https://www.meetup.com/NY-Enterprise-Information-Security-Meetup/events/245763153/
Chasing incidents means making trade-offs between speed, depth, and breadth... but it doesn't have to be this way. We will demo several examples of how Graphistry is being used by enterprise and federal teams to automatically add speed, reliability, & visibility to how their analysts work across their data sources. If your team depends on systems like Splunk, ELK, SQL/NoSQL databases, and threat APIs, or is curious about what is happening with playbooks and graph tech, these demos should resonate.
1. Graphistry Inc. 2017 info@graphistry.com
G R A P H I S T R Y
Increasing Investigation Leverage
with Graph Tech & Visual Analysis Playbooks
Leo Meyerovich, CEO
@LMeyerov
Slide 2
Who:
• Berkeley, Netflix, RedSeal, Fortinet: GPUs, security, ...
• Strategic investments from In-Q-Tel, Bloomberg, & Nvidia
• Early customers in US Gov + F2000: security, AML, sigint, …
What:
• Ease data-driven investigation tasks with visual playbooks
• Answer currently tricky questions with visual graph insights
• See any data source like CSVs, SIEMs, and APIs as interactive visual graphs, even at enterprise-scale (GPUs)
Slide 3
Graphistry is the Visual Tier for Your Investigations
Logs → Rich Visual Graphs
Queries → Point/Click
Hours → Seconds
Connect: Automatically query across all your data types and sources
Graph + Viz: Answers to story, connections, scope, & outliers
Visual Analysis Playbooks: Reduce good investigations to seconds and easily share in & across teams
Click to drill-down and pivot in context
(Diagram of data sources feeding queries: HDFS, Splunk, SQL, GraphDB; Vendors, App logs, Alerts, Device logs)
Slide 4
Today
Investigation … A weird yet common problem
Graphs are amazing … Understand your SIEM/DB w/ Graph Tech – hypergraphs, GPUs, …
Visual playbooks are the future … Turning best practices into software – automation for analysts
Slide 5
IP=10.16.0.8; msg=Malware.Object;
time=2 Nov 2017 19:32:00 UTC;
vendor=FireEye; Product=Web MPS NX
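The alert above is a single event that names several entities (an IP, a signature, a vendor, a product). The hypergraph transform mentioned in the agenda turns each such event into a node linked to the entities it names, so that events sharing an IP or a signature become connected through those shared nodes. The Python below is added here as an illustration and is not Graphistry's code: it parses a few alerts in the slide's key=value style (the first line is the slide's own example, the other two are constructed in the same format), builds the event-to-entity edge list, and reports which entities several events share. Which keys become entity nodes is an assumption.

```python
from collections import defaultdict

# Constructed sample alerts in the key=value style shown on slide 5. The first
# is the slide's own example; the other two are invented records in that format.
SAMPLE_ALERTS = [
    "IP=10.16.0.8; msg=Malware.Object; time=2 Nov 2017 19:32:00 UTC; vendor=FireEye; Product=Web MPS NX",
    "IP=10.16.0.8; msg=Malware.Callback; time=2 Nov 2017 19:40:12 UTC; vendor=FireEye; Product=Web MPS NX",
    "IP=10.16.0.44; msg=Malware.Object; time=2 Nov 2017 20:05:31 UTC; vendor=FireEye; Product=Web MPS NX",
]

# Assumption: these attributes become entity nodes; anything else (e.g. time)
# stays as a property on the event node.
ENTITY_KEYS = ("IP", "msg", "vendor", "Product")


def parse_alert(line):
    """Parse a 'k=v; k=v; ...' alert line into a dict (keys kept as written)."""
    fields = {}
    for part in line.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def to_hypergraph(lines):
    """Hypergraph encoding: one node per event, one node per distinct entity
    value, and an edge from each event to every entity it mentions."""
    nodes = {}
    edges = []
    for i, line in enumerate(lines):
        event = parse_alert(line)
        event_id = f"event:{i}"
        nodes[event_id] = {"type": "event", **event}
        for key in ENTITY_KEYS:
            if key in event:
                entity_id = f"{key}:{event[key]}"
                nodes.setdefault(entity_id, {"type": key, "value": event[key]})
                edges.append((event_id, entity_id))
    return nodes, edges


def shared_entities(edges):
    """Entities touched by more than one event: the natural pivot points."""
    degree = defaultdict(int)
    for _, entity in edges:
        degree[entity] += 1
    return {entity: d for entity, d in degree.items() if d > 1}


if __name__ == "__main__":
    nodes, edges = to_hypergraph(SAMPLE_ALERTS)
    print(len(nodes), "nodes,", len(edges), "edges")
    for entity, d in sorted(shared_entities(edges).items()):
        print(f"{entity} is shared by {d} events")
```

On the three sample alerts this yields nine nodes (three events, six entity values) and twelve edges; the IP 10.16.0.8 and the Malware.Object signature each link two events, which is exactly the kind of connection a table of separate alert rows does not show.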
Slide 19
Graph – Supercharge many investigations, even financial!
Let’s find the truth in the bitcoin blockchain: analyze 200MM transactions (100K/day).
Slide 20
Follow the tainted coins
(Graph labels: Silk Road’s Wallet; Rogue DEA Agent; Money Laundering?)
Slide 21
Add 1 Step of Context (Untainted): 50X More Data
(Graph labels: Rogue DEA Agent; Extra $300,000)
Slide 22
Who to Subpoena First: Exchanges
(Graph labels: Silk Road’s Wallet; Start here.; 2 exchanges)
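Slides 20 to 22 walk through one investigation pattern: follow coins forward out of a seed wallet, add one hop of untainted context around everything reached, and rank the exchanges that received tainted funds so the investigator knows where to send the first request. The Python below is added here as an illustration and is not Graphistry's or the presenter's code. It runs that sequence over a small constructed transaction ledger with invented wallet names; treating exchange wallets as taint sinks (coins are not followed past an exchange) and the "exchange:" label prefix are assumptions.

```python
from collections import defaultdict, deque

# Constructed ledger: (sender, receiver, amount). Wallet names are invented;
# the "exchange:" prefix marks wallets we have labelled as exchanges.
TXS = [
    ("wallet:seed", "wallet:a", 50.0),
    ("wallet:seed", "wallet:b", 30.0),
    ("wallet:a", "wallet:c", 20.0),
    ("wallet:c", "exchange:one", 20.0),
    ("wallet:b", "exchange:two", 10.0),
    ("wallet:b", "wallet:d", 15.0),
    # untainted activity around the same wallets: the "1 step of context"
    ("wallet:x1", "wallet:a", 5.0),
    ("wallet:x2", "wallet:c", 7.0),
    ("wallet:x3", "exchange:one", 100.0),
    ("wallet:x4", "exchange:one", 100.0),
    ("exchange:one", "wallet:x5", 40.0),
    ("wallet:x6", "wallet:d", 2.0),
    ("wallet:x7", "wallet:x8", 9.0),  # unrelated; never reached
]

EXCHANGE_PREFIX = "exchange:"  # assumption: how exchange wallets are labelled


def adjacency(txs):
    """Outgoing and incoming edge lists keyed by wallet."""
    out_edges, in_edges = defaultdict(list), defaultdict(list)
    for sender, receiver, amount in txs:
        out_edges[sender].append((receiver, amount))
        in_edges[receiver].append((sender, amount))
    return out_edges, in_edges


def follow_taint(txs, seed, max_hops=None):
    """Forward taint: wallets reachable from seed along outgoing transfers,
    mapped to their hop distance. Exchanges are recorded but not expanded."""
    out_edges, _ = adjacency(txs)
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        wallet = queue.popleft()
        if wallet.startswith(EXCHANGE_PREFIX):
            continue  # taint sink: do not follow coins through an exchange
        if max_hops is not None and hops[wallet] >= max_hops:
            continue
        for nxt, _ in out_edges[wallet]:
            if nxt not in hops:
                hops[nxt] = hops[wallet] + 1
                queue.append(nxt)
    return hops


def one_step_context(txs, tainted):
    """Tainted wallets plus every counterparty (either direction) of each."""
    out_edges, in_edges = adjacency(txs)
    context = set(tainted)
    for wallet in tainted:
        context.update(r for r, _ in out_edges[wallet])
        context.update(s for s, _ in in_edges[wallet])
    return context


def rank_exchanges(txs, tainted):
    """Exchanges receiving tainted funds, largest tainted inflow first."""
    inflow = defaultdict(float)
    for sender, receiver, amount in txs:
        if sender in tainted and receiver.startswith(EXCHANGE_PREFIX):
            inflow[receiver] += amount
    return sorted(inflow.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    tainted = follow_taint(TXS, "wallet:seed")
    context = one_step_context(TXS, tainted)
    print(len(tainted), "tainted wallets;", len(context), "with one hop of context")
    print("exchanges to ask first:", rank_exchanges(TXS, tainted))
```

On this ledger the forward trace reaches seven wallets, one hop of context nearly doubles that to thirteen (the slide's real-world figure was 50X), and the ranking puts exchange:one ahead of exchange:two because it received more tainted value, even though most of its total inflow is untainted.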
Slide 23
Graphs Answer Tricky Questions That Tables Don’t
• Progression & behavior
• Patterns, correlations, & outliers
• Entities & scope
Emerging basis for AI/ML methods over event data
Slide 25
Can we turn 30min – 1 week into < 10min?
• Query for the right data
• Find the connections
• Make the right conclusions
• … repeat
→ Appropriate actions
Amdahl’s Law: Game over if any step sucks up time
Slide 26
Demo – Automate best practices for data gathering & presentation
Malware Incident Map
1. Input incident id
2. Hit run all
3. There is no step 3
Slide 27
Why Visual Playbook Methodology Matters
• ROI: Exponentially boost SIEM data source/query utilization
• Speed: Cut MTTR by skipping to step 12+ of a thorough workflow
• Reliability: Automate best practices + T1<>T2 feedback loop
• + Graph: Visually answer scope, progression, patterns, outliers, … (hard with search, tables, dashboards, …)
Slide 28
Piloting with security & fraud teams. (And we’re hiring!)
info@graphistry.com