An Eye For Patterns
Detecting patterns is an important part of how humans learn and make decisions.
Here at Confluera, we believe that
“The whole is greater than the sum of its parts”.
When attempting to identify an object, we first seek to identify its outline. Emergence is the process of forming complex patterns from simple rules.
Some of the methods used to study how we perceive the world are fascinating!
This article aims to share an interesting framework and apply it to the work we do as cybersecurity engineers.
Gestalt Principles are a way to describe how we view the world.
It was founded on the work of Max Wertheimer, Wolfgang Köhler, and Kurt Koffka, who developed it in the early twentieth century in Austria and Germany as a theory of perception.
This framework is a useful way to explain the various strategies Confluera uses to make network activity human-interpretable and actionable.
So let’s begin our journey.
1. Continuity
Our brains have evolved to appreciate connected movement; continuity provides context.
Contextualization smooths the edges between observations and helps us understand how a set of activities is related.
The same concept is at work in a motion picture, where a series of still frames is stitched together by our brains based on context.
We believe that modern security has failed to provide context.
While most tools address similarity and provide the dots, there is a noticeable lack of “Connecting the Dots”.
Without a connected view, security analysts drown in signals and false positives. Confluera creates Continuity using the attack graph.
Can you spot the flow of the attack coupled with the signals?
2. Similarity
Our perception of reality starts with trying to group objects together. Having a set of something allows us to see possible distinctions in function.
For example, putting circles and squares in separate buckets allows us to distinguish the relevance of one group from another while giving each entity in the group a functional relationship with one another.
From a security signal perspective, it is important to leverage this tendency of our brains to create these buckets for “circles” and “squares” to allow the analyst to make better decisions.
The MITRE matrix is a good example of an elegant set of categories applied to a chaotic and often confusing discipline.
At Confluera we leverage this in a few different ways. Below is a section of our dashboard. We not only aggregate the Hosts with their exposure to risk but also summarize similar patterns we see across attack progressions.
3. Proximity
Proximity provides spatial relation to seemingly disparate events. But what is considered proximal and what is considered distant?
In a modern network, applications no longer run on the same asset/server. The entire fabric of workloads that are running applications to serve clients and enterprise can and should be considered proximal.
A modern notion of network proximity is another gap in industry offerings that Confluera aims to close.
Confluera’s causal graph that you see below gets rid of the spatial distance and creates a single proximal threat fabric that humans can traverse and investigate.
4. Symmetry
Symmetry in everyday language refers to a sense of harmonious and beautiful proportion and balance. This means that our brains are tuned to find distortions and disruptions in patterns both in time and space.
If we break the day into two parts, [Sunrise:Sunset] and [Moonrise:Moonset], any anomaly in this symmetry creates an active response in our brain.
The activity dial on the Confluera dashboard is intentionally a symmetric 24-hour clock. It allows the human reading it to observe at a glance a sudden deviation in behavior at any instant in time.
How quickly can you spot the anomalous hours of activity above?
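The dial idea above can be reduced to two steps: bin a host's events into 24 hour-buckets, then flag the hours that stand out from the rest of the day. The following is an added example, not Confluera's dashboard code; the events are constructed, and the median-plus-MAD threshold is one assumed way to decide what counts as a deviation.

```python
"""Hourly activity dial: bin a host's events into 24 hour-buckets and flag the
hours that break the day's symmetry. Added illustration; the events are constructed."""
from datetime import datetime, timezone
from statistics import median

# Constructed sample: a quiet host with a burst of activity at 03:00 UTC.
_PROFILE = [3, 2, 4, 43, 3, 2, 3, 4, 5, 6, 6, 5, 4, 5, 6, 5, 4, 4, 3, 2, 3, 2, 3, 2]
SAMPLE_EVENTS = [
    f"2024-05-01T{hour:02d}:{(i * 7) % 60:02d}:00+00:00"
    for hour, n in enumerate(_PROFILE)
    for i in range(n)
]


def hourly_histogram(timestamps):
    """Count events per UTC hour; index 0 covers 00:00-00:59."""
    counts = [0] * 24
    for ts in timestamps:
        dt = datetime.fromisoformat(ts)
        if dt.tzinfo is None:  # treat naive timestamps as UTC
            dt = dt.replace(tzinfo=timezone.utc)
        counts[dt.astimezone(timezone.utc).hour] += 1
    return counts


def anomalous_hours(counts, k=3.0, min_spread=1.0):
    """Return the hours whose count sits more than k robust deviations above the
    median of the day. The median absolute deviation (MAD) is the scale, so one
    spike cannot inflate the yardstick it is measured against; min_spread keeps a
    perfectly flat day from dividing by zero."""
    med = median(counts)
    mad = median(abs(c - med) for c in counts)
    spread = max(mad, min_spread)
    return [h for h, c in enumerate(counts) if (c - med) / spread > k]


def render_dial(counts, flagged, width=40):
    """Text rendering of the dial: the day half (06-17) above the night half (18-05)."""
    peak = max(counts) or 1
    night = list(range(18, 24)) + list(range(0, 6))
    lines = []
    for label, hours in (("day", range(6, 18)), ("night", night)):
        lines.append(f"--- {label} ---")
        for h in hours:
            bar = "#" * round(counts[h] / peak * width)
            mark = " <-- anomaly" if h in flagged else ""
            lines.append(f"{h:02d}h {counts[h]:3d} {bar}{mark}")
    return "\n".join(lines)


if __name__ == "__main__":
    hist = hourly_histogram(SAMPLE_EVENTS)
    print(render_dial(hist, anomalous_hours(hist)))
```

Run as a script, the dial prints both halves of the day with the 03:00 bucket marked; with the sample profile the median is 4 and the MAD is 1, so only that hour clears the threshold.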
5. Simplicity (Prägnanz)
Prägnanz is a German term that, in our context, means simplicity.
This law states that objects in the environment are seen in a way that makes them appear as simple as possible.
Our brains see a holistic picture of the entity, instead of the sum of its parts.
At Confluera we took inspiration from this simplification.
We take the dots [Events], add Proximity [Trails], then layer Continuity [Detections], and finally simplify it all into a single entity [Progression].
The user now has only one cohesive object that needs investigation.
6. Closure & Common Fate
Closure and Common Fate are used by our brains to fill in the gaps and complete the picture we are viewing.
The filling of the gaps is a method of stitching seemingly unrelated entities and watching them move through space and time with a common fate.
In security, we’re demonstrating closure when we see seemingly disjoint detections as one cohesive activity tied together by intent.
Viewing these detections as anything else would mean losing context. These activities are a single Trail that will result in a single Fate.
Confluera strives to bring this Closure and Common Fate through the real-time stitching and motion shown below.
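The Events to Trails to Detections to Progression layering from the Prägnanz section, and the stitching of disjoint detections into one trail with a common fate described here, can both be shown in one small pipeline. The following is an added example with constructed sample events, not Confluera's engine: the event fields, the three causal link rules (process parentage on a host, a connection to the process that opened it, and a connection to the logon that it produced on the destination host) and the four detection rules with their tactic-style buckets are all assumptions chosen for illustration.

```python
"""Stitch raw events into trails, layer detections on them, and roll each trail
into one progression. Added illustration with constructed data; the link and
detection rules are assumptions, not any product's logic."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    id: int
    ts: str       # ISO timestamp, UTC
    host: str
    kind: str     # "process" | "netconn" | "logon"
    pid: int
    ppid: int
    detail: str   # command line, destination host, or logon source host


# Constructed sample: a web worker spawns a shell that pulls a tool and hops to
# the database host, alongside two unrelated benign trails.
SAMPLE_EVENTS = [
    Event(1, "2024-05-01T10:00:00", "web-1", "process", 100, 1, "nginx: worker process"),
    Event(2, "2024-05-01T10:05:00", "web-1", "process", 231, 100, "/bin/sh -c whoami"),
    Event(3, "2024-05-01T10:06:00", "web-1", "process", 232, 231, "curl -o /tmp/agent 203.0.113.5"),
    Event(4, "2024-05-01T10:06:30", "web-1", "netconn", 232, 231, "db-1"),
    Event(5, "2024-05-01T10:20:00", "web-1", "process", 300, 1, "logrotate"),
    Event(6, "2024-05-01T10:07:00", "db-1", "logon", 500, 0, "web-1"),
    Event(7, "2024-05-01T10:08:00", "db-1", "process", 501, 500, "crontab -e"),
    Event(8, "2024-05-01T10:00:00", "build-1", "process", 900, 1, "make"),
    Event(9, "2024-05-01T10:01:00", "build-1", "process", 901, 900, "gcc -o app app.c"),
]


def _t(e):
    return datetime.fromisoformat(e.ts)


def causal_links(events, window=timedelta(minutes=5)):
    """Proximity: (parent_id, child_id) pairs under three assumed link rules."""
    owners = {(e.host, e.pid): e for e in events if e.kind in ("process", "logon")}
    netconns = [e for e in events if e.kind == "netconn"]
    links = []
    for e in events:
        if e.kind == "process":          # child of the process (or session) owning ppid
            p = owners.get((e.host, e.ppid))
        elif e.kind == "netconn":        # opened by the process owning pid
            p = owners.get((e.host, e.pid))
        else:                            # logon tied to the connection from its source host
            p = next((n for n in netconns if n.host == e.detail and n.detail == e.host
                      and timedelta(0) <= _t(e) - _t(n) <= window), None)
        if p is not None and p.id != e.id and _t(p) <= _t(e):
            links.append((p.id, e.id))
    return links


def build_trails(events, links):
    """Trails: connected components of the causal graph, keyed by their lowest event id."""
    parent = {e.id: e.id for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for p, c in links:
        parent[find(c)] = find(p)
    groups = defaultdict(list)
    for e in sorted(events, key=_t):
        groups[find(e.id)].append(e)
    return {min(x.id for x in evs): evs for evs in groups.values()}


def detections(events, links):
    """Continuity: (event_id, tactic, description) in time order, using context from the parent."""
    parent_of = {c: p for p, c in links}
    by_id = {e.id: e for e in events}
    found = []
    for e in sorted(events, key=_t):
        p = by_id.get(parent_of.get(e.id))
        if e.kind == "process" and e.detail.startswith("/bin/sh") and p and p.detail.startswith("nginx"):
            found.append((e.id, "Execution", "web server worker spawned a shell"))
        elif e.kind == "process" and e.detail.startswith("curl "):
            found.append((e.id, "Command and Control", "download utility launched"))
        elif e.kind == "logon" and e.detail != e.host:
            found.append((e.id, "Lateral Movement", "remote logon from another host"))
        elif e.kind == "process" and e.detail.startswith("crontab"):
            found.append((e.id, "Persistence", "cron table modified"))
    return found


def progressions(events):
    """Prägnanz: every trail carrying detections becomes one object to investigate."""
    links = causal_links(events)
    trails = build_trails(events, links)
    trail_of = {e.id: tid for tid, evs in trails.items() for e in evs}
    per_trail = defaultdict(list)
    for det in detections(events, links):
        per_trail[trail_of[det[0]]].append(det)
    return [{"trail": tid, "hosts": sorted({e.host for e in evs}), "events": len(evs),
             "detections": per_trail[tid], "tactics": [d[1] for d in per_trail[tid]]}
            for tid, evs in trails.items() if per_trail[tid]]


if __name__ == "__main__":
    for prog in progressions(SAMPLE_EVENTS):
        print(prog)
```

On the sample, nine events collapse into three trails, and only the one that crosses from web-1 to db-1 carries detections, so the analyst is handed a single progression whose tactic sequence reads Execution, Command and Control, Lateral Movement, Persistence; the logrotate and build trails never surface.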
I hope this snippet of what I learned has ignited your curiosity and given you a peek into the world of Confluerians.
As they say, when you are curious you find a lot of interesting things to do.
Stay curious...