Note: This blog post is an extract from the Graphs for Cybersecurity white paper by Dave Voutila, Gal Bello, Tara Jana, and Deb Cameron.
Cyberattacks had been on the rise for years, with nation state threat actors and foreign hacking collectives joining in, devoting more time and resources to attacks. To effectively mitigate cybersecurity risks, we need advanced data solutions that empower us to correlate and analyze connections at a real-world scale.
In the earlier parts of the series, we discussed how attackers and defenders think in graphs and provided an overview of cyberthreats.
This week, we’ll go over cybersecurity policies and strategies to consider, with some simple graph queries to show you how you might implement them.
Effective Security Posture
Security posture refers to your awareness of your assets, your processes to monitor and maintain their security, and your ability to detect, handle, and recover from any attacks.
The process of monitoring your assets should operate continuously and, where possible, automatically. Creating a graph of your infrastructure and setting up automated alerts is a solid approach. Automated reports can be run regularly to flag, for example:
- Any new security perimeter nodes (connected to the public internet)
- Any nodes connected directly to the perimeter without any security infrastructure in between
- New attack paths to the most important resources (crown jewels)
- Nodes in the infrastructure that may be impacted by newly discovered security vulnerabilities, prioritized by their centrality in the network
This part of the paper includes some sample queries in Cypher Query Language that show how easy it is to analyze your security posture. In addition to serving as practical examples, these queries may inspire you to create a knowledge graph of your IT infrastructure, as described in Part 3.
A cybersecurity audit is a broad review of the organization, its IT infrastructure, and its processes to identify the threats, vulnerabilities, and risks it is subject to. An independent third party typically performs the review.
Generally, an audit should start with a review of the organization’s policies around mitigating cyber risk, data storage and management, and incident handling and response. Next, the audit should consider staff training and awareness of policies, technical controls that monitor for breaches, and the organization’s physical security practices.
An effective cybersecurity audit requires identification of the organization’s crown jewels, possible attack vectors, and appropriate security posture and processes. Even if audits are done well, if they are infrequent, vulnerabilities may be exploited.
With your security infrastructure in a graph, you can verify that you have addressed issues raised in an audit and automatically monitor and alert to protect your systems between audits.
Defense in Depth
Defense in depth means not relying on a thin security perimeter such as a VPN to maintain security but instead having multiple layers of security.
Visualizing infrastructure as a graph is a natural way to discover the weakest points in your perimeter so that you can better protect them.
A zero-trust approach takes this to another level by abandoning the concept of trusting resources inside the corporate network and mistrusting those outside it. Instead, treat all systems as inherently untrusted, requiring them to authenticate. A graph of your infrastructure can enable you to check that all the systems in your architecture follow the zero trust principle. For example, suppose there is a connection between two resources without a node representing a security check between them (such as a key-pair). A query that finds this pattern shows you which elements in your network need additional security to follow the principle of zero trust.
Budget and Investment in Cybersecurity
Many security teams struggle to get the funding they need to secure their systems properly. If the likelihood and the potential cost of a breach are well understood, you can present proposals with a projected return on investment. Security staff need the tools and training to do their job effectively. Having a graph of your infrastructure gives you visibility to find vulnerable systems, enabling you to estimate what it will take to remediate the risks, as well as the potential cost and impact if those resources are compromised.
IBM reported in 2014 that 95% of cybersecurity breaches are a result of human error. Training employees is, therefore, a critical part of reducing the risks and costs associated with those errors.
A large share of this 95% is social engineering attacks where people are tricked into exposing data or giving access to unauthorized people. While technical measures can help in some instances, training is the only way to reduce the risk of these types of attacks. Employees need to understand the risks of providing information over the phone, being tailgated as they walk through doors, using public wifi with company devices, and being overheard in public spaces.
Cybersecurity staff need to be trained to analyze events that security systems flag. In addition, the constant change in the cybersecurity world means that these staff will likely need ongoing training and time dedicated to keeping their knowledge up to date.
Policies and Procedures
Having written policies and procedures is essential. Here we highlight a few policy areas, including query samples where applicable.
Companies should implement the principle of least privilege, which means giving employees only the permissions they need to do their jobs and no more. If an account is compromised or a user leaks data, enforcing this principle minimizes the scale of the loss.
A common way to manage the principle of least privilege is to create groups with permissions and assign users to those groups. The difficulty with such a policy is ensuring it is applied consistently, as users join, change roles, or leave the organization.
Creating a graph of your users along with their security group memberships enables you to run queries to flag users who are not assigned to a security group.
In the Cypher query language, this statement finds users who are not in a security group:
MATCH (user:User) WHERE NOT (user)-[:IN_GROUP]->(group:SecurityGroup) RETURN user
Keeping systems patched is a constant challenge. Companies should set up automatic updates for systems and users’ devices to minimize the risk of compromise from unpatched vulnerabilities. In addition, devices’ storage can be encrypted so that if a device is stolen, attackers are less able to access the data on it.
Software Installation Policy
A software installation policy can minimize the chance of users installing software with vulnerabilities, backdoors, or viruses.
If you create a graph of that specifies software that is allowed by policy, you can use a Cypher query to find software that is not in compliance with your policy:
MATCH (sw:InstalledSoftware) WHERE NOT (sw)<-[:ALLOWED_BY_POLICY] -(p:Policy) RETURN sw
A password strength policy can be enforced to ensure that passwords are reasonable in length or complexity, that they are not reused, and so on.
Users should use multi-factor authentication (MFA). MFA typically requires entering a code sent to one of the user’s devices as an additional step to verify their identity.
The following query finds users who do not have MFA enabled:
MATCH (u:User) WHERE NOT (u)<-[:HAS_POLICY_ENABLED]-(policy:MfaPolicy) RETURN u
Automated processes should back up all data regularly or store it in the cloud by default to reduce the risk of data loss if data is accidentally deleted. This query finds data stores that do not have a backup:
MATCH (d:DataStore) WHERE NOT (d)-[:HAS]->(b:Backup) RETURN d
Vendor Security Evaluations
Policies must also apply to vendors. Suppose a third party suffers a data breach involving your data. From your customers’ perspective, that may be indistinguishable from your own company suffering a breach, and you may be liable for losses and fines. In a Ponemon report from 2021 on third-party security, 63% of respondents said that they rely entirely on the reputation of third parties when choosing a supplier and don’t perform their own evaluations of suppliers’ security practices. You need a vendor management policy that includes initial and periodic security evaluations.