Security Operations, Engineering, and Intelligence Integration Through the Power of Graph(DB)! Presented at FIRST 2014

by Christopher Clark

Summary: Prior to joining iDefense, Chris worked with the Verisign CSO to architect a full-scope, intelligence-driven computer network defense program. Chris has extensive experience in both offensive and defensive cyber warfare in roles ranging from pure security research and content creation to commercial and open source tool architecture and deployment. He has held technical leadership positions with industry leaders such as BAE Systems, General Dynamics, and ManTech International, in which he was directly responsible for mission-critical cyber operations. Chris is extremely active in the security community through open source development, public and private speaking engagements, and information sharing organizations. He is a decorated veteran of the US Marine Corps, a former US Department of Defense instructor, and holds a wide array of computer and security certifications (DCITA, GIAC, Cisco, Stanford University).
The ability to properly categorize and visualize attacks, security tool efficacy, and targeting trends has previously been cumbersome at best and impossible at worst.
Through proper schema design, a graph database can be used to represent all assets and entities involved in business operations and security, both internal and external to your organization. This data can then be used to accurately track and attribute attacks, measure tool and team efficacy/ROI, and isolate high-risk targets and gaps in your security posture down to a level of granularity that is impossible by other means.
The graph database model also allows incredibly complex queries to be answered in milliseconds, including unknown-distance questions such as "Which Exploits have actors from China used against our Development team in the last twelve months?", "Which IDS rules are in place to defend from malware used by XXXX group?", or "Display all C2 domains beaconed to over port 80 by malware delivered by Watering Hole attack".
By treating things as the entities they are in real life, and forming contextual relationships between them, we can begin to make sense of the piles of data and gain insight into our weaknesses.
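The three example questions above can be answered as multi-hop path queries once actors, malware, exploits, teams, IDS rules and C2 domains are nodes with typed relationships between them. The following is an added illustration, not code from the talk or from iDefense: a tiny in-memory property graph with constructed, hypothetical node names (APT-A, mal-1, sid:2001, c2.example, etc.) and a single `step` helper that walks one relationship type forwards or backwards while filtering on node type and on properties stored on the relationship itself (sighting date, beacon port).

```python
from datetime import date, timedelta

# Constructed sample graph (hypothetical identifiers): node id -> type and properties.
NODES = {"APT-A": {"type": "Actor", "country": "CN"}, "APT-B": {"type": "Actor", "country": "RU"}}
NODES.update({n: {"type": t} for t, names in [
    ("Malware", ["mal-1", "mal-2", "mal-3"]), ("Exploit", ["exp-1", "exp-2", "exp-3"]),
    ("Team", ["dev", "finance"]), ("IDSRule", ["sid:2001", "sid:2002"]),
    ("DeliveryMethod", ["watering-hole", "phish"]), ("Domain", ["c2.example", "upd.example"]),
] for n in names})
# Directed edges: (source, relation, target, properties living on the relationship).
EDGES = [
    ("APT-A", "USES", "mal-1", {}), ("APT-A", "USES", "mal-2", {}), ("APT-B", "USES", "mal-3", {}),
    ("mal-1", "EXPLOITS", "exp-1", {}), ("mal-2", "EXPLOITS", "exp-2", {}), ("mal-3", "EXPLOITS", "exp-3", {}),
    ("mal-1", "TARGETED", "dev", {"seen": date(2014, 3, 1)}),
    ("mal-2", "TARGETED", "dev", {"seen": date(2012, 1, 5)}),   # older than twelve months
    ("mal-3", "TARGETED", "dev", {"seen": date(2014, 5, 9)}),   # recent, but the actor is not from CN
    ("sid:2001", "DETECTS", "mal-1", {}), ("sid:2002", "DETECTS", "mal-3", {}),
    ("mal-1", "DELIVERED_BY", "watering-hole", {}), ("mal-2", "DELIVERED_BY", "phish", {}),
    ("mal-1", "BEACONS", "c2.example", {"port": 80}), ("mal-1", "BEACONS", "upd.example", {"port": 443}),
    ("mal-2", "BEACONS", "c2.example", {"port": 80}),
]

def step(nodes, rel, out=True, ntype=None, pred=None):
    """One hop from `nodes` along `rel`; out=False walks the relationship backwards.
    `ntype` filters the node reached, `pred` filters on the relationship's properties."""
    found = set()
    for src, r, dst, props in EDGES:
        if r != rel or (pred and not pred(props)):
            continue
        here, there = (src, dst) if out else (dst, src)
        if here in nodes and (ntype is None or NODES[there]["type"] == ntype):
            found.add(there)
    return found

def exploits_used_against_team(country, team, today=date(2014, 6, 22), days=365):
    """'Which Exploits have actors from <country> used against <team> in the last twelve months?'"""
    actors = {n for n, p in NODES.items() if p["type"] == "Actor" and p.get("country") == country}
    theirs = step(actors, "USES", ntype="Malware")
    recent = step({team}, "TARGETED", out=False, ntype="Malware",
                  pred=lambda p: today - p["seen"] <= timedelta(days=days))
    return step(theirs & recent, "EXPLOITS", ntype="Exploit")

def ids_rules_covering_group(actor):
    """'Which IDS rules are in place to defend from malware used by <actor>?'"""
    return step(step({actor}, "USES", ntype="Malware"), "DETECTS", out=False, ntype="IDSRule")

def c2_domains(delivery, port):
    """'Display all C2 domains beaconed to over <port> by malware delivered by <delivery>.'"""
    malware = step({delivery}, "DELIVERED_BY", out=False, ntype="Malware")
    return step(malware, "BEACONS", ntype="Domain", pred=lambda p: p["port"] == port)
```

Each query is just a chain of `step` calls, so adding a hop (for example, from a Team to the hosts it owns) extends the question without rewriting the query logic; the constructed reference date of 2014-06-22 stands in for "today".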