Graph visualization use cases: cyber security

25th September, 2017

Our last blog post was the first of three exploring real world applications for graph visualization.

Use cases for graph visualization: Cyber Security

Last time we reviewed two of the older commercial uses for graph visualization: law enforcement and fraud detection.

We saw how, as data volumes grew, the connection-led approach evolved from police investigation room walls to the ‘link analysis’ process. The financial services sector adopted this process as an effective way to detect and manage fraud.

In both scenarios, technology has led to bigger datasets. The police now routinely capture and analyze massive volumes of open source intelligence (OSINT), and modern banking involves vast global networks of instant transactions and fast decisions.

Investigation walls – low-tech graph visualization

You’ll know that cyber security is about understanding network vulnerabilities and protecting networks from malicious attacks.

Data is measured in terabytes, and it’s not unusual for enterprises to handle billions of alerts each day. Analysts cannot hope to review every alert, but without the visualization tools to understand the big picture they cannot perform effective triage either. The result: alerts get missed, vulnerabilities are exploited and post-attack forensics are inefficiently managed.

It’s no surprise that cyber security is the fastest-growing use case for graph visualization, which is becoming the go-to tool for cyber analysts. Enhancing their existing SIEM dashboards with a KeyLines-powered component gives them access to the joined-up intelligence they need, in the right place at the right time.

Let’s look at three key aspects of cyber security to see how KeyLines can help.

1. Spotting anomalies

To uncover threats, analysts almost always look for anomalies.

The human brain is good at recognizing patterns. Combined with a machine’s data processing capability, it can find anomalies that machines alone would miss. This anomaly detection approach helps prevent data breaches, find malware entry points, predict external attacks and find vulnerabilities in an organization’s perimeter.

Finding anomalies in user login logs.

In this webinar with KeyLines customer CyberFlow Analytics (now part of Webroot), their team combined graph visualization and advanced machine learning. The result was an anomaly detection tool capable of scaling to the largest IT networks.
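The anomaly-in-login-logs idea above is easy to make concrete without any rendering library: build a user-to-host graph from the log and ask where its structure departs from the norm. The following is an added illustration written for this page, not code from Cambridge Intelligence, KeyLines or CyberFlow Analytics; the log format, the sample events and the baseline of known user/host pairs are all constructed, and the two checks (fan-out far above the median user, and user/host edges never seen before) are hypothetical choices of anomaly score, not anything the webinar describes.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample login events (not from the original post): a few workstation
# users on their usual machines, plus a service account that suddenly fans out
# across many hosts late at night. One malformed line is included on purpose.
SAMPLE_LOG = """\
2017-09-25T08:01:12 user=alice host=ws-01 result=success
2017-09-25T08:03:40 user=alice host=ws-01 result=success
2017-09-25T08:05:02 user=bob host=ws-02 result=success
2017-09-25T08:07:19 user=carol host=ws-03 result=success
2017-09-25T08:09:55 user=dave host=ws-04 result=success
2017-09-25T08:12:31 user=erin host=ws-05 result=success
2017-09-25T23:14:03 user=svc-backup host=ws-01 result=success
2017-09-25T23:14:09 user=svc-backup host=ws-02 result=success
2017-09-25T23:14:15 user=svc-backup host=ws-03 result=success
2017-09-25T23:14:21 user=svc-backup host=ws-04 result=success
2017-09-25T23:14:27 user=svc-backup host=ws-05 result=success
2017-09-25T23:14:33 user=svc-backup host=fileserver result=failure
this line is malformed and must be skipped
"""

# Constructed baseline: user/host pairs observed in an earlier, trusted period.
BASELINE_EDGES = {
    ("alice", "ws-01"), ("bob", "ws-02"), ("carol", "ws-03"),
    ("dave", "ws-04"), ("erin", "ws-05"), ("svc-backup", "ws-01"),
}

# Hypothetical log format: "<timestamp> user=<u> host=<h> result=<r>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log text into (timestamp, user, host, result) tuples.

    Lines that do not match the expected format are skipped rather than
    raising, so one bad record cannot abort an analysis run.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["user"], m["host"], m["result"]))
    return events


def build_login_graph(events):
    """Build a bipartite user -> host graph; edge weight = number of logins."""
    graph = defaultdict(lambda: defaultdict(int))
    for _, user, host, _ in events:
        graph[user][host] += 1
    return graph


def fan_out_outliers(graph, ratio=3.0):
    """Return users whose distinct-host count is >= ratio x the median user's.

    The median is a robust baseline: a single noisy account does not drag
    it upward the way a mean would.
    """
    degrees = {user: len(hosts) for user, hosts in graph.items()}
    if not degrees:
        return []
    med = max(median(degrees.values()), 1)
    return sorted(user for user, deg in degrees.items() if deg >= ratio * med)


def new_edges(graph, baseline):
    """Return (user, host) pairs present now but never seen in the baseline."""
    current = {(u, h) for u, hosts in graph.items() for h in hosts}
    return sorted(current - baseline)


if __name__ == "__main__":
    g = build_login_graph(parse_log(SAMPLE_LOG))
    print("fan-out outliers:", fan_out_outliers(g))
    print("new user/host edges:", new_edges(g, BASELINE_EDGES))
```

On the constructed data the service account is the only fan-out outlier, and every edge it creates beyond its usual host is new relative to the baseline; in a real deployment those two lists are exactly the nodes and edges an analyst would want highlighted in the chart rather than buried among thousands of routine logins.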

2. Performing forensics

Even if an analyst cannot prevent an attack, graph visualization can still help them understand it and prevent a reoccurrence. Tracking the propagation of malware through a network reveals susceptible and potentially compromised machines.

The spread of infected traffic in an IT network.

This KeyLines graph shows the spread of infected traffic in an IT network. The dense cluster of ten machines was infected by two machines hit by a malware attack.
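Tracing propagation from a couple of known-bad machines is a reachability question over the connection graph, with one caveat that matters in forensics: a connection only counts if it happened after its source was already compromised. The example below is an added illustration, not KeyLines code or the analysis behind the chart above; the flow records, the two seed machines and the timestamps are constructed. It contrasts plain reachability (which over-implicates hosts) with a time-respecting walk that also records the parent of each host so the infection chain can be read back.

```python
from collections import deque

# Constructed connection records (not from the original post): (time, src, dst).
# Two seed machines, m1 and m2, are known to have been hit at time 0.
FLOWS = [
    (1, "m1", "a"),
    (2, "m2", "b"),
    (3, "a", "c"),
    (4, "b", "d"),
    (5, "c", "e"),
    (0, "a", "x"),   # a talked to x *before* a was infected: x is not implicated
    (2, "f", "m1"),  # inbound traffic to a seed does not spread infection outward
    (1, "g", "h"),   # unrelated traffic
]
SEEDS = {"m1", "m2"}


def naive_reach(flows, seeds):
    """Static reachability: every host reachable from a seed, ignoring time.

    This over-approximates the blast radius, because it implicates hosts that
    were contacted before the contacting machine was itself compromised.
    """
    adj = {}
    for _, src, dst in flows:
        adj.setdefault(src, set()).add(dst)
    seen = set(seeds)
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def temporal_reach(flows, seeds, t0=0):
    """Time-respecting reachability.

    A host is marked potentially compromised only if an already-compromised
    host contacted it at or after that host's own compromise time. Returns
    {host: (time, parent)} so the infection chain can be reconstructed.
    Iterates to a fixpoint so chains of equal timestamps are found regardless
    of record order.
    """
    reach = {s: (t0, None) for s in seeds}
    changed = True
    while changed:
        changed = False
        for t, src, dst in sorted(flows):
            if src in reach and t >= reach[src][0]:
                if dst not in reach or t < reach[dst][0]:
                    reach[dst] = (t, src)
                    changed = True
    return reach


def infection_path(reach, host):
    """Walk parent links back to the seed, e.g. ['m1', 'a', 'c', 'e']."""
    path = []
    while host is not None:
        path.append(host)
        host = reach[host][1]
    return list(reversed(path))


if __name__ == "__main__":
    print("naive   :", sorted(naive_reach(FLOWS, SEEDS)))
    temporal = temporal_reach(FLOWS, SEEDS)
    print("temporal:", sorted(temporal))
    print("path to e:", infection_path(temporal, "e"))
```

The static walk lists host x as compromised; the temporal walk does not, because a only became infected after it spoke to x. That distinction is the difference between a containment list an incident responder can act on and one padded with false positives, and it is the same ordering information a time bar exposes visually.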

In another example, we explored the VERIS database of data breaches, looking for patterns in how the breaches happen and who is responsible. That chart used the time bar to offer a dynamic view of what happened when:

Basic methods seem to be less popular towards the end of the time period – perhaps a consequence of companies being more aware of simple document theft.

Complex malware data can be visualized as a graph. KeyLines’ combos and time bar features can reveal network structures that can pinpoint trends and entry points.

KeyLines graph visualization tool simplifies complex information and makes post-attack forensics interactive, intuitive and insightful.

3. Sharing intelligence

Graph visualization doesn’t just analyze past events and identify possible future problems: it’s also key to sharing cyber intelligence. KeyLines applications are interactive and intuitive, making them an ideal tool for communicating complex data quickly and simply.

In this interview, with EclecticIQ’s co-founder Raymon van der Velde, we learned how their award-winning cyber threat intelligence platform harnesses graph visualization. Using KeyLines, the EclecticIQ team empower cyber threat analysts with a clear view of STIX/TAXII intelligence, and an easy way to analyze and communicate its insight.

The EclecticIQ threat intelligence platform

Powering graphs at scale

In all three of these scenarios, performance is crucial.

Analysts rely on graph visualization to provide both a global (overview) and local (zoomed-in) view of their connected data. Performant layouts, filtering and social network analysis are key, but they must be combined with a powerful rendering engine. For reliable and robust graph visualization at scale, only the KeyLines WebGL component is up to the job.

Try it for yourself

If you have a connected data challenge that you think could be solved by visualization, we’re here to help. Start a trial or get in touch to learn more.
