Strengthening cybersecurity with digital twin thinking

Neo4j’s Maya Natarajan explains how graph technology can help you potentially get ahead of the hackers


Software supply chain attacks, which exploit vulnerabilities in embedded open-source libraries, increased 430% in 2020. In 2021, they got even worse, with a 650% increase.

This is hardly news to cybersecurity practitioners. After all, cyber is a field characterised by extreme, unmanageable complexity. Even something seemingly straightforward like good incident analysis requires pulling together data and logs from many platforms and tools.

To deal effectively with the rise in cybersecurity attacks, the sector needs advanced data solutions that empower the professional to correlate and analyse connections at real-world scale. And there is some good news here at last: the application of graph-based defences.

Traditionally, we’ve relied heavily on lists in the cyber fight, i.e. alerts and logs from software tools. The problem is such an approach can block defenders from gaining a holistic view of their systems and creates blind spots.

At the same time, attackers are opportunistic, probing for a weakness, no matter how small, then exploiting it to gain access to more of your network. And when you think about it, they do that by thinking of your network as a graph. If they get access to one node, they can build an attack graph from that node, working slowly but insidiously toward the most valuable systems and data.

A strong fit for cybersecurity

We need to get smarter and take a leaf out of their book. Why not? After all, graph technology easily captures the complexity of IT infrastructure and security tools — and it turns out that graphs are the most natural way to process data, especially at the network and cyber levels.

That’s because they provide a high-fidelity model of the real world. A graph data model represents intricate networks of entities and their relationships, and uncovers patterns that are difficult to detect using traditional representations such as tables. And while relational tables are good for collecting and processing data, they miss relationships between data points.

Graph databases are also a strong fit for cybersecurity as they integrate many data sources, are able to handle very large data volumes, and can easily reveal dependencies. This is a huge boost for security work, where data comes from many monitoring systems (it’s been reported that large organisations can have an average of 75 security tools). Many applications and services generate log files that are relevant to cybersecurity. No matter how many tools or sources you have, each one will generate a lot of alerts and logs. Add to this the relationships in and across all that data, and the dependencies and paths from one resource to another can be overwhelming.

Digital twins can be used for far more than security

Customers report that modelling their infrastructure as a graph database enables them to identify their most valuable information assets and possible security targets, as well as easily generate alerts for relevant teams about the impact of incidents across systems.

Graph-based security tracking also enables them to identify suspicious behaviour, reducing the mean time to detect and uncover insider threats. Cyber software that exploits graph technology's power is also well suited to driving identity and access management so as to enforce the principle of least privilege.

The advantage of graph databases also increases with the size and complexity of the data. With a graph database, you gain a unified understanding of the attack surface. That means being able to mount useful ongoing cyber risk assessments simply by connecting your resources and users with the activities on your system. You can also better protect systems, detect anomalies in real time, respond with confidence to any incidents, and recover quickly.
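To make the "attack surface as a graph" idea concrete, here is an added example (not code from the article or from Neo4j) that models a small infrastructure as a directed graph of access relationships and answers two defender questions: which crown-jewel assets become reachable if a given node is compromised, and which intermediate nodes are choke points whose hardening would cut every such path. It uses a plain in-memory adjacency list rather than Cypher so it runs offline; all host names and relationship types are constructed.

```python
from collections import deque

# Constructed sample "digital twin": each edge says access can propagate from
# src to dst (login rights, routing, admin credentials, mounted shares).
EDGES = [
    ("laptop-42", "vpn-gw", "logs_in"),
    ("vpn-gw", "jump-host", "routes_to"),
    ("jump-host", "db-prod", "admin_on"),
    ("jump-host", "file-srv", "routes_to"),
    ("file-srv", "hr-share", "mounts"),
    ("svc-backup", "db-prod", "reads"),
    ("svc-backup", "backup-vault", "writes"),
]
# The assets whose exposure we care about most (hypothetical names).
CROWN_JEWELS = {"db-prod", "hr-share", "backup-vault"}


def build_graph(edges):
    """Adjacency list: node -> list of (neighbour, relationship)."""
    graph = {}
    for src, dst, rel in edges:
        graph.setdefault(src, []).append((dst, rel))
        graph.setdefault(dst, [])
    return graph


def blast_radius(graph, compromised):
    """BFS from the compromised node; returns {reachable_node: shortest path}."""
    paths = {compromised: [compromised]}
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for nxt, _rel in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def exposed_assets(graph, compromised, crown_jewels=CROWN_JEWELS):
    """Crown jewels reachable from the compromised node, with the path to each."""
    paths = blast_radius(graph, compromised)
    return {asset: paths[asset] for asset in crown_jewels if asset in paths}


def choke_points(graph, compromised, crown_jewels=CROWN_JEWELS):
    """Intermediate nodes whose removal cuts off every exposed crown jewel."""
    if not exposed_assets(graph, compromised, crown_jewels):
        return []
    result = []
    for candidate in graph:
        if candidate == compromised or candidate in crown_jewels:
            continue
        # Simulate isolating the candidate: drop the node and all edges into it.
        pruned = {n: [(d, r) for d, r in adj if d != candidate]
                  for n, adj in graph.items() if n != candidate}
        if not exposed_assets(pruned, compromised, crown_jewels):
            result.append(candidate)
    return sorted(result)
```

Running `choke_points(build_graph(EDGES), "laptop-42")` points at the VPN gateway and the jump host as the two places where segmentation or stronger authentication would sever every path from that laptop to sensitive data.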

One might also take the view that a knowledge graph creates a functional digital twin of your environment, enabling you to represent all or part of your network data in a holistic view.

Such a digital twin can be very useful for cybersecurity analysts to query and take action on. It is also a representation that can be analysed by data scientists, who can build models to detect malicious activities.

In fact, creating and analysing a graph digital twin of your infrastructure is one of the most effective measures you can take for improving your cybersecurity posture. It’s also very helpful for managing the endless, dynamic complexity of cybersecurity vulnerabilities and threats.

The reality is that graphs eat complexity for breakfast, and there is no area more complex than the ever-morphing cybersecurity threat. So if you're trying to get a better handle on your cybersecurity, think about modelling it as a digital twin in the graph, and then as a full knowledge graph.

The bottom line is that with graphs, complex data on cybersecurity vulnerabilities and threats, along with the hierarchical and recursive events that have so far been deeply hidden, become far easier to expose.

Maya Natarajan is Senior Director, Product Marketing, at graph data platform leader Neo4j