Graph databases are not new. Their roots go back to the network databases of the 1960s, and they work by storing independent objects (nodes) and recording the relationships (edges) between them. Because the schema is not rigid, the model can adapt as new relationships emerge and existing ones change.
The modus operandi of cyber attacks never stands still. Cybercriminals and even the code they use adapt in near real time, changing appearance and approach at a rapid pace.
Attempting to track this in a traditional relational database is a losing battle. Relational databases are great for things like static signature files, whose characteristics never change, but the modern-day threat metamorphoses by the second, and a traditional RDBMS simply can't be adapted quickly enough to have any chance of coping. Every new kind of relationship between an attacker's artefacts means another table or join, and multi-hop questions such as "which process ultimately launched this one?" become expensive chains of self-joins.
Cybersecurity technology firm CrowdStrike recognised this dilemma some time ago and understood that the fundamentals of graph theory (essentially, if you can whiteboard it, you can graph it) are a natural model for continually mapping evolving cyber threats and their behaviours. With this realisation came the birth of CrowdStrike's Threat Graph.
In simple terms, the Threat Graph captures hundreds of thousands of events per second and maps the dependencies between them in a graph database. The information comes from telemetry sent by CrowdStrike's massive installed base of sensors. It is supplemented with third-party threat intelligence and enriched with findings from their expert Falcon OverWatch threat-hunting team. The result is a living, breathing tool that can identify threats at massive scale in real time, speed up root cause analysis, and highlight suspicious actions and user behaviour anomalies that may point to cyber threat activity.
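What "mapping the dependencies in a graph database" buys an analyst is easiest to see on a toy. The following is an added illustration, not CrowdStrike's code, schema or detection logic: a handful of constructed endpoint events (invented pids, paths and the documentation address 203.0.113.7) are turned into nodes joined by labelled edges, after which root cause analysis is a walk backwards along "spawned" edges, blast radius is a walk forwards, and a detection pattern is just a two-hop edge query. The node and edge labels ("spawned", "wrote", "connected") and the office/shell process lists are assumptions made for the example.

```python
"""Toy endpoint-telemetry graph.

Added illustration (not CrowdStrike's code or schema): each telemetry event
becomes nodes plus one labelled edge, and breach triage becomes graph walks.
Every event below is constructed for the example; nothing is real telemetry.
"""
from collections import defaultdict, deque

# Constructed sample telemetry from one host (pids, paths, address invented).
EVENTS = [
    {"type": "process_start", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"type": "process_start", "pid": 200, "ppid": 100, "image": "winword.exe"},
    {"type": "file_write", "pid": 200, "path": r"C:\Users\a\invoice.docm"},
    {"type": "process_start", "pid": 300, "ppid": 200, "image": "cmd.exe"},
    {"type": "process_start", "pid": 400, "ppid": 300, "image": "powershell.exe"},
    {"type": "net_connect", "pid": 400, "dst": "203.0.113.7:443"},
    {"type": "file_write", "pid": 400, "path": r"C:\Users\a\AppData\Local\x.exe"},
    {"type": "process_start", "pid": 500, "ppid": 100, "image": "notepad.exe"},
]

# Assumed process families for the one detection pattern shown below.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}


class Graph:
    """Minimal property graph: nodes carry attributes, edges carry a label."""

    def __init__(self):
        self.nodes = {}                # node id -> attribute dict
        self.out = defaultdict(list)   # node id -> [(label, dst)]
        self.inc = defaultdict(list)   # node id -> [(label, src)]

    def add_node(self, node_id, **attrs):
        self.nodes.setdefault(node_id, {}).update(attrs)

    def add_edge(self, src, label, dst):
        self.add_node(src)
        self.add_node(dst)
        self.out[src].append((label, dst))
        self.inc[dst].append((label, src))


def proc(pid):
    return ("process", pid)


def build_graph(events):
    """Map each raw event onto nodes and exactly one labelled edge."""
    g = Graph()
    for ev in events:
        if ev["type"] == "process_start":
            g.add_node(proc(ev["pid"]), image=ev["image"])
            g.add_edge(proc(ev["ppid"]), "spawned", proc(ev["pid"]))
        elif ev["type"] == "file_write":
            g.add_edge(proc(ev["pid"]), "wrote", ("file", ev["path"]))
        elif ev["type"] == "net_connect":
            g.add_edge(proc(ev["pid"]), "connected", ("remote", ev["dst"]))
    return g


def root_cause_chain(g, pid):
    """Walk 'spawned' edges backwards from a flagged process to the earliest
    ancestor we have an image for. Returns images root-first."""
    chain, node = [], proc(pid)
    while node in g.nodes and "image" in g.nodes[node]:
        chain.append(g.nodes[node]["image"])
        parents = [src for label, src in g.inc.get(node, ()) if label == "spawned"]
        if not parents:
            break
        node = parents[0]
    return list(reversed(chain))


def blast_radius(g, pid):
    """Everything reachable forwards from a process: descendants, files, remotes."""
    seen, queue = set(), deque([proc(pid)])
    while queue:
        node = queue.popleft()
        for _label, dst in g.out.get(node, ()):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def office_spawned_shell(g):
    """Detection pattern as a 2-hop edge query: office app --spawned--> shell.
    Returns (parent pid, child pid) pairs."""
    hits = []
    for src, edges in list(g.out.items()):
        if g.nodes.get(src, {}).get("image", "").lower() not in OFFICE:
            continue
        for label, dst in edges:
            if label == "spawned" and g.nodes.get(dst, {}).get("image", "").lower() in SHELLS:
                hits.append((src[1], dst[1]))
    return hits


if __name__ == "__main__":
    g = build_graph(EVENTS)
    for parent, child in office_spawned_shell(g):
        print("pattern hit:", parent, "->", child)
        print("root cause chain:", " -> ".join(root_cause_chain(g, child)))
        print("blast radius:", sorted(map(str, blast_radius(g, parent))))
```

The point is not the code but the shape of the queries: adding a new event type is one more `add_edge` line rather than a schema migration, and the two triage questions an analyst asks first (where did this come from, and what did it touch) are each a single walk over the edges instead of a chain of self-joins.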
So what are some of the ways that CrowdStrike's users benefit from this massive and growing Threat Graph?
Faster breach investigations and response times – The Threat Graph automates much of the investigation and analysis. Breach triage, which traditionally can take many analyst hours, is automated and accelerated. Because the events that triggered a detection are stored as relationships in the graph, CrowdStrike's Falcon OverWatch team can trace those triggers back to their origin in minutes as opposed to days or even longer.
No more need to develop customised attack patterns – The Threat Graph automatically builds attack detection patterns tailored to your environment and enriches them with insights you don't have access to from inside your own environment. It is automated and removes the worry and overhead of keeping your own patterns updated.
You harness the power of the “crowd” – Every new insight, artefact or detection from any customer is validated and shared across every customer. If the Threat Graph detects an issue at any single customer, all other customers automatically benefit from that knowledge.
CrowdStrike's Threat Graph is an example of how they have approached the new and increasing threats that every business faces. You can read more about the Threat Graph and how it could benefit your business here.