Abstract: An apparatus for securing a cloud-provider system includes one or more network interfaces and one or more processors. The network interfaces are configured for connecting to a network. The processors are configured to allocate resources of the cloud-provider system for use by tenants of the cloud-provider system, to allocate to the tenants one or more Internet Protocol (IP) address ranges, to assign multiple IP addresses, scattered across the IP address ranges, for use by one or more honeypot servers, and to secure the cloud-provider system against hostile attacks, by processing network traffic associated with the assigned IP addresses using at least the honeypot servers.

Abstract: A network security apparatus includes an interface and a processor. The interface is configured to communicate at least with an endpoint computer over a network. The processor is configured to create a trap resource that is shared between the network security apparatus and an operating system of the endpoint computer, to detect ransomware activity in the shared resource, and to initiate a responsive action in response to the detected ransomware activity.

Abstract: An apparatus for securing a cloud-provider system includes one or more network interfaces and one or more processors. The network interfaces are configured for connecting to a network. The processors are configured to allocate resources of the cloud-provider system for use by tenants of the cloud-provider system, to allocate to the tenants one or more Internet Protocol (IP) address ranges, to assign multiple IP addresses, scattered across the IP address ranges, for use by one or more honeypot servers, and to secure the cloud-provider system against hostile attacks, by processing network traffic associated with the assigned IP addresses using at least the honeypot servers.

Abstract: A method includes monitoring communication traffic that is exchanged over a computer network. One or more authentication attempts that have failed are identified in at least part of the monitored communication traffic. Hostile activity is detected in the computer network by analyzing the failed authentication attempts.

Abstract: A method for network security includes monitoring traffic exchanged over a computer network. A failed attempt to communicate with a target computer by an initiating computer is identified in the monitored traffic. The identified failed attempt is revived by establishing an investigation connection with the initiating computer while impersonating the target computer. Verification is made as to whether the failed attempt was malicious or innocent, by communicating with the initiating computer over the investigation connection.

Abstract: A method for network security includes, in a computer network that exchanges traffic among multiple network endpoints using one or more network switches, configuring at least one network switch to transfer at least some of the traffic for inspection. Only a portion of the traffic, which is suspected of carrying executable software code, is selected from the transferred traffic. The selected portion of the traffic is inspected, so as to verify whether any of the executable software code is malicious.

Abstract: A method includes monitoring communication traffic that is exchanged over a computer network. One or more authentication attempts that have failed are identified in at least part of the monitored communication traffic. Hostile activity is detected in the computer network by analyzing the failed authentication attempts.

Abstract: A method includes, in a computer network that includes multiple endpoints, configuring a network element to forward one or more specified packets from a selected endpoint to a detection unit. A malicious network-mapping software running on the selected endpoint is identified by analyzing the forwarded packets in the detection unit.

Abstract: A method for network security includes, in a computer network that exchanges traffic among multiple network endpoints using one or more network switches, configuring at least one network switch to transfer at least some of the traffic for inspection. Only a portion of the traffic, which is suspected of carrying executable software code, is selected from the transferred traffic. The selected portion of the traffic is inspected, so as to verify whether any of the executable software code is malicious.

Abstract: A method for network security includes monitoring traffic exchanged over a computer network. A failed attempt to communicate with a target computer by an initiating computer is identified in the monitored traffic. The identified failed attempt is revived by establishing an investigation connection with the initiating computer while impersonating the target computer. Verification is made as to whether the failed attempt was malicious or innocent, by communicating with the initiating computer over the investigation connection.