Correlation Without Causation

Security analysts are tasked with manually retracing the steps of an attack to determine a threat's root cause and scope.  The effort is time-consuming involving sifting through mountains of log data attempting to identify related threat activities. 


The challenge stems from the data available to security analysts.  Log and event data only enable analysts to review correlations (Activity A and Activity B both occur), when what security analysts need are the causal connections of threat activity (Activity A led to Activity B).   

Screen Shot 2020-11-10 at 3.10.29 PM.png

Step 5 of the SANS Critical Log Review Checklist, suggests focusing on recent changes.  Step 6 suggests working backwards in time to reconstruct the actions before and after the event

  • There could be hundreds if not thousands of exception-based logs (errors, failures, status changes). 

  • Just because the exception-based activity occurred prior to the incident, does not mean it caused the incident.

  • The manual practice, relying on inference and individual expertise, is time consuming and prone to mistakes.

Activity A + Activity B    Activity A → Activity B

Spyderbat provides an effective, alternate approach by eliminating the ambiguity and guesswork in security analysis.


By automating the process for establishing causal connections, Spyderbat provides a security analysts with an understanding of the relationship, progression and scope of threat activities.


Without inference or guesswork, Spyderbat, delivers a complete story of connected alerts, Spyderbat Flags, and supporting evidence. 


With Spyderbat, security analysts dramatically compress their investigation time while avoiding the pitfalls that lead to inconclusive results.