Abstract: Systems and methods include receiving network communication information about hosts in a network and applications executed on the hosts; automatically generating one or more microsegments in the network based on analysis of the obtained network communication information, wherein each microsegment of the one or more microsegments is a grouping of resources including the hosts and the applications executed on the hosts that have rules for network communication; and providing the one or more microsegments to one or more hosts of the hosts, for use by the one or more hosts to allow or block communications locally based on the one or more microsegments. Each of the one or more microsegments can be a grouping of workloads inside a data center.

Abstract: A technique for microsegmentation includes receiving information related to hosts and applications operating in a network where the information was obtained based on a survey of the network; identifying a plurality of microsegments utilizing the information, each microsegment includes a set of hosts similar to one another; for each of the plurality of microsegments, identifying security policies that control access to hosts in each microsegment; and providing the plurality of microsegments and corresponding security policies for approval thereof.

Abstract: A system validates the establishment and/or continuation of a connection between two applications over a network. The system uses network application security rules to allow or disallow connections between the two applications. Those rules include definitions of the source and destination applications to which the rules apply. The system automatically updates the application definitions over time to encompass new versions of the applications covered by the security rules, but without encompassing other applications. The system is then capable of applying the updated rules both to the original applications and to the updated versions of those applications. This process enables the security rules to maintain security over time in a way that is consistent with the original intent of the rules even as applications on the network evolve.

Abstract: Systems and methods include operating a local security agent that is configured to allow or block flows based on security policies, to implement microsegmentation; and, responsive to a block of a flow, creating a synthetic audit event that reflects what the flow would have been had it not been blocked. The steps can include creating a packet for the flow and transmitting the packet with an indicator that it represents the synthetic audit event. The steps can include receiving the security policies which include an indicator on which blocks to create the synthetic audit event.

Abstract: A technique for microsegmentation includes receiving information related to hosts and applications operating in a network where the information was obtained based on a survey of the network; identifying a plurality of microsegments utilizing the information, each microsegment includes a set of hosts similar to one another; for each of the plurality of microsegments, identifying security policies that control access to hosts in each microsegment; and providing the plurality of microsegments and corresponding security policies for approval thereof.

Abstract: A technique for microsegmentation includes receiving information related to hosts and applications operating in a network where the information was obtained based on a survey of the network; identifying a plurality of microsegments utilizing the information, each microsegment includes a set of hosts similar to one another; for each of the plurality of microsegments, identifying security policies that control access to hosts in each microsegment; and providing the plurality of microsegments and corresponding security policies for approval thereof.

Abstract: Systems and methods include receiving network communication information about hosts in a network and applications executed on the hosts; automatically generating one or more microsegments in the network based on analysis of the obtained network communication information, wherein each microsegment of the one or more microsegments is a grouping of resources including the hosts and the applications executed on the hosts that have rules for network communication; and providing the one or more microsegments to one or more hosts of the hosts, for use by the one or more hosts to allow or block communications locally based on the one or more microsegments. Each of the one or more microsegments can be a grouping of workloads inside a data center.

Abstract: Systems and methods include, subsequent to performing auto segmentation on a network that includes a set of policies of allowable and block communications, observing communication between a plurality of hosts on the network; determining unassigned communication paths based on the observing that are either blocked because of a lack of a policy of the set of policies or because there is no policy of the set of policies for coverage thereof; and assigning the unassigned communication paths to corresponding policies of the set of policies. The assigning can be based on heuristics. The assigning can be performed without reperforming auto segmentation.

Abstract: A system validates the establishment and/or continuation of a connection between two applications over a network. The system uses network application security rules to allow or disallow connections between the two applications. Those rules include definitions of the source and destination applications to which the rules apply. The system automatically updates the application definitions over time to encompass new versions of the applications covered by the security rules, but without encompassing other applications. The system is then capable of applying the updated rules both to the original applications and to the updated versions of those applications. This process enables the security rules to maintain security over time in a way that is consistent with the original intent of the rules even as applications on the network evolve.

Abstract: A system validates the establishment and/or continuation of a connection between two applications over a network. The system uses network application security rules to allow or disallow connections between the two applications. Those rules include definitions of the source and destination applications to which the rules apply. The system automatically updates the application definitions over time to encompass new versions of the applications covered by the security rules, but without encompassing other applications. The system is then capable of applying the updated rules both to the original applications and to the updated versions of those applications. This process enables the security rules to maintain security over time in a way that is consistent with the original intent of the rules even as applications on the network evolve.

Abstract: A technique for microsegmentation includes receiving information related to hosts and applications operating in a network where the information was obtained based on a survey of the network; identifying a plurality of microsegments utilizing the information, each microsegment includes a set of hosts similar to one another; for each of the plurality of microsegments, identifying security policies that control access to hosts in each microsegment; and providing the plurality of microsegments and corresponding security policies for approval thereof.

Abstract: A computer system automatically generates a proposal for network application security policies to be applied on a telecommunications network. The system provides output representing the proposed network application security policies to a user. The user provides input either approving or disapproving of the network application security policies. If the user approves, then the system applies the of the proposed microsegmentation. This process may be repeated for a plurality of hosts and subsets thereof within the same network, and may be repeated over time to modify one or more existing network application security policies. The network application security policies govern inbound and outbound connections to the hosts in the network.

Abstract: Systems and methods include, subsequent to performing auto segmentation on a network that includes a set of policies of allowable and block communications, observing communication between a plurality of hosts on the network; determining unassigned communication paths based on the observing that are either blocked because of a lack of a policy of the set of policies or because there is no policy of the set of policies for coverage thereof; and assigning the unassigned communication paths to corresponding policies of the set of policies. The assigning can be based on heuristics. The assigning can be performed without reperforming auto segmentation.

Abstract: A system validates the establishment and/or continuation of a connection between two applications over a network. The system uses network application security rules to allow or disallow connections between the two applications. Those rules include definitions of the source and destination applications to which the rules apply. The system automatically updates the application definitions over time to encompass new versions of the applications covered by the security rules, but without encompassing other applications. The system is then capable of applying the updated rules both to the original applications and to the updated versions of those applications. This process enables the security rules to maintain security over time in a way that is consistent with the original intent of the rules even as applications on the network evolve.

Abstract: A computer system automatically generates a proposal for performing microsegmentation on a network. The system provides output representing the proposed microsegmentation to a user. The user provides input either approving or disapproving of the proposed microsegmentation. If the user approves of the proposed microsegmentation, then the system implements the microsegmentation. Otherwise, the system does not implement the proposed microsegmentation. This process may be repeated for a plurality of proposed microsegmentations within the same network, and may be repeated over time to modify one or more existing microsegmentations. The system advantageously performs the vast majority of the work required to microsegment the network automatically, leaving only the task of review and approval to the user. This both saves a significant amount of time and increases the quality of the microsegmentation in comparison to microsegmentation solely performed manually by one or more humans.