Confluera 2.0: The XDR for Cloud Workloads

Gautam Agrawal
VP of Products

In December 2019, we launched Confluera 1.0 and committed ourselves to enabling better detection and response capabilities for enterprise workload infrastructure. That promise led us to start planning Confluera 2.0 almost a year ago. While the year has been extremely challenging for everyone around the globe, our team has been heads down building the next generation of detection and response solutions for cloud workloads. Now the time has come to reveal more about our Confluera 2.0 launch.

Confluera 2.0 consists of the following broad features, which take our customers to the next level in their incident response efforts by equipping them with threat interception capabilities:

  • Unparalleled detection and response capability for workloads, with real-time attack narratives;
  • Holistic integration of security signals from the environment, and external threat intel;
  • Operational security insights from activities within the infrastructure; and
  • Next-generation threat hunting that delivers the entire context.

Together, these features create the only detection and response solution purpose-built for cloud workloads to defend against modern-day cyberattacks.

Detection and response for workloads

Most organizations today use a combination of public and private cloud infrastructure. Whether it is Windows, Linux, or containerized workloads running on virtual machines in the cloud or on on-premises infrastructure, the current practice of bolting legacy user endpoint security solutions onto server workloads puts enterprise data and applications at risk.

Confluera XDR 2.0 delivers a purpose-built workload detection and response solution with the unique ability to integrate security visibility (native and third-party) and deterministically track threats as they progress across the hybrid workload environment, in real time.

Figure 1: detection and response workflow in Confluera 2.0

With Confluera 2.0, security teams can immediately detect unwanted activities across their workloads and intercept threats as they progress through the environment. We have not only expanded our behavioral and anomaly detection rules, but also enhanced the workflow to include response capabilities such as remote file quarantine, process kill, network restrictions, and more, all from within the Confluera portal. Some of the new detection capabilities include pass-the-hash, pass-the-ticket, AD enumeration, UAC bypass, logon scripts, and PowerShell profiles on Windows; brute-force detections and unauthenticated shell sessions, including ML-based authentication anomalies; and more. Confluera 2.0 also adds support for the major container runtimes, with detection capabilities for popular container escapes and exploits.

This expanded set of capabilities, purpose-built for hybrid cloud workload environments, eliminates the coverage gaps in your infrastructure, providing a dedicated and, more importantly, autonomous solution that lets your security teams focus on the threats that matter most.

Integration of signals from the environment, and external threat intel

When we started our 2.0 planning, one of the goals we set for ourselves was to quickly identify the most important and most relevant set of security signals we should be tapping into in order to enrich the threat narrative we provide on top of our native detections. After all, that is what makes us unique, makes us complete, and above all, makes us an XDR for cloud workloads.

We quickly realized that, given the complexities of hybrid cloud environments and the number of tools we might have to integrate with, we first needed an extremely robust integration framework that could enable a broad range of third-party security signal integrations with our platform. We are proud to announce that our platform now includes an integration framework that can ingest almost any security feed available from other tools deployed in the infrastructure.

We are already ingesting alerts from firewalls, vulnerability management tools, AWS ALB/WAF, and more, including security alerts from a leading EDR vendor.

Furthermore, we have partnered with a leading threat-intel vendor (to be announced soon) and baked the intel they generate into the Confluera 2.0 platform, at no additional cost to Confluera customers. This allows us to identify and highlight known malicious IPs that may be scanning our customers' networks.


Security insights from activities within the infrastructure

One of the most significant pieces of feedback from our existing customer deployments has been that, since Confluera eliminates the need for investigations, their security teams now want to take a more proactive approach to understanding a) what is happening in their environment when there are no significant threats brewing, and b) whether activities initiated by benign users pose a risk to their organization.

This led us to invest in creating an infrastructure that can query our event data and generate insights that raise the level of security visibility in our customer environments. Given the volume of event data Confluera processes, the challenge was to provide a backend that can process all of that data and deliver key insights to our users in real time. We are proud to announce that Confluera 2.0 comes with a real-time OLAP backend that not only helps generate curated insights, but also enables real-time threat hunting (discussed next).

The Confluera 2.0 dashboard is a huge leap towards providing highly curated security insights alongside all the metrics related to threats, in both 'under attack' and 'not under attack' scenarios. We have included widgets that focus on highlighting:

  • reduction in the noise from security signals (the chevron on top), to focus security teams on threats that matter;
  • behavioral analysis of all the IOCs based on MITRE ATT&CK Tactics & Techniques;
  • an activity dial that highlights execution, network, file, and user-level activities across the infrastructure throughout the day;
  • a quick summary of the infrastructure coverage provided by Confluera, identifying individual assets that are at risk;
  • a workflow widget that appears when there are threats progressing through the environment, with the status of actions taken by the assigned analyst; and
  • several widgets highlighting execution, network, file, and user-level activities such as new program executions, inbound/outbound connections, DNS requests, and more.

Each of these widgets comes with a drill-down capability to either execute the associated workflow or deep dive to learn more about the specific insight.

Figure 2: dashboard depicting threats in the infrastructure and security insights

Next-generation threat hunting

As mentioned before, the Confluera 2.0 real-time OLAP backend also enables real-time threat hunting. The important distinction is that, since Confluera stitches events across the workload infrastructure, the results of a hunt are no longer a disconnected set of events that security researchers must analyze over and over to reach any conclusion, but rather the full view of activities (before and after) related to the artifact being searched.


It has been an exciting year so far, especially at a time when our entire team had to adjust to the new norm of remote collaboration, and I am proud of our team's accomplishments during these tough times. We have already been getting early feedback on Confluera 2.0 from our current customers, our partners, and the reseller community. We look forward to upgrading our current customers to the Confluera 2.0 platform and showcasing to our prospects how we are redefining incident response in cloud workload environments for security teams.

To learn more about Confluera XDR and the benefits we bring to cloud workload protection, please join our upcoming webinar, "Modernizing Detection and Response with XDR in the Cloud Computing Era", or, if you would like a personalized demo, sign up for the demo here.

Intercept Threats. Before Damage.