Graph-based Cyberattack Defense: A Centralized View of Your Security Landscape
Today’s organizations are swimming in massive amounts of data spread among multiple data sources, and that is before factoring in multi-cloud systems or interconnected architectures such as services and microservices. When you add in IoT systems, IP-based cameras and door locks, HVAC systems and the remote devices whose numbers exploded during the global pandemic, graph’s deep link analytics, multi-dimensional entity and pattern matching, centrality identification, and hub and community detection can help companies take preventative, defensive and corrective action against potential threats and threat actors.
When combined with your security stack, graph database technology boosts your visibility into user patterns, data mining, lateral movement of users and data, privilege escalation on user accounts, malware attacks, payload distribution and deployment, ransomware data encryption and more. With the flexibility and depth of graph algorithms, an existing indicator of compromise (IoC) can be embedded into these easy-to-create queries to extend search and analytics across all of your data from all of your systems, in one place and at one time. A real-time graph model of your network allows you to set up monitoring and defenses at specific points, making early identification of active cyberthreats possible. Graph can detect whether one service receives a larger number of different requests from the same IP than usual. Graph can also identify when a user who is moving data with newly escalated permissions happens to be on vacation. It can also uncover the number of hops between a specific user and a blacklisted IP, system, application or account, highlighting potential fraud, money laundering, a breach or other malicious activity.
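As an added example that is not from the original article, the following Python sketch implements two of the checks described above on a constructed event graph and request log: counting hops from a user to a blocklisted IP with a breadth-first search, and flagging a source IP whose distinct requests to one service exceed its own historical baseline. The node names, edges, log lines, baseline counts and blocklist are all constructed for illustration.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev
# Constructed sample graph (not from the article): (source, relationship, destination)
EDGES = [
    ("user:alice", "LOGGED_IN", "host:ws-07"),
    ("host:ws-07", "CONNECTED_TO", "ip:203.0.113.9"),
    ("ip:203.0.113.9", "CONNECTED_TO", "host:db-01"),
    ("host:db-01", "CONNECTED_TO", "ip:198.51.100.77"),
    ("user:bob", "LOGGED_IN", "host:ws-12"),
]
BLOCKLIST = {"ip:198.51.100.77"}  # constructed stand-in for a threat-intel feed
def build_graph(edges):
    """Undirected adjacency sets: for hop counting, reachability is what matters."""
    adj = defaultdict(set)
    for src, _, dst in edges:
        adj[src].add(dst)
        adj[dst].add(src)
    return adj

def hops_to_blocklisted(adj, start, blocklist):
    """BFS from start; return (hops, node) for the nearest blocklisted node, else None."""
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, dist = queue.popleft()
        if node in blocklist:
            return dist, node
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

LOG = [  # constructed request log for one time window: "service src_ip METHOD path"
    "svc:api 203.0.113.9 GET /users",
    "svc:api 203.0.113.9 GET /users/1",
    "svc:api 203.0.113.9 POST /login",
    "svc:api 203.0.113.9 GET /admin",
    "svc:api 198.51.100.5 GET /users",
]

def count_distinct_requests(log_lines):
    """Number of distinct (method, path) pairs per (service, source IP)."""
    distinct = defaultdict(set)
    for line in log_lines:
        service, src_ip, method, path = line.split()
        distinct[(service, src_ip)].add((method, path))
    return {key: len(paths) for key, paths in distinct.items()}

def unusual_fanout(baseline_counts, current_count, k=3.0):
    """True when current_count exceeds the baseline mean by more than k std devs."""
    if len(baseline_counts) < 2:
        return False  # not enough history to judge
    return current_count > mean(baseline_counts) + k * pstdev(baseline_counts)
```

In a real deployment the baseline counts per (service, IP) pair would come from earlier windows of the same log feed, and a hop count below an agreed threshold would raise an alert for analyst review.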
Cybersecurity Defense-in-Depth + Graph Analytics: A One-Two Punch
The combination of a defense-in-depth cybersecurity strategy and graph analytics provides multiple, overlapping defenses for your organization. Defense-in-depth layers in the controls needed to protect the technical, administrative and physical aspects of your business network. Meanwhile, graph allows you to use the connected data from your security stack, IoT systems, administrative systems and more to correlate activity across multiple environments and systems, ensuring you can proactively respond to threats as they are identified. Together, especially when ML and AI are layered on top, these tools can anticipate cyberattacks and disrupt them as they happen, before your organization becomes a statistic. A combined, multi-layered approach incorporates the following:
Administrative Controls: Defense-in-depth encompasses the administrative aspects of your business, including policies and procedures directed at the organization’s employees as well as the labeling of sensitive information as “confidential.” The use of privileged access management (PAM) solutions, along with graph analytics, controls who gets into what systems and flags any anomalous privilege escalations for user accounts.
Technical Controls: This refers to the hardware you put in place to protect network systems and resources. Software such as a network detection and response (NDR) system, network firewall appliances, an intrusion detection and prevention system (IDS/IPS) or an antivirus program works hand in hand with the hardware controls. Deploying an endpoint protection platform and endpoint detection and response system (EPP/EDR) to control unwanted activity on your endpoint devices is also part of the technical controls. Connected-data analytics, together with algorithms that automate threat hunting, threat analysis and attack-vector tracing, bolster the security team’s efforts while providing the needed level of automation.