Date of Patent: December 24, 2024
  Assignee: ColorTokens Inc.
  Inventors: Harish Akali, Satyam Tyagi, Wyn Owen, Surya Kollimarla, Rajesh Khazanchi
- Patent number: 12177260
  Abstract: Zero trust and micro-segmentation techniques may be collectively used to enhance network security. To establish, refine, and enforce a zero-trust least-privileged policy, the network may be segmented to put each device of the network into a respective network of one, which forces all network traffic to pass through a zero-trust gatekeeper. The gatekeeper may then monitor and analyze the traffic to establish, refine, and enforce the zero-trust least-privileged policy, which reduces network access to only a limited set of network actions and/or paths. Using the gatekeeper, network traffic may be monitored to progressively establish the policy as well as to continually refine the policy. Recommended actions may be determined based on the analysis of the monitored network traffic and provided to the user to allow user feedback on the communication rules of the zero-trust policy.
  Type: Grant
  Filed: March 28, 2024
  Date of Patent: December 24, 2024
  Assignee: ColorTokens Inc.
  Inventors: Harish Akali, Satyam Tyagi, Wyn Owen, Surya Kollimarla, Rajesh Khazanchi
- Publication number: 20240356982
  Abstract: Zero trust and micro-segmentation techniques may be collectively used to enhance network security. To establish, refine, and enforce a zero-trust least-privileged policy, the network may be segmented to put each device of the network into a respective network of one, which forces all network traffic to pass through a zero-trust gatekeeper. The gatekeeper may then monitor and analyze the traffic to establish, refine, and enforce the zero-trust least-privileged policy, which reduces network access to only a limited set of network actions and/or paths. Using the gatekeeper, network traffic may be monitored to progressively establish the policy as well as to continually refine the policy. Recommended actions may be determined based on the analysis of the monitored network traffic and provided to the user to allow user feedback on the communication rules of the zero-trust policy.
  Type: Application
  Filed: March 28, 2024
  Publication date: October 24, 2024
  Applicant: ColorTokens Inc.
  Inventors: Harish Akali, Satyam Tyagi, Wyn Owen, Surya Kollimarla, Rajesh Khazanchi
- Publication number: 20240356980
  Abstract: Zero trust and micro-segmentation techniques may be collectively used to enhance network security. To establish, refine, and enforce a zero-trust least-privileged policy, the network may be segmented to put each device of the network into a respective network of one, which forces all network traffic to pass through a zero-trust gatekeeper. The gatekeeper may then monitor and analyze the traffic to establish, refine, and enforce the zero-trust least-privileged policy, which reduces network access to only a limited set of network actions and/or paths. Using the gatekeeper, network traffic may be monitored to progressively establish the policy as well as to continually refine the policy. Recommended actions may be determined based on the analysis of the monitored network traffic and provided to the user to allow user feedback on the communication rules of the zero-trust policy.
  Type: Application
  Filed: March 28, 2024
  Publication date: October 24, 2024
  Applicant: ColorTokens Inc.
  Inventors: Harish Akali, Satyam Tyagi, Wyn Owen, Surya Kollimarla, Rajesh Khazanchi
- Publication number: 20240356979
  Abstract: Zero trust and micro-segmentation techniques may be collectively used to enhance network security. To establish, refine, and enforce a zero-trust least-privileged policy, the network may be segmented to put each device of the network into a respective network of one, which forces all network traffic to pass through a zero-trust gatekeeper. The gatekeeper may then monitor and analyze the traffic to establish, refine, and enforce the zero-trust least-privileged policy, which reduces network access to only a limited set of network actions and/or paths. Using the gatekeeper, network traffic may be monitored to progressively establish the policy as well as to continually refine the policy. Recommended actions may be determined based on the analysis of the monitored network traffic and provided to the user to allow user feedback on the communication rules of the zero-trust policy.
  Type: Application
  Filed: March 28, 2024
  Publication date: October 24, 2024
  Applicant: ColorTokens Inc.
  Inventors: Harish Akali, Satyam Tyagi, Wyn Owen, Surya Kollimarla, Rajesh Khazanchi
- Publication number: 20240356983
  Abstract: Zero trust and micro-segmentation techniques may be collectively used to enhance network security. To establish, refine, and enforce a zero-trust least-privileged policy, the network may be segmented to put each device of the network into a respective network of one, which forces all network traffic to pass through a zero-trust gatekeeper. The gatekeeper may then monitor and analyze the traffic to establish, refine, and enforce the zero-trust least-privileged policy, which reduces network access to only a limited set of network actions and/or paths. Using the gatekeeper, network traffic may be monitored to progressively establish the policy as well as to continually refine the policy. Recommended actions may be determined based on the analysis of the monitored network traffic and provided to the user to allow user feedback on the communication rules of the zero-trust policy.
  Type: Application
  Filed: March 28, 2024
  Publication date: October 24, 2024
  Applicant: ColorTokens Inc.
  Inventors: Harish Akali, Satyam Tyagi, Wyn Owen, Surya Kollimarla, Rajesh Khazanchi
- Publication number: 20240356981
  Abstract: Zero trust and micro-segmentation techniques may be collectively used to enhance network security. To establish, refine, and enforce a zero-trust least-privileged policy, the network may be segmented to put each device of the network into a respective network of one, which forces all network traffic to pass through a zero-trust gatekeeper. The gatekeeper may then monitor and analyze the traffic to establish, refine, and enforce the zero-trust least-privileged policy, which reduces network access to only a limited set of network actions and/or paths. Using the gatekeeper, network traffic may be monitored to progressively establish the policy as well as to continually refine the policy. Recommended actions may be determined based on the analysis of the monitored network traffic and provided to the user to allow user feedback on the communication rules of the zero-trust policy.
  Type: Application
  Filed: March 28, 2024
  Publication date: October 24, 2024
  Applicant: ColorTokens Inc.
  Inventors: Harish Akali, Satyam Tyagi, Wyn Owen, Surya Kollimarla, Rajesh Khazanchi
- Patent number: 11403323
  Abstract: A method and system to illuminate data related to an application is described. Initially, a data analyzer is installed at an application. Next, the installed data analyzer analyzes the data related to the application. Finally, based on the analysis, the data is categorized in one or more of a plurality of categories.
  Type: Grant
  Filed: July 24, 2019
  Date of Patent: August 2, 2022
  Assignee: COLORTOKENS, INC.
  Inventors: Sanjay Kumar Agrawal, Vishnu Gopal Singhal, Pradeep Kishore Somesula, Ruchir Gupta
- Patent number: 11363068
  Abstract: A computer-implemented method and a system provide a complete traceability of changes incurred in a security policy corresponding to a resource. A policy tracing engine (PTE) monitors and determines events of interest occurring at the resource. The PTE determines administrator-initiated intent-based changes and dynamic event-based changes incurred in the security policy and assigns a unique policy identifier (UPI) to the security policy. The UPI is a combination of unique identifiers assigned to the intent-based change and the event-based change. The PTE recomputes and stores the security policy and the UPI in a policy database. The PTE receives network access information including the UPI from the corresponding resource deployed with the security policy. The PTE generates a traceability report that provides a complete traceability of each policy action performed in a networked environment to a source of each change incurred in the security policy as identified by the UPI.
  Type: Grant
  Filed: November 4, 2019
  Date of Patent: June 14, 2022
  Assignee: COLORTOKENS, INC.
  Inventors: Jayaraghavendran Kuppannan, Deepak Kushwaha
- Patent number: 11314856
  Abstract: Instrumentation codes are inserted into predetermined portions of a bytecode. Every transaction referenced in the bytecode is virtually combined and arranged hierarchically to describe a virtual transaction stack describing the computer-based resources accessed during the transaction. Based at least on the origin of the transaction, the characteristics of the transaction and the computer-based resources accessed during the transaction, the sensitivity of the transaction, and the security context of each of the computer-based resources accessed during the transaction are determined. A policy store is searched for at least one access control policy referencing the transaction, or the computer-based resources requested or accessed by the transaction. If such an access control policy is found, it is selectively modified to refer exclusively to the transaction and the corresponding sensitive computer-based resources.
  Type: Grant
  Filed: April 29, 2019
  Date of Patent: April 26, 2022
  Assignee: COLORTOKENS, INC.
  Inventors: Sanjay Kumar Agarwal, Somesula Pradeep Kishore, Ruchir Gupta
- Patent number: 11303678
  Abstract: A method and a system for automatically managing security policies at multiple resources are provided. A policy management engine receives and deploys a security policy configured for each resource with one or more configuration parameters on a security component of each resource. The policy management engine determines modifications made to the security policy at a corresponding resource and automatically corrects the security policy at the corresponding resource. The policy management engine generates and renders a notification including the security policy, the modifications, and detailed information of the modifications and the automatic correction of the security policy to an administrator device. The detailed information includes a description, a type, a timestamp, number of instances, etc.
  Type: Grant
  Filed: August 15, 2019
  Date of Patent: April 12, 2022
  Assignee: COLORTOKENS, INC.
  Inventors: Jayaraghavendran Kuppannan, Deepak Kushwaha, Binjith Payyappatt Satheendran, Ramprasath Rajagopalan
- Patent number: 11297032
  Abstract: Disclosed herein are a method, a device, and a non-transitory computer readable medium for detecting user migration from an enterprise network to a non-enterprise network by using DNS probing. The method includes detecting at least one of a change in state of network connection and a change in operational state of a user migration computing device. A domain name system (DNS) query is generated in response to detecting the at least one of a change in state of network connection and a change in operational state of the user migration computing device. Further, the DNS query is sent to at least one of a plurality of DNS servers. If an expected DNS response is received, it is determined that the user migration computing device is in the enterprise network. If the expected DNS response is not received, it is determined that the user migration computing device is outside the enterprise network.
  Type: Grant
  Filed: February 8, 2019
  Date of Patent: April 5, 2022
  Assignee: COLORTOKENS, INC.
  Inventors: Arun Koshal, Vishal Sharma, Raghavendra Thantradi Nagappa, Sagar Singha
- Patent number: 11283784
  Abstract: A method and system for peer-to-peer communication across a network is described. At an internet key exchange (IKE) daemon, an IKE packet including an application data packet and an IKE header is received. The received IKE packet is de-multiplexed to identify a data destination that receives the application data packet, the data destination being identified based on a data destination identifier included in the IKE header. Finally, the application data packet is forwarded to a receiving peer when the data destination is the receiving peer.
  Type: Grant
  Filed: September 25, 2018
  Date of Patent: March 22, 2022
  Assignee: COLORTOKENS, INC.
  Inventors: Abhisek Kumar Shaw, Mallesh Kanderayanahalli Marthandappa, Vinay Gudur
- Patent number: 11171928
  Abstract: A method of Local Peer to Peer Direct Connection in a NAT and overlay network is described. A request is received from a first peer at a relay gateway to establish a direct connection with a second peer. The first peer and the second peer are located behind a NAT firewall. An authentication request is relayed from the first peer at the relay gateway. The authentication request is forwarded from the relay gateway to the second peer. Upon performing authentication at the second peer, an authentication response is received at the relay gateway. The authentication response is received from the relay gateway at the first peer. An internal route propagation is performed from the second peer to the first peer via the relay gateway. A Local Peer to Peer Direct Connection is established between the first peer and the second peer for packet flow through the direct connection.
  Type: Grant
  Filed: December 6, 2018
  Date of Patent: November 9, 2021
  Assignee: COLORTOKENS, INC.
  Inventors: Deepak Kumar Mohanty, Ashish Trivedi, Ravi Voleti, Anoop Kapoor, Mritunjay Kumar, Suprio Pal
- Patent number: 11170012
  Abstract: A method and system for determining a session count is described. At a user interface, a request is received to determine a session count for a time period. Based on the received request, the session count is determined based on unique new session counts corresponding to one or more time intervals included in the time period and a carry-forward session count corresponding to an initial time interval included in the time period. Finally, the determined session count is displayed at the user interface.
  Type: Grant
  Filed: February 11, 2019
  Date of Patent: November 9, 2021
  Assignee: COLORTOKENS, INC.
  Inventors: Arun Chandra Pandey, Natarajan Venkataraman
- Patent number: 11128608
  Abstract: In randomized traffic selection in an IPsec network, a source node sends a packet to a destination node. The packet is encapsulated with an application specific metadata header, and the source node encapsulates the packet in a transport protocol header (UDP/TCP). The application specific metadata header includes information such as a final destination node, a configured number of hops, and a current hop count. A security association associated with an intermediate node is randomly selected by a randomized traffic selector algorithm. The security association is randomly selected from the list of security associations. Upon receiving the packet at the intermediate node, the current hop count is incremented. It is determined that the current hop count is equal to the configured number of hops. The packet is sent to the destination node via the intermediate node based on the randomly selected security association.
  Type: Grant
  Filed: September 25, 2018
  Date of Patent: September 21, 2021
  Assignee: COLORTOKENS, INC.
  Inventors: Vinay Gudur, Abhisek Kumar Shaw, Mallesh Kanderayanahalli Marthandappa
- Patent number: 11095614
  Abstract: A hostname based access configuration system (HNACS) is provided for configuring a host-based firewall to implement firewall policies referencing hostnames. The HNACS defines a hostname based firewall policy (HNFP) referencing a host server using a corresponding hostname instead of an internet protocol (IP) address. The HNACS incorporates the HNFP onto the host-based firewall but renders the HNFP non-implementable on the computing device until a domain name system (DNS) query is generated. If the DNS query includes the hostname in the HNFP, the HNACS determines a mapping between the hostname specified in the DNS query and an IP address corresponding to the hostname (obtained via a DNS response corresponding to the DNS query). Based on the mapping, the HNFP is transformed via an implicit replacement of the hostname in the HNFP with the IP address of the host server, thereby rendering the HNFP executable on the host-based firewall.
  Type: Grant
  Filed: May 14, 2019
  Date of Patent: August 17, 2021
  Assignee: COLORTOKENS, INC.
  Inventors: Jayaraghavendran Kuppannan, Deepak Kushwaha, Natarajan Venkataraman, Puneet Tutliani
- Patent number: 11075892
  Abstract: A point-to-point Virtual Private Network (VPN) tunnel is established for facilitating fully cloaked transmission of a data packet from a source endpoint device to a destination endpoint device. The data packet includes a payload portion, an inner header, and an outer header. An ‘end-to-end key’, a ‘next-hop-destination key’ and a plurality of ‘next-hop’ keys are calculated. The end-to-end key is used at the source endpoint device and the destination endpoint device respectively to encrypt and decrypt the payload portion. The next-hop keys are used to encrypt the inner header during the hop-to-hop communication from one intermediary node to another, along the incrementally constructed path connecting the source endpoint device with the destination endpoint device. The encryption of the payload portion is maintained throughout the hop-to-hop communication regardless of the number of intermediary nodes traversed by the data packet en route to the destination endpoint device.
  Type: Grant
  Filed: March 21, 2019
  Date of Patent: July 27, 2021
  Assignee: COLORTOKENS, INC.
  Inventor: Natarajan Venkataraman
- Patent number: 11063959
  Abstract: In secure and seamless remote access to enterprise applications with zero user intervention, a first set of policies is generated at a controller based on a user role. A user device associated with the user role is in an enterprise network. The first set of policies is pushed from the controller to the security agent in the user device associated with a user, an enterprise server, and a secure remote access gateway. Upon determining that the user device moves to a remote network, a secure connection is initiated by the security agent from the user device to the secure remote access gateway. Upon determining by the controller that the user is authenticated for the secure connection, a second set of policies is generated by the controller for the user device, the enterprise server and the secure remote access gateway. The second set of policies is pushed to the devices.
  Type: Grant
  Filed: December 6, 2018
  Date of Patent: July 13, 2021
  Assignee: COLORTOKENS, INC.
  Inventors: Arun Koshal, Vishal Sharma, Raghavendra Thantradi Nagappa, Sagar Singha