US-12621315-B2 - Telemetry-driven automatic identity-based micro-segmentation recommendations and runtime enforcement
Abstract
In an embodiment, a method manages application security in a microservices environment. A local control plane collects telemetry data from microservices via their APIs, aggregates the data into a payload, and transmits it to a central control plane through a message queue. The central control plane constructs a graph representing microservice interactions based on the telemetry data and compares the current graph to a previous version. For each interaction, the method further checks whether the destination service matches a malicious hostname or IP address and marks the connection as denied if it does, and evaluates the interaction against predefined compliance policies, denying interactions that violate them.
Inventors
- Priyanka Mohan Tembey
- Vrajesh Rajesh Bhavsar
- Ashley Michelle Chapman Roof
Assignees
- Operant AI, Inc.
Dates
- Publication Date
- 20260505
- Application Date
- 20240116
Claims (20)
- 1. A computer-implemented method of managing security of an application, the computer-implemented method executed using one or more processors of a server computer and comprising: using a local control plane deployed within a computing environment: interfacing with application programming interfaces (APIs) of microservices executing in the computing environment and obtaining telemetry data; aggregating the telemetry data into a telemetry data payload; and sending a message containing the telemetry data payload to a message queue service of a central control plane; using the central control plane: for a graph node representing a microservice, based on the telemetry data payload, obtaining a set of graph edges, the set of graph edges including information representing interaction between the microservices; comparing the set of graph edges with a previous set of graph edges, the previous set of graph edges determined based on previous telemetry data; and for each graph edge of the set of graph edges: comparing at least one of a host name or an internet protocol (IP) of an edge associated destination service with a corresponding one of a malicious host name or a malicious IP to determine whether the destination service is malicious; when the destination service is determined to be malicious, marking the graph edge as denied; comparing a graph edge associated interaction with compliance policies to determine whether the interaction is allowed, and when the interaction violates the compliance policies, marking the graph edge as denied; and generating a set of incremental recommendation microsegments; using the local control plane: fetching the set of incremental recommendation microsegments; and enforcing the set of incremental recommendation microsegments for the microservices executing in the computing environment.
- 2. The computer-implemented method of claim 1, further comprising obtaining application programming interface (API) data for each graph edge from the set of graph edges, and wherein the API data includes API security metrics.
- 3. The computer-implemented method of claim 2, wherein the API security metrics comprise one or more of an edge identifier (ID) or an API method for each graph edge.
- 4. The computer-implemented method of claim 1, wherein the telemetry data includes graph edge data comprising a source node representing a source service; a source namespace; a destination node representing a destination service; a destination namespace; and time at which an interaction between the source node and the destination node occurred.
- 5. The computer-implemented method of claim 1, wherein the telemetry data includes graph node data comprising a node identifier (ID); an identity; a namespace; a security configuration; and a timestamp.
- 6. The computer-implemented method of claim 1, wherein the telemetry data includes a data security metric comprising one or more of an edge identifier (ID); a query method; or a data resource.
- 7. The computer-implemented method of claim 1, wherein the telemetry data includes information about service owners, the information comprising an email of an owner; a service name; and a role of the owner.
- 8. The computer-implemented method of claim 1, wherein the comparing the set of graph edges with the previous set of graph edges includes identifying a drift in the set of graph edges, and wherein graph edges from the set of graph edges identified as belonging to the drift are configured by default to be recommended as allowed.
- 9. The computer-implemented method of claim 1, wherein the compliance policies include information about a service name; a namespace; and a rule set.
- 10. The computer-implemented method of claim 1, the set of incremental recommendation microsegments including at least information about a source node; a destination service; and whether interaction between the source node and the destination service is allowed or denied.
- 11. The computer-implemented method of claim 10, wherein the local control plane comprises a plurality of sidecar processes, each sidecar process among the plurality of sidecar processes being generated for and corresponding to each microservice among the microservices; wherein each sidecar process among the plurality of sidecar processes is configured to have access to data flowing in and out of a corresponding microservice of the microservices and to enforce a micro-segmentation policy for the microservice.
- 12. The computer-implemented method of claim 11, wherein the data flowing in and out of the corresponding microservice includes at least one of request source hostname, request destination hostname, request destination port, request source service name, or request destination service name.
- 13. The computer-implemented method of claim 11, wherein the data flowing in and out of the corresponding microservice includes at least one of request API endpoint, request API method, request protocol, request authentication headers, response code, response error message, response error status, or number of requests.
- 14. The computer-implemented method of claim 11, wherein the enforcing an incremental recommendation microsegment for a microservice includes configuring a sidecar corresponding to the microservice via a control API corresponding to the sidecar, to enforce a micro-segmentation policy associated with the incremental recommendation microsegment.
- 15. The computer-implemented method of claim 11, wherein the micro-segmentation policy for each microservice enforces zero trust for all communications for that microservice.
- 16. The computer-implemented method of claim 10, the method further comprising: receiving an input specifying feedback related to the set of incremental recommendation microsegments; based on the input, modifying the set of incremental recommendation microsegments; and based on the modified incremental recommendation microsegments, generating a new list of micro-segmentation policies.
- 17. The computer-implemented method of claim 16, wherein the micro-segmentation policies are configured to be stored in a policy database ordered by customer environment identifiers.
- 18. The computer-implemented method of claim 10, wherein the source node and the destination service comprise runtime identity information, wherein the runtime identity information includes at least one of: certificate identifiers of service accounts, API keys, or service account role.
- 19. The computer-implemented method of claim 1, wherein the telemetry data payload is processed in an event-based asynchronous manner.
- 20. The computer-implemented method of claim 1, wherein the telemetry data is collected at runtime in real-time.
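The central-control-plane step of claim 1 (edge-set comparison, malicious host/IP check, compliance check, incremental microsegment generation) condensed into runnable form. This is an added illustration, not code from the patent or from Operant AI; the threat-intel entries, the policy rule set (here: destination namespaces a service may call) and the telemetry edges are constructed sample values, and the drift-defaults-to-allow behaviour follows claim 8.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed threat intel (RFC 5737 documentation addresses, not real indicators).
MALICIOUS_HOSTS = {"exfil.example.net"}
MALICIOUS_NETS = [ip_network("203.0.113.0/24")]
# Compliance policy keyed by (service name, namespace) with a rule set (claim 9);
# the constructed rule here is the set of destination namespaces the service may call.
POLICIES = {("payments", "prod"): {"allowed_dst_ns": {"prod"}}}

# Graph edge telemetry fields from claim 4, plus the resolved destination IP (assumed).
Edge = namedtuple("Edge", "src src_ns dst dst_ns dst_ip ts")

def is_malicious(e):
    """Hostname-or-IP match of the edge's destination against the malicious lists."""
    if e.dst in MALICIOUS_HOSTS:
        return True
    try:
        addr = ip_address(e.dst_ip)
    except ValueError:  # unresolved or non-IP destination: no IP-based match possible
        return False
    return any(addr in net for net in MALICIOUS_NETS)

def violates_policy(e, policies):
    """Deny when the source service has a rule set and the destination namespace is outside it."""
    rule = policies.get((e.src, e.src_ns))
    return rule is not None and e.dst_ns not in rule["allowed_dst_ns"]

def recommend(current, previous, policies=POLICIES):
    """Compare edge sets, mark denied edges and emit incremental microsegments (claim 10)."""
    seen = {(p.src, p.src_ns, p.dst, p.dst_ns) for p in previous}
    segments = []
    for e in current:
        drifted = (e.src, e.src_ns, e.dst, e.dst_ns) not in seen
        denied = is_malicious(e) or violates_policy(e, policies)
        if not drifted and not denied:
            continue  # known edge that still passes both checks: nothing new for the sidecars
        # Drift edges default to "allow" (claim 8) unless one of the two checks denied them.
        segments.append({"source": f"{e.src_ns}/{e.src}",
                         "destination": f"{e.dst_ns}/{e.dst}",
                         "verdict": "deny" if denied else "allow"})
    return segments

# Constructed telemetry: one previously seen edge plus four new ones in the current payload.
PREVIOUS = [Edge("frontend", "prod", "payments", "prod", "10.0.1.4", 1000)]
CURRENT = PREVIOUS + [
    Edge("payments", "prod", "ledger-db", "prod", "10.0.2.8", 1060),               # drift, clean
    Edge("payments", "prod", "exfil.example.net", "external", "198.51.100.7", 1061),  # hostname hit
    Edge("payments", "prod", "metrics", "dev", "10.0.5.7", 1062),                  # prod->dev, policy
    Edge("frontend", "prod", "203.0.113.9", "external", "203.0.113.9", 1063),      # IP range hit
]
```

Running `recommend(CURRENT, PREVIOUS)` yields four microsegments: the ledger-db edge is recommended as allowed and the other three as denied, while the unchanged frontend-to-payments edge produces nothing.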
Description
BENEFIT CLAIM
This application claims the benefit under 35 U.S.C. 119(e) of provisional application No. 63/448,814, filed Feb. 28, 2023, the entire contents of which are hereby incorporated by reference for all purposes as if fully set forth herein.
COPYRIGHT NOTICE
A portion of the disclosure of this patent document contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright or rights whatsoever. © 2022-2023 Operant AI, Inc.
TECHNICAL FIELD
One technical field of the present disclosure is computer-implemented methods of network management, security engineering, and security management. Another technical field is cloud computing.
BACKGROUND
The approaches described in this section are approaches that could be pursued but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
Security engineering is the technical field of understanding networked resources and topologies, determining potential attack vectors, and hardening distributed systems against improper or unauthorized access. Data breaches cost organizations millions of dollars per year. They are usually carried out with compromised account credentials, followed by a lateral movement attack. In a lateral movement attack, the attacker uses the compromised credentials under the guise of an apparently trustworthy identity to move laterally through an organization's networks and ultimately gain access to valuable data assets in the backend networks. After accessing these data assets, the attacker proceeds to steal the data and exfiltrate it to an external location from which the data can be sold in third-party markets or used for other nefarious purposes, especially in the case of personally identifiable information (PII) data, such as stolen credit card information.
Traditionally, stopping lateral movement attacks has involved segmenting networks and Internet Protocol (IP) addresses into known, trusted networks and unknown, untrusted networks; communication between known IP addresses or subnets is allowed, while connections from unknown networks and IP addresses are denied. Such a “micro-segmentation” technique has been extended to internal application networks as applications have been decomposed into the classical three-tier architecture of front-end, application, and database elements. Such a multi-layer adaptation of micro-segmentation can allow known application tiers to communicate with a database tier while blocking the front-end tier from directly communicating with the database tier. Since the front-end tier is logically closer to public networks, such an approach can make the overall application more susceptible to a lateral attack. These rules can be expressed using a set of collected, stored, or configured IP addresses or networks as a client identity since communication patterns between application components typically do not change at runtime. The enforcement of such micro-segmentation policies can occur at so-called east-west firewall layers between the front-end, application, and database tiers. Segmenting networks continued to stay relevant as hardware firewalls gave way to software firewalls through the advent of virtualization, which caused security engineers to define micro-segmentation rules as policies encoded within software-defined firewalls.
While micro-segmentation continues to serve as an effective defensive technique against lateral movement attacks, micro-segmentation suffers from significant deployment hurdles in cloud-native application stacks. This mismatch is amplified as attack surfaces expand within an application's networks. Consequently, security engineering has developed an acute need for improved technical measures to protect cloud-based applications from lateral attacks and other forms of cyberattacks.
SUMMARY
The appended claims may serve as a summary of the invention.
BRIEF DESCRIPTION OF THE DRAWINGS
In the drawings:
FIG. 1 illustrates an example computer display device with a graphical user interface showing a network graph generated according to an embodiment.
FIG. 2 illustrates a distributed computer system showing the context of use and principal functional elements with which one embodiment could be implemented.
FIGS. 3A and 3B illustrate example algorithms and data transformations that can generate a runtime application security graph in real-time using an embodiment.
FIG. 4 illustrates a computer system with which one embodiment could be implemented.
DETAILED DESCRIPTION
In the following description, for the purposes of explanation, numerous specific details are set for