Graph Technology Powers Cybersecurity Situational Awareness That’s More Scalable, Flexible & Comprehensive

Challenge

Network environments constantly change, impacting the security posture of U.S. government
agencies. Intrusion alerts, anti-virus warnings and even outwardly benign events like logins,
service connections and file share access are all potentially associated with adversary activity.

Cybersecurity researchers at MITRE needed to go beyond rudimentary assessments of security
posture and attack response. Doing so required merging isolated data into higher-level
knowledge of network-wide attack vulnerabilities and mission readiness.

This involved not only looking at incidents themselves, but also at the relationships between
them.

“The problem is not lack of information, but rather the ability to assemble disparate pieces of
information into an overall analytic picture for situational awareness, optimal courses of action
and maintaining mission readiness,” said Steven Noel, Principal Cybersecurity Engineer at MITRE.

Noel and his team also struggled with fully comprehending a given security environment and
mapping all known vulnerabilities. Specifically, these goals demanded a flexible architecture that
accommodated advanced analytics, ad hoc queries and graph visualization, all of which they
then lacked.

To overcome these challenges, the MITRE team started by constructing a preliminary graph
model tool called Cauldron. However, Cauldron was not built on a database. As the connected-data
queries grew more extensive, Cauldron's performance fell short, and the MITRE team did not have
time to hand-code every possible query.

Solution

When Noel and his team discovered the Neo4j graph database, they used their lessons learned
from Cauldron to develop CyGraph, a tool that transforms cybersecurity information into
knowledge.

CyGraph – which is based on the property graph model implemented in Neo4j – brings together
isolated data and events into an ongoing big picture for decision support and situational
awareness. “In the CyGraph architecture, the model schema is free to evolve with the available
data sources and desired analytics, rather than being fixed at design time,” Noel said.

In this way, the dynamically evolving CyGraph provides context for reacting appropriately
to attacks and protecting mission-critical network assets. It also incorporates mission
dependencies, showing how objectives, tasks and information all depend on other cyber assets.

In particular, its knowledge base provides a rich framework for exploring the full stack of entities
and relationships relevant to an agency's mission readiness.

With graph technology, CyGraph is able to prioritize exposed vulnerabilities in mission-critical
assets. In the face of attacks, it correlates intrusion alerts to known vulnerability paths and
suggests courses of action. For post-attack forensics, it shows vulnerable paths that warrant
deeper inspection.
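As an added illustration, not CyGraph's own schema or queries (the page does not show them), the following Cypher sketches how a Neo4j property graph can carry the relationships the case study describes: hosts, their vulnerabilities, reachability between hosts, mission dependencies, and an intrusion alert. All node labels, relationship types and sample values are assumptions constructed for this example; run the three statements separately in Neo4j Browser or cypher-shell.

```cypher
// Constructed sample data (assumed labels, not CyGraph's real schema):
// two hosts, one vulnerability each, a mission objective that depends on
// the database host via a task, and an IDS alert observed on the web host.
CREATE (web:Host {name: 'web01'}),
       (db:Host  {name: 'db01'}),
       (v1:Vulnerability {id: 'VULN-A', severity: 7.5}),
       (v2:Vulnerability {id: 'VULN-B', severity: 9.8}),
       (task:MissionTask {name: 'report-generation'}),
       (obj:MissionObjective {name: 'daily-readiness-report'}),
       (alert:Alert {id: 'IDS-1001', signature: 'exploit attempt'}),
       (web)-[:HAS_VULNERABILITY]->(v1),
       (db)-[:HAS_VULNERABILITY]->(v2),
       (web)-[:CAN_REACH {port: 5432}]->(db),
       (obj)-[:DEPENDS_ON]->(task),
       (task)-[:DEPENDS_ON]->(db),
       (alert)-[:TARGETS]->(web);

// Query 1: exposed vulnerabilities on mission-critical hosts, ranked by
// severity. A host is mission-critical when some objective depends on it
// through one or more DEPENDS_ON hops (objective -> task -> host).
MATCH (o:MissionObjective)-[:DEPENDS_ON*1..]->(h:Host)-[:HAS_VULNERABILITY]->(v:Vulnerability)
RETURN o.name AS objective, h.name AS host, v.id AS vuln, v.severity AS severity
ORDER BY severity DESC;

// Query 2: correlate an alert with vulnerability paths. From the alerted
// host, follow reachability edges (up to 3 hops) to any vulnerable host a
// mission depends on, so responders see which objective is in jeopardy and
// which path warrants deeper inspection.
MATCH (a:Alert)-[:TARGETS]->(start:Host)
MATCH p = (start)-[:CAN_REACH*0..3]->(target:Host)-[:HAS_VULNERABILITY]->(v:Vulnerability)
MATCH (o:MissionObjective)-[:DEPENDS_ON*1..]->(target)
RETURN a.id AS alert, o.name AS objective,
       [n IN nodes(p) WHERE n:Host | n.name] AS path_hosts,
       v.id AS vuln, v.severity AS severity
ORDER BY severity DESC;
```

Because the schema is just labels and relationship types, a new data source (for example a separate reachability feed or an asset inventory) can be merged in as additional nodes and edges without redesigning the model, which is the flexibility the case study attributes to the property graph approach.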
