Cloud Native Threat Storyboarding

Threat storyboarding is often considered a post-breach exercise: piecing together a series of events to make sense of how a breach was executed and which assets were compromised. With Confluera, threat storyboarding happens in real time, enabling organizations to monitor the attacker's every move. They then have sufficient forewarning to stop the attack before it can lead to a breach.
THE MOTIVATION
Increasing attacker dwell time
The average attacker dwell time is 279 days. Defenders simply cannot keep up with increasingly sophisticated attackers with legacy point solutions and manual investigation efforts.
Cloud has a large and dynamic attack surface
The cloud has a larger attack surface, a more complex environment, and visibility is a challenge.
Modern cyberthreats are multi-staged
Every attacker knows that, as an outsider, they must look like an insider. Tracking these low and slow attacks is all about making sense of weak signals.
Point solutions create siloed visibility
Isolated observations from siloed products create a deluge of false positives, and important weak signals get lost in the noise.
Post-facto manual analysis can’t keep up
Analysts spend their time manually piecing together a jigsaw puzzle that is rearranged daily and miss 44% of alerts generated.

The Power of a Causal Story.

What is Real-time Threat Storyboarding?

Real-time Threat Storyboarding delivers causal execution narratives as they take place and autonomously surfaces the ones that exhibit suspicious behaviors along their trails. You'll see the entire activity narrative precisely: the number of hosts and containers trailed by the adversary, the suspicious activities within them, and the amount of time spent in each workload, across any number of workloads and any span of time.

Powered by Continuous Attack Graph

Real-time Threat Storyboarding is powered by Confluera’s patented Continuous Attack Graph fabric based on T-DAG (Transactional Directed Acyclic Graph) concepts. The technology models each and every execution trailed within the infrastructure as an activity graph and then ranks each graph by the degree of suspicious behavior exhibited along the way.

How does it work?

1. Stitch Events

Workload and Cloud infrastructure telemetry are causally connected into infrastructure-wide activity sequences.

2. Combine Signals

Security signals from native Confluera detections and third-party security results are then applied to activity sequences.

3. Rank Threats

Attack chains are automatically prioritized based on the cumulative risk of signals on activity sequences.

4. Intercept Attacks

Context-sensitive response actions evict the attacker and remove any backdoors.

What makes it unique?

Track adversary trail across the infrastructure

At the heart of Confluera’s Continuous Attack Graph technology is its ability to accurately track the adversary's trail in real-time. It uses an array of proprietary instrumentation techniques and algorithms that stitch underlying container and host activities along with east-west lateral movements between containers and hosts to track every step of the adversary, right from where it entered the infrastructure to where it has currently moved to.

Optimized to sniff out slow moving attacks

Most undetected attacks have large dwell times, where the attackers patiently wait several months on each jump point before initiating the next move. Confluera's causal event chaining technology inherently stitches a new event to its underlying causal graph instantly, even if that graph has been dormant for minutes, hours, days, weeks, or months. Because Confluera has complete context, it can purge inactive entities from these graphs, which makes them highly space efficient compared to other EDR + SIEM or XDR solutions.

Fusion of diverse security signals from existing security tools

Attacker activities, both malicious and benign, manifest themselves from different vantage points. To spot an attack, security teams must have a wide-angle view of the infrastructure. The more you can see, the better equipped you are to intercept bad actors.

Confluera's XDR engine integrates detections and telemetry from threat intelligence feeds and other security tools into its threat storyboards, enabling high-confidence threat detection and speeding up investigations.

Amplify even the weak signals

Even seemingly benign detections matter when detecting attackers using living off the land techniques to perform discovery, reconnaissance, and lateral movements. But most of these weak but critical detections get lost in the haystack. Confluera’s Continuous Attack Graph technology constantly stitches every signal from different tools and escalates the threat storyboard when a combination of weak signals indicates a malicious pattern.
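The four steps under "How does it work?" (stitch, combine, rank, intercept), the dormant-graph stitching described under "Optimized to sniff out slow moving attacks", and the weak-signal escalation described above can be illustrated with a small causal event graph. The following is an added example, not Confluera's code or its Continuous Attack Graph fabric: it assumes process telemetry carries a parent pid, stitches a login on one host to the most recent outbound ssh connect toward that host from another chain, and uses constructed weak-signal scores and a constructed alert threshold. A chain's risk is the cumulative score of the signals on it, a child event joins its parent's chain no matter how long the parent has been idle, and an exited process is purged from the live index while the chain's history and risk persist.

```python
"""Toy causal event stitching, signal fusion and chain ranking (added example,
not Confluera's code; telemetry, signals, scores and threshold are constructed)."""
from dataclasses import dataclass

DAY = 86400


@dataclass
class Event:
    ts: int          # epoch seconds (constructed)
    host: str
    pid: int
    kind: str        # "exec" | "connect" | "login" | "exit"
    detail: str = "" # command line, "dsthost:port", or origin host for a login
    ppid: int = 0    # causal parent pid on the same host; 0 = unknown


# Weak signals: each score alone is well under the alert threshold (constructed).
SIGNALS = {
    ("exec", "whoami"): 1,
    ("exec", "ip route"): 1,
    ("connect", ":22"): 2,
    ("exec", "/etc/cron.d"): 3,
}
ALERT_THRESHOLD = 5


class AttackGraph:
    """Each root process starts a chain; causally related events join that chain."""

    def __init__(self):
        self.live = {}          # (host, pid) -> chain id, for processes still alive
        self.chains = {}        # chain id -> {"risk": int, "events": [Event]}
        self.pending_ssh = {}   # dst host -> chain id of the most recent outbound ssh
        self._counter = 0

    def _new_chain(self):
        cid = f"chain-{self._counter}"
        self._counter += 1
        self.chains[cid] = {"risk": 0, "events": []}
        return cid

    @staticmethod
    def score(ev):
        return sum(s for (kind, needle), s in SIGNALS.items()
                   if ev.kind == kind and needle in ev.detail)

    def ingest(self, ev):
        key = (ev.host, ev.pid)
        if ev.kind == "exit":
            # Purge the dead entity; the chain and its accumulated risk remain.
            self.live.pop(key, None)
            return None
        if ev.kind == "login":
            # East-west stitching (assumed model): a login on host X is caused by
            # the most recent outbound ssh connect to X seen in some chain.
            cid = self.pending_ssh.pop(ev.host, None) or self._new_chain()
        else:
            # Attach to the parent's chain however long ago the parent was seen.
            cid = self.live.get((ev.host, ev.ppid)) or self.live.get(key) or self._new_chain()
        self.live[key] = cid
        chain = self.chains[cid]
        chain["events"].append(ev)
        chain["risk"] += self.score(ev)
        if ev.kind == "connect" and ev.detail.endswith(":22"):
            self.pending_ssh[ev.detail.rsplit(":", 1)[0]] = cid
        return cid

    def ranked(self):
        return sorted(self.chains, key=lambda c: self.chains[c]["risk"], reverse=True)

    def escalated(self):
        return [c for c in self.ranked() if self.chains[c]["risk"] >= ALERT_THRESHOLD]

    def storyboard(self, cid):
        evs = self.chains[cid]["events"]
        span_days = (evs[-1].ts - evs[0].ts) // DAY if evs else 0
        steps = [f"{e.host} pid {e.pid} {e.kind} {e.detail} (+{self.score(e)})" for e in evs]
        return {"hosts": sorted({e.host for e in evs}), "span_days": span_days,
                "risk": self.chains[cid]["risk"], "steps": steps}


def build_sample_graph():
    """Constructed timeline: discovery on web-1, a 60-day pause, then a hop to db-1."""
    t0 = 1_700_000_000
    g = AttackGraph()
    for ev in [
        Event(t0, "web-1", 100, "exec", "nginx: worker process"),
        Event(t0 + 10, "web-1", 101, "exec", "/bin/sh -c whoami", ppid=100),
        Event(t0 + 20, "web-1", 102, "exec", "ip route", ppid=100),
        Event(t0 + 30, "web-1", 101, "exit"),
        Event(t0 + 40, "build-1", 700, "exec", "whoami"),                      # unrelated, benign
        Event(t0 + 60 * DAY, "web-1", 103, "connect", "db-1:22", ppid=100),    # dormant chain wakes
        Event(t0 + 60 * DAY + 5, "db-1", 500, "login", "web-1"),
        Event(t0 + 60 * DAY + 15, "db-1", 501, "exec", "tee /etc/cron.d/update", ppid=500),
    ]:
        g.ingest(ev)
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    for cid in g.ranked():
        print(cid, g.storyboard(cid))
```

On this constructed input, the lone `whoami` on build-1 stays a risk-1 chain that never crosses the threshold, while the web-1 chain accumulates 7 across two hosts and 60 days and is the only one escalated; the storyboard for it lists the hosts trailed, the elapsed time and each step with its score, which is the context a response action would be scoped to.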

Self-updating and context-sensitive recommendations

Confluera automatically generates remediation recommendations at the storyboard level based on the hosts, applications, processes, users, and network connections involved in each storyboard. Furthermore, Confluera’s Continuous Attack Graph technology keeps the attack graph continuously updated such that the list of recommendations only applies to entities that are live and active at that time.

By the way, it is all real-time

The true test of an XDR is not the number of sources it can integrate with. It is the ability to process telemetry from those sources fast enough to detect an attack in real-time and give your team the opportunity to intercept it while it is unfolding.

Confluera’s purpose-built architecture is designed to handle very high stream-rates of telemetry from a wide variety of sources, and still deliver real-time event stitching and IOC detection for environments with tens of thousands of workloads.

Why does it matter?

10x reduction in alerts

Confluera uses a fundamentally different approach to threat monitoring -- which drastically reduces the need to chase individual detections or alerts. Through a refined set of risk-prioritized storyboards curated at run-time, SecOps teams achieve near-zero time to conclude whether detections are benign or whether they are part of a larger attack narrative brewing underneath.

Force multiply your SOC team

Analysts spend most of their investigation efforts identifying related events across multiple tools and constructing the timeline. Confluera speeds up this investigation process by connecting the events across various tools and automatically surfacing storyboards worth investigating further.

Dramatically reduce detection time

Significantly reduce MTTD of multi-stage attacks with real-time storyboards, rather than chasing down isolated events and manually correlating them after the fact.

Consolidate your security tools

Protect yourself from sophisticated attacks by leveraging a novel ability to unify holistic security visibility and accurately track threats in real time. Fully leverage your existing security investments, detect threats early, and stop them before damage is done.

Intercept Threats. Before Damage.

Ready to experience the benefit of Confluera?
Start your 30-day trial and see for yourself how the latest innovation in detection and response can fend off the most advanced modern cyber attacks.
Like to learn more about Confluera?
Schedule a 30-min demo with one of our cybersecurity experts to learn how Confluera can help you identify and intercept cyber threats before they become a breach.