Graph databases are having a bit of a moment in cybersecurity. With recent releases from industry juggernauts such as Microsoft and Google/VirusTotal, it seems “graph” could be poised to take center stage as a security industry buzzword and the next must-have cybersecurity technology. However, using a hot technology doesn’t deliver value by itself; it’s what you do with it that matters.

More than five years ago, CrowdStrike® Threat Graph™ became the industry’s first purpose-built graph database for cybersecurity, leveraging the power of the cloud to deliver on the promise of graph technology. Today, Threat Graph remains the largest and most sophisticated solution of its kind. This blog explores how graph technology is being applied to cybersecurity problems and how CrowdStrike has taken advantage of it to help our customers stop breaches.

Graph technology represents a shift in how data is stored and retrieved from databases. A graph database captures individual records (or “nodes,” in graph terminology) that have freeform properties, as well as potentially complex relationships between them, and connects them via “vertices.” Graph databases excel at executing queries that require understanding patterns and connections between different types of data.

As an example, imagine a restaurant recommendation engine built on a graph database. It might have nodes that describe you, your friends, your favorite restaurants and each of your hometowns. If you’re travelling to Texas and want to know your friends’ most highly recommended barbecue restaurant in Austin, a query via a properly constructed graph database uncovers the answer effortlessly. Graph database technology is at the core of Facebook’s Social Graph, Google’s Knowledge Graph, Twitter and many other “big data” platforms.

Graph is a natural technology for security. Attackers are adept at hiding their activity in the noise and using native tools that are difficult to separate from normal user activity. Stopping today’s threats requires continuous visibility into what is happening, and enough context to understand why. To use an example from the real world, if you witnessed someone stealing a purse from someone on the street, you might quickly call the police to report a crime in progress. However, if you also saw movie cameras and a crew capturing the scene, you’d likely come to the conclusion that you were watching the production of a summer blockbuster. Connecting the dots with context enables good decisions.

Today’s best techniques for detecting modern threats depend on collecting massive amounts of telemetry from endpoints, enriching it with context, and mining this data for signs of attack with a variety of analytic techniques. These analytics may come in the form of machine learning models, trained from massive historical data sets and relationships. Analytics may also reflect specific chains of behavior learned via real-world adversary encounters.

Graph databases make it possible to apply many different types of analysis simultaneously, in real time, and at very large scale. Graph databases also make human analysts much more efficient when performing security investigations and proactive threat hunting. Investigations typically start with an alert of some kind and a pile of questions: Who did this? What led up to it? What happened after? Have similar things been observed anywhere else? Finding answers to questions like these in a relational database requires sophisticated indexing and resource-intensive table searches. In a graph database, the answers to these and hundreds of other questions are built directly into the structure of the database itself. Graph databases help security analysts get instant answers to questions that might take hours or even days with solutions that rely on traditional relational database structures.
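To make the four investigation questions concrete, here is an added example (not code from the original post, and not CrowdStrike’s Threat Graph) of a tiny in-memory endpoint event graph: nodes are processes, users, files and remote addresses, and each typed edge is a relationship. The sample edges, host names, user names and the IP address are all constructed for the illustration; each question becomes a walk along one edge type rather than a join across tables.

```python
from collections import defaultdict, deque

# Constructed sample telemetry (hypothetical, two hosts). Node names carry the host
# as a prefix for readability; each edge is (source, relation, target).
EDGES = [
    ("h1:outlook.exe", "SPAWNED", "h1:winword.exe"),
    ("h1:winword.exe", "SPAWNED", "h1:powershell.exe"),
    ("h1:powershell.exe", "SPAWNED", "h1:cmd.exe"),
    ("h1:powershell.exe", "RUNS_AS", "user:alice"),
    ("h1:winword.exe", "OPENED", "file:invoice.docm"),
    ("h1:powershell.exe", "CONNECTED", "ip:203.0.113.7"),
    ("h2:winword.exe", "OPENED", "file:invoice.docm"),
    ("h2:winword.exe", "SPAWNED", "h2:powershell.exe"),
    ("h2:powershell.exe", "RUNS_AS", "user:bob"),
]

class EventGraph:
    def __init__(self, edges):
        self.out = defaultdict(list)  # node -> [(relation, target)]
        self.inc = defaultdict(list)  # node -> [(relation, source)]
        for src, rel, dst in edges:
            self.out[src].append((rel, dst))
            self.inc[dst].append((rel, src))

    def _walk(self, start, relation, adjacency):
        """Breadth-first walk following one relation type; nodes in visit order."""
        seen, order, queue = {start}, [], deque([start])
        while queue:
            for rel, nxt in adjacency[queue.popleft()]:
                if rel == relation and nxt not in seen:
                    seen.add(nxt); order.append(nxt); queue.append(nxt)
        return order

    def who(self, proc):             # Who did this?
        return [u for rel, u in self.out[proc] if rel == "RUNS_AS"]

    def led_up_to(self, proc):       # What led up to it? Parent chain, nearest first.
        return self._walk(proc, "SPAWNED", self.inc)

    def happened_after(self, proc):  # What happened after? Descendants and their actions.
        children = self._walk(proc, "SPAWNED", self.out)
        activity = [(rel, dst) for p in [proc] + children
                    for rel, dst in self.out[p] if rel not in ("SPAWNED", "RUNS_AS")]
        return children, activity

    def seen_elsewhere(self, proc):  # Seen anywhere else? Same document opened on another host.
        host = proc.split(":")[0]
        docs = {d for p in [proc] + self.led_up_to(proc)
                for rel, d in self.out[p] if rel == "OPENED"}
        return sorted(p for d in docs for rel, p in self.inc[d]
                      if rel == "OPENED" and not p.startswith(host + ":"))
```

Starting from an alert on `h1:powershell.exe`, the graph yields the user, the Outlook-to-Word-to-PowerShell chain, the outbound connection, and the second host where the same document was opened, without any indexing beyond the edges themselves.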
An edited version of this blog was published as an article in Teiss on December 12, 2018.