Abstract: Methods, apparatus and articles of manufacture for behavioral detection of suspicious host activities in an enterprise are provided herein. A method includes processing log data derived from one or more data sources associated with an enterprise network over a given period of time, wherein the enterprise network comprises multiple host devices; extracting one or more features from said log data on a per host device basis, wherein said extracting comprises: determining a pattern of behavior associated with the multiple host devices based on said processing; and identifying said features representative of host device behavior based on the determined pattern of behavior; clustering the multiple host devices into one or more groups based on said one or more features; and identifying a behavioral anomaly associated with one of the multiple host devices by comparing said host device to the one or more groups across the multiple host devices.

Abstract: Security of sensitive information stored on a computing system is protected by monitoring a set of performance indicators of the computing system and executing remedial measures to protect the sensitive information when the set of performance indicators indicates a likelihood of malicious activity. A particular technique involves limiting the amount of sensitive information looted during a malicious attack on a computing system. The technique includes monitoring a set of performance indicators of the computing system. The set of performance indicators provides a measure of sensitive information being accessed on the computing system. The technique further includes testing whether the monitored set of performance indicators indicates a likelihood of looting, and temporarily reducing access to the sensitive information on the computing system in response to the act of testing indicating a likelihood of looting.