Welcoming Weak Signals

Eun-Gyu Kim
Confluera Engineering
3 min read · Dec 4, 2020


Context Seekers

As the curious case of the Utah Monolith demonstrates, an object that is devoid of any background information can spark an instant debate among millions. What makes us obsess over such things?

Utah Monolith appeared in the desert without any explanation; source: latimes.com

To state the obvious, our brains have a natural tendency to seek the larger context surrounding an input. In the end, we look for a story or a coherent pattern that describes how something came into existence.

This is a fun reminder for all of us — that a piece of information is never complete without its context. In other words, a signal is only as valuable as its context.

Missed Opportunities

For a typical cyber security operations team, the volume of alerts/signals that SOC analysts need to process can range in the hundreds — if not thousands — on a daily basis. During the triage process, they are constantly faced with a single question.

Should I investigate deeper into this signal, or dismiss it?

Unfortunately, no matter how much scrutiny is spent on looking into a particular signal, it is really difficult to tell. This is because the individual signals themselves are very neutral (or weak) in nature. Consider the following signals:

  • A new user foo is created.
  • A script connected to an external IP address 38.124.2.1.
  • Session privilege is elevated.
  • A shell session created a file under /tmp directory.

They can turn out to be genuine building blocks of malware, but they can also be part of the daily operations carried out by an admin or a monitoring utility.

None of these signals carries much value in isolation. In the absence of tooling that contextualizes them, most of the weak signals get quickly triaged or dismissed by the analysts.

Welcoming Weak Signals

At Confluera, we welcome and transform weak signals (as well as the strong ones).

A signal that is observed in isolation may not carry much value. But we believe that the context of multiple connected signals can be harnessed to conclude something larger.

Let’s suppose there is a user session that is issuing a lot of silly commands:

  • ps
  • followed by netstat
  • followed by who, history, id, lsof, uname in succession.
  • Jump to 2 different hosts and perform the same.

Does each of the commands alone tell us anything? It is very hard to tell. However, the fact that these commands are occurring under the same interactive context does point to a potential discovery behavior (i.e. it seems that the user is collecting information about the system).
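The correlation described above, as an added example that is not Confluera's implementation or code from the original post: it groups command executions by the session they originated from and flags a context only when the discovery commands repeat across hosts. The event fields (including `parent_session`), host names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Commands the post lists as individually weak "discovery" signals.
DISCOVERY = {"ps", "netstat", "who", "history", "id", "lsof", "uname"}

# Constructed sample events: (host, session_id, parent_session, command line).
# parent_session (assumed field) links a remote login to the session that launched it.
EVENTS = [
    ("web01", "s1", None, "ps"),
    ("web01", "s1", None, "netstat -tnp"),
    ("web01", "s1", None, "who"),
    ("web01", "s1", None, "history"),
    ("db01", "s2", "s1", "id"),
    ("db01", "s2", "s1", "lsof -i"),
    ("db01", "s2", "s1", "uname -a"),
    ("db01", "s2", "s1", "ps aux"),
    ("app01", "s3", "s2", "ps"),
    ("app01", "s3", "s2", "netstat -an"),
    ("app01", "s3", "s2", "who"),
    ("app01", "s3", "s2", "id"),
    ("web01", "s9", None, "ps"),            # unrelated admin session
    ("db01", "s10", None, "netstat -an"),   # unrelated monitoring check
]

def root_context(session, parents):
    """Follow parent links back to the originating session (the shared context)."""
    seen = set()
    while parents.get(session) and session not in seen:
        seen.add(session)
        session = parents[session]
    return session

def correlate(events, min_cmds=4, min_hosts=2):
    """Flag contexts that run >= min_cmds distinct discovery commands on >= min_hosts hosts."""
    parents = {sid: parent for _, sid, parent, _ in events}
    per_host = defaultdict(lambda: defaultdict(set))  # context -> host -> commands seen
    for host, sid, _, cmdline in events:
        parts = cmdline.split()
        if parts and parts[0] in DISCOVERY:
            per_host[root_context(sid, parents)][host].add(parts[0])
    findings = {}
    for ctx, hosts in per_host.items():
        busy = sorted(h for h, cmds in hosts.items() if len(cmds) >= min_cmds)
        if len(busy) >= min_hosts:
            findings[ctx] = {"hosts": busy, "commands": sorted(set().union(*hosts.values()))}
    return findings

if __name__ == "__main__":
    print(correlate(EVENTS))
```

With the parent links removed, every session becomes its own context and nothing is flagged, which is the isolated view the post argues against.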

At Confluera, we built a real-time processor that overlays security signals on top of powerful infrastructure-wide graphs. Confluera Graph identifies which entities are partitioned under the same context, and which ones belong to different boundaries.

This is a powerful construct. Every time a signal is added to the same context, the conclusion only gets stronger. Weak signals slowly turn into a group of force multipliers.

Conclusion and Reminder

Triaging weak signals is a daily task for many cyber security professionals. It is easy to discard signals if we simply view them in isolation. Only when we start to observe them through a contextual lens do different patterns start to emerge.

The engineering team at Confluera feels passionate about realizing this mission — there are definitely more stories to tell!

In the next blog post, we will spend more time talking about the issues and challenges in constructing the graph, and how we have resolved them. Stay tuned.

Check out the previous posts on Confluera Graph series:


Eun-Gyu Kim
Confluera Engineering

Head of Engineering at Confluera. LinkedIn Alumni. Creates for loops and while loops that scale.