Lacework Polygraph FAQ
What is a Lacework polygraph?
In the world of criminal investigation, a polygraph is used to detect if people are lying. Polygraph tests use multiple sensors attached to a person and look for changes like a racing heartbeat or elevated blood pressure to detect if that person is not being honest. Lacework uses a similar approach for DC/cloud entities (users, workloads, and applications) and their behaviors by looking for deviations from their normal behavior to detect breaches.
The Lacework approach is unique because the polygraph first aggregates entities into analysis groups based on their behavior, creating a temporal baseline. The baseline is then updated hourly for every entity. The Lacework polygraph looks for changes in entity types or behavior anomalies.
What kinds of polygraphs are available?
The Lacework polygraph analyzes an array of cloud factors to detect breaches. There are currently 13 Lacework polygraph analysis groups (see table below for details). Each polygraph class is responsible for monitoring a set of behaviors and/or communication activities specific to its class. The insider class, for example, monitors the interactive behavior of human users as they move about within the datacenter.
Why are there different Lacework polygraphs?
Because each polygraph captures different entities and behaviors, having different polygraphs allows Lacework to analyze multiple types and behaviors in the environment effectively.
The following table shows you what entities and behaviors each polygraph captures.
Polygraph | Nodes | Edges | Detected Threats |
---|---|---|---|
Application Communication | Process, IP, Domain name | Network connections | Suspicious applications; anomalous network connections such as C2, malware download |
Machine Communication | Process, IP, Domain name | Network connections | Anomalous network connections/destinations such as C2, malware download |
Application Launch | Process | Process parent-child relationship | Anomalous process launches such as malicious processes or hijacked processes |
Privilege Change | Username | Privilege change | Anomalous privilege escalation |
Insider Behavior | User, Process, IP, Domain name | Network connections; user-process relationship | User-initiated anomalous network connections and process launches |
User Login | User, Machine, IP | SSH login | N/A (visibility only) |
Machine DNS Lookup | Machine, IP, Location, Errored DNS, Error Code | DNS requests | N/A (visibility only) |
Machine Servers | Process, Machine | Server process on machine | N/A (visibility only) |
Kubernetes Launch | Process, NameSpace, Cluster, PodType | Kubernetes operations | Anomalous Kubernetes resource usage |
AWS CloudTrail | AWS UserIdentity, CallType, ErrorCode, Service, IP-Geo, Api, Region, Account, Resource | AWS API calls | Potentially compromised accounts; misconfigurations |
GCP Audit Log | GCP Organization, Project, IP-Geo, ErrorCode, Api, User, Region, Service | GCP API calls | Potentially compromised accounts; misconfigurations |
Azure Activity Log | Subscription name, Principal ID, IP, Result type, Event category, Resource type, Operation | Azure API calls | Potentially compromised accounts; misconfigurations |
K8s Audit Log | Resource type, Command, User, Impersonated User, User group, Event name, Response, Location | Kubernetes API calls | Anomalous accesses; misconfigurations |
How is the Lacework polygraph different from network-level breach detection tools?
Data points that are critical for breach detection are not available when data is sourced only from the network. Lack of these data points can cause many false alerts.
Around 25% of data traffic never leaves the VM. Any breach at this level won't be visible with network-only breach detection tools.
In a container environment, multiple micro-services can run within a single host. It is not possible to understand container properties at the network-level as the data is visible only from within the host.
Network DPI is often helpful when identifying the applications that generate east-west traffic, as the majority of those applications are custom.
Network communication is just one indicator of compromise; many other critical parts of a cyber kill chain, such as privilege changes and process launches, are not visible at the network level.
There is a trend to encrypt the data when it is leaving the host, which makes any network-level breach detection tool ineffective.
There are two kinds of traffic in the datacenter: interactive and app-app. Attribution of network sessions to a user or an application is not possible with network-level monitoring alone.
The Lacework polygraph analyzes all these data points for breach detection making it more precise and generating accurate alerts.
How is the Lacework polygraph different from host-based intrusion systems?
Host-based intrusion systems detect breaches by analyzing individual servers and are not based on peer analysis groups. Lacework collects data from individual servers but analyzes the data at the datacenter-level. This method allows breach detection to be more precise as the comparison is done with similar entity peers and the entity itself over time irrespective of the server.
How is the Lacework polygraph different from other machine learning-based breach detection systems?
The current approach for the majority of new machine learning-based breach detection tools is to identify a type of attack and then look for similar patterns to detect similar attacks.
The problem with this approach is that it is heuristic-based, which results in a lot of false positives. Only the well-known types of zero-day attacks can be caught this way. The Lacework polygraph uses deviation from a temporal baseline to detect breaches, which allows it to detect all kinds of breaches.
How is the Lacework polygraph different from other cloud workload protection platforms?
Existing cloud workload protection platforms rely on rules engines to detect anomalies, which require constant tuning. Enterprises spend hours every day updating mammoth black and white lists, which are usually outdated even before they go into production. The Lacework polygraph is the first and only zero-touch cloud workload protection platform, requiring no rules, no policies, and no logs for breach detection.
What makes the Lacework polygraph a robust breach detection system?
In a typical data breach, the behavior of the user, application, and/or workload deviates from a baseline marginally or significantly. The Lacework polygraph detects these behavior anomalies, no matter how subtle they are, to detect breaches.
How does the Lacework polygraph reduce false positives and number of alerts?
The Lacework polygraph uses a temporal baseline to detect deviations or changes in behavior, resulting in meaningful alerts. Alerts are due either to a desired change, a misconfiguration, or malicious activity. The Lacework polygraph then scores the alerts based on severity and threat.
Lacework polygraph breach detection is more precise and accurate because of key technology innovations:
Behavior at process/container-level: The Lacework polygraph observes entity behavior at the process level, which is the smallest unit of an application, and so monitors behavior more precisely. A single server typically runs multiple applications and containers with different behaviors. The Lacework polygraph does not commingle these different behaviors when creating the temporal baseline, which makes anomaly detection very precise.
Separation of interactive and non-interactive traffic: In a DC/cloud, most traffic is either started by applications or initiated by humans (interactive). New cloud applications can scale up and down easily because app-app behavior is very predictable and does not change as applications auto-scale. User behavior, on the other hand, can be highly unpredictable. Lacework takes these differences into account when it builds the temporal baseline. It creates separate polygraphs for different entity behaviors, which ensures more precise alerts.
Alert at analysis group-level: In new, elastic datacenter environments, the number of workload instances and applications oscillates wildly. This variability creates challenges for existing security tools as alerts on individual workloads or applications generate multiple alerts for every behavior change. The Lacework polygraph aggregates workloads, applications, and processes into analysis groups and then generates alerts per group instead of creating alerts per workload or application, which reduces the number of alerts being generated significantly.
No heuristic alerts: The current approach for the majority of machine learning-based breach detection tools is to identify a type of attack and then look for similar patterns to detect similar attacks. The major drawback of this approach is that it can catch only threat types that are already known.
The other approach is to look for traffic pattern anomalies; for example, high traffic volume may indicate exfiltration. The challenge with this type of analysis is that it can be confused by normal seasonal traffic variations. The Lacework polygraph change-based approach implies that even if there are millions of processes and one of them deviates, it will be detected.
What kinds of events does the Lacework polygraph detect?
The Lacework polygraph can detect event changes for applications, users, and workloads such as a:
- new user
- user launching a new binary - this event is generated when an interactive user launches a new application for the first time
- new privilege escalation - escalating user privileges and running new applications
- new application or container seen for the first time
- new external connection - connection to an external IP/DNS was made from a new application
- new external host or IP
- new internal connection - new connection between internal only applications
- new external client - new external connection with an application that typically does not have external connections
- new parent - application launched by a different parent
- new connection to known bad IP - The Lacework polygraph checks with about 40 reputation feeds. If your environment makes a connection to a known bad IP or domain, an alert is generated.
- login from a known bad IP - The Lacework polygraph alerts when it sees a successful connection to your network from a known bad IP.
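The group-level, temporal-baseline detection described under the key technology innovations above and the event list just given, as an added illustration that is not Lacework's code: it uses a constructed telemetry set, takes the process name as the analysis group, and treats RFC 1918 ranges as the internal/external boundary (all assumptions made here).

```python
import ipaddress
from collections import defaultdict

# Constructed sample telemetry (not Lacework data): (hour, host, process, edge_type,
# target); "conn" = network connection to target, "parent" = launched by target.
RECORDS = [
    *[(h, f"web-{i}", "nginx", "conn", "10.0.0.5:5432") for h in range(24) for i in (1, 2, 3)],
    *[(h, "bastion-1", "bash", "parent", "sshd") for h in range(24)],
    # hour 24: all nginx replicas (one newly auto-scaled) reach an unseen external
    # host, and a shell on web-2 has a parent never observed for bash
    *[(24, f"web-{i}", "nginx", "conn", "203.0.113.9:443") for i in (1, 2, 3, 4)],
    (24, "web-2", "bash", "parent", "nginx"),
]
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(target):
    """RFC 1918 addresses count as internal; other IPs and host names as external."""
    try:
        return not any(ipaddress.ip_address(target.rsplit(":", 1)[0]) in n for n in INTERNAL)
    except ValueError:
        return True

def build_baseline(records, before_hour):
    """Baseline keyed by analysis group (process name), not host: edges seen before before_hour."""
    baseline = defaultdict(set)
    for hour, _host, proc, etype, target in records:
        if hour < before_hour:
            baseline[proc].add((etype, target))
    return baseline

def group_alerts(records, hour, baseline):
    """One alert per analysis group and unseen edge, however many hosts show it."""
    alerts = set()
    for h, _host, proc, etype, target in records:
        if h != hour:
            continue
        if proc not in baseline:
            alerts.add(("new application", proc, ""))
        elif (etype, target) not in baseline[proc]:
            if etype == "parent":
                alerts.add(("new parent", proc, target))
            else:
                kind = "external" if is_external(target) else "internal"
                alerts.add((f"new {kind} connection", proc, target))
    return sorted(alerts)

def per_host_alert_count(records, hour, baseline):
    """What per-workload alerting would emit: the same deviations once per host."""
    seen = {r[1:] for r in records if r[0] == hour}
    return sum(1 for _, p, e, t in seen if p not in baseline or (e, t) not in baseline[p])
```

With the constructed data, group-level alerting yields two alerts for hour 24 (one new external connection for the nginx group, one new parent for bash) where per-host alerting would yield five.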
What if a hacker is hiding in a public cloud?
Network-level policies are very coarse-grained and typically allow access to all public cloud services used by your environment, for example S3 at AWS. If a hacker compromises your infrastructure, she will be able to connect to the S3 bucket and transfer data without detection. The Lacework polygraph tracks the individual applications in your environment that communicate with S3 and generates an alert if a new, compromised application starts communicating with S3.
Does the Lacework polygraph use any external threat feeds?
The Lacework polygraph integrates with external threat feeds and matches incoming and outgoing connections to these reputation feeds. Any connection to a bad site or a successful login from a bad site generates an alert.
What applications are supported with the Lacework polygraph?
The Lacework polygraph is not a signature or policy-based system and has no prior knowledge about custom applications running in datacenters. The Lacework polygraph creates analysis groups based on behavior and then automatically labels the groups using machine learning. If a new application is added, the Lacework polygraph labels and classifies this application automatically. This approach ensures that the Lacework polygraph works with any application, requiring no new signatures or tuning when new applications are added.