Graph Technology Powers Cybersecurity Situational Awareness That’s More Scalable, Flexible & Comprehensive
Network environments constantly change, impacting the security posture of U.S. government agencies. Intrusion alerts, anti-virus warnings and even outwardly benign events like logins, service connections and file share access are all potentially associated with adversary activity.
Cybersecurity researchers at MITRE needed to go beyond rudimentary assessments of security posture and attack response. Doing so required merging isolated data into higher-level knowledge of network-wide attack vulnerabilities and mission readiness.
This involved not only looking at incidents themselves, but also at the relationships between them.
“The problem is not lack of information, but rather the ability to assemble disparate pieces of information into an overall analytic picture for situational awareness, optimal courses of action and maintaining mission readiness,” said Steven Noel, Principal Cybersecurity Engineer at MITRE.
Noel and his team also struggled with fully comprehending a given security environment and mapping all known vulnerabilities. Specifically, these goals demanded a flexible architecture that accommodated advanced analytics, ad hoc queries and graph visualization, all of which they then lacked.
To overcome these challenges, the MITRE team started by constructing a preliminary graph model tool called Cauldron. However, Cauldron wasn’t built on a database. So, as connected data queries became increasingly extensive, Cauldron wasn’t performant, and the MITRE team didn’t have time to code every possible query.
When Noel and his team discovered the Neo4j graph database, they used their lessons learned from Cauldron to develop CyGraph, a tool that transforms cybersecurity information into knowledge.
CyGraph – which is based on the property graph model implemented in Neo4j – brings together isolated data and events into an ongoing big picture for decision support and situational awareness. “In the CyGraph architecture, the model schema is free to evolve with the available data sources and desired analytics, rather than being fixed at design time,” Noel said.
In this way, the dynamically evolving CyGraph provides context for reacting appropriately to attacks and protecting mission-critical network assets. It also incorporates mission dependencies, showing how objectives, tasks and information all depend on other cyber assets.
Particularly, its knowledge base provides a rich framework for exploring the full stack of entities and relationships relevant to an agency’s mission readiness.
With graph technology, CyGraph is able to prioritize exposed vulnerabilities in mission-critical assets. In the face of attacks, it correlates intrusion alerts to known vulnerability paths and suggests courses of action. For post-attack forensics, it shows vulnerable paths that warrant deeper inspection.