How Chicken Eyes Taught Us to Detect Cloud Security Breaches

A fascinating scientific discovery

There was a fascinating discovery last month on a new state of matter never before seen in biology in, of all places, the eyes of chicken – a state of “disordered hyperuniformity”. This arrangement of particles in the chicken’s eyes appears disorganized over small distances but has a hidden order that allows material to behave like both a crystal and a liquid. Eyes of other animals have cones arranged in a discernable pattern; insects for example, have cones in a hexagonal scheme.

The fundamental characteristic of this state of matter is that they exhibit order over long distances but disorder over short distances.

This is what disordered hyperuniformity looks like

Take a look at the diagram below. This diagram depicts the spatial distribution of the five types of light-sensitive cells known as cones in the chicken retina (Image courtesy of Joseph Corbo and Timothy Lau, Washington University in St. Louis). Each type of cone is has an “exclusion region” that excludes other similar cones, and due to different sizes of cones these exclusion regions seem random but, in reality, cones have a hyper-uniform structure. For example, cones of a particular type arrange in a triangular formation with each other due to their exclusion regions.

Pic 1

Reading this, inspired me to draw a parallel to the analytics work we do at Skyhigh Networks in the field of Cloud Security where we analyze enterprise access events to discern patterns that indicate insider threats and security breaches by determining what normal access patterns look like and weeding those out. Finally….I think we have a single term to describe what we are looking for in terabytes of daily cloud access data we analyze – we are looking for deviations from “disordered hyperuniformity”.

Dare I say, security is in the [chicken] eyes of the beholder!

There is no dearth of headlines on enterprise data breaches, usually via advanced persistent threats that exfiltrate data over extended periods of time – including at technology companies like Adobe, and more recently at many retailers including Target and Neiman Marcus. In all these cases signals of anomalous activity existed but was lost in a sea of otherwise harmless access log data. Security analysts in enterprises are faced with a problem that big data has compounded even further – that of a deluge of data. The signals of nefarious activities are invariably lost in the tera- and peta- bytes of daily logs that are routinely collected.

Check out disordered hyperuniformaity applied to cloud analytics

Security analysts tasked with weeding out good actors (the majority of who fall into this pattern of disordered hyperuniformity) from the bad actors look for anomalies using behavioral and statistical anomaly detection techniques. For example, the below snapshots of a few minutes of access patterns (each dot representing a user access to a high/medium/low risk service) from a large enterprise repeats itself over very large time scales.. Techniques including both behavioral and statistical approaches are used to analyze this time series data for strong correlations indicating expected behavioral patterns.

Pic 2These techniques are meant to efficiently bubble-up actors whose traffic patterns deviate from the norm. Codifying what is the “norm” is challenging due to variations in real time access patterns that invariably appear disordered. Hence, a macro-view that, for example, looks at logical Service chaining, category & risk of Services, user groups, etc. lends itself to more natural clustering of access patterns that make it easier to discern behavioral outliers. Using these techniques we at Skyhigh have found data exfiltration attempts using twitter, scans of cloud storage services for use as drop zones, command & control interactions from popular Infrastructure-as-a-Service providers, watering hole attacks from tracking services, and backdoor attacks from code hosting Services, to name a few.

Want to see the usage anomalies in your data?

At Skyhigh we have analyzed access patterns of almost 10 millions employees over extended periods of time to create baseline disordered hyperuniformity usage models and are constantly pushing the boundaries of new techniques (even if it means looking at it through chicken eyes) to help enterprises manage their threats and risks, both from outside and inside. To see the anomalies in your own enterprise’s cloud usage, sign up for Skyhigh’s free Cloud Audit.

Next In Trending

Gartner’s Latest CASB Report: How to Evaluate Vendors

As sensitive data moves to the cloud, enterprises need new ways to meet their security, compliance, and governance requirements. According to Gartner Research, “through 2020, ...

By Cameron Coles | December 1, 2015