FloCon 2018

Because of complex interdependencies among networked systems, risks associated with individual hosts, vulnerabilities, and events should not be considered in isolation. Moreover, complex mission systems and systems-of-systems are deployed across a multitude of networked cyber assets. In such contexts, both the likelihood and impact aspects of cyber risk are not determined by individual hosts, threats, vulnerabilities, or alerts. Rather, they are emergent properties of the patterns of relationships among such entities.

MITRE’s CyGraph is a methodology and tool for improving network security posture, maintaining situational awareness in the face of cyberattacks, and focusing on protection of mission-critical assets. Employing a multi-relational property graph formalism, CyGraph combines data from numerous sources to build a unified graph representation for network infrastructure, security posture, cyber threats, and mission dependencies. This forms an enterprise resilience knowledge base for remediating attack vulnerability paths and responding to intrusion events, focused on protecting mission-essential cyber assets. We leverage our previous work in topological vulnerability analysis for mapping known vulnerability paths through a network, along with capabilities for mapping enterprise mission dependencies on cyber assets. We then extend this by discovering and prioritizing risky multi-step patterns among traffic flows, alerts, and vulnerabilities.

CyGraph leverages big-data NoSQL graph database technology to capture the complex and large-scale relationships among entities in the cybersecurity domain. It employs graph queries for identifying risky patterns with prioritization of the matched subgraph clusters. Domain-specific CyGraph Query Language (CyQL) is compiled to the query language native to the backend graph database. CyGraph provides interactive graph visualization in the browser for navigating the results of CyQL queries. In this way, CyGraph discovers and prioritizes risky patterns among multi-step relationships in network data, and guides proactive remediation and reactive mitigation. CyGraph analytic queries support use cases such as prioritizing vulnerability paths for remediation and responding to intrusion incidents, while focusing on the protection of key cyber assets.

Attendees will learn:
Combining data from disparate sources into a unified graph knowledge base provides powerful capabilities for cyber risk assessment and analysis of system, mission, and enterprise resilience. For example, security professionals can apply such a knowledge base for mapping vulnerability paths, understanding mission dependencies on cyber assets, and detecting multi-step patterns of risk among traffic flows, alerts, and vulnerabilities. The combination of NoSQL graph database technology with domain-specific query language and interactive graph visualization provides a flexible and scalable solution for graph-centric cyber analytics.