https://www.meetup.com/NY-Enterprise-Information-Security-Meetup/events/245763153/ Chasing incidents means making trade-offs between speed, depth, and breadth... but it doesn't have to be this way. We will demo several examples of how Graphistry is being used by enterprise and federal teams to automatically add speed, reliability, & visibility to how their analysts work across their data sources. If your team depends on systems like Splunk, ELK, SQL/NoSQL databases, and threat APIs, or is curious about what is happening with playbooks and graph tech, these demos should resonate.

1. Graphistry Inc. 2017 info@graphistry.com
G R A P H I S T R Y
Increasing Investigation Leverage
with Graph Tech & Visual Analysis Playbooks
Leo Meyerovich, CEO
@LMeyerov

2. Graphistry Inc. 2017 info@graphistry.com
G R A P H I S T R Y
Who • Berkeley, Netflix, RedSeal, Fortinet: GPUs, security, ...
• Strategic investments from In-Q-Tel, Bloomberg, & Nvidia
• Early customers in US Gov + F2000: security, AML, sigint, …
What • Ease data-driven investigation tasks with visual playbooks
• Answer currently tricky questions with visual graph insights
• See any data source like CSVs, SIEMs, and APIs as
interactive visual graphs, even at enterprise-scale (GPUs)

3. Graphistry Inc. 2017 info@graphistry.com
Graphistry is the Visual Tier for Your Investigations
Logs  Rich Visual Graphs
Queries  Point/Click
Hours  Seconds
Connect: Automatically query across
all your data types and sources
Graph + Viz: Answers to
story, connections, scope,
& outliers
Visual Analysis Playbooks:
Reduce good investigations
to seconds and easily
share in & across teams
Click to drill-down and
pivot in context
HDFS Splunk SQL GraphDB
VendorsApp logs AlertsDevice logs
queries

4. Graphistry Inc. 2017 info@graphistry.com
Today
Investigation
… A weird yet common problem
Graphs are amazing
… Understand your SIEM/DB w/ Graph Tech – hypergraphs, GPUs, …
Visual playbooks are the future
… Turning best practices into software – automation for analysts
4

5. Graphistry Inc. 2017 info@graphistry.com
IP=10.16.0.8; msg=Malware.Object;
time=2 Nov 2017 19:32:00 UTC;
vendor=FireEye; Product=Web MPS NX
5

6. Graphistry Inc. 2017 info@graphistry.com
6

7. Graphistry Inc. 2017 info@graphistry.com
7

8. Graphistry Inc. 2017 info@graphistry.com
8

9. Graphistry Inc. 2017 info@graphistry.com
9

10. Graphistry Inc. 2017 info@graphistry.com
10

11. Graphistry Inc. 2017 info@graphistry.com
11

12. Graphistry Inc. 2017 info@graphistry.com
12

13. Graphistry Inc. 2017 info@graphistry.com
1
3
13

14. Graphistry Inc. 2017 info@graphistry.com
1
4
14
… start over!

15. Graphistry Inc. 2017 info@graphistry.com
15

16. Graphistry Inc. 2017 info@graphistry.com
16

17. Graphistry Inc. 2017 info@graphistry.com
Graphs are amazing
17

18. Graphistry Inc. 2017 info@graphistry.com
18
MALWARE INCIDENT MAP – UNIFIED VIEW
assets host events network events attackers
DEMO – Scope, progression, root cause, patterns, outliers

19. Graphistry Inc. 2017 info@graphistry.com
Let’s find the truth in the bitcoin blockchain:
analyze 200MM transactions (100K/day).
Graph – Supercharge many investigations, even financial!

20. Graphistry Inc. 2017 info@graphistry.com
Silk Road’s
Wallet
Rogue DEA
Agent
Money
Laundering?
Follow the tainted coins

21. Graphistry Inc. 2017 info@graphistry.com
Add 1 Step of Context (Untainted): 50X More Data
Rogue DEA
Agent
Extra $300,000

22. Graphistry Inc. 2017 info@graphistry.com
Silk Road’s
Wallet
Start here.Start here.
2 exchanges
Who to Subpoena First: Exchanges

23. Graphistry Inc. 2017 info@graphistry.com
Graphs Answer Tricky Questions That Tables Don’t
Progression & behavior
Patterns, correlations,
& outliers
Entities & scope
23
EMERGING BASIS FOR AI/ML METHODS OVER EVENT DATA

24. Graphistry Inc. 2017 info@graphistry.com
Visual Playbooks
Turning Best Practices into Executable Visual Workflows
24
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------
---------

25. Graphistry Inc. 2017 info@graphistry.com
Can we turn 30min – 1 week into < 10min?
• Query for the right data
• Find the connections
• Make the right conclusions
• … repeat
 Appropriate actions
Amdahl’s Law:
Game over if any
step sucks up time
25

26. Graphistry Inc. 2017 info@graphistry.com
26
MALWARE INCIDENT MAP
1. Input incident id
2. Hit run all
3. There is no step 3
DEMO – Automate best practices for data gathering & presentation

27. Graphistry Inc. 2017 info@graphistry.com
Why Visual Playbook Methodology Matters
• ROI: Exponentially boost SIEM data source/query utilization
• Speed: Cut MTTR by skipping to step 12+ of a thorough workflow
• Reliability: Automate best practices + T1<>T2 feedback loop
• + Graph: Visually answer scope, progression, patterns, outliers, …
(hard with search, tables, dashboards, …)
27

28. Graphistry Inc. 2017 info@graphistry.com
Piloting with security & fraud teams. (And we’re hiring!)
info@graphistry.com
G R A P H I S T R Y