Toward Autonomous Detection & Response

Niloy Mukherjee
Co-founder and Chief Architect


On July 30, 2019, we launched Confluera as the industry's first autonomous detection and response platform. Coincidentally, news of the Capital One data breach broke the same day. Although it might seem like a one-off event, the statistics say otherwise. The number of significant data breaches at U.S. businesses, government agencies, and other organizations topped 1,300 last year, an average of nearly four per day. Besides the financial impact of the time and resources spent on post-breach response, such breaches cause lasting damage to the reputation of the affected organizations.

Figure 1: Increasing number of data breaches

It is evident that today's attackers are after critical enterprise infrastructure. What does an attack on enterprise infrastructure actually look like? Let us visualize it through the lens of the MITRE ATT&CK framework, which is quickly becoming the de facto industry standard for defining and classifying infrastructure-wide cyberattacks. A modern attack does not consist of a single ATT&CK technique used to breach an individual endpoint, server, or network. Rather, it is a kill chain: permutations and combinations of malicious techniques, interleaved with legitimate activity, executed across multiple hosts spanning the entire infrastructure, often with varying temporal distance between the malicious steps. A campaign can be as fast as minutes or hours, or slow and stealthy, unfolding over days, weeks or months. For example, figure 2 shows Cozy Bear (APT29) as a combination of the highlighted techniques.

Figure 2: Malicious techniques involved in APT 29

As attack lifecycles have evolved over the years, so has the plethora of point solutions for endpoint and network. Endpoint solutions first evolved from traditional antivirus to endpoint protection platforms (EPP). EPPs have focused on preventing well-known attack techniques based on existing signatures. However, EPPs have proved ineffective against zero-day attacks, and they provide no network visibility. This led to a new category of endpoint detection and response (EDR) solutions. EDR agents sit on servers and user endpoints and detect unknown threats by recording forensic telemetry and flagging anomalous behavior. However, EDRs are also limited by their lack of network visibility. For example, threats that slip past them can move laterally across the network and clandestinely talk to a remote command and control server, uninhibited. The complement to EDR's functionality is the category of network detection and response (NDR) solutions, which show what is actually happening on the enterprise network. However, such solutions are limited by their lack of visibility inside the hosts themselves.

It is therefore evident why point solutions acting in isolation have proved ineffective at securing infrastructure. The limitations of these systems have led to the emergence of a third category, security analytics based on SIEM systems. These systems aggregate logs from endpoint (EDR) and network solutions into a single management platform. They are built on search-analytics style data processing and require the construction of explicit search queries to correlate results from the endpoint and network solutions. Such solutions do allow SOC teams to perform threat hunting, but in a reactive, after-the-fact manner: the SOC has to follow up each individual result, depend on human-written correlation queries or execute queries themselves, and try to connect the dots across multiple results. Such correlation-based analytics become inconclusive as soon as attacks 1) consist of malicious behaviors interleaved with a larger set of non-malicious behaviors, 2) span dozens of hosts, and 3) dwell for non-trivial periods of time. Any data management professional with experience in search and log analytics can vouch for the exorbitant amount of analytics infrastructure needed to store and crunch through infrastructure-wide telemetry spanning months. An interesting TCO analysis presented by Sumo Logic highlights such limitations.

At Confluera, we thought of infrastructure security not just as a sum of parts of endpoint + network, but as a complete re-architecture that makes the whole greater than the sum of the parts. We identified that merely extending a data platform built primarily for offline log search analytics cannot achieve autonomous detection and response at scale. We therefore went ahead and built a live platform that is continuously online and genuinely real-time.

Our autonomous detection and response solution is built on top of a massively scalable, distributed-ledger based continuous transactional platform (patent pending) that distinctly models each and every execution sequence within the infrastructure. The platform tracks every execution from its initiation on a server and causally stitches together the continuation of that execution on the same host, its continuation to other hosts through east-west movement, and its continuation thereafter, as a unique (Distributed) Execution Trail. These execution trails span any number of hosts and any amount of time, be it minutes, hours, days, weeks or months. This lets us model an infrastructure as a set of active and inactive (Distributed) Execution Trails.

Figure 3. a) (Distributed) Execution trails ledgers
Figure 3. b) Security results mapped in tandem to surface attack lifecycles

The Confluera platform works in tandem with actual activity progressions, thereby providing 24/7 continuous, infrastructure-wide visibility. Such a platform enables endpoint and network detection results (be they our own native behavioral and machine-learned anomaly detections or signals from external security sources) to be attributed directly to the underlying trails, so that trails can be ranked by the aggregate of malicious behaviors they have exhibited. This is what enables our solution to surface and intercept attack lifecycles autonomously, in real time.
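To make the notion of a (Distributed) Execution Trail concrete, here is an added example, written for this page and not Confluera's platform code, that stitches constructed process-start and network-connection telemetry into cross-host trails and then attributes sample detections to those trails and ranks them, as the two paragraphs above describe. The stitching rule (a child spawned by a listening service within a short window after an inbound connection continues the remote initiator's trail), the SESSION_WINDOW value, the event schemas, and the detection scores are all assumptions for illustration; the ATT&CK technique ids on the sample detections are labels on constructed events, not findings about any real system.

```python
from collections import defaultdict

# Constructed sample telemetry (not captured from any real system).
# Timestamps are seconds from an arbitrary epoch.
# Process-start events: (ts, host, pid, ppid, image)
PROCESS_EVENTS = [
    (0.0, "hostB", 500, 1, "sshd"),       # long-running listener on hostB
    (1.0, "hostB", 600, 1, "cron"),       # benign scheduled-job tree
    (2.0, "hostB", 601, 600, "backup.sh"),
    (10.0, "hostA", 100, 1, "bash"),      # interactive shell on hostA
    (11.0, "hostA", 101, 100, "curl"),
    (12.0, "hostA", 102, 100, "ssh"),
    (13.5, "hostB", 501, 500, "bash"),    # session sshd spawned after the inbound connection below
    (14.0, "hostB", 502, 501, "nc"),
]
# Network-connection events: (ts, src_host, src_pid, dst_host, dst_port, dst_pid)
NET_EVENTS = [
    (13.0, "hostA", 102, "hostB", 22, 500),
]
# Detections from any source: (host, pid, ATT&CK technique id, score in [0, 1])
DETECTIONS = [
    ("hostA", 101, "T1105", 0.4),      # Ingress Tool Transfer
    ("hostA", 102, "T1021.004", 0.3),  # Remote Services: SSH
    ("hostB", 502, "T1059", 0.5),      # Command and Scripting Interpreter
    ("hostB", 601, "T1053", 0.1),      # Scheduled Task/Job, low-confidence anomaly
    ("hostC", 9, "T1003", 0.9),        # host with no process telemetry at all
]

# Assumption: a child spawned by a listening service within this many seconds
# after an inbound connection is a continuation of the remote initiator's trail.
SESSION_WINDOW = 5.0


class TrailBuilder:
    """Stitches process and connection events into cross-host execution trails."""

    def __init__(self, window=SESSION_WINDOW):
        self.window = window
        self.trail_of = {}                 # (host, pid) -> trail id
        self.inbound = defaultdict(list)   # (dst_host, listener pid) -> [(ts, remote trail id)]
        self.members = defaultdict(list)   # trail id -> [(host, pid, image)]
        self._next = 1

    def _new_trail(self):
        tid = f"T{self._next}"
        self._next += 1
        return tid

    def _on_process(self, ts, host, pid, ppid, image):
        parent = (host, ppid)
        tid = None
        # Cross-host continuation: the most recent inbound connection to the
        # parent (a listener) inside the window wins over the parent's own trail.
        for conn_ts, remote_tid in reversed(self.inbound.get(parent, [])):
            if 0.0 <= ts - conn_ts <= self.window:
                tid = remote_tid
                break
        if tid is None:
            # Same-host continuation, or a fresh root if the parent is unknown.
            tid = self.trail_of.get(parent) or self._new_trail()
        self.trail_of[(host, pid)] = tid
        self.members[tid].append((host, pid, image))

    def _on_connect(self, ts, src_host, src_pid, dst_host, dst_port, dst_pid):
        src = (src_host, src_pid)
        if src not in self.trail_of:       # connection from a process we never saw start
            self.trail_of[src] = self._new_trail()
        self.inbound[(dst_host, dst_pid)].append((ts, self.trail_of[src]))

    def build(self, process_events, net_events):
        # Replay both streams in timestamp order; ties put process starts first.
        timeline = [(e[0], 0, e) for e in process_events] + [(e[0], 1, e) for e in net_events]
        for _, kind, e in sorted(timeline, key=lambda x: (x[0], x[1])):
            (self._on_process if kind == 0 else self._on_connect)(*e)
        return self


def rank_trails(builder, detections):
    """Attribute detections to trails and rank trails by aggregate score.

    Returns (ranked, unattributed), where ranked is a list of
    (trail id, total score, sorted technique ids, sorted hosts touched)."""
    score, techniques, unattributed = defaultdict(float), defaultdict(set), []
    for host, pid, technique, s in detections:
        tid = builder.trail_of.get((host, pid))
        if tid is None:
            unattributed.append((host, pid, technique))
            continue
        score[tid] += s
        techniques[tid].add(technique)
    ranked = sorted(score, key=lambda t: (-score[t], t))
    return ([(t, round(score[t], 2), sorted(techniques[t]),
              sorted({h for h, _, _ in builder.members[t]})) for t in ranked],
            unattributed)


def demo():
    builder = TrailBuilder().build(PROCESS_EVENTS, NET_EVENTS)
    return rank_trails(builder, DETECTIONS)


if __name__ == "__main__":
    ranked, leftover = demo()
    for trail in ranked:
        print(trail)
    print("unattributed:", leftover)
```

Running it ranks the hostA-to-hostB trail first, with three techniques across two hosts, far ahead of the cron tree with its single low-confidence anomaly, and reports the detection on hostC, where no process telemetry exists, as unattributed rather than silently dropping it. The weak point is the timing window: shrink it below the gap between the connection and the spawned session and the sshd child falls back into the listener's own long-lived trail, which is exactly the kind of stitching error a real platform has to avoid with richer linkage than timing alone.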

We will follow up on this precursor with a blog that details the platform. Stay tuned!

To learn more about Confluera, contact us, or visit our product page to discover all the advantages of our platform.

STOP BREACHES. IN THEIR TRACKS.