Introducing Confluera 1.0: Autonomous Detection & Response

Gautam Agrawal, VP of Products

Today we are excited to announce the general availability of Confluera 1.0, the industry's first Autonomous Detection & Response platform to deterministically detect and stop attackers navigating your infrastructure. Since our company launch at Black Hat 2019, we have seen significant traction from security professionals wanting to stop breaches in their tracks as opposed to the traditional security approach of remediating data breaches post-damage. The Confluera platform ushers cyber defenders into the new era of attack interception by allowing:

  • Complete Cyber Kill Chain Tracking, and not just individual detections that lead to alert fatigue plaguing almost every enterprise security operations center;
  • Deterministic and Continuous Storyboarding of cyber attacks as they progress through the enterprise infrastructure, as opposed to manual investigations based on correlational analysis of security events; and
  • Immediate Response capabilities to stop attackers before they infiltrate the critical enterprise assets as opposed to post-facto analysis of a data breach.

These new capabilities redefine the enterprise security posture by enabling an even broader range of features that provide the full context of an ongoing attack, leveraging native behavioral detections, machine-learned anomalies, and signals available from other security tools that may be deployed in the enterprise environment.

Bringing Autonomous Detection & Response to Enterprise Security

In spite of deploying 70+ security tools on average, 77% of enterprises today anticipate a critical infrastructure breach in the near future. We are not only seeing a 400%+ year-over-year increase in data breaches, but the mean time to detect, respond, and remediate still remains over 100 days. Not surprisingly, 85%+ of breaches are a compromise of enterprise server infrastructure, since attackers are always after the most critical data assets.

We are proud to bring Autonomous Detection & Response to enterprise security and are excited to be the first platform that delivers real-time attack interception capabilities by leveraging our patent-pending ‘Continuous Attack Graph’ technology to identify an attack progression in real time. The technology allows for causal sequencing of an attacker’s activities in real time and eliminates the correlational guesswork that is typical of solutions based on searching through event data lakes.

Figure 1: dashboard showing attack sequences progressing through the infrastructure

Modern attacks, especially those leading to data breaches, are seldom individual events. They are a sequence of malicious operations by an attacker trying to navigate the enterprise infrastructure while looking for critical enterprise data. The autonomous sequencing of events across the infrastructure, the underlying framework of the Confluera platform, is the missing piece that allows for real-time security; without it, events from endpoints and network devices are thrown into a data lake for post-facto analysis. No matter how much automation is applied to identify attacks via data lake strategies, the fact remains that such analyses provide visibility into what an attacker has done, not what he/she is doing, thereby eliminating any possibility of intercepting the attack. To learn more, I encourage you to read our blog: ‘Toward Autonomous Detection & Response’.

Deterministic Framework for Signal Aggregation that Contextualizes Security Alerts

Enterprise security operators today are inundated with thousands of alerts every day, with over 50% being false positives. Unsurprisingly, 90% of security teams are unable to triage all the relevant alerts because of the sheer volume they have to deal with.

Confluera’s autonomous event sequencing framework changes the paradigm. Every enterprise security alert that would otherwise have to be contextually connected by an analyst or an automation script is already connected by virtue of the underlying cross-host activity sequencing framework. What this means is that false positives matter less and that the sequence is of the highest importance. Example: from a set of alerts A, B, C, D, E, and F, if C and E are false positives, it matters less, since the overall sequence A > B > C > D > E > F (autonomously stitched together by the Confluera platform) clearly describes an ongoing attack campaign.

Figure 2: a real-time attack progression view of deterministically connected security signals

This deterministic and continuous storyboarding of security alerts is not restricted to the native behavioral detections (based on MITRE ATT&CK) built into the Confluera platform. Because the underlying framework continuously stitches together every activity throughout the infrastructure, any other security alert, such as a firewall policy violation or a finding from a vulnerability scanner, can be mapped to the attack context as long as it is part of the same sequence. Such aggregation and contextualization of security alerts is only possible because of the underlying framework, especially when an attack campaign spans a large infrastructure over a long period.
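The stitching described in the two paragraphs above, as an added example that is neither Confluera's code nor a description of its Continuous Attack Graph internals: constructed telemetry from two hosts carries one causal parent link per event (process lineage on a host, or the connection that started the session on the next host), alerts from several tools attach to events, and each alert chain is ordered by lineage rather than by time-window correlation, so suppressing C and E as false positives shortens the A > B > D > F story without breaking it. All event ids, host names and alert labels are constructed.

```python
from collections import defaultdict

# Constructed telemetry: event id -> (host, causal parent event id, description).
# A parent link is process lineage on one host, or the outbound connection that
# started the session on the next host (e4 -> e5 crosses from web01 to db01).
EVENTS = {
    "e1": ("web01", None, "sshd spawns bash"),
    "e2": ("web01", "e1", "bash runs curl to fetch a tool"),
    "e3": ("web01", "e2", "tool scans 10.0.0.0/24"),
    "e4": ("web01", "e3", "tool opens ssh to db01"),
    "e5": ("db01", "e4", "sshd session spawns bash"),
    "e6": ("db01", "e5", "bash reads /etc/shadow"),
    "e7": ("db01", "e6", "bash archives the database directory"),
    "e8": ("db01", "e7", "curl posts the archive to an external host"),
    "e9": ("web01", None, "cron runs logrotate"),
}

# Constructed alerts from several tools, keyed by the event they fired on.
ALERTS = {
    "e1": "A: login at unusual hour (ML anomaly)",
    "e2": "B: download by shell child (EDR)",
    "e3": "C: port scan (firewall)",
    "e4": "D: lateral ssh (EDR)",
    "e6": "E: credential file read (EDR)",
    "e8": "F: large outbound transfer (firewall)",
    "e9": "G: scheduled job (scanner)",
}

def root_and_depth(event_id):
    """Follow parent links to the root event; depth orders alerts causally."""
    depth = 0
    while EVENTS[event_id][1] is not None:
        event_id = EVENTS[event_id][1]
        depth += 1
    return event_id, depth

def stitch(alerts, false_positives=frozenset()):
    """Group alerts by causal root; each group is ordered by lineage depth."""
    chains = defaultdict(list)
    for event_id, label in alerts.items():
        if label[0] in false_positives:
            continue  # dropping an alert shortens the chain, never splits it
        root, depth = root_and_depth(event_id)
        chains[root].append((depth, EVENTS[event_id][0], label[0]))
    return {root: [(host, letter) for _, host, letter in sorted(items)]
            for root, items in chains.items()}

if __name__ == "__main__":
    for root, chain in stitch(ALERTS, {"C", "E"}).items():
        print(root, " > ".join(f"{h}:{a}" for h, a in chain))
```

The unrelated cron lineage (e9) stays a separate one-alert chain, which is the same mechanism that keeps a third-party firewall or scanner finding out of a story it is not causally part of.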

Simplified Security Workflow for Surgical Response & Complete Remediation

Today, 45% of CIOs/CISOs say their SOC is understaffed. The obvious reason is the amount of repetitive and tedious investigation security teams have to perform in order to protect their organizations. Today’s security teams are drowning in alerts from endpoints, networks, SIEMs, and more. It is estimated that 90% of security alerts go uninvestigated.

Given the autonomous detection and sequencing capabilities of the Confluera platform across the infrastructure and over long periods, the focus of security teams shifts towards interception and defense: they no longer need to manually investigate each and every alert to piece together the attack story before deploying a response.

Figure 3: suggested actions for surgical response and remediation

The Confluera platform delivers easy-to-understand attack campaign stories in the form of attack progressions that are prioritized automatically based on associated risk scores, along with fully actionable suggestions for response and remediation. The stories themselves contain the sequence of tactics and techniques (refer to MITRE ATT&CK) used by the adversaries to gain deeper and wider access to the enterprise infrastructure.

It has been an exciting journey with our early customers that are deploying Confluera at a scale that we did not believe we could get to at this early stage. We are even more excited about future possibilities as we engage with our customers and learn about use cases that we did not even think about when we started.

Our Momentum Continues

The general availability of Confluera 1.0, our current customers, our partner and reseller community, and several ongoing pilots are not only proof of our momentum in 2019 but also validate that we are changing the current post-facto security paradigm to a truly real-time security strategy as cyberattacks grow in both complexity and frequency.

We look forward to seeing everyone at RSA Conference 2020 in San Francisco, California. Come to our booth to talk to us, or get a personalized demo by signing up on our website.

Intercept Threats. Before Damage.