Abstract: A technique for microsegmentation includes receiving information related to hosts and applications operating in a network where the information was obtained based on a survey of the network; identifying a plurality of microsegments utilizing the information, each microsegment includes a set of hosts similar to one another; for each of the plurality of microsegments, identifying security policies that control access to hosts in each microsegment; and providing the plurality of microsegments and corresponding security policies for approval thereof.

Abstract: Systems and methods include receiving network communication information about hosts in a network and applications executed on the hosts; automatically generating one or more microsegments in the network based on analysis of the obtained network communication information, wherein each microsegment of the one or more microsegments is a grouping of resources including the hosts and the applications executed on the hosts that have rules for network communication; and providing the one or more microsegments to one or more hosts of the hosts, for use by the one or more hosts to allow or block communications locally based on the one or more microsegments. Each of the one or more microsegments can be a grouping of workloads inside a data center.

Abstract: The methods described herein include receiving a plurality of packets associated with a file, each of the plurality of packets comprising content, and a source domain; extracting one or more features from content of a first packet of the plurality of packets; applying a trained machine learning model to the extracted one or more features to determine a probability of maliciousness associated with the first packet; responsive to determining that the probability maliciousness of the first packet is between a first threshold value and a second threshold value, labeling the first packet as having an uncertain maliciousness; extracting one or more features from content of a second packet of the plurality of packets; and applying the trained machine learning model to the extracted one or more features of the first packet and the second packet to determine a probability of maliciousness associated with the second packet.

Abstract: Systems and methods for troubleshooting and performance analysis of a cloud-based service include receiving metrics over time from a plurality of analyzers, wherein the metrics include service-related metrics and network-related metrics related to a cloud-based service, wherein each analyzer of the plurality of analyzers is executed at one of a user device accessing the cloud-based service and in the cloud-based service, and wherein at least one analyzer is executed in the cloud-based service; analyzing the metrics to determine a status of the cloud-based service over the time; and identifying issues related to the cloud-based service utilizing the analyzed metrics over the time, wherein the issues include any of an issue on a particular user device, an issue in a network between a particular user device and the cloud service, and an issue within the cloud service.

Abstract: Systems and methods for in-memory malware unpacking and deobfuscation in a sandbox include, responsive to receiving unknown content, scanning an image of the unknown content for packed, obfuscated, or encrypted code; responsive to detecting the packed, obfuscated, or encrypted code performing steps of unpacking, deobfuscating, or decrypting the packed, obfuscated, or encrypted code; executing the unpacked, deobfuscated, or decrypted code; monitoring execution of the unpacked, deobfuscated, or decrypted code; obtaining events during the scanning and the execution; and providing the obtained events to the sandbox for use in a sandbox analysis for classifying the content as one of malware and clean.

Abstract: Systems and methods include receiving a trained machine learning model that has been processed with training information removed therefrom, wherein the training information is utilized in training of the trained machine learning model; monitoring traffic, inline at the node, including processing the traffic with the trained machine learning model; obtaining a verdict on the traffic based on the trained machine learning model; and performing an action on the traffic based on the verdict.

Abstract: A system validates the establishment and/or continuation of a connection between two applications over a network. The system uses network application security rules to allow or disallow connections between the two applications. Those rules include definitions of the source and destination applications to which the rules apply. The system automatically updates the application definitions over time to encompass new versions of the applications covered by the security rules, but without encompassing other applications. The system is then capable of applying the updated rules both to the original applications and to the updated versions of those applications. This process enables the security rules to maintain security over time in a way that is consistent with the original intent of the rules even as applications on the network evolve.

Abstract: Systems and methods of Exact Data Matching (EDM) for identifying related tokens in data content using structured signature data implemented in a cloud-based system receiving data sets and customer configuration from a customer, wherein the data sets include customer specific sensitive data from a structured data source with each token represented by a hash value and the customer configuration includes one or more primary keys for a plurality of records in the data sets; distributing the data sets and the customer configuration to a plurality of nodes in the cloud-based system; performing monitoring of content between a client of the customer and an external network; detecting a presence of a plurality of tokens associated with a record in the customer specific sensitive data based on the monitoring; and performing a policy-based action in the cloud-based system based on the detecting.

Abstract: Systems and methods include connecting to and authenticating a plurality of user devices; utilizing a plurality of RESTful (Representational State Transfer web service) endpoints to communicate with the plurality of user devices; providing any of policy and configuration to the plurality of user devices utilizing version number via a RESTful endpoint; caching the any of policy and configuration for each device of the plurality of user devices; and receiving metrics based on measurements at the plurality of user devices according to corresponding policy and configuration, via a RESTful endpoint.

Abstract: Systems and methods for alerting administrators of a monitored digital user experience include performing inline monitoring of network access between one or more users each with an associated user device executing an agent application, the Internet, and one or more cloud applications and private applications. The systems and methods also include obtaining device, application, and network metrics related to the inline monitoring from a cloud system and a logging and analytics system. The systems and methods further include comparing the metrics to one or more alerts comprising alert rules. The systems and methods yet further include sending a notification to one or more administrators when the metrics include data that satisfies the alert rules of the one or more alerts.

Abstract: Techniques for using trace with tunnels and cloud-based systems for determining measures of network performance are presented. In an embodiment, a method includes determining a client application is being executed; determining an endpoint associated with the client application, based on any of monitoring application logs associated with the client application and network flows associated with the client application; and causing one or more probes to the determined endpoint and deriving metrics based on the one or more probes for determining performance of the client application.

Abstract: Systems and methods include obtaining a plurality of parameters associated with a host; determining a fingerprint of the host utilizing the plurality of parameters; and providing the fingerprint to cloud service for enrollment and management of the host in the cloud service. The cloud service can include microsegmentation of the host. The cloud service can include any of Internet access for the host and private resource access by the host.

Abstract: Systems and methods include, responsive to a request from a user for one or more Business-to-Business (B2B) applications, redirecting the request, by a cloud-based system, to an identity provider to authorize the user; displaying the one or more B2B applications that the user is authorized to access; responsive to a selection of a B2B application of the one or more B2B applications, creating a first tunnel from the B2B application to the cloud-based system; and stitching the first tunnel between the B2B application and the cloud-based system with a second tunnel between the user and the cloud-based system. The systems and methods further include, responsive to the user being unauthorized for any of the one or more B2B applications, omitting the one or more B2B applications from the displaying, such that the one or more B2B applications are invisible to the user.

Abstract: Systems and methods include receiving a request for resources that are one of web content and a cloud application from a user device; determining the request requires isolation based on any of policy, category of the web content, type of the user device, and location of the user device; rendering content associated with the request in a secure environment that is isolated from the user device; and providing image content based on the content to the user device. The user device can execute a web browser that loads the image content utilizing a JavaScript application and that interacts with the image content by sending keyboard and mouse inputs via a WebSocket channel.

Abstract: Cloud-based data loss prevention (DLP) systems and methods include monitoring a file to be checked for sensitive data from a user associated with a tenant; obtaining one or more dictionaries for the tenant; identifying a DLP match based on any of identifying exact document matches between the file and files in the one or more dictionaries, identifying same text in the file as in an indexed document in the one or more dictionaries, identifying content in the file that contains a subset of text in an indexed document in the one or more dictionaries, and identifying content that is similar but not exact as the text in an indexed document in the one or more dictionaries; and, responsive to the DLP match, blocking the file in the cloud-based system.

Abstract: Computer-implemented systems and methods include receiving unknown content in a cloud-based sandbox; performing an analysis of the unknown content in the cloud-based sandbox, to obtain a score to determine whether or not the unknown content is malware; obtaining events based on the analysis; running one or more rules on the events; and adjusting the score based on a result of the one or more. The systems and methods can include classifying the unknown content as malware or clean based on the adjusted score. The analysis can include a static analysis and a dynamic analysis, with the events generated based thereon.

Abstract: Disclosed is a computer implemented method for malware detection that analyses a file on a per packet basis. The method receives a packet of one or more packets associated a file, and converting a binary content associated with the packet into a digital representation and tokenizing plain text content associated with the packet. The method extracts one or more n-gram features, an entropy feature, and a domain feature from the converted content of the packet and applies a trained machine learning model to the one or more features extracted from the packet. The output of the machine learning method is a probability of maliciousness associated with the received packet. If the probability of maliciousness is above a threshold value, the method determines that the file associated with the received packet is malicious.

Abstract: Systems and methods for policy based agentless file transfer in zero trust private networks. Various systems and methods include receiving a request for a file transfer; determining a file transfer protocol; evaluating one or more criteria associated with the request, the criteria being associated with any of an end user and the contents of the file; and allowing or denying the file transfer based on the evaluating. Responsive to an end user's policy including a requirement for file inspection, the steps can further include sending the file to a sandbox for inspection, and receiving a result of the inspection from the sandbox.

Abstract: Techniques for deep tracing of one or more users via a cloud-based system include receiving a request from an administrator to actively troubleshoot a user; causing a user device associated with the user to create a deep tracing session based on the request; assisting the user device in performing one or more traces of a plurality of traces to a destination; receiving results from any of the plurality of traces and results from metrics collected at the user device; and displaying a network map between the user device and the destination.

Abstract: Techniques for using traceroute with tunnels and cloud-based systems for determining measures of network performance are presented. Systems and methods include identifying one or more of a proxy and a tunnel in a network path, determining a relative location of the proxy and the tunnel in the network path, performing a plurality of traces, for a plurality of legs of the network path based on the locations of the proxy and the tunnel, and aggregating details related to the plurality of legs of the network path to provide a holistic view of the network. The different protocols include Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP).