Analysing security data is critical because it gives organisations better visibility of their environment. That means tracking and storing the interactions of users, machines, applications, network communications, system events, processes, disk access and more. This is highly complex and has traditionally been a major limitation for security analysis with conventional databases: with billions of events generated daily, the sheer volume of data alone means that queries which join across many of these sources can take an eternity.
On top of that, new types of data keep appearing. Data types that were not anticipated in the original design may never be stored and are eventually lost. Security data is also often unstructured, discrete and disconnected, which makes threat detection challenging.
Graph databases, on the other hand, offer a simple, scalable and flexible way to store and model highly interconnected datasets. Even though security data is frequently unstructured and unanticipated, a graph database can store it and keep track of how one security event relates to another.
So how do graph databases analyse data?
Graph databases analyse data by looking at the structure of the graph: which entities are connected, by what kind of relationship, and where the connection patterns are unusual. Identifying such structural anomalies surfaces potential risks that can then be addressed. This method is most commonly used for fraud detection, but it applies equally to other cybercriminal activity.
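The following is an added example, not code from the original page and not CrowdStrike’s own implementation; it shows what analysing the structure of a security graph means in practice. Constructed endpoint events (process starts, network connections and one remote logon) are loaded into a small in-memory graph, and a breadth-first traversal looks for a chain of relationships leading from a process running an Office application to a destination on a constructed known-bad list, crossing from one host to another along the logon edge. The event layout, host names, addresses and the KNOWN_BAD list are all assumptions made up for the demonstration.

```python
from collections import defaultdict, deque

# Constructed endpoint telemetry (not real sensor output). A process is
# identified by (host, pid); ppid 1 marks a root whose parent was never observed.
EVENTS = [
    {"type": "process", "host": "ws01", "pid": 400, "ppid": 1,   "image": "explorer.exe"},
    {"type": "process", "host": "ws01", "pid": 412, "ppid": 400, "image": "winword.exe"},
    {"type": "process", "host": "ws01", "pid": 433, "ppid": 412, "image": "powershell.exe"},
    {"type": "network", "host": "ws01", "pid": 433, "dst": "updates.bad-example.invalid"},
    {"type": "logon",   "host": "ws01", "pid": 433, "dst_host": "srv02", "user": "jdoe"},
    {"type": "process", "host": "srv02", "pid": 900, "ppid": 1,   "image": "services.exe"},
    {"type": "process", "host": "srv02", "pid": 905, "ppid": 900, "image": "wmiprvse.exe"},
    {"type": "process", "host": "srv02", "pid": 910, "ppid": 905, "image": "cmd.exe"},
    {"type": "network", "host": "srv02", "pid": 910, "dst": "203.0.113.7"},
    {"type": "process", "host": "ws03", "pid": 500, "ppid": 1,   "image": "chrome.exe"},
    {"type": "network", "host": "ws03", "pid": 500, "dst": "www.example.org"},
]

# Constructed threat-intel list standing in for a feed of known bad domains and IPs.
KNOWN_BAD = {"updates.bad-example.invalid", "203.0.113.7"}


def build_graph(events):
    """Turn flat events into a directed graph.

    Node keys: ("process", host, pid), ("host", name), ("dst", address).
    adj maps a node to a list of (edge_label, neighbour); images maps a
    process node to its executable name for matching and display.
    """
    adj = defaultdict(list)
    images = {}
    for e in events:
        if e["type"] == "process":
            images[("process", e["host"], e["pid"])] = e["image"]
    for e in events:
        if e["type"] == "process":
            node = ("process", e["host"], e["pid"])
            parent = ("process", e["host"], e["ppid"])
            if parent in images:
                adj[parent].append(("spawned", node))
            else:
                # Parent never observed: attach the root to its host so that a
                # remote logon can be followed into what ran on that host.
                adj[("host", e["host"])].append(("runs", node))
        elif e["type"] == "network":
            src = ("process", e["host"], e["pid"])
            adj[src].append(("connected_to", ("dst", e["dst"])))
        elif e["type"] == "logon":
            src = ("process", e["host"], e["pid"])
            adj[src].append(("logon_as_" + e["user"], ("host", e["dst_host"])))
    return adj, images


def label(node, images):
    """Human-readable node name, e.g. winword.exe(ws01:412) or host:srv02."""
    if node[0] == "process":
        return f"{images.get(node, '?')}({node[1]}:{node[2]})"
    return f"{node[0]}:{node[1]}"


def find_ioc_paths(adj, images, start_image, known_bad, max_hops=6):
    """Breadth-first walk from every process running start_image; report the
    shortest chain of relationships that reaches a destination on the bad list.
    Each returned path is a list of (edge_label, node_label) steps."""
    hits = []
    for start in [n for n, img in images.items() if img == start_image]:
        seen = {start}
        queue = deque([(start, [("start", label(start, images))])])
        while queue:
            node, path = queue.popleft()
            if node[0] == "dst" and node[1] in known_bad:
                hits.append(path)
                continue
            if len(path) - 1 >= max_hops:
                continue
            for edge, nxt in adj.get(node, []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [(edge, label(nxt, images))]))
    return hits


def render(path):
    """Format one path as 'a -> [edge] b -> [edge] c'."""
    return " -> ".join(n if e == "start" else f"[{e}] {n}" for e, n in path)


def detect(start_image, max_hops=6, events=EVENTS, known_bad=KNOWN_BAD):
    """Build the graph from events and return the rendered hit paths."""
    adj, images = build_graph(events)
    return [render(p) for p in find_ioc_paths(adj, images, start_image, known_bad, max_hops)]


if __name__ == "__main__":
    for line in detect("winword.exe"):
        print(line)
```

Run as a script, it reports two chains from winword.exe: the short one ending at the bad domain contacted by the child PowerShell process, and the six-hop one that follows the logon into srv02 and down the WMI-spawned cmd.exe to the bad IP. Lowering max_hops to 3 drops the second chain, which is the kind of knob an analyst tunes to trade coverage for noise. In a real graph database the traversal would be one variable-length path query rather than hand-written breadth-first search; the point is that the detection is phrased over relationships, so a new event type such as the logon joins the existing data just by adding an edge kind, with no change to a fixed table schema.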
Modern graph databases can automate this analysis because all the data lives in one place. CrowdStrike’s Threat Graph is one example: a powerful, scalable, cloud-hosted graph database built on graph data modelling. Within a single database it stores, visualises, correlates and analyses the vast quantity of event data generated by endpoints.
Today, a combination of machine learning, artificial intelligence and graph analytics makes the process much faster. By automating the analysis, the slow and tedious manual review of graph data becomes a thing of the past: the system continually looks for malicious activity by applying its machine learning algorithms and graph analytics across its data. Gone are the days when analysts had to gather information from multiple sources by hand, find the problem and hope to solve it.
Threat Graph identifies known and unknown threats and responds rapidly: the database is analysed and feedback is returned instantaneously, with blocking and alerting happening immediately. The analysis draws on known bad domains and IPs, indicators of compromise, adversaries and attribution. In other words, data is collected from all deployed sensors and then enriched with threat intelligence.
Using this tremendously shortens the time needed to detect and prevent attacks. Its forensic capabilities automate the discovery of triggers, or potential threats, so users no longer need to create and update their own detection patterns. Finally, because everything is in the same database, once a threat is detected for one customer that vital information is shared with all other customers as well.
For more details on CrowdStrike’s Threat Graph, visit here.