Anomaly Detection for Cloud Container Environments

Identify and Analyze Anomalies in Cloud and Container Environments

Public clouds enable enterprises to implement infrastructure-as-code and allows them to rapidly develop, test, and deploy services at scale. In this environment, network, storage and compute resources are in constant flux to adapt to business needs. While this agility and flexibility provide many business and technological benefits, the cloud is also more susceptible to new forms of threats and cyber-attacks. Unfortunately, legacy security solutions are unequipped to handle these and leave organizations vulnerable. 

Big Data and Anomaly Detection to Secure The Cloud

Traditional security solutions rely on signatures or rule-based approaches. The advantage of these solutions is that the rules are readily understandable. However, the drawbacks are that these rules are manually entered and catch known attack profiles. These rules do not catch new attack profiles and require constant manual maintenance. In addition, to reduce false-positive rates, the rules are typically written for very well defined threat scenarios, limiting their effectiveness in actual production environments.

Lacework takes a completely different approach to anomaly detection. Our approach is to collect high fidelity process, network, file, and user data to form a base model of normal infrastructure behavior. We then use sophisticated analytics and machine learning techniques to detect anomalies which are indicators of threats.

The Lacework anomaly detection system is adaptive as your environment changes. In addition, because these baselines are generated automatically (not manually created), our system can be fine-tuned to reduce false positives at the same time.

The Power of the Polygraph

Lacework’s foundation is Polygraph, a deep temporal baseline built from collecting high fidelity machine/process/users interactions over a period of time. The polygraph is used to detect anomalies, generate appropriate alerts, and provide a tool for users to investigate and triage issues.

Fundamentally, the polygraph technology dynamically develops a behavioral and communication model of your services and infrastructure. The model understands natural hierarchies (processes, containers, pods, machines, etc.) and aggregates them to develop behavioral models. A behavioral model is, in some sense, the essence of how a customer’s infrastructure operates. With this model, Polygraph monitors your infrastructure for activities that fall outside the model. In addition, the polygraph continually updates its models as your data center behavior changes.

Integrated & Comprehensive Anomaly Detection

• Pinpoint exactly how a file changed: content, metadata, and whether the file was modified or simply appended
• Extended information on executables, such as files created without a package installation, command lines used at launch, currently running processes (with users and network activity), and suspect versions
• Expanded file intelligence with integrated threat feeds from ReversingLabs’ library of 5 billion files
• One-click investigation of anomalous events and activities related to FIM signals
• Cloud-wide capabilities for search, file type summaries, and detection of new files

Cloud-Scale & Speed

• Automated configuration, file discovery, and operations
• Scalable architecture with no added complexity or performance penalties
• Anomaly detection included with all Lacework Cloud Security agents

Meet Your Compliance Mandates

• Protect log and configuration files against tampering
• Daily re-check of all monitored files
• Pre-defined directory maps monitor critical files and directories
• Easily configurable; users can add directories to the watch list

Detect and resolve anomalous changes in behavior across your workloads, containers, and IaaS accounts that represent a security risk or an IOC with Lacework’s comprehensive anomaly detection system for enterprise DevOps teams.