Abstract: The present disclosure relates to securing workloads of a network by identifying compromised elements in communication with the network and preventing their access to network resources. In one aspect, a method includes monitoring network traffic at network elements of a network; detecting a compromised element in communication with one or more of the network elements, the compromised element being associated with at least one network threat; and based on a defined network policy, applying one of a number of different access prevention schemes to the compromised element to prevent access to the network by the compromised element.

Abstract: Systems, methods, and computer-readable media for attack surface score computation can include the following processes. An attack surface score service receives information identifying open ports associated with an application. The attack surface score service determines an attack surface score for the application based on the information and common attack ports. A policy engine determines whether to implement a policy for reducing vulnerability of the application to attacks to yield a determination. The policy engine implements a vulnerability reduction policy based on the determination.

Abstract: The present disclosure relates to methods, systems, and non-transitory computer readable media for generating an application protectability index for network applications and a corresponding protectability scheme. In one aspect, a method includes identifying, by a network controller, network layers associated with an application; determining, by the network controller, a corresponding security index for the application at each of the network layers to yield a plurality of security indexes, each of the plurality of security indexes providing an objective assessment of protectability of the application at a corresponding one of the network layers; determining, by the network controller, an application protectability index; and providing an application protectability scheme for protecting the application based on the application protectability index.

Abstract: Systems, methods, and computer-readable media for attack surface score computation can include the following processes. An attack surface score service receives information identifying open ports associated with an application. The attack surface score service determines an attack surface score for the application based on the information and common attack ports. A policy engine determines whether to implement a policy for reducing vulnerability of the application to attacks to yield a determination. The policy engine implements a vulnerability reduction policy based on the determination.

Abstract: The present disclosure relates to securing workloads of a network by identifying compromised elements in communication with the network and preventing their access to network resources. In one aspect, a method includes monitoring network traffic at network elements of a network; detecting a compromised element in communication with one or more of the network elements, the compromised element being associated with at least one network threat; and based on a defined network policy, applying one of a number of different access prevention schemes to the compromised element to prevent access to the network by the compromised element.

Abstract: Systems, methods, and computer-readable media for application placement can include the following processes. A security score service determines a respective security posture score for each of a plurality of candidate hosts of an enterprise network. A user then identify a set of performance parameters and security parameters for a host in an enterprise network to execute a workload thereon. An application placement engine selects a host from the plurality of candidate hosts having a security posture score matching the performance parameters and the security parameters for executing the workload. An application deployment engine places the workload on the host.

Abstract: The present disclosure relates to securing workloads of a network by identifying compromised elements in communication with the network and preventing their access to network resources. In one aspect, a method includes monitoring network traffic at network elements of a network; detecting a compromised element in communication with one or more of the network elements, the compromised element being associated with at least one network threat; and based on a defined network policy, applying one of a number of different access prevention schemes to the compromised element to prevent access to the network by the compromised element.

Abstract: The present disclosure relates to securing workloads of a network by identifying compromised elements in communication with the network and preventing their access to network resources. In one aspect, a method includes monitoring network traffic at network elements of a network; detecting a compromised element in communication with one or more of the network elements, the compromised element being associated with at least one network threat; and based on a defined network policy, applying one of a number of different access prevention schemes to the compromised element to prevent access to the network by the compromised element.

Abstract: Systems and methods provide for enriching flow data to analyze network security, availability, and compliance. A network analytics system can capture flow data and metadata from network elements. The network analytics system can enrich the flow data by in-line association of the flow data and metadata. The network analytics system can generate multiple planes with each plane representing a dimension of enriched flow data. The network analytics system can generate nodes for the planes with each node representing a unique value or set of values for the dimensions represented by planes. The network analytics system can generate edges for the nodes of the planes with each edge representing a flow between endpoints corresponding to the nodes. The network analytics system can update the planes in response to an interaction with the planes or in response to a query.

Abstract: Systems, methods, and computer-readable media for application placement can include the following processes. A security score service determines a respective security posture score for each of a plurality of candidate hosts of an enterprise network. A user then identify a set of performance parameters and security parameters for a host in an enterprise network to execute a workload thereon. An application placement engine selects a host from the plurality of candidate hosts having a security posture score matching the performance parameters and the security parameters for executing the workload. An application deployment engine places the workload on the host.

Abstract: Systems, methods, and computer-readable media for attack surface score computation can include the following processes. An attack surface score service receives information identifying open ports associated with an application. The attack surface score service determines an attack surface score for the application based on the information and common attack ports. A policy engine determines whether to implement a policy for reducing vulnerability of the application to attacks to yield a determination. The policy engine implements a vulnerability reduction policy based on the determination.

Abstract: The present disclosure relates to methods, systems, and non-transitory computer readable media for generating an application protectability index for network applications and a corresponding protectability scheme. In one aspect, a method includes identifying, by a network controller, network layers associated with an application; determining, by the network controller, a corresponding security index for the application at each of the network layers to yield a plurality of security indexes, each of the plurality of security indexes providing an objective assessment of protectability of the application at a corresponding one of the network layers; determining, by the network controller, an application protectability index; and providing an application protectability scheme for protecting the application based on the application protectability index.

Abstract: The present disclosure relates to methods, systems, and non-transitory computer readable media for receiving, at an authentication service of an enterprise network and from a user device, a request to access an application; determining a user status associated with the request based on information received from at least an identity service engine; determining, based on the user status, whether the user device meets a set of security parameters for accessing the application, to yield a determination; and determining, based on the determination, whether to grant or deny the request for accessing the application.

Abstract: Systems and methods provide for enriching flow data to analyze network security, availability, and compliance. A network analytics system can capture flow data and metadata from network elements. The network analytics system can enrich the flow data by in-line association of the flow data and metadata. The network analytics system can generate multiple planes with each plane representing a dimension of enriched flow data. The network analytics system can generate nodes for the planes with each node representing a unique value or set of values for the dimensions represented by planes. The network analytics system can generate edges for the nodes of the planes with each edge representing a flow between endpoints corresponding to the nodes. The network analytics system can update the planes in response to an interaction with the planes or in response to a query.

Abstract: Aspects of the disclosed technology provide methods for automatically tuning load-balancer configurations in a network environment. In some implementations, a process of the disclosed technology includes steps for collecting flow records of traffic flow segments at a middle box in a network environment, the traffic flow segments corresponding to one or more traffic flows passing through the middle box, analyzing the flow records to identify one or more traffic patterns in the network environment, and automatically updating a load balancer configuration based on the one or more traffic patterns, wherein updating the load balancer configuration improves at least one traffic flow parameter for at least one of the traffic flows passing through the middle box. Systems and machine-readable media are also provided.

Abstract: Systems, methods, and computer-readable media for flow stitching network traffic flow segments at a middlebox in a network environment. In some embodiments, flow records of traffic flow segments at a middlebox in a network environment are collected. The flow records can include transaction identifiers assigned to the traffic flow segments. Sources and destinations of the traffic flow segments with respect to the middlebox can be identified using the flow records. Further, the traffic flow segments can be stitched together to form a plurality of stitched traffic flows at the middlebox based on the transaction identifiers and the sources and destinations of the traffic flow segments in the network environment with respect to the middlebox. A configuration of the middlebox operating in the network environment can be identified based on the stitched traffic flows at the middlebox in the network environment.

Abstract: Systems, methods, and computer-readable media for flow stitching network traffic flow segments at a middlebox in a network environment. In some embodiments, flow records of traffic flow segments at a middlebox in a network environment are collected. The flow records can include transaction identifiers assigned to the traffic flow segments. Sources and destinations of the traffic flow segments with respect to the middlebox can be identified using the flow records. Further, the traffic flow segments can be stitched together to form a plurality of stitched traffic flows at the middlebox based on the transaction identifiers and the sources and destinations of the traffic flow segments in the network environment with respect to the middlebox. A configuration of the middlebox operating in the network environment can be identified based on the stitched traffic flows at the middlebox in the network environment.

Abstract: Systems and methods provide for enriching flow data to analyze network security, availability, and compliance. A network analytics system can capture flow data and metadata from network elements. The network analytics system can enrich the flow data by in-line association of the flow data and metadata. The network analytics system can generate multiple planes with each plane representing a dimension of enriched flow data. The network analytics system can generate nodes for the planes with each node representing a unique value or set of values for the dimensions represented by planes. The network analytics system can generate edges for the nodes of the planes with each edge representing a flow between endpoints corresponding to the nodes. The network analytics system can update the planes in response to an interaction with the planes or in response to a query.

Abstract: Systems, methods, and computer-readable media for flow stitching network traffic flow segments at a middlebox in a network environment. In some embodiments, a method can include collecting flow records of traffic flow segments at a middlebox in a network environment including one or more transaction identifiers assigned to the traffic flow segments. The traffic flow segments can correspond to one or more traffic flows passing through the middlebox and flow directions of the traffic flow segments with respect to the middlebox can be identified using the flow records. The traffic flow segments can be stitched together based on the one or more transaction identifiers and the flow directions of the traffic flow segments to form a stitched traffic flow of the one or more traffic flows passing through the middlebox. The stitched traffic flow can be incorporated as part of network traffic data for the network environment.

Abstract: Systems, methods, and computer-readable media for providing interoperability between nodes in separate networks as part of a federated network. In some embodiments, a system can identify a first cluster of nodes in a first network and a second cluster of nodes in a second network. The system can provide interoperability between the first cluster of nodes and the second cluster of nodes. First analytics for the first cluster of nodes can be generated using first network traffic data gathered based on first network traffic flowing through the first cluster of nodes by a group of sensors implemented in the first network. The second cluster of nodes can access the first analytics for the first cluster of nodes as part of providing the interoperability between the first cluster of nodes in the first network and the second cluster of nodes in the second network.