O’Reilly’s Data Show recently had our CEO, Leo Meyerovich, on to talk about why and how enterprises and data teams are adopting graph technology. You can check it out here where we dive into how we are using graphs as an interface to AI tools & data.
Meanwhile, our team is on the move. Let us know if you’ll be near one of our upcoming talks and events – we love catching up with current & new users!
- San Jose: Nvidia GTC, March 26th-29th
- San Francisco: Security analytics meetup with Databricks (Spark) and Trail of Bits (OS Query), April 4th.
- Nashville: BSides Nashville, April 14th
- San Francisco: RSA, Week of April 16th
- Seattle: Microsoft’s annual Security Data Science Colloquium, June 2018
- DC/NYC: In scheduling
Ron Gula’s (ex-Tenable CEO) fireside chat at the NYC Infosec Meetup got serious when he questioned whether to optimize security team efficacy vs. efficiency. This dovetailed beautifully with our tech talk right before. When we explain visual playbooks, people quickly see how they cut MTTR, which in turn gets at both efficacy and efficiency. This has led us to think about what KPIs to focus on, so I ended up presenting a different take: focus on reliability… and an actionable KPI around that, playbook coverage.
Image: Leo sharing visual playbook best practices
A key property of a visual playbook is it enables, for the investigations in the category the playbook was defined for, starting every investigation with a computer-assisted run through of best practices. Think tasks like data gathering, correlation, and inspection. Analogous to code coverage for software, we’ve started thinking about playbook coverage for incidents: what percent of investigations were covered by visual playbooks, or some complementary technique like orchestration? Playbook coverage measures how prepared IR is in practice. Making the KPI actionable, it provides a clear target for what to cover by the next report. In contrast, MTTR requires more thinking and interpretation.
To see more on this, go to the final slides @ https://www.slideshare.net/lmeyerov/graphistry-nyc-infosec-meetup-increasing-investigation-leverage-with-graph-tech-visual-analysis-playbooks .
Amazon is investing heavily in graph technologies, which is worth paying attention to. Between launching Neptune and the likely acquisition of Sqrrl (on top of other security acquisitions!), they’ve been busy. For our users and those interested in the broader space, we thought it’d help to share our perspective. Graphistry’s mission is to power the next generation of investigation and visualization technologies, so we’ve been quite active on adjacent problems… including with Amazon.
At Reinvent, Amazon launched their first Graph-Database-as-a-Service, Neptune. This is an especially big deal because Neptune is also the first managed graph database by a top 3 cloud provider. Graph databases help power a variety of technologies, and the ones Graphistry cares about are investigative. Think cybersecurity, anti-fraud, market analysis, netops, devops, etc. The Amazon Neptune team invited Graphistry to join them on-stage at Reinvent, where we were delighted to share what we have been seeing and doing in this space:
Graphistry+Neptune teams demoing
graph-powered investigations at Amazon Reinvent
Over the coming year, we expect to see many teams to start leveraging Neptune. For security, especially so alongside existing traditional SIEM tools — think Splunk, ElasticSearch, Hadoop systems, etc. The fraud story is similar and just as compelling. We have been seeing several top uses already:
- 360 maps around key events and entities, like incidents, accounts, and devices. Graphistry has been turning best practices here into visual software that is smart, fast, and comprehensive, so stay tuned for our coming posts introducing visual analytics playbooks!
- Decrease daily alert whack-a-mole through incident grouping & prioritization. See the video segment on the emerging trend of Enterprise Correlation Services. Matt Swann, on The Microsoft Office 365 Security blog, wrote up a great example of their first steps here.
- Power smarter automated response. Graph DBs can accelerate queries like 360 neighborhoods, triangle counting, and shortest-path that feed into automated decision systems. Initially, we expect to see headless use much more in fraud, where it is already a growing norm.
As teams roll out graph data infrastructure, we’ll be excited to help with the problem of getting graph capabilities into the hands of more of their analysts.
Farewell to Sqrrl; Long Live Sqrrl!
We’ve watched Sqrrl, a suite of tools for analysts performing advanced threat hunting — including security analytics, a Hadoop cluster, and a graph-based active hunting UI — grow up from their roots as a NSA spinout. We’re already missing how David Bianco’s think pieces would easily trigger internal Slack discussions on what our easy visual playbook reinterpretation would look like, or if we could enable seeing more through our GPU visualizations. Sqrrl’s founders and employees merit a true tip of the hat for beating the drum on active hunt methodology!
For teams now needing to address a holiday surprise around the resulting platform risk in their visual tooling capabilities, Graphistry may be a shortcut: it can plug directly into wherever your data and compute already is, no matter if that is cloud or on-premise, nor whether it is Hadoop, Splunk, ELK, or anything else with an API. We would be happy to see about getting you up quickly. Our tech solves investigation visibility and workflow problems all the way down to your Tier 1, not just hunt, so at least there’ll be a silver lining.
To all the graphistas at Amazon, old and new, congrats from the Graphistry team, good luck with your future endeavors, and we look forward to the next time we’re in Seattle!