Strengthen Cyber Defense With Intelligent Graph Analytics

Using graph analytics to represent entity relationships helps merge disparate cybersecurity datasets into a common conceptual space. That space is designed to give additional insight into the dependencies and relations between objects of different types, while preserving knowledge about their original properties.

This methodology makes it much easier to investigate, detect and discover both obvious and hidden relationships, associations and anomalies in an otherwise seemingly disparate collection of data sets. It also adds directionality and a degree of importance to the relationships between assets, users, devices and threats. These can be leveraged for more powerful investigation and analytics that surface hidden or anomalous patterns and behaviors, which are often indicative of cyber-attacks and threats. Using Threat Graph, network security administrators can investigate alerts faster and more efficiently than with the traditional, tabular log analyses found in legacy Threat Intelligence Platforms and SIEMs.

Graph Analytics enable us to:

  • understand the relationships between network entities like users, hosts, and domains
  • understand the activities performed by entities based on those relationships

Graph-based User and Entity Behavior Analytics that leverage machine learning and graph algorithms

Graph-based User and Entity Behavior Analytics (UEBA) is the use of advanced machine learning and graph analytics to baseline the event progression and activity of network entities, where the entities may be users, devices, servers, applications, threats etc. It unveils deviations from the learned behavior in order to identify anomalies against those baselines. These anomalies are not in themselves always indicative of a security incident or breach. However, if they show a significant deviation from the entity's normal behavioral pattern, they warrant further investigation using forensic and graph analytics tools. UEBA is designed to complement rule- or signature-based approaches (such as NG-FW/IPS, SIEMs and traditional Threat Intelligence Platforms), as it is able to identify hidden patterns, relationships and anomalies that the former miss or cannot detect because of their novelty or nondeterministic character. Graph-based UEBA is most effective when used in conjunction with streaming data from network logs such as IPFIX or Syslog, as it constantly creates new graphs of activities and relationships and new baselines of the network traffic of all users. That way, it can detect any deviation in a user's behavior while also adapting to legitimate changes in it.

cognitix Threat Graph collects IPFIX logs from Threat Defender as well as external cyber-threat feeds and other contextual data. It uses machine learning and graph analytics algorithms to display graphs of hidden structures and relationships in the network.

Threat Graph enables an administrator to discover hidden patterns, behavior, relationships and anomalies using an interactive graph visualization front-end.

Threat Graph detects hidden relationships and behavior patterns using machine learning.

See What Others Don't See

Graph visualization provides deep insight into a network's activities and behavior. The powerful graph visualization not only makes it possible to understand the structure of the network, but also lets administrators navigate through the data and gain all relevant insight into historical or ongoing activities and relationships. It helps network security administrators enhance their awareness and understanding of network activities, relationships, hidden patterns and behaviors.

Successful detection of IoC hits protects the network, and at the same time raises many questions about the nature of the threat, its causes and its relationships to other network entities. With an ever increasing number of threats aimed at compromising the network, the number of IoC hits in the network will increase dramatically. However, not every IoC detection carries the same degree of severity; for example, ransomware is usually more dangerous than spam.
It is up to the network security administrator to investigate IoC detections and their potential risks to the network. Conducting such an investigation is resource- and time-consuming. Using cognitix' Threat Graph, a machine-learning-based Intelligent Threat Contextualizer and Graph Analytics tool, the network administrator can assess the relevance of an IoC detection more easily and more accurately.
Threat Graph has access to historical, enriched and normalized data which can subsequently be graph-mined, graph-analyzed and graph-visualized.

A network security administrator will be able to understand the type of threat reported by the IoC detection and how this threat has evolved over time. The IoC Graph therefore follows a time-driven approach to visualizing and contextualizing threat detections, which greatly improves the chances of detecting hidden patterns and behaviors of threats over time.

Sometimes less is more

The core idea of Threat Graph's temporal graph analytics is to empower the network security administrator, starting from the detected IoC, to move forward or backward in time and inspect views of the network that are related to the incident.
To do so, Threat Graph uses machine-learning-based methods to unveil these hidden relations and to reduce the visual complexity of these views, which at the same time raises situational awareness.
This helps the network security administrator assess the risk of the IoC event, since he or she gains insight into the past and future behavior of the network related to the observed IoC. Furthermore, all relevant network relationships and connections are available at a glance, while irrelevant noise is omitted.
Concretely, Threat Graph shows data that might have contributed to the incident by going back in time (pre-incident graphs), and the consequences of the incident for the network by stepping forward (post-incident graphs).

The following gives an overview of the time-driven approach:

This picture illustrates how a network security administrator can go forward in time to assess the spread potential of the threat reported through the IoC event, along with possible changes in the behavior of user SS, who caused the IoC event. For example, after user SS starts communicating with the Redmine server, user N starts to communicate with Redmine, which in turn communicates with Git. Likewise, it is possible to go back in time to observe the behavior of user SS before the IoC event, which may give some insight into what originated the IoC event in the first place.
Note that each view is only a snapshot of the network within a time window of a given length. For additional value, scores describing the importance of the network assets influence how prominently they appear in the graph.

Specific use cases for Threat Graph's temporal analytics

  1. Identify behavioral changes after an IoC threat detection. The network security administrator can easily identify a device that has changed its behavior after the IoC event – for example, communicating with servers it has not accessed before.
  2. Find the potential origin of the IoC threat detection. The network administrator can identify the events that could have produced the IoC hit. This is intended mostly for cases in which the IoC results in Threat Defender blocking the IP's traffic.
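As an added illustration (not cognitix code) of the pre-/post-incident views and the two use cases above, the Python below builds time-sliced graphs from a few constructed IPFIX-style flow records and pivots on the IoC event; host names, timestamps and the window length are made up.

```python
# Added example, not part of Threat Graph: a minimal temporal graph that steps
# backward (pre-incident) and forward (post-incident) from an IoC event.
from collections import defaultdict

# Constructed flow records: (timestamp, source, destination). Names are invented.
FLOWS = [
    (100, "SS", "Fileserver"), (110, "N", "Fileserver"), (120, "SS", "Mail"),
    (200, "SS", "listed.example"),            # the IoC hit: SS contacts a listed host
    (210, "SS", "Redmine"), (220, "N", "Redmine"), (230, "Redmine", "Git"),
    (240, "N", "Fileserver"),
]
IOC_EVENT = (200, "SS", "listed.example")

def window_graph(flows, start, end):
    """Directed adjacency sets for flows with start <= ts < end (one time slice)."""
    g = defaultdict(set)
    for ts, src, dst in flows:
        if start <= ts < end:
            g[src].add(dst)
    return g

def pre_post_graphs(flows, ioc_ts, window):
    """Pre-incident graph ends at the IoC; post-incident graph starts just after it."""
    return (window_graph(flows, ioc_ts - window, ioc_ts),
            window_graph(flows, ioc_ts + 1, ioc_ts + 1 + window))

def new_peers(pre, post):
    """Use case 1: destinations a host contacts after the IoC but never before."""
    changed = {}
    for host, peers in post.items():
        added = peers - pre.get(host, set())
        if added:
            changed[host] = sorted(added)
    return changed

def spread_path(post, origin, max_hops=3):
    """Forward step: hosts reachable from the IoC origin, with hop count."""
    seen, frontier = {origin: 0}, [origin]
    for hop in range(1, max_hops + 1):
        frontier = [p for h in frontier for p in post.get(h, ()) if p not in seen]
        for p in frontier:
            seen[p] = hop
    return seen

def asset_importance(g):
    """In-degree per asset (distinct sources contacting it), a simple score
    of the kind that drives how prominently an asset is drawn."""
    score = defaultdict(int)
    for peers in g.values():
        for peer in peers:
            score[peer] += 1
    return dict(score)

if __name__ == "__main__":
    pre, post = pre_post_graphs(FLOWS, IOC_EVENT[0], window=100)
    print("pre-incident peers of SS (use case 2):", sorted(pre["SS"]))
    print("new peers after the IoC (use case 1):", new_peers(pre, post))
    print("spread from SS:", spread_path(post, "SS"), asset_importance(post))
```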