Knowledge graphs: The secret of Google Search and now XDR

Wading through waves of alert noise to find real threats and manually connecting the dots to find context in real-time attacks are essential capabilities in today’s cyberthreat detection and response battleground.

While it sounds impossible, the same technological approach that helped index the entire Web can come in handy: a knowledge graph – similar to what powers Google Search – is an ideal technology foundation to make a generational leap in threat detection and response. Other organizations using a knowledge graph include Netflix (for their recommendation system) and AstraZeneca (to “unlock the secrets of disease”).

Google’s seminal article, “Introducing the Knowledge Graph: things, not strings,” can be likened to “signals and entities, not log lines” in a cybersecurity context. Today, cybersecurity analysts in the security operation center (SOC) must sift through the cacophony of telemetry and warning signals generated by disparate, siloed tools (SIEM, EDR/EPP, NGFW, cloud workload protections, etc.). Most analysts lack critical automation to interpret and cross correlate signals from different applications to generate context or to discover how attackers behave in cloud environments like AWS.

New solutions are needed

CISOs and security organizations recognize their current practices do not scale to address either the sophistication of today’s threats or the volume of security data and false alarms being generated. In a recent ESG study, 58% of respondents highlighted the need to enhance, aggregate and improve security analytics capabilities, and 95% indicated that SOC tool integration was a top priority.

To address these challenges, organizations are starting to use knowledge graphs and other advances including ML-led threat analysis, incorporation of threat hunting expertise, and better data management.

In the last year, the term XDR eXtended Detection and Response) was coined to describe solutions that integrate diverse telemetry and data sources, optimize SOC workflows, make SOCs more agile and significantly improve their ability to detect and respond to security threats. ESG already forecasts that 70% of enterprise organizations will invest in XDR within six months.

Making a real impact are XDR solutions that use knowledge graphs and other new technologies to offer not only an intuitive threat research, but also explainable findings.

What does knowledge graph technology offer?

The reason knowledge graph technology lies at the foundation of this transformation is that it provides a structured way to represent information on objects of different tiers, their interactions, and how these evolve over time.

Consider a metropolitan subway. A subway knowledge graph would include attributes and interaction data for tracks, cars, signals, stations, riders, employees, etc. Emphasizing interaction, a graph would detail how these objects communicate and interrelate (vs. merely generating event logs for each). Such a graph would also support access by multiple parties (transport authority, public works department, law enforcement, etc.) allowing reuse and diverse analyses.

Cyber threat detection can use knowledge graphs in a similar way. Knowledge graphs create an opportunity to represent suspicious behavior across the entire organizational attack surface, connect it through entities and relationships, and enrich it with organizational context and threat intel. This can serve as an automated context layer that can emphasize areas of attack and also help analysts understand what happened around a specific security event.

To be effective, a knowledge graph must build on what is already in place by understanding information coming from the different security and IT management products across the entire IT infrastructure, as well as external sources. It needs the right data infrastructure that can collect logs, events, telemetry and entities from dozens of data sources on premises and in the cloud, including EDRs, NDRs, cloud service providers, firewalls, identity and access management tools, SIEMs, and more.

A knowledge graph should make analysts more effective and support investigations and threat scoring.

Another key benefit is “explainability.”

Mapping findings back to knowledge in the graph provides rationale for attack classifications and conclusions. Explaining how controls are circumvented optimizes response and remediation. Moreover, a knowledge graph streamlines manual investigations and workflows. Rather than combing through log data from isolated sources, analysts mine graphs for context, observing relationships and attributes, improving efficiency of investigations and threat hunting.

Knowledge graph-based XDR is more than a hypothetical solution to the challenges of threat detection and response.