Having a wealth of data at your security team’s fingertips is a good thing. But when so much security data is being generated by various point solutions in the enterprise security stack, it becomes impossible to sift through, especially when each event or incident is analyzed in isolation. So how can disparate security data be brought together and better analyzed so enterprises have the ongoing context needed to reduce vulnerability? Graph theory, which is a mathematical theory of the properties and applications of graphs, offers an approach you might want to consider.
An Avalanche of Data
On average, security analysts see more than 1,000 alerts per week from more than 40 security vendor solutions deployed throughout their environment. The introduction of threat intelligence compounds this problem, as a single feed can generate more than 3.5 million indicators per month. Given the volume of data that must be evaluated and investigated, the average enterprise is ultimately throwing away more than 90% of its security data.
Since alerts are investigated and retained as independent, isolated occurrences, incident responders can struggle to discover associations and patterns needed to truly understand the source and implications of a threat. In most cases, security incident data is not stored or structured in a way that allows for automated correlations and is often missing the organization-specific context.
For example, even when enterprises are collecting their own incident intelligence, they are likely manually maintaining lists of “bad” IPs or domains in spreadsheets or text files. For a large enterprise, think about how many of these bad IPs must be updated in spreadsheets every month. Further, without any description of the circumstances in which the indicators were observed, the intelligence is overly broad or outdated.
Instead, enterprises need to preserve the surrounding context, and especially the relationships across the data elements, since the discrete values change so rapidly precisely in order to circumvent prevention and detection devices. Threat intelligence cannot be constrained to the scope of a single attack or a single organization’s perspective. Events viewed in isolation often appear to be benign, but when considered within a larger context, security analysts recognize relationships and patterns, which enables them to determine whether an event is indeed malicious.
Incident response has been mostly process-driven, providing analysts with detailed checklists or playbooks of what steps to take throughout the response lifecycle. Incident response technology has evolved in a similar manner: translating workflows into flow-charts and then generating the appropriate API integrations to execute those processes more efficiently.
But security operations is fundamentally a data problem — how do you leverage security data in conjunction with human intelligence to allow your organization to dynamically evolve its security infrastructure over time?
This is where graph theory can help.
Graph Theory: A Mathematical Approach to Data Analysis and Visualization
In mathematics, graph theory is the study of graphs, which are mathematical structures used to model relationships between objects. A graph in this context is made up of vertices (also called nodes or points) that are connected by edges (also called arcs or lines). In cybersecurity, a graph-based approach centers on preserving the context of security events by breaking down components of observable data into a graph representation of all cyber artifacts, from all data streams, accounting for all past and present data.
By structuring an organization’s historical incident data as a graph, security operations teams can preserve and visualize relationships across all of the data elements, and then apply various machine learning algorithms to surface informative relationships.
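As an added illustration, not code from the article or from Uplevel Security: a minimal incident graph in plain Python, built from constructed sample incidents, that takes a new alert carrying a single indicator and finds the past incidents it connects to by pivoting across shared artifacts. The incident IDs, indicator values and hop limit are all assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample incident records (not real data): each past incident
# lists the (type, value) artifacts that were observed with it.
INCIDENTS = {
    "INC-2023-001": [("ip", "203.0.113.10"), ("domain", "update-check.example"),
                     ("sha256", "CONSTRUCTED-HASH-A")],
    "INC-2023-002": [("domain", "update-check.example"), ("ip", "198.51.100.7")],
    "INC-2023-003": [("ip", "192.0.2.55"), ("sha256", "CONSTRUCTED-HASH-B")],
}


class ArtifactGraph:
    """Undirected graph of ("incident", id) nodes and (type, value) artifact
    nodes; an edge means 'this artifact was observed in this incident'."""

    def __init__(self):
        self.adj = defaultdict(set)

    def add_incident(self, incident_id, artifacts):
        node = ("incident", incident_id)
        for art in artifacts:
            self.adj[node].add(art)
            self.adj[art].add(node)

    def related_incidents(self, alert_artifacts, max_hops=3):
        """Breadth-first search outward from a new alert's artifacts. Returns
        {incident_id: (hops, path)}: hops == 1 shares an artifact directly,
        hops == 3 is reached by pivoting through another incident's artifact."""
        seen = {a for a in alert_artifacts if a in self.adj}  # unknown = no context yet
        queue = deque((a, [a[1]]) for a in seen)
        found = {}
        while queue:
            node, path = queue.popleft()
            hops = len(path) - 1
            if node[0] == "incident":
                found[node[1]] = (hops, path)
            if hops >= max_hops:
                continue
            for nxt in self.adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [nxt[1]]))
        return found


def build_graph(records=INCIDENTS):
    g = ArtifactGraph()
    for incident_id, artifacts in records.items():
        g.add_incident(incident_id, artifacts)
    return g
```

An alert containing only the IP 198.51.100.7 matches no hash and no domain, yet the graph ties it to INC-2023-002 directly and to INC-2023-001 through the domain both incidents shared, which is the context a flat list of bad IPs cannot give.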
Using graph theory to visually render security data helps transform the mentality of cyber incident response from process-driven help desks to advanced data analysis intelligence centers. Graph theory can help security operations teams improve efficiency and efficacy by establishing a system of record and intelligence that informs the handling of future threats. A system of record adds more context to each identified threat, and gives security analysts a more informed picture of how today’s threat may relate to last month’s – or one in the future.
It’s common for enterprises to rely heavily on established processes to maintain business standards, but there is nothing standard about cyber threats and security data. Maybe it’s time to re-evaluate your security operations and replace out-of-date processes with advanced analytics.
Liz Maida is the founder, CEO and CTO of Uplevel Security, the industry’s first adaptive system of intelligence that uses graph theory and machine learning to modernize security operations. Liz holds a Bachelor of Science in Engineering degree from Princeton University and dual Masters degrees in Computer Science and Engineering Systems from the Massachusetts Institute of Technology.