What is a Lacework Polygraph?

In real life, a Polygraph is used to detect if people are lying. Polygraph tests use multiple sensors attached to your body and look for changes like a racing heartbeat or elevated blood pressure to detect if someone is not being honest. Lacework uses a similar approach for DC/Cloud entities (users, workloads, and applications) and their behaviors looking for deviations from their normal behavior to detect breaches.

The Lacework approach is unique in that Polygraph first aggregates entities into analysis groups based on their behavior, creating a temporal baseline. The baseline is then updated hourly for every entity. Lacework Polygraph looks for changes in entity types or for new behavior that departs from the baseline.

What kinds of Polygraph are available?

The Lacework Polygraph solution analyzes an array of cloud factors to detect breaches. There are currently six Lacework Polygraph analysis groups:

  • Application/Process communications

  • Application launches

  • Machine communications

  • Machine Servers

  • Privilege changes

  • Insider behaviors

Each Polygraph class is responsible for monitoring a set of behaviors and/or communications activities specific to its class. The Insider class, for example, monitors the interactive behavior of human users as they move about within the cloud solution.

How is Lacework Polygraph different from the network level breach detection tools?

Data points that are critical for breach detection are not available when data is extracted only from the network. The lack of these data points can cause a lot of false alerts. Here are some of the data points that cannot be analyzed by network breach detection tools:

  • Around 25% of data traffic never leaves the VM. A breach at this level will not be visible to network-only breach detection tools.

  • In a container environment, multiple micro-services can run within a single host. It is not possible to get container properties at the network level, as that data is only visible from within the host.

  • Network DPI is not helpful for identifying applications in east-west traffic, since the majority of the applications are custom.

  • Network communication is just one indicator of compromise; there are many other critical parts of a cyber kill chain, such as privilege changes and application launches, which are not visible at the network level.

  • There is a trend to encrypt data when it leaves the host, which makes any network-level breach detection tool ineffective.

  • There are two kinds of traffic in the data center: interactive and app-to-app. Attribution of network sessions to a user or application is not possible with network-level monitoring alone.

Lacework Polygraph analyzes all of these data points for breach detection, making detection more precise and generating accurate alerts.

How is Lacework Polygraph different from Host Based Intrusion Systems?

Host-based intrusion systems detect breaches by analyzing individual servers, not by comparing against peer analysis groups. Lacework collects data from each individual server but analyzes it at the datacenter level. This makes breach detection more precise, because the comparison is made both against similar entity peers and against the entity itself over time, irrespective of the server it runs on.

How is Lacework Polygraph different from other machine learning based breach detection systems?

The current approach for the majority of new machine learning based breach detection tools is to identify a type of attack and then look for similar patterns to detect similar attacks.

The problem with this approach is that it is heuristic based, which results in a lot of false positives. It can only catch zero-day attacks that resemble well-known attack types. Lacework Polygraph instead uses deviation from a temporal baseline to detect breaches, which can detect all kinds of breaches.

How is Lacework Polygraph different from other Cloud Workload Protection Platforms?

Existing Cloud Workload Protection Platforms rely on rules engines to detect anomalies, which require constant tuning. Customers spend hours every day updating mammoth blacklists and whitelists, which are usually outdated even before they go into production. Lacework Polygraph is the first and only Zero Touch Cloud Workload Protection Platform, requiring no rules, no policies, and no logs for breach detection.

What makes Lacework Polygraph a robust breach detection system?

In a typical data breach, the behavior of the user, application, or workload deviates from its baseline, whether marginally or significantly. Lacework Polygraph detects these behavior anomalies, no matter how subtle, to detect breaches.

How does Lacework Polygraph reduce false positives and number of alerts?

Lacework Polygraph uses deviation from a temporal baseline to detect changes in behavior, resulting in meaningful alerts. The alerts are due either to a desired change, a misconfiguration, or malicious activity. Lacework Polygraph then scores the alerts based on severity and threat.

The breach detection by Lacework Polygraph is more precise and accurate due to some key technology innovations:

  • Behavior at Process/Container Level: Lacework Polygraph observes the behavior of entities at the process level, the smallest unit of an application, and so monitors behavior more precisely. A single server typically runs multiple applications and containers with different behaviors. Lacework Polygraph does not commingle these different behaviors when creating the temporal baseline, which makes anomaly detection very precise.

  • Separation of Interactive and Non-interactive Traffic: In a DC/Cloud, most activity is either started by applications (app-to-app) or initiated by humans (interactive). New cloud applications can scale up and down easily, and app-to-app behavior is very predictable and does not change as applications auto-scale. User behavior, on the other hand, can be really unpredictable. The Lacework solution takes these differences into account when it builds the temporal baseline. It creates separate polygraphs for the different entity behaviors, which ensures more precise alerts.

  • Alert at analysis group level: In new elastic data center environments, the number of workload instances and applications oscillates wildly. This creates a challenge for existing security tools, because alerting on individual workloads or applications generates multiple alerts for every behavior change. Lacework Polygraph aggregates workloads, applications and processes into analysis groups and then generates one alert per group instead of one per workload or application instance. This significantly reduces the number of alerts generated.

  • No heuristic alerts: The current approach for the majority of machine learning based breach detection tools is to identify a type of attack and then look for similar patterns to detect similar attacks. The major drawback of this approach is that it can only catch threat types that are already known.

The other approach is to look for anomalies in traffic patterns; for example, a high traffic volume might mean exfiltration. The challenge with this type of analysis is that it can be confused by normal seasonal traffic variations. Lacework Polygraph's change-based approach means that even if there are millions of processes and only one of them deviates, it will be detected.

What kinds of events does Lacework Polygraph detect?

Lacework Polygraph can detect event changes for applications, users and workloads. Here is a sample list of events detected by Lacework Polygraph:

  • New User

  • User Launched New Binary: This event is generated when an interactive user launches an application for the first time.

  • New Privilege Escalation: Escalating user privileges and running new application.

  • New Application or Container seen for the first time

  • New External Connection: A connection to an external IP/DNS name was made from a new application.

  • New External Host or IP

  • New Internal Connection: New connection between internal only applications. 

  • New External Client: A new external connection to an application that typically does not have external connections.

  • New Parent: Application launched by a different parent.

  • Connection to known bad IP: Lacework Polygraph checks with about 40 reputation feeds. If your environment makes a connection to a known bad IP or domain, an alert will be generated.

  • Login from a known bad IP: Lacework Polygraph alerts when it sees a successful connection to your network from a known bad IP.
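To make the baseline-and-deviation idea concrete, here is an added example that is not Lacework code and does not describe how Polygraph is actually implemented. It is a toy Python detector over constructed process-level events: it learns per-application behavior (parents, external destinations, interactive users) across all hosts, so an analysis group is keyed by application rather than by server; it raises at most one alert per group and event kind (covering New Parent, New External Client, New External Connection, New User and Connection to known bad IP from the list above); and it shows that rolling the baseline forward silences the change-based alerts but not the reputation match. The `Event` schema, the `INTERNAL_NETS` definition of internal traffic and the `BAD_IPS` feed are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Event:
    """One process-level observation. The schema is a constructed assumption."""
    hour: int      # observation hour; the baseline is rolled forward per window
    host: str      # workload instance that reported the event
    app: str       # executable name, used as the analysis-group key
    parent: str    # parent process that launched it
    user: str      # interactive user, or "" for app-started (non-interactive) activity
    dest_ip: str   # destination of a connection, or "" if no connection


# Assumption: internal traffic is RFC 1918 address space; everything else is external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed stand-in for a reputation feed (a documentation address, not a real IoC).
BAD_IPS = {"198.51.100.77"}


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


class Baseline:
    """Behavior learned over a window, keyed by application (analysis group), not by host."""

    def __init__(self):
        self.parents = {}            # app -> parents that launched it
        self.external_dests = {}     # app -> external IPs it has talked to
        self.interactive_users = {}  # app -> users who launched it interactively
        self.users = set()           # every interactive user seen anywhere

    def learn(self, events):
        """Absorb a window of events; called again each window to roll the baseline forward."""
        for e in events:
            self.parents.setdefault(e.app, set()).add(e.parent)
            if e.dest_ip and is_external(e.dest_ip):
                self.external_dests.setdefault(e.app, set()).add(e.dest_ip)
            if e.user:
                self.users.add(e.user)
                self.interactive_users.setdefault(e.app, set()).add(e.user)


def build_baseline(events) -> Baseline:
    b = Baseline()
    b.learn(events)
    return b


def detect(baseline: Baseline, events):
    """Compare a new window against the baseline; one alert per (group, kind)."""
    alerts, seen = [], set()

    def emit(app, kind, detail):
        if (app, kind) not in seen:          # group-level alert, not per instance
            seen.add((app, kind))
            alerts.append({"group": app, "type": kind, "detail": detail})

    for e in events:
        if e.app not in baseline.parents:
            emit(e.app, "New Application", f"{e.app} first seen on {e.host}")
        elif e.parent not in baseline.parents[e.app]:
            emit(e.app, "New Parent", f"{e.app} launched by {e.parent} on {e.host}")
        if e.user:
            if e.user not in baseline.users:
                emit(e.app, "New User", f"{e.user} on {e.host}")
            elif e.user not in baseline.interactive_users.get(e.app, set()):
                emit(e.app, "User Launched New Binary", f"{e.user} ran {e.app}")
        if e.dest_ip:
            if e.dest_ip in BAD_IPS:         # reputation match, independent of the baseline
                emit(e.app, "Connection to known bad IP", f"{e.app} -> {e.dest_ip}")
            elif is_external(e.dest_ip):
                known = baseline.external_dests.get(e.app, set())
                if e.dest_ip not in known:
                    kind = "New External Connection" if known else "New External Client"
                    emit(e.app, kind, f"{e.app} -> {e.dest_ip}")
    return alerts


# Constructed sample data: a learning window followed by a later window.
BASELINE_EVENTS = [
    Event(0, "web-1", "nginx", "systemd", "", "10.0.0.5"),
    Event(0, "web-2", "nginx", "systemd", "", "10.0.0.5"),
    Event(1, "web-1", "nginx", "systemd", "", "203.0.113.10"),
    Event(0, "db-1", "postgres", "systemd", "", ""),
    Event(2, "bastion", "bash", "sshd", "alice", ""),
]
NEW_EVENTS = [
    Event(24, "web-3", "nginx", "systemd", "", "10.0.0.5"),       # autoscaled instance: no alert
    Event(24, "web-1", "nginx", "systemd", "", "203.0.113.10"),   # known external dest: no alert
    Event(25, "web-2", "nginx", "bash", "", ""),                  # New Parent
    Event(25, "web-2", "nginx", "bash", "", ""),                  # duplicate, deduplicated
    Event(25, "db-1", "postgres", "systemd", "", "203.0.113.99"), # New External Client
    Event(26, "bastion", "bash", "sshd", "mallory", ""),          # New User
    Event(27, "web-2", "nginx", "systemd", "", "203.0.113.20"),   # New External Connection
    Event(27, "web-1", "nginx", "systemd", "", "198.51.100.77"),  # Connection to known bad IP
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for a in detect(baseline, NEW_EVENTS):
        print(f"[{a['group']}] {a['type']}: {a['detail']}")
    baseline.learn(NEW_EVENTS)  # roll the baseline forward after the window is reviewed
```

The two duplicate `nginx`/`bash` events and the new `web-3` instance are the point of the design: the detector keys everything by application, so scaling out adds no alerts and repeated deviations in one group collapse into one alert. Once the window is absorbed with `learn`, only the reputation-feed match keeps firing, since it is a fact about the destination rather than a change from the baseline.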

What if a hacker is hiding in the public cloud?

Network-level policies are very coarse-grained and typically allow access to all the public cloud services used by your environment, for example S3 at AWS. If a hacker compromises your infrastructure, they will be able to communicate with S3 and transfer data without detection. Lacework Polygraph tracks the individual applications in your environment that communicate with S3, generating an alert if a newly compromised application starts communicating with S3.

Does Lacework Polygraph use any external threat feeds?

Lacework Polygraph integrates with external threat feeds and matches incoming and outgoing connections against these reputation feeds. Any connection to a bad site, or a successful login from a bad site, generates an alert.

What applications are supported with Lacework Polygraph?

Lacework Polygraph is not a signature or rule based system and has no prior knowledge of the custom applications running in customer environments. Lacework Polygraph creates analysis groups based on behavior and then automatically labels them using machine learning. If a new application is added, Lacework Polygraph will label and classify it automatically. This ensures that Lacework Polygraph works in any application environment, and no new signatures or tuning are needed when new applications are added.