This document discusses how security teams are overwhelmed by large volumes of data from security alerts and indicators. It proposes that graph algorithms can help identify related alerts and events that should be investigated together, such as those targeting the same users or part of the same attack. The document provides examples of how community detection, centrality analysis, and other graph algorithms run on preprocessed security data can help prioritize work and generate new threat indicators.
A Picture is Worth 1,000 Rows
1. A Picture is Worth 1,000 Rows
Elisabeth Maida, Founder & CEO, Uplevel
2. Security teams are overwhelmed with data: 40 security vendors, 1,000 alerts per week, 3.5 million indicators per month
4. “You need to know what to look for in order to find it”
• Can create searches to generate high-priority events
• Need to know what searches to write
• Rules require ongoing support and maintenance
• Complex queries can be difficult to decode and interpret: “what exactly is this searching for?”
• Interactions between overlapping rules can be difficult to untangle
6. Graphs can provide a visual indication of activity requiring investigation
7. Graph algorithms can help identify events that should be investigated and remediated as a unit
- Alerts about the same underlying event generated by different security devices
- Sequential events about an ongoing attack
- Multiple users targeted using the same tactic or by the same threat actor
- Alerts constituting a progressing attack or attack vectors
8. Terminology
- Alert: event triggered by a security product identifying potentially malicious behavior
- Attribute: technical characteristic such as “file hash”
- Indicator: threat intelligence indicating that a specific attribute (or group of attributes) identifies malicious behavior
9. Community detection algorithms can help identify related alerts
Mark Needham and Amy E. Hodler, Graph Algorithms: Practical Examples in Apache Spark and Neo4j
12. Centrality algorithms can help prioritize alert clusters
Mark Needham and Amy E. Hodler, Graph Algorithms: Practical Examples in Apache Spark and Neo4j
13. Output of our pre-processing can also be used to generate new indicators
FireEye, Double Dragon: APT41, a Dual Espionage and Cyber Crime Operation
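Slides 9, 12 and 13 describe the pipeline in outline only; the following is an added illustration, not the deck's own code, of that pipeline on constructed sample alerts: alerts become one side of a bipartite graph, shared attributes (user, file hash, IP) the other, connected components stand in for community detection, the degree of the most connected attribute stands in for centrality when ranking clusters, and attributes corroborated by more than one product are surfaced as candidate indicators. The alert fields, products and values are all assumptions made for the example.

```python
"""Group alerts sharing attributes, rank the clusters, and surface
attributes seen by several products as candidate indicators."""
from collections import defaultdict

# Constructed sample alerts (not real data): the raising product plus attributes.
ALERTS = [
    {"id": "a1", "product": "EDR", "user": "alice", "hash": "h-deadbeef", "ip": "203.0.113.5"},
    {"id": "a2", "product": "proxy", "user": "alice", "ip": "203.0.113.5"},
    {"id": "a3", "product": "mail", "user": "bob", "hash": "h-deadbeef"},
    {"id": "a4", "product": "EDR", "user": "carol", "hash": "h-cafe"},
    {"id": "a5", "product": "IDS", "ip": "198.51.100.9"},
]
LINK_FIELDS = ("user", "hash", "ip")   # attributes that connect alerts
INDICATOR_FIELDS = ("hash", "ip")      # technical attributes eligible as indicators


def build_graph(alerts):
    """Bipartite graph: alert id <-> (field, value) attribute node."""
    alert_to_attrs, attr_to_alerts = defaultdict(set), defaultdict(set)
    for a in alerts:
        for f in LINK_FIELDS:
            if f in a:
                alert_to_attrs[a["id"]].add((f, a[f]))
                attr_to_alerts[(f, a[f])].add(a["id"])
    return alert_to_attrs, attr_to_alerts


def communities(alerts):
    """Connected components: alerts linked by any shared attribute form one community."""
    alert_to_attrs, attr_to_alerts = build_graph(alerts)
    seen, result = set(), []
    for a in alerts:
        if a["id"] in seen:
            continue
        comp, stack = set(), [a["id"]]
        while stack:
            aid = stack.pop()
            if aid in seen:
                continue
            seen.add(aid)
            comp.add(aid)
            for attr in alert_to_attrs[aid]:
                stack.extend(attr_to_alerts[attr] - seen)
        result.append(comp)
    return result


def ranked_clusters(alerts):
    """Largest community first; ties broken by the degree of its best-connected attribute."""
    alert_to_attrs, attr_to_alerts = build_graph(alerts)

    def score(comp):
        attrs = set().union(*(alert_to_attrs[aid] for aid in comp))
        return (len(comp), max((len(attr_to_alerts[n]) for n in attrs), default=0))

    return sorted(communities(alerts), key=score, reverse=True)


def candidate_indicators(alerts, min_products=2):
    """Attributes reported by at least `min_products` distinct products."""
    products = defaultdict(set)
    for a in alerts:
        for f in INDICATOR_FIELDS:
            if f in a:
                products[(f, a[f])].add(a["product"])
    return {n: sorted(p) for n, p in products.items() if len(p) >= min_products}
```

Running `ranked_clusters(ALERTS)` puts the three alerts tied together by alice, the shared hash and the shared IP first, and `candidate_indicators(ALERTS)` returns that hash and IP because the EDR, proxy and mail products all independently reported them.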
14. Other opportunities for graph algorithms in cybersecurity
• Creating attack pattern fingerprints and using graph pattern matching and subgraph isomorphism
• Applying label propagation to cascade maliciousness through the graph
• Using centrality and betweenness to assess commonality of tactics, techniques, and procedures across attackers