Patents by Inventor Manuel Nedbal

Manuel Nedbal has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11120148
    Abstract: Systems, methods, and apparatuses enable a security orchestrator to detect a virtual machine deployed in a virtual environment. The virtual machine includes a tag storing information associated with the virtual machine. The security orchestrator determines that the tag contains one or more security elements, the security elements indicating information for determining security settings and policies to be applied to the virtual machine. The security orchestrator determines the security settings and policies associated with the one or more security elements. The security orchestrator then assigns or applies the security settings and policies for the virtual machine based on values of the one or more security elements.
    Type: Grant
    Filed: January 10, 2019
    Date of Patent: September 14, 2021
    Assignee: Fortinet, Inc.
    Inventors: Rajiv Sreedhar, Ratinder Paul Singh Ahuja, Manuel Nedbal, Damodar Hegde, Jitendra Gaitonde, Manoj Ahluwalia, Stuart Gibson
  • Patent number: 11025647
    Abstract: A method in an embodiment includes detecting a change for a virtual machine in a virtual server of a virtual network infrastructure, determining whether a virtual security appliance is configured in the virtual server, and sending a request to create the virtual security appliance in the virtual server. The method further includes allowing the virtual machine to initiate when the virtual security appliance is created in the virtual machine. The virtual security appliance performs security inspections on network packets sent from the virtual machine. In more specific embodiments, the method further includes creating an intercept mechanism in the virtual server to intercept the network packets from the virtual machine. In further embodiments, one or more security policies identify one or more virtual security appliances to process the network packets from the virtual machine.
    Type: Grant
    Filed: January 6, 2017
    Date of Patent: June 1, 2021
    Assignee: McAfee, LLC
    Inventors: Geoffrey Howard Cooper, Manuel Nedbal, Hemang Satish Nadkarni
  • Publication number: 20210152521
    Abstract: Example firewalls disclosed herein populate a first dynamic object of a firewall rule with first information to identify a first updateable set of devices that satisfy a first one of a plurality of conditions associated with the firewall rule, the first information based on first data obtained from an appliance that monitors communication traffic in at least a portion of a network. Disclosed example firewalls also populate a second dynamic object of the firewall rule with second information to identify a second updateable set of devices that satisfy a second one of the conditions associated with the firewall rule, the second information based on second data obtained from a data source different from the appliance. Disclosed example firewalls further apply, based on evaluation of the first dynamic object and the second dynamic object, the firewall rule to first network traffic associated with a first device in communication with the network.
    Type: Application
    Filed: January 25, 2021
    Publication date: May 20, 2021
    Inventors: Bikram Kumar Gupta, Ananth Raman, Manuel Nedbal, Elanthiraiyan A. Anbalagan
  • Publication number: 20210126948
    Abstract: Systems, methods, and apparatuses enable one or more security microservices to optimize a security configuration of a networked environment by applying security policies to resource groups passively to determine whether network sets, resource groups, or security policies should be modified, prior to active enforcement. When security policies are applied passively, security actions that are performed in response to a violation of security policy do not impact network traffic. The one or more security microservices evaluate the results of the passive application of security policies to determine whether there is at least one recommended modification to network sets, resource groups, or security policies. When there is at least one recommended modification, the modification is applied.
    Type: Application
    Filed: October 25, 2019
    Publication date: April 29, 2021
    Inventors: Manuel Nedbal, Ratinder Paul Singh Ahuja, Manoj Ahluwalia, Jitendra Gaitonde, Rajiv Sreedhar, Ojas Milind Kale, Mark Raymond Lubeck, Yuk Suen Cheng, Suresh Rajanna, David Dvir Adler, Gary Nool
  • Publication number: 20210112081
    Abstract: Systems, methods, and apparatuses enable one or more security microservices to resolve the disparate impact of security exploits to resources within a resource group. When a resource group is determined to be impacted by a security exploit, the one or more security microservices determines whether the members of the resource group are disparately impacted. In response, the one or more security microservices splits the resource group into an impacted resource group and a non-impacted resource group and applies exploit mitigation to the resource group members in the impacted resource group. When the one or more security microservices determine that the resource group members of the split resource group are no longer disparately impacted, the one or more security microservices combine the impacted resource group and the non-impacted resource group back into a single resource group.
    Type: Application
    Filed: October 15, 2019
    Publication date: April 15, 2021
    Inventors: Manuel Nedbal, Ratinder Paul Singh Ahuja, Sumanth Gangashanaiah
  • Patent number: 10958519
    Abstract: System, methods, and apparatuses used to monitor network traffic of a datacenter and report security threats are described. For example, one embodiment selects a first microservice of a first hierarchy, configures the microservices of a second lower-level hierarchy to remove the first microservice from load balancing decisions to the first hierarchy, moves the first microservice to another server, configures data plane connectivity to the first microservice to reflect a change in server, and configures the microservices of the second hierarchy to include the first microservice in load balancing decisions to the first hierarchy.
    Type: Grant
    Filed: November 26, 2019
    Date of Patent: March 23, 2021
    Assignee: ShieldX Networks, Inc.
    Inventors: Ratinder Paul Singh Ahuja, Manuel Nedbal
  • Patent number: 10944723
    Abstract: Systems, methods, and apparatuses enable deploying and executing a security policy on endpoints in a network. In an embodiment, a security orchestrator determines a set of endpoints in a network and determines transformed endpoints from the determined set of endpoints through an endpoint transformation process. The security orchestrator determines a connectivity vector for at least a first transformed endpoint and a second transformed endpoint, where the connectivity vector includes properties associated with the corresponding transformed endpoint. Using the properties from the connectivity vector of the first transformed endpoint, a security policy is generated and deployed to the first transformed endpoint. Based on a comparison of the connectivity vectors of the first and second transformed endpoints indicating a similarity between the first and second transformed endpoints, the security policy is further deployed to the second transformed endpoint.
    Type: Grant
    Filed: November 17, 2017
    Date of Patent: March 9, 2021
    Assignee: SHIELDX NETWORKS, INC.
    Inventors: Ratinder Paul Singh Ahuja, Manuel Nedbal, Jitendra Gaitonde, John Parker, Manoj Ahluwalia, Damodar Hegde, Neil Liberman, Rajiv Sreedhar
  • Patent number: 10911493
    Abstract: Systems, methods, and apparatuses enable a microservice to identify server-to-server communication paths between servers in a networked environment. The system identifies a server connected to a security microservice managed by a management microservice. The system deploys a security policy on the identified server, and identifies the server-to-server communication paths between the identified server and one or more of a plurality of servers. The system identifies the active communication paths from the identified server to one or more of a plurality of servers, or a subset of communication paths determined based on search criteria. When the system identifies servers of the one or more of the plurality of servers without an existing security policy, the system processes the identified server. In one embodiment, processing the identified servers includes applying a security policy to the identified servers.
    Type: Grant
    Filed: March 14, 2018
    Date of Patent: February 2, 2021
    Assignee: SHIELDX NETWORKS, INC.
    Inventors: Ratinder Paul Singh Ahuja, Manuel Nedbal, Meni Hillel
  • Patent number: 10904216
    Abstract: Example firewalls disclosed herein populate a first dynamic object of a firewall rule with first information to identify a first updateable set of devices that satisfy a first one of a plurality of conditions associated with the firewall rule, the first information based on first data obtained from an appliance that monitors communication traffic in at least a portion of a network. Disclosed example firewalls also populate a second dynamic object of the firewall rule with second information to identify a second updateable set of devices that satisfy a second one of the conditions associated with the firewall rule, the second information based on second data obtained from an external data source. Disclosed example firewalls further determine, based on the first dynamic object and the second dynamic object, whether the firewall rule is to apply to first network traffic associated with a first device in communication with the network.
    Type: Grant
    Filed: July 29, 2019
    Date of Patent: January 26, 2021
    Assignee: McAfee, LLC
    Inventors: Bikram Kumar Gupta, Ananth Raman, Manuel Nedbal, Elanthiraiyan A. Anbalagan
  • Patent number: 10841256
    Abstract: Systems, methods, and apparatuses enable a microservice-based application to dynamically update components of the system without disrupting messaging occurring between microservices in the system. Microservices of a microservice-based application store data indicating mappings between data object versions and message object versions and which is used to update system components in a controlled manner. As used herein, a data object generally refers to any data generated by a microservice and that can be sent to one or more other microservices using a publish-subscribe messaging pattern or other messaging architecture. A message object refers to data used to encapsulate one or more data objects and used to send the data object from one component to another in the system.
    Type: Grant
    Filed: May 5, 2017
    Date of Patent: November 17, 2020
    Assignee: ShieldX Networks, Inc.
    Inventors: Ratinder Paul Singh Ahuja, Manuel Nedbal, Meni Hillel
  • Publication number: 20200351286
    Abstract: Systems, methods, and apparatuses enable a security microservice to provision security services to a resource (e.g., a virtual machine) by assigning the virtual machine to an island virtual switch. An island virtual switch is a virtual switch that does not have a direct connection to a physical link, and instead interfaces with a network traffic interceptor having a connection to a virtual switch with a connection to a physical link, to direct network traffic to and from the assigned virtual machine. The network traffic interceptor performs intercept operations on at least a portion of network traffic between the virtual switch and the island virtual switch associated with the virtual machine in order to perform security operations of the portion of network traffic.
    Type: Application
    Filed: May 3, 2019
    Publication date: November 5, 2020
    Inventors: Ratinder Paul Singh Ahuja, Manuel Nedbal, Meni Hillel
  • Publication number: 20200351306
    Abstract: Systems, methods, and apparatuses enable a security service configurator to configure security policies for network traffic sent from internal resources of a secure environment. The security service configurator receives an indication of intrusion activity in network activity directed to a first internal resource of the secure environment. The security service configurator determines the occurrence of a pivot of an intrusion between the first internal resource and a second internal resource within the secure environment. In response, the security service configurator configures an extrusion detection policy for the second internal resource. When the security service configurator receives an indication of extrusion activity in network activity directed from the second internal resource to a system external to the secure environment, the security service configurator performs a security process on the network activity.
    Type: Application
    Filed: May 3, 2019
    Publication date: November 5, 2020
    Inventors: Manuel Nedbal, Ratinder Paul Singh Ahuja, Sumanth Gangashanaiah, Venkata Ramani Yellapragada, Xiaodong Ye
  • Patent number: 10826916
    Abstract: Systems, methods, and apparatuses enable agent-less network traffic interception using an overlay network. The system creates an inspection namespace on a server computer and clones namespace properties of a default namespace on the server computer to the inspection namespace. The system creates an overlay network in the inspection namespace connecting the server computer to a security service. The system creates a namespace bridge between the default namespace and the inspection namespace to pass server traffic between the namespaces. The system then transmits server traffic to the security service using the overlay network and an encapsulation protocol.
    Type: Grant
    Filed: September 17, 2018
    Date of Patent: November 3, 2020
    Assignee: SHIELDX NETWORKS, INC.
    Inventors: Manuel Nedbal, Ratinder Paul Singh Ahuja, John Richard Guzik
  • Publication number: 20200296134
    Abstract: Systems, methods, and apparatuses enable a machine learning model to determine a risk probability of a URL. A query configurator receives a URL in a query and normalizes the URL. The normalized URL is segmented into a plurality of segments. The plurality of segments is serially provided to the machine learning model trained to provide an indication of risk associated with the URL. The indication of risk associated with the URL can be a probability value based on one or more risk probabilities determined for segment-segment transitions of the URL. A security service compares the probability value of the URL to a threshold value and performs a security action based on a result of comparing the probability value to the threshold value.
    Type: Application
    Filed: March 12, 2019
    Publication date: September 17, 2020
    Inventors: Rajiv Sreedhar, Ratinder Paul Singh Ahuja, Manuel Nedbal, Toshal Phene, Jitendra Gaitonde
  • Patent number: 10721258
    Abstract: Technologies for secure personalization of a security monitoring virtual network function (VNF) in a network functions virtualization (NFV) architecture include various security monitoring components, including a NFV security services controller, a VNF manager, and a security monitoring VNF. The security monitoring VNF is configured to receive provisioning data from the NFV security services controller and perform a mutually authenticated key exchange procedure using at least a portion of the provisioning data to establish a secure communication path between the security monitoring VNF and a VNF manager. The security monitoring VNF is further configured to receive personalization data from the VNF manager via the secure communication path and perform a personalization operation to configure one or more functions of the security monitoring VNF based on the personalization data. Other embodiments are described and claimed.
    Type: Grant
    Filed: July 30, 2019
    Date of Patent: July 21, 2020
    Assignee: Intel Corporation
    Inventors: Kapil Sood, Manuel Nedbal
  • Publication number: 20200226271
    Abstract: Systems, methods, and apparatuses enable a security orchestrator to detect a virtual machine deployed in a virtual environment. The virtual machine includes a tag storing information associated with the virtual machine. The security orchestrator determines that the tag contains one or more security elements, the security elements indicating information for determining security settings and policies to be applied to the virtual machine. The security orchestrator determines the security settings and policies associated with the one or more security elements. The security orchestrator then assigns or applies the security settings and policies for the virtual machine based on values of the one or more security elements.
    Type: Application
    Filed: January 10, 2019
    Publication date: July 16, 2020
    Inventors: Rajiv Sreedhar, Ratinder Paul Singh Ahuja, Manuel Nedbal, Damodar Hegde, Jitendra Gaitonde, Manoj Ahluwalia, Stuart Gibson
  • Publication number: 20200195503
    Abstract: System, methods, and apparatuses used to monitor network traffic of a datacenter and report security threats are described. For example, one embodiment selects a first microservice of a first hierarchy, configures the microservices of a second lower-level hierarchy to remove the first microservice from load balancing decisions to the first hierarchy, moves the first microservice to another server, configures data plane connectivity to the first microservice to reflect a change in server, and configures the microservices of the second hierarchy to include the first microservice in load balancing decisions to the first hierarchy.
    Type: Application
    Filed: November 26, 2019
    Publication date: June 18, 2020
    Inventors: Ratinder Paul Singh Ahuja, Manuel Nedbal
  • Patent number: 10666617
    Abstract: Systems, methods, and apparatuses enable an interface microservice to intercept and filter network traffic generated by virtual machines (VMs) and routed by a virtual switch (vSwitch). A vSwitch receiving network packets from the VMs is configured to route network packets to the interface microservice via a generated VLAN trunk. The interface microservice can retrieve and apply stored packet filters to the network packets intercepted by the microservice. If an intercepted network packet matches any of the applied packet filters, the interface microservice can perform various security operations, send the network packets to another microservice for security processing, or perform any other operations. For network packets which do not match a packet filter, the interface microservice forwards the packets to the originally intended destination.
    Type: Grant
    Filed: December 31, 2016
    Date of Patent: May 26, 2020
    Assignee: ShieldX Networks, Inc.
    Inventors: Ratinder Paul Singh Ahuja, Manuel Nedbal
  • Patent number: 10659496
    Abstract: Systems, methods, and apparatuses enable the insertion and configuration of interface microservices at servers or other types of computing devices in a computing environment in response to changes to security policies affecting one or more components of the computing environment. In one embodiment, a security application detects servers in a computing environment and generates profile data for the detected servers. The security application assigns detected servers to security policy groups by applying a set of filters to the generated profile data for each server in an order specified by a set of precedence rules. The security policy groups are each associated with one or more security policies that define security rules and other configurations used to provide security services to servers that are members of the corresponding security policy group.
    Type: Grant
    Filed: March 28, 2017
    Date of Patent: May 19, 2020
    Assignee: ShieldX Networks, Inc.
    Inventors: Ratinder Paul Singh Ahuja, Manuel Nedbal, Meni Hillel
  • Patent number: 10642982
    Abstract: Systems and methods are disclosed that relate to network security within a virtual network, and how to add microservices in a scalable virtual network. For example, one embodiment discloses a method of receiving a deployment request to deploy a security microservice in a security service, the deployment request including a deployment specification. The method further includes determining whether an interface microservice is available on one or more hosts by accessing one or more host records for the one or more hosts, and selecting a host on which to deploy the security microservice utilizing the deployment specification. When the interface microservice does not exist on the selected host, the method further includes initializing the interface microservice on the selected host, attaching the interface microservice to a hypervisor of the selected host, connecting the security microservice to the interface microservice of the selected host, and deploying the security microservice on the selected host.
    Type: Grant
    Filed: July 2, 2018
    Date of Patent: May 5, 2020
    Assignee: SHIELDX NETWORKS, INC.
    Inventors: Ratinder Paul Singh Ahuja, Manuel Nedbal, Meni Hillel, John Richard Guzik