Stereograms and Intrusion Detection: Finding the Hidden Entity

Our stereogram contest demonstrates how our threat detection technology works.

Do You See What We See?

You may be familiar with stereograms, hidden 3D pictures inside of a field of noise. To find the hidden image, you first focus hard on the center of the image. Then, you realize that you can’t see anything as you have focused in a bit too far. As you relax your eyes and pull back from the noise field, an image slowly appears until it becomes crystal clear.

Intrusion detection is similar to finding an image hidden within a stereogram. As threat hunters, we want to focus in and pinpoint where the threat is, but this approach frequently delivers no results. We are only seeing part of the picture; more importantly, we are letting noise get in the way of what is really happening. So how do we find what matters in a cyber attack? Unlike a stereogram, we can’t pull our faces back from the data to see it more clearly, so we have to use other methods to remove the noise.

Most commonly, threat hunters will create rules and thresholds within their SIEMs to help reduce the noise. Unfortunately, these rules and thresholds come with their own issues. A rule is static and can only look for a pattern that is known beforehand. Rules do not work for every person and every variant of the attack. The threshold is similar. It is a constant value and is often chosen not to detect all the threats, but rather to minimize false positives. When set this way, many security threats are missed since the value is too high or too low. Using the traditional methods of rules and thresholds, the hidden image remains hidden, or only parts of the image are visible. This is where security analytics provides the “pull back” that is needed to see what is really taking place. Powered by artificial intelligence, security analytics learns what is normal and then looks for things that deviate from that baseline.

Take a look at the stereogram again. The noise we see in the image is really the normal state of our security data. The hidden image is the change in signal that represents a potential threat taking place. As security analytics remove the noise and the threat becomes clear, the threat hunter is given a much better idea of where the threat is. And once we know where the threat is, it can be contained and corrected. Without security analytics, threat hunters will spend their days staring at the noise trying to find the threat.
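To make the contrast concrete, here is an added example (not Interset's code or algorithm) that runs one constant threshold and a per-account baseline over the same constructed activity counts. The account names, counts, and cutoff are assumptions, and a median/MAD score stands in for the "learn what is normal" step.

```python
from statistics import median

# Constructed sample data: files accessed per day by each account (not real logs).
HISTORY = {
    "svc-backup": [4800, 5100, 4950, 5200, 5050, 4900, 5000],
    "alice": [12, 9, 15, 11, 10, 14, 13],
    "bob": [40, 35, 42, 38, 41, 37, 39],
}
TODAY = {"svc-backup": 5150, "alice": 420, "bob": 43}

STATIC_THRESHOLD = 1000  # one constant applied to every account


def static_alerts(today, threshold=STATIC_THRESHOLD):
    """Classic SIEM-style rule: alert when a count exceeds a fixed value."""
    return sorted(user for user, count in today.items() if count > threshold)


def robust_score(history, value):
    """Deviation from the account's own median, in scaled-MAD units."""
    med = median(history)
    mad = median([abs(x - med) for x in history])
    scale = 1.4826 * mad or 1.0  # a perfectly flat history gives MAD 0
    return (value - med) / scale


def baseline_alerts(history, today, cutoff=6.0, min_days=5):
    """Alert when today's count deviates strongly from that account's baseline."""
    alerts = []
    for user, value in today.items():
        past = history.get(user, [])
        if len(past) < min_days:
            continue  # not enough history to call anything "normal" yet
        if abs(robust_score(past, value)) > cutoff:
            alerts.append(user)
    return sorted(alerts)


if __name__ == "__main__":
    print("static threshold:", static_alerts(TODAY))
    print("per-account baseline:", baseline_alerts(HISTORY, TODAY))
```

The constant threshold fires on the backup service account doing its usual volume and stays silent on alice, whose count is far below 1000 but many times her own normal; the baseline reverses both outcomes.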

Ready to see how this works? Take a look at this Interset stereogram and tell us what you see. You can share your answer with us via LinkedIn, Twitter, Facebook, or our submission form before 12 p.m. PST on Friday, February 16. Correct entries will be entered into a draw to win a $100 Amazon e-gift card. The winner’s first name and last initial will be announced on Interset’s social pages on Wednesday, February 21.

Paul Reid is a technology strategist at Interset.