Abstract: An apparatus includes an interface and a processor. The interface is configured to receive attributes of communication connections of multiple workloads running in a computing system. The processor is configured to automatically segment the multiple workloads into groups based on the attributes of the communication connections, wherein the workloads in each group collectively run a respective application.

Abstract: A method includes, in a computer, running a hypervisor that allocates resources of a memory and of a network to one or more Virtual Machines (VMs), which run VM processes and communicate over network connections. First information is extracted by monitoring the network connections in the hypervisor. Second information is extracted by directly accessing, in the hypervisor, regions of the memory assigned to the VMs. An association is established between a given network connection and a given VM process, by correlating the first information with the second information.

Abstract: An apparatus includes an interface and a processor. The interface is configured to receive attributes of communication connections of multiple workloads running in a computing system. The processor is configured to automatically segment the multiple workloads into groups based on the attributes of the communication connections, wherein the workloads in each group collectively run a respective application.

Abstract: A method includes, in a computer, running a hypervisor that allocates resources of a memory and of a network to one or more Virtual Machines (VMs), which run VM processes and communicate over network connections. First information is extracted by monitoring the network connections in the hypervisor. Second information is extracted by directly accessing, in the hypervisor, regions of the memory assigned to the VMs. An association is established between a given network connection and a given VM process, by correlating the first information with the second information.

Abstract: A method for securing a computer system includes detecting a malware attack on a honeypot node, and, based on the detected malware attack, automatically generating investigation directives for verifying whether an endpoint of the computer system is subject to the malware attack. The investigation directives are distributed to one or more software agents that are each associated with one or more endpoints of the computer system. At least one infected endpoint in the computer system, which is subject to the malware attack, is identified by the software agents using the investigation directives.

Abstract: A network security apparatus includes an interface and a processor. The interface is configured to communicate at least with an endpoint computer over a network. The processor is configured to create a trap resource that is shared between the network security apparatus and an operating system of the endpoint computer, to detect ransomware activity in the shared resource, and to initiate a responsive action in response to the detected ransomware activity.

Abstract: A method includes monitoring communication traffic that is exchanged over a computer network. One or more authentication attempts that have failed are identified in at least part of the monitored communication traffic. Hostile activity is detected in the computer network by analyzing the failed authentication attempts.

Abstract: A method for network security includes monitoring traffic exchanged over a computer network. A failed attempt to communicate with a target computer by an initiating computer is identified in the monitored traffic. The identified failed attempt is revived by establishing an investigation connection with the initiating computer while impersonating the target computer. Verification is made as to whether the failed attempt was malicious or innocent, by communicating with the initiating computer over the investigation connection.

Abstract: A method for network security includes, in a computer network that exchanges traffic among multiple network endpoints using one or more network switches, configuring at least one network switch to transfer at least some of the traffic for inspection. Only a portion of the traffic, which is suspected of carrying executable software code, is selected from the transferred traffic. The selected portion of the traffic is inspected, so as to verify whether any of the executable software code is malicious.

Abstract: A method for securing a computer system includes detecting a malware attack on a honeypot node, and, based on the detected malware attack, automatically generating investigation directives for verifying whether an endpoint of the computer system is subject to the malware attack. The investigation directives are distributed to one or more software agents that are each associated with one or more endpoints of the computer system. At least one infected endpoint in the computer system, which is subject to the malware attack, is identified by the software agents using the investigation directives.

Abstract: A method includes monitoring communication traffic that is exchanged over a computer network. One or more authentication attempts that have failed are identified in at least part of the monitored communication traffic. Hostile activity is detected in the computer network by analyzing the failed authentication attempts.

Abstract: A method includes discovering identities of one or more applications that run on one or more Virtual Machines (VMs) at a given time. A set of signatures, which characterize hostile traffic that is expected to threaten the discovered applications, is selected. Network traffic exchanged with the one or more VMs for is searched for the hostile traffic using the selected set of signatures.

Abstract: A method includes, in a computer network that includes multiple endpoints, configuring a network element to forward one or more specified packets from a selected endpoint to a detection unit. A malicious network-mapping software running on the selected endpoint is identified by analyzing the forwarded packets in the detection unit.

Abstract: A method for network security includes, in a computer network that exchanges traffic among multiple network endpoints using one or more network switches, configuring at least one network switch to transfer at least some of the traffic for inspection. Only a portion of the traffic, which is suspected of carrying executable software code, is selected from the transferred traffic. The selected portion of the traffic is inspected, so as to verify whether any of the executable software code is malicious.

Abstract: A method for network security includes monitoring traffic exchanged over a computer network. A failed attempt to communicate with a target computer by an initiating computer is identified in the monitored traffic. The identified failed attempt is revived by establishing an investigation connection with the initiating computer while impersonating the target computer. Verification is made as to whether the failed attempt was malicious or innocent, by communicating with the initiating computer over the investigation connection.