Security Graphs Go Mainstream
In the late 2000s Facebook launched its Social Graph. In the early 2010s LinkedIn popularized the concept of an Economic Graph. In both cases, these companies saw the power of connecting data into a “linked-entity” model. Sqrrl has been doing the same type of work in cybersecurity since 2014 via its Security Behavior Graph, which powers the Sqrrl Threat Hunting Platform (THP).
Fig 1. Facebook’s Social Graph
Over the last month, we have been closely following some interesting developments in “Security Graphs”. Two major players, Microsoft and Oracle, began rolling out their own Security Graph products.
Last week Oracle’s Larry Ellison picked a fight with Splunk during his keynote at Oracle OpenWorld 2017 in front of a cheering crowd of 60,000. He said, “Oracle Management Cloud (OMC) is a complete data architecture through a unified entity model that spans topology, telemetry, associations, and threats. Splunk has no real entity model and leaves data in many disparate vendor models.”
This “unified entity model” that Ellison refers to appears to be Oracle’s first foray into Security Graphs. It doesn’t yet appear that Oracle is using any graph visualizations, but it sounds like they are leveraging a graph data model.
Microsoft has somewhat more experience with graph concepts, through its acquisition of LinkedIn in 2016, the publication of the Microsoft Graph in 2015, and, more recently, its promotion of the Intelligent Security Graph, which fuses threat intelligence and detections from across its global network.
Fig 2. Microsoft/LinkedIn’s Economic Graph
For Sqrrl, these moves by Microsoft and Oracle are strong validation that our Security Behavior Graph approach is the right one. Further, Sqrrl’s approach is complementary to what both Microsoft and Oracle are doing. As with Sqrrl’s integration with Splunk, analysts within Security Operations Centers can use Oracle or Microsoft for alerting, fuse those alerts into Sqrrl’s Security Behavior Graph, and then use Sqrrl’s interactive link analysis capabilities to pivot through the alerts and hunt for attack narratives. Sqrrl’s new Risk Triggers capability lets those analysts build a comprehensive view of risk across an organization by aggregating risk across Sqrrl analytics, external alerts, threat intelligence, and vulnerability scans.
Fig 3. Sqrrl’s Security Behavior Graph
Sqrrl’s graph capabilities offer analysts many new ways to uncover hidden threats by observing behavior patterns and pivoting through different types of data. To learn more about Sqrrl’s Security Behavior Graph, take Sqrrl’s Threat Hunting Platform for a Test Drive.