In this webinar, graph visualization expert Corey Lanum looks at some of the advanced graph technologies you can use to analyze cyber attacks and protect your assets.
He explains how graph and timeline visualization is an incredibly powerful tool for cyber threat analysis, and looks at:
- techniques for working with huge data sets
- how timeline visualization opens up an investigation
- bringing the story to life with animation
Explore our cybersecurity use case
Transcript
Corey Lanum: Hello. In this video, we’re going to look at how to take advantage of graph data and graph data visualization to help analysts uncover insights in a cybersecurity application. My name is Corey Lanum, and I’ve been working with graph data for twenty-two years. I think that cybersecurity is the fastest-growing domain in which graph concepts are useful.
So what we’re going to do today is we’re going to dive in and see exactly how you can use this in your application. But first, we’re going to have to take a stab at defining what cybersecurity actually is, because it’s not really just one domain anymore. It concerns unauthorized access to computer systems, but that can take multiple forms.
Securing systems to prevent unauthorized access in the first place, building systems that detect when a breach occurs, because in many cases, these breaches aren’t even detected until it’s too late. Hardening systems to prevent the spread, so if the hooded sweatshirt fellow on the right here gains access to one system, how can we ensure that that access doesn’t allow him to infect additional business-critical systems?
And then investigation. Once we know that some sort of event has occurred, how do we determine the scope of it, and hopefully figure out who was responsible? Whoever it was, they were probably wearing a hooded sweatshirt. The key is that all of these involve some sort of connected data aspect of it. You have to look at data, and you have to understand how those data points connect to one another or are relevant to one another in order to be able to determine what’s going on.
That concept, looking at the data as a series of connected elements, is the definition of a graph. A graph is a model of data where we care about the relationships between the data points as much as the points themselves. The terminology here is that we call the data elements—systems, applications, devices, user accounts, that kind of stuff—as nodes, and the relationships between them, such as an application uses this database, as a link.
And once we’re thinking about the data in this model, analysts can visualize it in an interactive diagram, and that’s where the insights can come from. So over here on the right, I have a graph where we have multiple virtual hosts being hosted on the same physical server, and multiple applications being hosted on each of those hosts.
And the diagram shows us that pretty well. Okay, so problem solved, right? We can just go get all of the cyber-related data we have, model it as a graph, and throw it into a visualization, right? Well, unfortunately, it’s not quite so simple, because typically, cyber data is huge. This sort of approach may be fine when we’re talking about physical things like servers, but often we’re talking about virtual events, logging, for example, that captures every user interaction with an application like mouse clicks, or even worse, every single IP packet that flows across a network.
It’s simply not realistic to put each individual event on a chart at the same time. But thankfully, there are some techniques that we can use to help with this big data problem. Let me show you a few in action. This is a concept I like to call expand and explore. I have a data set which represents packets flowing between IP addresses.
The nodes are the IPs, and the links show the packets flowing between them. Instead of drawing the entire thing as a graph, which potentially could be in the billions of items, I’m searching for a specific IP address and showing it and the others that are directly connected to it. So here, for example, I’ll do a search for the IP address that starts with two one nine.
And now I’ve brought that onto the chart. From here, I can double-click on a node and add that node and its direct connections to the chart as well. And we got to see the other nodes get added to the chart. I can continue clicking my way through or exploring my way through the dataset to add additional items based on what I find.
This ability, this exploratory interface, is a way to allow the user to guide what it is they’re looking for, and it dramatically improves the user experience and pushes them toward an insight, maybe in this case, something like understanding how malware spreads throughout this network. I have another technique here that I call combinations or grouping.
Basically, even though we may be collecting and storing our data at a very granular level, that doesn’t have to be the level at which you display it in the visualization. In this example, we have a graph representing an IP network with potentially thousands of devices spread across geographically. Each device is a node, but as an initial view, we don’t need to or even want to show all of them as discrete nodes in the visualization.
That would be too overwhelming. Instead, we show them as groups. In this case, a node representing the entire domain and its connections to other domains. Because we have access to the underlying source data, these groups can be drilled into with a double-click, allowing the user to see the detail only when it’s relevant to them.
So I can expand on the London node and see the detail inside of those. I’m going to expand on all of the domains here. There’s no reason that you don’t want to go multiple levels deep with this too, so each of those sub-nodes is actually a sub-domain on that network, and I can drill into it as well.
The third level gives me the detail of the actual devices contained within that sub-domain. So what we’ve done is we’ve taken a graph that could have thousands of nodes on it and simplified or summarized it for the end user into something much more manageable while still maintaining the detail when needed. Another example is filtering.
In contrast to the expand-explore scenario I showed earlier, another technique might be to show all the data, or at least a larger subset of it, to the end user, but then give them the tools necessary to filter that down to the bit that’s relevant for them. This allows them to see the larger structure of the data, maybe identify some highly connected nodes that deserve additional scrutiny, something like accounts that have a broader degree of access than you were expecting, and then filter down the chart to show just the detail of those items.
If I click on a node, in this case, I’ll select Server C, I’m filtering out all of the nodes that aren’t directly upstream or downstream from Server C, which means that the remaining nodes are structured hierarchically, and we can investigate the detail and gain insight into the pattern that results. So far, what I’ve shown you are examples of that first category of cybersecurity: protection.
In order to know how to protect your network or your data, you first need to have a comprehensive picture of what assets you have and how they’re connected to one another. So next, we’re going to take a look at how we can use visualization to go beyond just protection and detect that an attack has happened, and then also to investigate the scope of that attack.
Detection can often involve looking at log files. For decades, the traditional way of auditing activity on a system is to generate an entry in a file and then just keep adding to that file. It’s a little clumsy, but it works. The challenge comes when both the number of logs and the number of entries in each log become so large that it’s impossible for a human to read them.
The example over here on the right is just one screenful of a log, and even then, it’s too unwieldy to learn anything from. Graphs and graph visualization can help here too. Log entries often represent a connection between items—a user logging into a system or data being accessed, for example—but they almost always have a timestamp too.
The event happened at a very precise time. The graphs that I’ve been showing you so far don’t take that timing into account, so we lose a critical dimension to the data. We’re unable to see clusters of activity, stuff that happens one right after another, and we also lose sequences. A certain event happened before or after another one, and both of those are really important.
Let me show you an example. In this example, we ran a packet capture on our local network as we ran a Google search and clicked one of the resulting links. That simple action, which took less than thirty seconds, generated thousands of packets flowing across the network. A traditional graph representation of this data is helpful.
We can see the source and the destination of those packets linked, which gives us a sense of the structure of the network over there on the right. But the timing element is really important here, too. If you’re looking through logs for something like traffic creating a denial-of-service attack, you need to gain an understanding of not just where the traffic is coming from, but when.
So we’ve created a timeline visualization here on the left showing the packets flowing across the network organized by time from left to right. There are two things I want to point out here that can be helpful. One is that the sheer number of source and destination IP addresses makes it unrealistic to expect to draw all of them in the timeline at once.
So we’re grouping them, much as I did with nodes in the example I showed you earlier, but allowing a similar drill down into the detail, as you can see here. This is what we call the lens view, which allows you to focus on specific individual IP addresses or groups of IP addresses. The other is that we’ve made the graph view and the timeline view interactive.
So finding some traffic of note in the timeline will highlight that specific bit over on the graph side, and similarly in reverse, finding an individual IP address on the graph will highlight that IP address’s traffic on the left-hand side in the timeline. Now let’s zoom into a specific window of time and see if we can see what’s going on.
First, I’m going to focus on the laptop that we used to do the Google search. And we can see that the initial traffic is going to the DNS server to find the IP address to send the query to, and then it’s using that IP address and submitting the query, and then it’s getting the results back, and then it’s also getting some results back from an advertising server.
And as we scroll through time, we can see all of that activity organized by time from left to right. Imagine trying to understand this brief story just from looking at raw logs. The final bit of cybersecurity that I want to talk about is investigations. Once an attack has occurred, it’s important to be able to understand exactly what happened so that you can hopefully identify the offenders but also prevent that sort of attack from being successful in the future.
I have a couple of examples to show you here as well. In the example I want to show you here, we’ve created a network of data breaches, publicly known data breaches over the course of two years. Now, we’ve modeled this as a graph because we’ve taken the companies that experienced the breach—those are the white nodes here—and we’ve linked them to the vector or the people who were responsible for the breach.
And we can see that that creates an interesting graph. We can zoom in here on the middle, and we can see those companies or those organizations who were unfortunate enough to experience multiple breaches over the period via multiple different vectors. Down here at the bottom, we can see a time bar, a timeline which is showing us when the spikes of activity were.
So we can see distinctly that a lot happened in February of twenty thirteen and then again in August and September of twenty thirteen. But there were relatively fewer breaches occurring during February, March, April of twenty fourteen, for example. Now we’ve got a couple of different things we can do here.
We can select an individual node, and we can see them linked to the organizations responsible or the people responsible for those data breaches. We can zoom in to a specific window of time and filter the chart to show me just those that occurred during the window of time that I’ve selected. And then we also have some additional filtering tools over here on the right.
Those are showing us how we can filter based on that type of access that was used to affect the breach. For example, if I were to select physical access here, we’re graying out everything that wasn’t done via physically accessing a computer or a server that held the data that was then released.
And if I look at the detail that’s left, we can see, for example, that while a minority of the number of breaches overall, those done by a cashier, a teller, or a waiter were primarily done via physical access, which makes sense given the network that we’re looking at. In my final example, I want to talk about animation.
A lot of people think that animation can be just eye candy, but it can be really helpful as you watch how things change in the structure of your network over time. In this case, we’re looking at an example of connections between various IP addresses in our network. And if we want to see the path between, say, for example, this one here and this one here, actually animating that path as we watch data flow across the network, potentially in real time, can be a really powerful way of looking at this data and of understanding what’s going on.
I hope that you’ve learned something about graphs and graph visualization and how they can be used in cybersecurity applications. I want to wrap things up by talking a little bit about the toolkits that I used to create these visualizations. I use tools from the Cambridge Intelligence Suite—KeyLines and ReGraph—for creating and customizing the node-link visualizations.
KeyLines is a toolkit for building graph visualizations in JavaScript. ReGraph is a component for the React framework. For the timeline visualizations, I used KronoGraph, which allowed me to create those rich interactive timeline visualizations that you saw in the demos. All three tools are available to be white-labeled and put into your application, and all three allow for free, fully featured evaluations with access to many example projects and the source code used to build them.
In addition to cybersecurity, the subject of this video, our products are used in a wide variety of other domains as well, from things like supply chain analysis to identifying financial or insurance fraud, but we cover those topics in other videos. Over three hundred organizations worldwide have relied on our twelve years of experience to be the visualization engine for their cybersecurity and other applications.
So please do feel free to reach out via email with any questions. I’m personally on the list that receives mail at the address listed here, and visit our site to request a trial of our tools. Thank you for watching, and do watch out for those guys in the hooded sweatshirts.
Share:
