Big data, graph, and the cloud: 3 keys to stopping today’s threats
December 12, 2018
Scott Taschler, CrowdStrike’s Director of Product Marketing, outlines the role Graph technology plays in the modern enterprise security arsenal
Graph databases are having a bit of a moment in cybersecurity. With recent releases from industry juggernauts such as Microsoft and Google/VirusTotal, it seems “graph” could be poised to take centre stage as a security industry buzzword and the next must-have cybersecurity technology.
YOU MAY ALSO LIKE:
However, using a hot technology doesn’t deliver value by itself; it’s what you do with it that matters, as experienced technology managers learn.
More than five years ago, our Threat Graph became the industry’s first purpose-built graph database for cybersecurity, leveraging the power of the cloud to deliver on the promise of graph technology. Let’s explore how graph technology is being applied to cybersecurity problems and how our learnings can be applied to stop breaches for more enterprises.
Graph technology represents a shift in how data is stored and retrieved from databases. A graph database captures individual records (or “nodes,” in graph terminology) that have freeform properties —as well as potentially complex relationships between them — and connects them via “vertices.” Graph databases excel at executing queries that require understanding patterns and connections between different types of data.
As an example, imagine a restaurant recommendation engine built on a graph database. It might have nodes that describe you, your friends, your favourite restaurants and each of your hometowns.
If you’re travelling to the north and want to know your friends’ most highly recommended fish and chips in Whitby, a query via a properly constructed graph database uncovers the answer effortlessly. Graph database technology is at the core of Facebook’s Social Graph, Google’s Knowledge Graph, Twitter and many other “big data” platforms.
Graph is a natural technology for security. Attackers are adept at hiding their activity in the noise and using native tools that are difficult to separate from normal user activity. Stopping today’s threats requires continuous visibility into what is happening, and enough context to understand why.
To use an example from the real world, if you witnessed someone stealing a purse from someone on the street, you might quickly call the police to report a crime in progress. However, if you also saw movie cameras and a crew capturing the scene, you’d likely come to the conclusion that you were watching the production of a summer blockbuster. Connecting the dots with context enables better decisions for all concerned.
Today’s best techniques for detecting modern threats depend on collecting massive amounts of telemetry from endpoints, enriching it with context, and mining this data for signs of attack with a variety of analytic techniques.
These analytics may come in the form of machine learning models, trained from massive historical datasets and relationships. Analytics may also reflect specific chains of behaviour learned via real-world adversary encounters. Graph databases make it possible to apply many different types of analysis simultaneously, in real time, and at a very large scale.
Graph databases also make human analysts much more efficient when performing security investigations and proactive threat hunting. Investigations typically start with an alert of some kind and a pile of questions: Who did this? What led up to it? What happened after?
Have similar things been observed anywhere else? Finding answers to questions like these in a relational database requires sophisticated indexing and resource-intensive table searches.
In a graph database, the answers to these and hundreds of other questions are built directly into the structure of the database itself. Graph databases help security analysts get instant answers to questions that might take hours or even days with solutions that rely on traditional relational database structures.
Of course all of this is possible only if you have sufficient quantity and quality of data in your graph, along with the right tools to extract the insights you need from that massive pile of raw data points. Historically, this has been prohibitively expensive, requiring vast computing resources and a skilled staff, which made graph technology promising but impractical.
Moving security to the cloud changes that dynamic as now, creating more storage on demand is a much simpler process than before, thus making graph technology much more accessible to the mass market.
It is incredibly important that your Threat Graph solution collects the right kind of data, for instance, capturing a broad range of data from different endpoints such as Windows, Linux and macOS. This continuous comprehensive data collection means that you will have total visibility and the context needed to identify sophisticated threats, while avoiding the critical flaw found in solutions that only record data if it appears related to an attack.
Finally, Threat Graph technology provides analysts and integrators with real-time, forensic-level visibility into all endpoint activity, no matter how large the organisation or how complex the query. This empowers incident responders and threat hunters to understand threats and take quick, decisive actions.
Rich, open APIs ensure that organisations have a clear path to cyber maturity, by integrating Threat Graph data and workflows across the entire security operations centre.
Graph technology has a clear role in the modern enterprise security arsenal. It processes mountains of data and quickly distils actionable insights, and it will likely to drive the way we identify and respond to threats for the foreseeable future. We all want to make faster, smarter decisions, and a Threat Graph provider a massive boost for enterprise security to make these decisions.