Building for the Human Half of Security Orchestration & AI

Posted by leo@graphistry.com on June 29, 2018

Learning to Whitebox the SOC-in-a-Box

operations_center_smallEven as organizations automate their security operations with orchestration and AI, some of the most important parts of security investigations continue to depend on human analysis and talent. These critical moments in the investigation remain frustratingly slow, and need categorically different technologies that are optimized for human-in-the-loop analysis.

A balanced security strategy requires us to augment and extend human skills and abilities for the many daily tasks that we cannot trust to bots. This is one of the key goals at Graphistry, and we have previously described the fuzzy data aspect of the problem in our previous article, u201cSecurity in the Age of Maybeu201d. Orchestration and AI are important parts of modern security strategies, but we have to remember that analysts need to deal with them. This article digs into our experiences around the challenges and opportunities presented when orchestration and AI meet critical human-in-the-loop phases of an investigation.

Hurry Up and Wait
Security investigation workloads have outpaced the ability of organizations to hire analysts, so it is no surprise that teams are replacing people with programs for low-level and low-risk tasks. The interesting part, as in most things, is where automation stops short.

Security-critical workflows still often end in or depend on human-in-the-loop (HITL) analysis, and for good reason. Distinguishing real threats from false positives, understanding the true scope of an infection or intrusion, or pulling the thread to expose a hidden attacker are just a few examples where human analysis remains essential. The outcome of these investigations determines the real security of an organization, so tickets and projects remain a daily reality.

Unfortunately, these investigations often remain slow and laborious, and are where efficiency and insight can go to die. As soon as tools make the handoff to the human analyst, the process regresses by 15 to 20 years. We go from automated process to an analyst squinting at dashboards and writing command-line style search queries. In order to make security operations run faster, we need to bring the same ethos of automation, orchestration, and intelligence to the messier, more complicated iterative work of human in the loop analysis. If we don’t, then much of the anticipated benefit of investing in those tools could be lost in a case of u201churry up and waitu201d. This means that the speed, visibility, and reliability we gained through automation could be lost at moment it matters the most!

Augmenting Human Analysis

If we want to improve a human outcome, it makes sense that we design for and try to extend natural human skills. That is why Graphistry has made unprecedented investments into building best-of-class visual technology. Unlike programs, people understand information visually. Humans deal with enormous amounts of data and complexity every day when it is shown visually, and this is why we convert virtually any data into visual graphs. Using graphs we literally see the connections and relationships between our events, entities, and metadata. That could be seeing the progression of an attack along the kill chain or it could be seeing the layers of obfuscation within a money laundering scheme. In either case, a picture instantly reveals what would be relatively impenetrable if analyzed in a table of data.

Analysts are also wrestling with new types of data that may not always be intuitive. Machine learning and AI have become central to all types of analysis. The problem for many analysts is that the algorithms driving these models are often a black box that the analyst simply has to take on faith. Graph visualization has the power to provide analysts with the human UI into machine learning insights. Instead of looking at a generic alert reporting anomalous behavior, an analyst can actually see clusters, outliers, and complex relationships in the data. Likewise, the graph provides a direct visual interface for easily driving these systems, such as steering machine learning towards different parts of the dataset, and triggering actions on identified regions.

Leveraging Scale Without Letting It Get in the Way

The team at Graphistry has created a variety of core GPU technologies, which lets us unlock the needed flexibility to visually interact with large amounts of data. That includes simply seeing and understanding 100X+ more of our data in context. But since the final answer that we are looking for is often small, we also need to easily remove the noise and drill down or pivot to follow the intuitive flow of the investigation.

The goal is that we never want to limit the scope of an investigation, because we can’t see all of the important data, but at the same time we need to make sure the data doesn’t get in the way of seeing what’s really important. This is frankly where most see the difference between having a pretty picture and having a truly interactive investigation. Analysts need the ability to pivot across data sources on the fly, view events in the context of a timeline, or view data in the context of the network. Being able to do this without changing screens or writing new queries is critical for making sure analysts can investigate intuitively, creatively, and actually leverage the skills that make human analysts so valuable.

Automating the Human Workflow

In the previous topic, we were focused on improving our analysts vision: enable them to see more information, see deeper into relationships, and adapt on the fly. To close the loop, we need to focus on the speed of the workflow and how we accelerate those insights. Just because a workflow involves a human doesn’t mean that we can’t speed it up by orders of magnitude. This why Graphistry has pioneered the use of investigation templates and visual playbooks as a highly interactive investigation environment rather than rigid and hard-to-edit software.

First, a template allows an investigation to automatically begin with all the data that an analyst will need. With a trigger as simple as a single SIEM alert, Graphistry can automatically connect to and query any and all data sources to pull in the relevant context. This could be logs from other tools in the SIEM, NetFlow stored in a Spark cluster, and a variety of metadata from Bro logs in Elasticsearch. Without writing a single query, the analyst can right click on an incident, and all the necessary data is queried and prepared for analysis.

Crucially, that data is delivered through a highly interactive and visual workflow. Each step or pivot can have its own unique visualization setting tied to the needs of the analyst. Instead of being rigidly predefined, the analyst can tweak settings such as to look at a wider time range or find out more about a specific entity of interest, thus remaining fully interactive and explorable.

Organizations face a similar challenge when bringing orchestration into human-in-the-loop scenarios. Scripts should not be a blackbox that only other scripts can use. The visual graph and templates solve the human side of orchestration: analysts can simply click-and-fire!

This is just the beginning of what Graphistry does, but it hopefully serves to illustrate the path forward for security organizations. Analysts are some of the most critical assets in the enterprise, and it doesn’t make sense to simply automate around them. They need to be in the process. This is what we call turning the blackbox into a whitebox. To do so, we need to give analysts tools that augment their skills, and close the loop around automated workflows around data lakes, AI, and orchestration. At Graphistry, that is our mission.

Read More

Security in the Age of Maybe

Posted by leo@graphistry.com on May 14, 2018

Security is in the midst of a transformation that is putting extreme pressure on security analysts and hunt teams. One shift that is causing teams a lot of pain in their daily work is that as threats have gotten more sophisticated, security products have gotten much less sure of themselves. Security products increasingly detect the u201canomalousu201d and report threats on a sliding scale of confidence. Not only must staff deal with advanced threats, but they must spend an increasing amount of time navigating the grey areas and ambiguities of modern threat detections to determine and deliver the right actions.

Welcome to the Age of Maybe, where it is critical that we arm analysts for dealing with the indicators that are diverse, widespread…and uncertain.

glasses_dataSecurity in the Age of Maybe

It wasn’t so long ago that most of our security solutions were signature-based, network intrusions were relatively rare, and incident response was reserved for the few truly exceptional events.

But today, persistent attacks are the norm, not the exception. That means that IR has likewise become the norm, and many organizations proactively hunt for threats based on the statistically valid assumption that they are already compromised.

The problem is that while threats have gotten smarter and more common, security products have gotten less certain. Data science, machine learning, and AI have enabled security to see threats that would avoid traditional signatures, but the results are rarely cut and dry. Modern security products are increasingly powered by black-box algorithms that generate uncertain results. Is this anomalous behavior a threat or just an anomaly?

It falls to IR teams and hunters to turn this ambiguity into action. Security products report u201clikelyu201d or u201csuspectedu201d infections, give hints at a symptom of a greater incident, and report confidence in terms of percentages: these are too fuzzy to rely solely on automated actions. Despite all the progress in data-driven algorithms for finding hidden threats, almost no organization is willing to block and walk away without an analyst reviewing the incident and making the call. The net result is that every day more and more of the enterprise security stack is assuming their fuzzy alerts will go into the SIEM and someone will successfully pick it up and connect it to other activity: a human in the loop. As threats get ever more complex and security products follow suit, this is a problem that will keep is getting worse long before it gets better.

As a result, most IR teams are chronically overwhelmed with incidents and most organizations have realized they can’t hire enough staff to keep pace. Teams have naturally sought out ways to make IR more efficient often by automating and orchestrating IR process. This makes intuitive sense – if you are facing a manual bottleneck, then figure out how to automate it.

The challenge however is that IR and threat hunting aren’t just a robotic process of connecting logs and analytics to firewalls for enforcement. The critical step is still about human understanding and making smart decisions. Whether it is the team writing and maintaining the automations, or the responders dealing with what gets flagged, automation loops still involve an analyst loop.

It’s this human-in-the-loop part of the investigation where the magic happens, and it remains the most valuable in terms of stopping initial intrusions from turning into headline news, and the most time-consuming part of the IR process. It is also where innovation is needed the most. This is where Graphistry comes in. Instead of trying to turn analysts into bots, we arm analysts to get to better answers in a fraction of the time of a normal investigation. We add tooling to the human-in-the-loop flow to restore right balance between analyst and machine.

Getting a Grip on Fuzzy Data

The idea behind Graphistry is to provide analysts with a visual environment that brings together all of your security investments in unified and streamlined investigation. Graphistry is on a mission to knock out data bottlenecks in the human-in-the-loop analyst flow, one by one. Analysts can bring in as much or as little data as they need, see it all automatically correlated and mapped out, follow connections and pivot to new data sources on the fly, and drill down into event details when they need it. Using the power of graph visualizations, analysts get one-click visibility into event progression, correlations, and outliers in your data. Data is interactively visualized in analyst-friendly terms such as in the context of a kill-chain, timelines, network boundaries, and other perspectives that go beyond low-fidelity search and dashboard views

Our platform automatically handles the backend querying so that analysts can see connections across all of their security products, logs, SIEMs, threat feeds, and data sources without the need for complex manual queries.

Once we have the right answers, then Graphistry turns to automating the process. Investigations can be saved as repeatable best practices through the use of visual playbooks. These playbooks can act as a sort of interactive map to guide an analyst through a logical investigative flow. With each step an analyst can bring in new data sources and correlate or pivot using customized views of the data. Or instead of going step-by-step, analysts can run the entire investigation at once and render it all as single interactive visual flow. For investigations this often means vastly accelerating the u201ca-hau201d moment. Over time, more and more of a team’s investigations become fast, comprehensive, and reliable by covering them with Graphistry fastpaths.

This really only scratches the surface of what we do at Graphistry, and we haven’t yet talked about the technology that makes it all work. We’ll save that for another blog, but suffice it to say when you raise the visualization bar by 100x and deliver it all through commodity browsers, there is some interesting stuff going on on the backend. But ultimately the point of all that technology is to make life easier on the analyst. The role of the analyst is growing in organizations for a reason. Let’s focus on making analysts better instead of making them into bots.

Read More

Graphistry in the Verizon DBIR

Posted by leo@graphistry.com on April 11, 2018

2018/4/11 10:00

Read More

Connecting JS to modern GPU and ML frameworks: Update from Nvidia GTC 2018

Posted by leo@graphistry.com on April 4, 2018

2018/4/4 10:00

Read More

Graphs as the User Interface for AI

Posted by leo@graphistry.com on March 6, 2018

O’Reilly’s Data Show recently had our CEO, Leo Meyerovich, on to talk about why and how enterprises and data teams are adopting graph technology. You can check it out here where we dive into how we are using graphs as an interface to AI tools & data.

Meanwhile, our team is on the move. Let us know if you’ll be near one of our upcoming talks and events – we love catching up with current & new users!

  • San Jose: Nvidia GTC, March 26th-29th
  • San Francisco: Security analytics meetup with Databricks (Spark) and Trail of Bits (OS Query), April 4th.
  • Nashville: BSides Nashville, April 14th
  • San Francisco: RSA, Week of April 16th
  • Seattle: Microsoft’s annual Security Data Science Colloquium, June 2018
  • DC/NYC: In scheduling

Read More

Playbook Coverage as a Reliability KPI: A note on our NYC InfoSec talk

Posted by leo@graphistry.com on January 10, 2018

Ron Gula’s (ex-Tenable CEO) fireside chat at the NYC Infosec Meetup got serious when he questioned whether to optimize security team efficacy vs. efficiency. This dovetailed beautifully with our tech talk right before. When we explain visual playbooks, people quickly see how they cut MTTR, which in turn gets at both efficacy and efficiency. This has led us to think about what KPIs to focus on, so I ended up presenting a different take: focus on reliability… and an actionable KPI around that, playbook coverage.

crowd.jpgImage: Leo sharing visual playbook best practices

A key property of a visual playbook is it enables, for the investigations in the category the playbook was defined for, starting every investigation with a computer-assisted run through of best practices. Think tasks like data gathering, correlation, and inspection. Analogous to code coverage for software, we’ve started thinking about playbook coverage for incidents: what percent of investigations were covered by visual playbooks, or some complementary technique like orchestration? Playbook coverage measures how prepared IR is in practice. Making the KPI actionable, it provides a clear target for what to cover by the next report. In contrast, MTTR requires more thinking and interpretation.

To see more on this, go to the final slides @ https://www.slideshare.net/lmeyerov/graphistry-nyc-infosec-meetup-increasing-investigation-leverage-with-graph-tech-visual-analysis-playbooks .

– Leo

Read More

Supercharging Visualization with Apache Arrow

Posted by leo@graphistry.com on January 5, 2018

2018/1/5 10:00

Read More

On Amazon’s Growing Graph Capabilities with Neptune’s Launch & Sqrrl Acquisition

Posted by leo@graphistry.com on December 21, 2017

Amazon is investing heavily in graph technologies, which is worth paying attention to. Between launching Neptune and the likely acquisition of Sqrrl (on top of other security acquisitions!), they’ve been busy. For our users and those interested in the broader space, we thought it’d help to share our perspective. Graphistry’s mission is to power the next generation of investigation and visualization technologies, so we’ve been quite active on adjacent problems… including with Amazon.

Neptune Launches

At Reinvent, Amazon launched their first Graph-Database-as-a-Service, Neptune. This is an especially big deal because Neptune is also the first managed graph database by a top 3 cloud provider. Graph databases help power a variety of technologies, and the ones Graphistry cares about are investigative. Think cybersecurity, anti-fraud, market analysis, netops, devops, etc. The Amazon Neptune team invited Graphistry to join them on-stage at Reinvent, where we were delighted to share what we have been seeing and doing in this space:

stage.png

Graphistry+Neptune teams demoing
graph-powered investigations at Amazon Reinvent

Over the coming year, we expect to see many teams to start leveraging Neptune. For security, especially so alongside existing traditional SIEM tools — think Splunk, ElasticSearch, Hadoop systems, etc. The fraud story is similar and just as compelling. We have been seeing several top uses already:

  • 360 maps around key events and entities, like incidents, accounts, and devices. Graphistry has been turning best practices here into visual software that is smart, fast, and comprehensive, so stay tuned for our coming posts introducing visual analytics playbooks!
  • Decrease daily alert whack-a-mole through incident grouping & prioritization. See the video segment on the emerging trend of Enterprise Correlation Services. Matt Swann, on The Microsoft Office 365 Security blog, wrote up a great example of their first steps here.
  • Power smarter automated response. Graph DBs can accelerate queries like 360 neighborhoods, triangle counting, and shortest-path that feed into automated decision systems. Initially, we expect to see headless use much more in fraud, where it is already a growing norm.

As teams roll out graph data infrastructure, we’ll be excited to help with the problem of getting graph capabilities into the hands of more of their analysts.

Farewell to Sqrrl; Long Live Sqrrl!

We’ve watched Sqrrl, a suite of tools for analysts performing advanced threat hunting — including security analytics, a Hadoop cluster, and a graph-based active hunting UI — grow up from their roots as a NSA spinout. We’re already missing how David Bianco’s think pieces would easily trigger internal Slack discussions on what our easy visual playbook reinterpretation would look like, or if we could enable seeing more through our GPU visualizations. Sqrrl’s founders and employees merit a true tip of the hat for beating the drum on active hunt methodology!

For teams now needing to address a holiday surprise around the resulting platform risk in their visual tooling capabilities, Graphistry may be a shortcut: it can plug directly into wherever your data and compute already is, no matter if that is cloud or on-premise, nor whether it is Hadoop, Splunk, ELK, or anything else with an API. We would be happy to see about getting you up quickly. Our tech solves investigation visibility and workflow problems all the way down to your Tier 1, not just hunt, so at least there’ll be a silver lining.

To all the graphistas at Amazon, old and new, congrats from the Graphistry team, good luck with your future endeavors, and we look forward to the next time we’re in Seattle!

Read More

Your Blog Post Title Here…

Posted by leo@graphistry.com on December 12, 2017

None

Read More

Arming Analysts for the Era of APIs & AIs

Posted by leo@graphistry.com on December 12, 2017

2017/12/12 10:00

Read More