Whether it is advanced persistent threats, multi-stage ransomware or the actions of a malicious insider, modern cyberthreats are not singular actions but multi-step attack campaigns that span the infrastructure. Every attacker knows that, as an outsider, they must look like an insider.
Individual observations from siloed products such as EDR, NDR, and other security controls isolate critical information. Worse, observations become weak signals of suspicious behaviors that create a deluge of false positives.
When investigating an alert, analysts have to answer THE basic question--what happened?--to scope and attribute the attack. This requires understanding the entire attack story by holistically unifying all security signals in the context of the attacker's steps, which take place at different points in time and in different parts of the infrastructure.
Although the Cyber Kill Chain is well understood and there are methods to detect individual tactics and techniques (MITRE ATT&CK), there is no technology to deterministically detect the attack sequence. Instead, analysts spend their time piecing together a jigsaw puzzle that is rearranged daily, and that is the root cause of why attackers manage to dwell inside the enterprise infrastructure for days, weeks, and often months.
There is always a cause and effect relationship between all events happening across an enterprise infrastructure. Confluera is the only solution that brings the ability to track events and stitch them into deterministic sequences via cause and effect. As risky observations (behavior- and anomaly-based detections) are applied to these event sequences, the attack story starts to unfold in real time. It is this ability that allows continuous, real-time threat interception, which would otherwise amount to post-facto manual investigations at best. Skill- and resource-intensive efforts to identify and remediate threats after the fact are infeasible and cannot be scaled to meet the challenges of modern cyberthreats.
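As an added illustration of the cause-and-effect stitching described above (example code written for this page, not Confluera's product or algorithm), the following Python links constructed endpoint events by their causal parent, applies per-technique risk weights and surfaces the chain whose cumulative risk crosses a threshold; the event ids, hosts, technique weights and threshold are all assumed sample values.

```python
# Added example: stitch telemetry into causal chains and score the chain, not
# the individual event. Hypothetical events and weights, not real indicators.

# Constructed sample telemetry: "cause" is the parent event id (None = root);
# "technique" is set only where a per-event detection fired (MITRE ATT&CK id).
EVENTS = [
    {"id": "e1", "cause": None, "host": "ws01", "desc": "outlook.exe opens attachment"},
    {"id": "e2", "cause": "e1", "host": "ws01", "desc": "winword.exe spawns powershell.exe", "technique": "T1059.001"},
    {"id": "e3", "cause": "e2", "host": "ws01", "desc": "powershell.exe connects to 203.0.113.7:443", "technique": "T1071.001"},
    {"id": "e4", "cause": "e3", "host": "ws01", "desc": "powershell.exe reads lsass memory", "technique": "T1003.001"},
    {"id": "e5", "cause": "e4", "host": "srv02", "desc": "remote service created via SMB", "technique": "T1021.002"},
    # A benign admin script that, seen in isolation, produces the same weak signal as e2.
    {"id": "e6", "cause": None, "host": "ws03", "desc": "svchost.exe connects to update server"},
    {"id": "e7", "cause": "e6", "host": "ws03", "desc": "powershell.exe runs signed script", "technique": "T1059.001"},
]

# Per-technique risk weights, constructed for the example; a real product tunes these.
RISK = {"T1059.001": 2, "T1071.001": 3, "T1003.001": 5, "T1021.002": 4}


def stitch_chain(events, event_id):
    """Follow cause links from event_id back to its root; return the chain root-first."""
    by_id = {e["id"]: e for e in events}
    chain, cur = [], by_id[event_id]
    while cur is not None:
        chain.append(cur)
        cur = by_id.get(cur["cause"]) if cur["cause"] else None
    return list(reversed(chain))


def score_chain(chain):
    """Cumulative risk of a chain: sum of the weights of the detections along it."""
    return sum(RISK.get(e.get("technique"), 0) for e in chain)


def attack_stories(events, threshold=6):
    """Chains ending at leaf events whose cumulative risk reaches the threshold,
    highest score first, each as (score, [event ids root..leaf])."""
    has_child = {e["cause"] for e in events if e["cause"]}
    leaves = [e["id"] for e in events if e["id"] not in has_child]
    stories = []
    for leaf in leaves:
        chain = stitch_chain(events, leaf)
        score = score_chain(chain)
        if score >= threshold:
            stories.append((score, [e["id"] for e in chain]))
    return sorted(stories, reverse=True)


if __name__ == "__main__":
    for score, ids in attack_stories(EVENTS):
        print(score, " -> ".join(ids))
```

Events e2 and e7 carry the identical weak signal (a PowerShell launch); only the stitched chain separates the one that continues into credential access and lateral movement from the benign one.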