Throughout the last decade – possibly beginning with the creation of Cisco’s pxGrid framework in 2013 – security researchers have been developing tools and concepts to enhance traditional capabilities through a practice known as context-aware security. In context-aware security, analysts try to incorporate a wider field of information types, such as device locations, device types, time of the event, and IP matches from low reputation lists. The intended purpose of including this data in security investigations is to contextualize events for analysts and aid them in identifying false positives. But, does it work?
Does More Information Equal More Context?
Following nearly a decade of development in the context-aware security arena – which now includes many enterprise vendors – contemporary studies show that approximately 45% of alerts in security applications are false positives. As a result, nearly 75% of organizations report spending as much time – or even more – dealing with false positives as they do responding to real attacks, making false positives responsible for as much system downtime as genuine malicious activity.
As this alert fatigue continues to spread throughout the industry, it poses a twofold threat to organizations. Firstly, more time spent on false positives means less time spent on real attacks, diminishing overall security effectiveness. Secondly, fatigue creates job dissatisfaction, driving down retention rates for experienced IT personnel.
With global cybercrime rates riding a three-year spike that shows no sign of relenting, it’s time for security experts to reevaluate what a contextualized view is in security investigations and ask whether the addition of more information from more sources always translates into better awareness. The fastest way to distinguish real attacks from harmless anomalies is to detect intent. Actions signal intent as one event leads to another, revealing conscious purpose.
But can analysts see intent and causal connections across the half dozen or so security feeds they are likely monitoring? The trends for false positives and dwell times suggest that the answer is typically no, and that even context-aware data may only add to the clutter of data overload at that moment.
Sequence-Oriented Context with Spyderbat
Spyderbat’s comprehensive runtime monitoring platform takes a radically different approach to contextualizing security events. Instead of piling on more data to be weighed in an investigation, Spyderbat displays all system activities – as extracted from Linux kernel space – in a visual interface called the Universal Causal Graph (UCG).
In the UCG, analysts see events in a live process stream. Each node in this stream connects to previous events. When security applications flag a potential threat, Spyderbat creates a Spydertrace for that event. As causally related flagged events accumulate, Spyderbat aggregates the separate Spydertraces and raises the trace’s threat score.
Additionally, with the UCG, Spyderbat can fingerprint the workload behavior of individual microservices and identify new workload behaviors. Within a microservice, there is a graspable number of processes and network connections. A key difference between a whitelist approach and Spyderbat is the UCG, which adds the sequence-oriented context of parent/grandparent processes and effective user rights to the workload, enabling accurate workload behavior fingerprinting. The result is a capability that empowers developers to capture new workload behaviors between builds and arms SREs/Platform Engineers to identify new workload behaviors across environments to prevent misconfigurations or supply chain compromises.
With the ability to monitor events in a causally related sequence, analysts can rapidly detect conscious intent or dismiss clear dead ends. Additionally, Spyderbat uses eBPF technology to create visibility in the UCG throughout the entirety of your environment, no matter how distributed or containerized it may be.
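To make the two ideas above concrete (merging causally related flagged events into one trace with a rising score, and fingerprinting a workload by process lineage plus effective user rather than by executable name alone), here is an added toy example. It is not Spyderbat's code and says nothing about how the UCG is implemented; the process events, workload labels, detector scores and the "web" / "cron" workload names are all constructed for illustration, and the graph uses parent links only, whereas a real causal graph would also join events on network and file edges.

```python
"""Added example (not Spyderbat's code): a toy causal process graph that
(1) merges causally related flagged events into one trace with a summed
score and (2) fingerprints a workload by exe + parent + grandparent +
effective uid, so new behaviour between two runs stands out even when the
executable names are already known. Every event below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    exe: str
    euid: int       # effective uid the process runs as
    workload: str   # hypothetical workload label (e.g. the container/service)


# Constructed baseline run of a hypothetical "web" workload.
BASELINE: List[ProcEvent] = [
    ProcEvent(1, 0, "init", 0, "web"),
    ProcEvent(50, 1, "sh", 0, "web"),         # entrypoint script, legitimate
    ProcEvent(100, 1, "nginx", 0, "web"),     # master process
    ProcEvent(101, 100, "nginx", 33, "web"),  # workers drop to uid 33
    ProcEvent(102, 100, "nginx", 33, "web"),
]

# Constructed later run: a worker now spawns a shell that fetches something
# and marks it executable. An unrelated "cron" workload is also present.
CURRENT: List[ProcEvent] = BASELINE + [
    ProcEvent(200, 101, "sh", 33, "web"),
    ProcEvent(201, 200, "curl", 33, "web"),
    ProcEvent(202, 200, "chmod", 33, "web"),
    ProcEvent(300, 1, "logrotate", 0, "cron"),
]

# Constructed detector output: pid -> score from independent, unrelated rules.
FLAGS: Dict[int, int] = {200: 20, 201: 30, 202: 25, 300: 10}

Fingerprint = Tuple[str, str, str, int]  # (exe, parent exe, grandparent exe, euid)


def index_by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestors(graph: Dict[int, ProcEvent], pid: int) -> List[int]:
    """Ancestor pids from the parent upward; stops at an unknown ppid or a cycle."""
    chain, seen, cur = [], set(), graph.get(pid)
    while cur is not None and cur.ppid in graph and cur.ppid not in seen:
        seen.add(cur.ppid)
        chain.append(cur.ppid)
        cur = graph[cur.ppid]
    return chain


def causal_chain(events: List[ProcEvent], pid: int) -> str:
    """Human-readable lineage, root first, e.g. 'init > nginx > nginx > sh'."""
    graph = index_by_pid(events)
    names = [graph[p].exe for p in reversed(ancestors(graph, pid))]
    return " > ".join(names + [graph[pid].exe])


def fingerprint(events: List[ProcEvent], workload: str) -> Set[Fingerprint]:
    """Sequence-oriented fingerprint: what ran, under whom, as which uid."""
    graph = index_by_pid(events)
    prints: Set[Fingerprint] = set()
    for e in events:
        if e.workload != workload:
            continue
        chain = ancestors(graph, e.pid)
        parent = graph[chain[0]].exe if len(chain) > 0 else "<none>"
        grand = graph[chain[1]].exe if len(chain) > 1 else "<none>"
        prints.add((e.exe, parent, grand, e.euid))
    return prints


def new_behaviors(baseline, current, workload) -> Set[Fingerprint]:
    return fingerprint(current, workload) - fingerprint(baseline, workload)


def new_exes(baseline, current, workload) -> Set[str]:
    """Flat whitelist view for contrast: executable names only, no lineage."""
    def names(evs):
        return {e.exe for e in evs if e.workload == workload}
    return names(current) - names(baseline)


def aggregate_traces(events, flags):
    """Merge flagged events that lie on one ancestry line into a single trace
    and sum their scores (union-find keyed on parent links)."""
    graph = index_by_pid(events)
    parent = {pid: pid for pid in flags}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for pid in flags:
        for anc in ancestors(graph, pid):
            if anc in flags:
                parent[find(pid)] = find(anc)
    traces = defaultdict(lambda: {"pids": set(), "score": 0})
    for pid, score in flags.items():
        root = find(pid)
        traces[root]["pids"].add(pid)
        traces[root]["score"] += score
    return sorted(traces.values(), key=lambda t: -t["score"])


if __name__ == "__main__":
    for t in aggregate_traces(CURRENT, FLAGS):
        print(t["score"], sorted(t["pids"]), causal_chain(CURRENT, max(t["pids"])))
    print("new by name only:", new_exes(BASELINE, CURRENT, "web"))
    print("new by lineage  :", new_behaviors(BASELINE, CURRENT, "web"))
```

Run as a script, the three shell/curl/chmod flags collapse into one trace with score 75 and lineage `init > nginx > nginx > sh > chmod`, while the unrelated logrotate flag stays a separate low-score trace. The contrast between `new_exes` and `new_behaviors` is the point of the fingerprint: by name alone only `curl` and `chmod` are new, because `sh` already appears in the baseline as the entrypoint; by lineage and uid, a shell spawned by an nginx worker as uid 33 is a new behaviour too.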
To learn more about stopping live attacks on your cloud-native workloads and see Spydertracing in action, visit Spyderbat and book a demo.