The Polygraph journey
Taking anomaly detection to the next level
19 January 2023
In 1987, one of the world’s most popular puzzle book characters made his literary debut in England.
Dressed in a red and white striped shirt and hat, the bespectacled Wally would appear, or more accurately disappear, into large crowds of people. The goal was to find the elusive Wally, who was later renamed Waldo in the United States.
Over the years, the “Where’s Waldo?” books became increasingly popular as the authors made the character more and more difficult to find by shrinking him or adding more people and complexity to the illustrations.
The books were challenging because human brains are naturally hardwired to spot patterns, not anomalies. Instead of detecting Waldo, we see a mass of indistinguishable people blur into each other.
In many ways, Waldo represents an apt metaphor for one of the most promising advances in cybersecurity today: anomaly detection.
Companies today have largely focused on protecting their systems from specific threats. But that strategy depends on companies knowing what to look for. Criminals and bad actors are consistently developing creative ways to steal or corrupt data. By the time companies learn enough about a new attack to do something about it, the damage has already been done.
What if a company could spot signs of the attack before it happens?
Polygraph can do exactly that. The technology zeroes in on suspicious behavior amid the massive amounts of activity and data swirling in the cloud and determines if such anomalies indicate a possible attack.
In other words, Polygraph can find Waldo.
Data is the key
Anomaly detection dates back to 1987 (ironically, the same year Waldo debuted). Dr. Dorothy Denning, an early pioneer in cybersecurity, developed the first intrusion detection systems for the U.S. Navy while working at the Stanford Research Institute.
In the 1990s, the Defense Advanced Research Projects Agency (DARPA) started to work on how machine learning could improve the technology. But the effort stalled. Human programmers needed to write rules to identify each normal/abnormal behavior, a long and arduous process. In addition, the technology couldn’t effectively tell you if an abnormal behavior indicated an attack, resulting in researchers chasing a lot of false positives.
But things gained steam after 2010 as increased computing power allowed companies to capture and crunch more and more data from their operations.
Algorithms behind machine learning programs are only as good as the data companies feed them. Therefore, data is the key to helping machine learning programs better detect suspicious behavior.
In other words, more data means more security.
“Quality data makes or breaks the model,” according to a study by the Center for Security and Emerging Technology at Georgetown University. “Because of the critical importance of data for training classification algorithms, the benefits of improved detection systems will be most easily leveraged by companies with the ability to collect the most cyber data.”
“This is one area where defenders have an asymmetric advantage relative to attackers: defenders can collect and store far more data about their own networks than attackers can, which makes it possible for defenders to continually improve their defenses.”
Polygraph is born
Vikram Kapoor co-founded Lacework in 2015 to focus on helping companies secure their cloud networks through machine learning, Big Data, and anomaly detection.
“Before I started Lacework, I was looking at industries where they have a lot of data and they have interesting problems to solve,” Kapoor said. “Data is the new oil. If you collect enough data, you can process it to figure out what your anomalies are. How to secure something in the cloud in an entirely different way, which was not obvious. It can be done.”
The company developed the Polygraph Data Platform, which took anomaly detection to a new level.
The technology operates on this simple premise: the more data you put into it, the better Polygraph performs. The platform continuously captures hundreds of terabytes of data on things like processes, applications, APIs, files, users, and networks.
Using sophisticated algorithms, Polygraph takes that data and creates a detailed model on how the company’s cloud systems uniquely operate. These models are created specifically for every organization’s unique environment, which makes them incredibly accurate for detecting anomalies. Once Polygraph establishes “normal,” it can spot deviations from those expected behaviors.
Here’s where Polygraph represents a significant advance in anomaly detection. The technology can sift through those deviations and calculate with varying degrees of confidence whether the unexpected behaviors represent genuine threats to the network.
Whereas past efforts at anomaly detection could only say whether something was normal/not normal, Polygraph can establish the proper context to those deviations by connecting the dots.
For example, a person logging into the cloud at 3 a.m. might not in itself suggest something is amiss. Perhaps the person was restless and decided to get some work done late at night. But if Polygraph learns that a person tries to access data not normally related to his job at 3 a.m. from London, that’s a red flag.
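As an added illustration of the contextual scoring the example above describes (a toy model written for this page, not Lacework's code, using constructed events rather than real telemetry), the Python below learns a per-user baseline and raises its confidence only when several independent deviations coincide on one event:

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample history (not real telemetry): one cloud access per record.
HISTORY = [
    {"user": "alice", "ts": "2023-01-09T09:15:00", "country": "US", "resource": "billing-db"},
    {"user": "alice", "ts": "2023-01-10T10:02:00", "country": "US", "resource": "billing-db"},
    {"user": "alice", "ts": "2023-01-11T14:40:00", "country": "US", "resource": "reports-bucket"},
    {"user": "alice", "ts": "2023-01-12T17:55:00", "country": "US", "resource": "billing-db"},
]


def build_baseline(events):
    """Learn 'normal' per user: hours of day, countries and resources seen so far."""
    base = defaultdict(lambda: {"hours": set(), "countries": set(), "resources": set()})
    for e in events:
        b = base[e["user"]]
        b["hours"].add(datetime.fromisoformat(e["ts"]).hour)
        b["countries"].add(e["country"])
        b["resources"].add(e["resource"])
    return base


def score_event(baseline, event):
    """Return (deviations, confidence) for one new event.

    A single deviation (e.g. only an odd hour) is rated 'low'; each further
    independent deviation on the same event raises the rating, so an odd hour
    plus a new country plus a resource outside the user's role becomes 'high'.
    Exact-hour matching is a simplification of a real activity model.
    """
    b = baseline.get(event["user"])
    if b is None:
        return ["no-baseline"], "unknown"
    hour = datetime.fromisoformat(event["ts"]).hour
    deviations = []
    if hour not in b["hours"]:
        deviations.append("unusual-hour")
    if event["country"] not in b["countries"]:
        deviations.append("unusual-country")
    if event["resource"] not in b["resources"]:
        deviations.append("unusual-resource")
    confidence = {0: "none", 1: "low", 2: "medium"}.get(len(deviations), "high")
    return deviations, confidence


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    late = {"user": "alice", "ts": "2023-01-13T03:05:00", "country": "US", "resource": "billing-db"}
    odd = {"user": "alice", "ts": "2023-01-13T03:05:00", "country": "GB", "resource": "hr-records"}
    print(score_event(baseline, late))  # one deviation: low confidence
    print(score_event(baseline, odd))   # three deviations: high confidence
```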
Big returns on investment
The platform also helps the company more quickly investigate potential intrusions by providing a dashboard visualization of related suspect behaviors along with information like who, what, when, where, and why. As a result of the Polygraph technology, Lacework helps companies eliminate false positives, allowing security professionals to focus only on anomalies that represent true threats.
A report by Forrester Consulting found that companies using Lacework to secure data spread across multicloud services like Amazon’s AWS, Google, and Microsoft’s Azure can generate a 342% return on investment over three years. The companies also enjoy a $1.8 million increase in total productivity and $2.31 million in total benefits.
Companies that use Lacework and the Polygraph technology are already noticing significant improvements. When the Log4j vulnerability emerged in December 2021, Nylas, a developer of API platforms, quickly turned to Polygraph to spot any anomalies in its systems.
“With the help of Lacework, we rapidly identified instances of the Log4j vulnerability and continuously monitored our environments for any exploitation activity,” said David Ting, chief information security officer for Nylas.
“In less than one hour, we were able to scan our entire cloud infrastructure, including thousands of servers, to assess our exposure to Log4j,” Ting said. “We quickly determined that our codebase and our customers were not affected and were able to maintain transparency and open communication with our customers in real-time.”
Anomaly detection has evolved over the years. But thanks to advances in machine learning and Big Data, Lacework is leading the way towards safeguarding cloud networks from threats, both known and unknown, with Polygraph.
Waldo can’t hide anymore.