Our last blog post was the first of three exploring real world applications for graph visualization.
Last time we reviewed two of the older commercial uses for graph visualization: law enforcement and fraud detection.
We saw how, as data volumes grew, the connection-led approach evolved from police investigation room walls to the ‘link analysis’ process. The financial services sector adopted this process as an effective way to detect and manage fraud.
In both scenarios, technology has led to bigger datasets. The police now routinely capture and analyze massive volumes of open-source intelligence (OSINT), and modern banking involves vast global networks of instant transactions and fast decisions.
You’ll know that cyber security is about understanding network vulnerabilities and protecting them from malicious attacks.
Data is measured in terabytes, and it’s not unusual for enterprises to handle billions of alerts each day. Analysts cannot hope to review every alert, but without the visualization tools to understand the big picture, they cannot perform effective triage either. The result: alerts get missed, vulnerabilities are exploited and post-attack forensics are inefficiently managed.
It’s no surprise that cyber security is the fastest-growing use case for graph visualization, which is becoming the go-to tool for cyber analysts. Enhancing their existing SIEM dashboards with a KeyLines-powered component gives them access to the joined-up intelligence they need, in the right place at the right time.
Let’s look at three key aspects of cyber security to see how KeyLines can help.
To uncover threats, analysts almost always look for anomalies.
The human brain is good at recognizing patterns. Combined with a machine’s data processing capability, and it’s possible to find anomalies that machines alone would miss. This anomaly detection approach helps prevent data breaches, find malware entry points, predict externals attacks and find vulnerabilities in an organization’s perimeter.
In this webinar with KeyLines customer CyberFlow Analytics (now part of Webroot), their team combined graph visualization and advanced machine learning. The result was an anomaly detection tool capable of scaling to the largest IT networks.
Even if an analyst cannot prevent an attack, graph visualization can still help them understand it and prevent a reoccurrence. Tracking the propagation of malware through a network reveals susceptible and potentially compromised machines.
This KeyLines graph shows the spread of infected traffic in an IT network. The dense cluster of ten machines was infected by two machines hit by a malware attack.
In another example, we explored the VERIS database of data breaches, looking for patterns in how the breaches happen and who is responsible. That chart used the time bar to offer a dynamic view of what happened when:
Complex malware data can be visualized as a graph. KeyLines’ combos and time bar features can reveal network structures that can pinpoint trends and entry points.
Graph visualization doesn’t just analyze past events and identify possible future problems: it’s also key to sharing cyber intelligence. KeyLines applications are interactive and intuitive, making them an ideal tool for communicating complex data quickly and simply.
In this interview, with EclecticIQ’s co-founder Raymon van der Velde, we learned how their award-winning cyber threat intelligence platform harnesses graph visualization. Using KeyLines, the EclecticIQ team empower cyber threat analysts with a clear view of STIX/TAXII intelligence, and an easy way to analyze and communicate its insight.
In all three of these scenarios, performance is crucial.
Analysts rely on graph visualization to provide both a global (overview) and local (zoomed-in) view of their connected data. Performant layouts, filtering and social network analysis is key, but it must be combined with a powerful rendering engine. For a reliable and robust graph visualization at scale, only KeyLines WebGL component is up to the job.