Graph visualization use cases: cyber security

by , 25th September 2017

Our graph visualization use cases blog post was the first of three exploring real-world applications for graph visualization.

Looking for the rest of the series?

Use cases for graph visualization: Cyber Security

Last time we reviewed two of the older commercial uses for graph visualization: law enforcement and fraud detection.

We saw how, as data volumes grew, the connection-led approach evolved from police investigation room walls to the ‘link analysis’ process. The financial services sector adopted this process as an effective way to detect and manage fraud.

In both scenarios, technology has led to bigger datasets. The police now routinely capture and analyze massive volumes of open-source intelligence (OSINT), and modern banking involves vast global networks of instant transactions and fast decisions.

Investigation walls - low-tech graph visualization
Investigation walls – low-tech graph visualization

You’ll know that cyber security is about understanding network vulnerabilities and protecting them from malicious attacks.

Data is measured in terabytes, and it’s not unusual for enterprises to handle billions of alerts each day. Analysts cannot hope to review every alert, but without the visualization tools to understand the big picture, they cannot perform effective triage either. The result: alerts get missed, vulnerabilities are exploited and post-attack forensics are inefficiently managed.

Cyber security white paper
FREE: Visualizing cyber security threats

The ultimate guide to keeping networks, systems and IT infrastructure safe using data visualization

GET YOUR FREE GUIDE


It’s no surprise that cyber security is the fastest-growing use case for graph visualization, which is becoming the go-to tool for cyber analysts. Enhancing their existing SIEM dashboards with a KeyLines-powered component gives them access to the joined-up intelligence they need, in the right place at the right time.

Let’s look at three key aspects of cyber security to see how our toolkit technology can help.

1. Spotting anomalies

To uncover threats, analysts almost always look for anomalies.

The human brain is good at recognizing patterns. Combined with a machine’s data processing capability, and it’s possible to find anomalies that machines alone would miss. This anomaly detection approach helps prevent data breaches, find malware entry points, predict externals attacks and find vulnerabilities in an organization’s perimeter.

Finding anomalies in user login logs
Finding anomalies in user login logs.

In this cyber security webinar with KeyLines customer CyberFlow Analytics (now part of Webroot), their team combined graph visualization and advanced machine learning. The result was an anomaly detection tool capable of scaling to the largest IT networks.

2. Performing forensics

Even if an analyst cannot prevent an attack, graph visualization can still help them understand it and prevent a reoccurrence. Tracking the propagation of malware through a network reveals susceptible and potentially compromised machines.

The spread of infected traffic in an IT network
The spread of infected traffic in an IT network

This graph demonstrates how the malware attack on one machine infected four others.

In another example, we explored the VERIS database of data breaches, looking for patterns in how the breaches happen and who is responsible. That chart used the time bar to offer a dynamic view of what happened when:

visualizing data breaches
Basic methods seem to be less popular towards the end of the time period – perhaps a consequence of companies being more aware of simple document theft. See more examples of visualizing cyber security data breaches.

Complex malware data can be visualized as a graph. The combos and time bar features in our toolkits can reveal network structures that can pinpoint trends and entry points.

visualizing data breaches
Our graph visualization tools simplify complex information and make post-attack forensics interactive, intuitive and insightful.

3. Sharing intelligence

Graph visualization doesn’t just analyze past events and identify possible future problems: it’s also key to sharing cyber intelligence. Our graph visualization applications are interactive and intuitive, making them an ideal tool for communicating complex data quickly and simply.

In our interview with EclecticIQ’s co-founder Raymon van der Velde, we learned how their award-winning cyber threat intelligence platform harnesses graph visualization. Using KeyLines, the EclecticIQ team empower cyber threat analysts with a clear view of STIX/TAXII intelligence, and an easy way to analyze and communicate its insight.

eclecticiq platform
The EclecticIQ threat intelligence platform

Powering graphs at scale

In all three of these scenarios, performance is crucial.

Analysts rely on graph visualization to provide both a global (overview) and local (zoomed-in) view of their connected data. Performant layouts, filtering and social network analysis is key, but it must be combined with a powerful rendering engine. For a reliable and robust graph visualization at scale, only KeyLines and ReGraph’s WebGL component is up to the job.

Try it for yourself

If you have a connected data challenge that you think could be solved by visualization, we’re here to help. Start a trial or get in touch to learn more.

A screen showing a hybrid graph and timeline visualization created using ReGraph and KronoGraph
FREE: Start your trial today

Visualize your data! Request full access to our SDKs, demos and live-coding playgrounds.

TRY OUR TOOLKITS

How can we help you?

Request trial

Ready to start?

Request a free trial

Learn more

Want to learn more?

Read our white papers

“case

Looking for success stories?

Read our case studies

Company
Careers
Products
Register for news & updates

Registered in England and Wales with Company Number 07625370 | VAT Number 113 1740 61
6-8 Hills Road, Cambridge, CB2 1JP. All material © Cambridge Intelligence 2022.
Read our Privacy Policy.