Abstract: System, methods, and apparatuses used to monitor network traffic of a datacenter and report security threats are described. For example, one embodiment selects a first microservice of a first hierarchy, configures the microservices of a second lower-level hierarchy to remove the first microservice from load balancing decisions to the first hierarchy, moves the first microservice to another server, configures data plane connectivity to the first microservice to reflect a change in server, and configures the microservices of the second hierarchy to include the first microservice in load balancing decisions to the first hierarchy.

Abstract: Systems, methods, and apparatuses enable deploying and executing a security policy on endpoints in a network. In an embodiment, a security orchestrator determines a set of endpoints in a network and determines transformed endpoints from the determined set of endpoints through an endpoint transformation process. The security orchestrator determines a connectivity vector for at least a first transformed endpoint and a second transformed endpoint, where the connectivity vector includes properties associated with the corresponding transformed endpoint. Using the properties from the connectivity vector of the first transformed endpoint, a security policy is generated and deployed to the first transformed endpoint. Based on a comparison of the connectivity vectors of the first and second transformed endpoints indicating a similarity between the first and second transformed endpoints, the security policy is further deployed to the second transformed endpoint.

Abstract: Systems, methods, and apparatuses enable a microservice to identify server-to-server communication paths between servers in a networked environment. The system identifies a server connected to a security microservice managed by a management microservice. The system deploys a security policy on the identified server, and identifies the server-to-server communication paths between the identified server and one or more of a plurality of servers. The system identifies the active communication paths from the identified server to one or more of a plurality of servers, or a subset of communication paths determined based on search criteria. When the system identifies servers of the one or more of the plurality of servers without an existing security policy, the system processes the identified server. In one embodiment, processing the identified servers includes applying a security policy to the identified servers.

Abstract: Systems, methods, and apparatuses enable a microservice-based application to dynamically update components of the system without disrupting messaging occurring between microservices in the system. Microservices of a microservice-based application store data indicating mappings between data object versions and message object versions and which is used update system components in a controlled manner. As used herein, a data object generally refers to any data generated by a microservice and that can be sent to one or more other microservices using a publish-subscribe messaging pattern or other messaging architecture. A message object refers to data used to encapsulate one or more data objects and used to send the data object from one component to another in the system.

Abstract: Systems, methods, and apparatuses enable agent-less network traffic interception using an overlay network. The system creates an inspection namespace on a server computer and clones namespace properties of a default namespace on the server computer to the inspection namespace. The system creates an overlay network in the inspection namespace connecting the server computer to a security service. The system creates a namespace bridge between the default namespace and the inspection namespace to pass server traffic between the namespaces. The system then transmits server traffic to the security service using the overlay network and an encapsulation protocol.

Abstract: Systems, methods, and apparatuses enable an interface microservice to intercept and filter network traffic generated by virtual machines (VMs) and routed by a virtual switch (vSwitch). A vSwitch receiving network packets from the VMs is configured to route network packets to the interface microservice via a generated VLAN trunk. The interface microservice can retrieve and apply stored packet filters to the network packets intercepted by the microservice. If an intercepted network packet matches any of the applied packet filters, the interface microservice can perform various security operations, send the network packets to another microservice for security processing, or perform any other operations. For network packets which do not match a packet filter, the interface microservice forwards the packets to the originally intended destination.

Abstract: Systems, methods, and apparatuses enable to enable the insertion and configuration of interface microservices at servers or other types of computing devices in a computing environment in response to changes to security policies affecting one or components of the computing environment. In one embodiment, a security application detects servers in a computing environment and generates profile data for the detected servers. The security application assigns detected servers to security policy groups by applying a set of filters to the generated profile data for each server in an order specified by a set of precedence rules. The security policy groups are each associated with one or more security policies that define security rules and other configurations used to provide security services to servers that are members of the corresponding security policy group.

Abstract: Systems and methods are disclosed that relate to network security within a virtual network, and how to add microservices in a scalable virtual network. For example, one embodiment discloses a method of receiving a deployment request to deploy a security microservice in a security service, the deployment request including a deployment specification. The method further includes determining whether an interface microservice is available on one or more hosts by accessing one or more host records for the one or more hosts, and selecting a host on which to deploy the security microservice utilizing the deployment specification. When the interface microservice does not exist on the selected host, the method further includes initializing the interface microservice on the selected host, attaching the interface microservice to a hypervisor of the selected host, connecting the security microservice to the interface microservice of the selected host, and deploying the security microservice on the selected host.

Abstract: A system, method, and non-transitory computer-readable relating to network security are disclosed. In particular, embodiments described generally relate to systems and methods of stateless processing in a fault-tolerant microservice environment. In one example, a method is disclosed, which includes transmitting, by a first microservice, packet data and a context associated therewith; receiving the packet data and the context by a second microservice, the second microservice to: use the context to determine what security processing to perform, perform the security processing over the packet data, and transmit resulting data and the context to a third microservice; and receiving the resulting data and the context by the third microservice, the third microservice to: use the context to determine what security processing to perform, and perform the security processing over the resulting data.

Abstract: System, methods, and apparatuses enable a network security system to more efficiently perform pattern matching against data items. For example, the disclosed approaches may be used to improve the way in which a deep packet inspection (DPI) microservice performs pattern matching against data items (e.g., network traffic, files, email messages, etc.) in order to detect various types of network security threats (e.g., network intrusion attempts, viruses, spam, and other potential network security issues). A DPI microservice generally refers to an executable component of a network security system that monitors and performs actions relative to input data items for purposes related to computer network security.

Abstract: Systems and methods are disclosed that relate to network security to monitor and report threats in network traffic of a datacenter. For example, one embodiment discloses a method of receiving, by a first security microservice, a first channel data encapsulation packet encapsulating a first encapsulation context and a first encapsulated data, performing a security service on the first encapsulated data using the first encapsulation context, transmitting by the first security microservice a second channel data encapsulation packet to a second security microservice, wherein the second channel encapsulation packet comprises a request for security services, receiving by the first security microservice a response from the second security microservice comprising a second security microservice context, a second security microservice timestamp, and a second security microservice load.

Abstract: Systems and methods are described herein generally relating to network security, and in particular, embodiments described relate to systems and methods for deploying microservices in a networked microservices system. For example, a method is disclosed, which calls for receiving a request to instantiate a microservice, selecting a suitable virtual machine (VM), wherein the selecting comprises calculating the suitability of the virtual machine based on a property load and a property weight, deploying the microservice on the selected virtual machine, configuring the microservice to communicate with an interface microservice, and configuring the microservice to perform security processing on packets processed within a security service.

Abstract: Systems and methods are described herein generally relating to network security, and in particular, embodiments described generally relate to real-time configurable load determination. For example, a method is disclosed, which calls for receiving a request to perform a security service, performing the security service on data included with the request; calculating a service load associated with and during the performing the security service, and transmitting a response to the request, wherein the response includes the calculated service load.

Abstract: System, methods, and apparatuses used to monitor network traffic of a datacenter and report security threats are described. For example, one embodiment selects a first microservice of a first hierarchy, configures the microservices of a second lower-level hierarchy to remove the first microservice from load balancing decisions to the first hierarchy, moves the first microservice to another server, configures data plane connectivity to the first microservice to reflect a change in server, and configures the microservices of the second hierarchy to include the first microservice in load balancing decisions to the first hierarchy.

Abstract: Systems, methods, and apparatuses enable updating security policies in response to detecting attack activity or security threats. In an embodiment, security microservices detect attack activity sent between resources within an internal network. In response, the security microservices correlate the attack activity to externally accessible resources that were the initial entry point for the attack activity to the internal network. Based on this correlation, the security microservices update security policies bi-directionally to prevent the spread of future attack activity in the internal network between resources at a same level in the internal network and between resources at different levels in the internal network.

Abstract: Systems, methods, and apparatuses enable a network security system to more efficiently process and respond to events generated by hypervisors and other associated components of a networked computer system. In this context, a hypervisor event refers broadly to any action that occurs related to one or more components of a hypervisor (including the hypervisor itself, virtual servers hosted by the hypervisor, etc.) and/or to data identifying the occurrence of the action(s) (e.g., a log entry, a notification message, etc.). A security service obtains and analyzes event data from any number of different types of hypervisors, where each different type of hypervisor may represent events differently and/or make event data accessible in different ways, among other differences.

Abstract: Systems, methods, and apparatuses enable optimizing a size of computer threat signature libraries used by computer security applications to detect potential occurrences of computer and network security threats. In an embodiment, a threat signature is a pattern used by a computer security application to detect instances of potential security threats. A threat signature library is a collection of individual threat signatures, the library used in conjunction with a threat library to enable detecting a range of threats to computing devices and networks (e.g., various known viruses, malware, spam, types of network-based attacks, etc.). Based on profile information collected for a computing device, a security orchestrator optimizes the size of security threat signature libraries to be used to provide security services to the device.

Abstract: Systems and methods are described herein generally relating to network security, and in particular, embodiments described generally relate to systems and methods for selecting microservices to process protocol data streams. For example, a method is disclosed, which calls for receiving a protocol packet, the protocol packet comprising a sequence number, generating a difference by subtracting a protocol message base from the sequence number, generating a first quotient by dividing the difference by a protocol common message length, generating a second value using the first quotient, determining a Transmission Control Protocol (TCP) reassembly resource using the generated second value, and transmitting the protocol packet to the determined TCP reassembly resource.

Abstract: Systems and methods are described herein generally relating to network security, and in particular, embodiments described generally relate to real-time configurable load determination. For example, a method is disclosed, which calls for receiving a request to perform a security service, performing the security service on data included with the request; calculating a service load associated with and during the performing the security service, and transmitting a response to the request, wherein the response includes the calculated service load.

Abstract: A system, method, and non-transitory computer-readable relating to network security are disclosed. In particular, embodiments described generally relate to systems and methods of stateless processing in a fault-tolerant microservice environment. In one example, a method is disclosed, which includes transmitting, by a first microservice, packet data and a context associated therewith; receiving the packet data and the context by a second microservice, the second microservice to: use the context to determine what security processing to perform, perform the security processing over the packet data, and transmit resulting data and the context to a third microservice; and receiving the resulting data and the context by the third microservice, the third microservice to: use the context to determine what security processing to perform, and perform the security processing over the resulting data.