WWW.CROWDSTRIKE.COM CROWDSTRIKE // WHITE PAPER STOPPING BREACHES WITH THREAT GRAPH The Cutting-Edge Use of Graph Data Models and Analytics in Cybersecurity

CROWDSTRIKE // WHITE PAPER STOPPING BREACHES WITH THREAT GRAPH · 2018-08-16 · Harnessing the data to effectively stop breaches presents significant challenges. The first to overcome



"Siloed" is a word often used to describe the current state of cybersecurity solutions. It has also been blamed as the No. 1 reason why attackers manage to bypass defenses. The usual response to the challenge has been to integrate and centrally collect event data generated by those solutions. However, the growing number of successful data breaches demonstrates that this approach is insufficient. That’s because collecting the data is not the biggest challenge. The difficulty lies in determining how the data is used once it’s collected.

Harnessing the data to effectively stop breaches presents significant challenges. The first to overcome is the sheer volume of data. As computer systems generate billions of events daily, the amount of data to analyze over time can reach petabytes. Secondly, that data is often unstructured, discrete and disconnected. Without adequate structure, determining how individual events may be connected to an impending attack becomes a tedious and time-consuming manual process. In such an environment, detecting attacks is often difficult, and sometimes impossible.

CrowdStrike sought to solve this challenge by employing a graph data model to collect and analyze extremely large volumes of security-related data. Since no commercial graph database solutions were capable of meeting the unique requirements of cybersecurity, CrowdStrike designed and built its own -- the CrowdStrike Threat Graph™ -- to store, query and analyze relevant security events.

Graph theory is far from new. In fact, it has been used to solve mathematical problems for centuries. The sheer power and scalability of the graph data model has led to its adoption by some of the largest technology companies on earth, including Facebook, Microsoft and Google. CrowdStrike is the first to purposefully use a graph database for cybersecurity.

This white paper explains why graph data models are uniquely suited to solving current cybersecurity challenges, and details how CrowdStrike uses its own graph database to stop breaches.


Why Graph Databases Are So Powerful

Unlike most existing data models, such as relational databases, graph databases offer a simple, flexible and scalable way to store and model highly interconnected datasets. Those qualities are critical for the analysis of security data.

Detecting attacks requires the ability to track and store the interaction of users, machines, applications, network communications, system events, processes, disk access, and more -- as these interactions occur in the highly complex, rapid and dynamic environment that constitutes an endpoint.

Traditional databases were designed to fit data into predefined structures called schemas, presenting a major limitation for security analysis. If new data types or new relationships appear that were not accounted for in the original design, the information will not be stored. Put simply, with a traditional database schema, data that does not fit is lost. This presents an insurmountable obstacle to effective security analysis because lost data creates "blind spots" that attackers can exploit to avoid detection.

Conversely, graph databases can easily store and keep track of security events, despite the frequently unstructured and unanticipated nature of security data. It has been said, "If you can whiteboard it, you can graph it."


Example of Graph Database Structure

In a graph database, each object -- called a vertex or node -- can have many relationships. Those relationships are called "edges." For example, the graph model above represents the social interactions and gustatory preferences among a group of coworkers. In this case, Lisa and Marie are vertices, and each of their various relationships is an edge.


That’s because the graph model closely matches reality. In a graph database, each piece of data is stored as its own separate object with its own unique attributes. The data with its attributes is then attached to the graph. This gives graph databases the ability to grow and accept new types of data infinitely. As a result, they can be easily populated with properties and values, without adhering to a predetermined schema, and then immediately searched. That also makes graph databases very good at mapping relationships and uncovering the "interconnectedness" between entities in a network.

Adapting Graph Data Models to Cybersecurity

The powerful concept of graph data modeling is at the heart of the CrowdStrike Threat Graph, a powerful and massively scalable graph database that resides in the Cloud. Custom-built by CrowdStrike, Threat Graph’s capability for storing, visualizing, correlating and analyzing the vast quantity of event data generated by endpoints provides the CrowdStrike Falcon Platform™ with its unique ability to identify attacks in progress and actually stop breaches.

Feeding the Graph

Threat Graph is "fed" by a variety of sources. In addition to endpoint telemetry transmitted directly from Falcon Host sensors, it receives threat intelligence from CrowdStrike’s Falcon Intelligence team and from a variety of third-party sources. Its graph data model allows Threat Graph to process billions of events daily, streaming from millions of sensors, and to support more than 500,000 event writes per second. It also provides the ability to grow by orders of magnitude to accommodate petabytes of additional data. As a graph database built to fully utilize a highly elastic cloud infrastructure, Threat Graph can scale to meet any volume requirements.

This ever-growing, enriched data set creates a perfect environment for analyzing security data at an unprecedented scale, forming one of the primary pillars supporting CrowdStrike’s breach prevention capabilities.

Full Visibility, Instantly

The data stored in Threat Graph becomes immediately available for viewing, visualization and for retrospective searches. Some key use cases for taking advantage of this capability include the following:

Real-Time Attack Visibility and Drill-Down

Threat Graph’s instant access to data allows users to see and trace process execution on any endpoint in their environment, including rich contextual information such as the process name, arguments and exact time of execution, as well as the sequence of events following that execution (see Figures 1 and 2).


This is key to better understanding the context of code and other executables in an environment. Being able to observe the process, command-line arguments and timing allows security teams to observe suspicious and anomalous activity that could warrant action, and to trace potentially malicious activities in the full context of the affected machine.

Figure 1: The full context of code execution on an endpoint, displayed in a process tree.

Figure 2: The same chain of events, instantly displayed in the CrowdStrike Falcon user interface.


Visualization

Another advantage of Threat Graph lies in its ability to map dependencies and present the information visually. By visualizing data in this form (see Figure 3), analysts can spot outliers, inconsistencies and variances at a glance, and identify potential security issues in seconds.

Figure 3 represents a map of remote desktop connections per user account, as it is displayed in the Falcon Host management interface. The unusually high number of connections established by that account is a potential indication that the account may have been compromised. Threat Graph’s data visualization capability allows for instant identification of this suspicious behavior which would otherwise be very difficult to detect -- and could possibly go completely unnoticed.

Figure 3: Visualization of remote desktop connections per user and per system. Potential indication of compromised credentials.


Historical and Retrospective Searches

Since the state of the endpoints and the environment is kept over time, Threat Graph offers the powerful ability to look back and retrace events as they occurred on any endpoint. This provides analysts with the ability to trigger detections retrospectively. For example, if something is discovered today, its roots can be traced back to perform in-depth forensic analysis -- whether the event took place yesterday, last week, or last month. In this way, Threat Graph takes discovery and insight not only forward, but also backward, providing real-time and historical visibility into individual events across all the endpoints comprising a customer’s environment.
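The three use cases above, worked as an added Python example: a schema-less property graph of endpoint telemetry (vertices with free-form attributes, labelled edges), the process-tree drill-down of Figures 1 and 2, and the per-account remote desktop fan-out of Figure 3 run as a time-bounded retrospective search. This is illustrative code written for this page, not CrowdStrike’s Threat Graph implementation or API; the class name, the edge labels ("ran", "spawned", "rdp_to") and the sample telemetry are all constructed.

```python
from collections import defaultdict


class ToyThreatGraph:
    """Schema-less property graph (illustrative, not CrowdStrike's implementation).
    Vertices are attribute dicts; edges carry a label plus their own attributes."""

    def __init__(self):
        self.vertices = {}
        self.out_edges = defaultdict(list)  # src -> [(label, dst, attrs)]
        self.in_edges = defaultdict(list)   # dst -> [(label, src, attrs)]

    def add_vertex(self, vid, **attrs):
        self.vertices.setdefault(vid, {}).update(attrs)

    def add_edge(self, src, label, dst, **attrs):
        self.out_edges[src].append((label, dst, attrs))
        self.in_edges[dst].append((label, src, attrs))

    def process_ancestry(self, proc):
        """Drill-down (Figures 1 and 2): follow 'spawned' edges backwards from a
        process to the root of its tree; returns (name, cmdline) root-to-leaf."""
        chain = [proc]
        while True:
            parents = [s for lbl, s, _ in self.in_edges[chain[-1]] if lbl == "spawned"]
            if not parents:
                break
            chain.append(parents[0])
        return [(self.vertices[p]["name"], self.vertices[p]["cmdline"])
                for p in reversed(chain)]

    def rdp_fanout(self, since, threshold):
        """Retrospective search behind Figure 3: distinct hosts each user reached
        over 'rdp_to' edges at or after `since` (ISO 8601); flag users > threshold."""
        hosts = defaultdict(set)
        for user, edges in self.out_edges.items():
            for lbl, host, attrs in edges:
                if lbl == "rdp_to" and attrs["ts"] >= since:
                    hosts[user].add(host)
        return {u: len(h) for u, h in hosts.items() if len(h) > threshold}


def build_sample_graph():
    """Constructed sample telemetry (not real data): one process tree on a
    workstation plus remote desktop sessions for two accounts."""
    g = ToyThreatGraph()
    g.add_vertex("host:WS01", kind="host")
    g.add_vertex("proc:1", name="outlook.exe", cmdline="outlook.exe")
    g.add_vertex("proc:2", name="winword.exe", cmdline="winword.exe invoice.docx")
    g.add_vertex("proc:3", name="powershell.exe", cmdline="powershell.exe -File upd.ps1")
    for p in ("proc:1", "proc:2", "proc:3"):
        g.add_edge("host:WS01", "ran", p)          # edge type without a timestamp
    g.add_edge("proc:1", "spawned", "proc:2", ts="2018-08-01T09:00")
    g.add_edge("proc:2", "spawned", "proc:3", ts="2018-08-01T09:01")
    for i in range(2):                              # normal interactive use
        g.add_edge("user:alice", "rdp_to", f"host:SRV{i:02d}", ts=f"2018-08-01T10:0{i}")
    for i in range(7):                              # one account fanning out at 02:00
        g.add_edge("user:svc-backup", "rdp_to", f"host:SRV{i:02d}", ts=f"2018-08-01T02:0{i}")
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print(g.process_ancestry("proc:3"))
    print(g.rdp_fanout("2018-08-01T00:00", threshold=3))  # {'user:svc-backup': 7}
```

Narrowing `since` to a later timestamp drops the 02:00 sessions and the service account is no longer flagged, which is the retrospective, time-bounded view the section describes.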

Automated Analysis Eliminates Slow, Tedious Manual Processes

The type of real-time visibility and visualization described above is possible because automated analysis is performed on the data as soon as it is written to the database. The graph nature of the Threat Graph allows multiple detection methods and algorithms to run against the data simultaneously, leading to near-instant results. These methods include, but are not limited to, checking against known malware and using machine learning algorithms for detection of unknown malware and Indicators of Attack (IOAs).


IOAs are a means of detection pioneered by CrowdStrike. These indicators reflect a series of actions an adversary must perform to be successful in their attack. IOAs rely on the relationships, context and sequence of events to determine if an attack is in progress. Effective and efficient IOA creation and analysis have been enabled largely by the Threat Graph.

Prior to the Threat Graph, an analyst would have had to gather endpoint telemetry, sometimes from multiple sources, then add intelligence feeds, write their own correlation rules, and finally, pivot the data endlessly to determine how events might be related. This required slow, labor-intensive processes. In contrast, the Threat Graph offers one unified view of all events and intelligence known to CrowdStrike and its customer base spread across more than 175 countries. The analysis can be automated since all the data -- including intelligence, events and most importantly, their relationships -- are all kept in one place.

It is interesting to note that the endpoints themselves are not impacted by the analysis, since Threat Graph runs in the Cloud. This allows CrowdStrike to run concurrent tests, analysis and validation as required, leading to faster answers and response times.

Finding the "Unknown Unknowns"

We’ve seen that Threat Graph tremendously enhances and speeds the detection of attacks and patterns of attacks by providing unprecedented visibility, which in turn enables full automation of the analysis. But Threat Graph also excels in facilitating the discovery of new behaviors that have never been observed before: the so-called "unknown unknowns."

Figure: How the Threat Graph Works.

Threat Graph continually looks for malicious activity by applying a combination of graph analytics and machine learning algorithms across its data. The algorithms not only look at file features, but also track the behaviors and sequence of code execution in the customer’s environment. More importantly, the graph data model allows those algorithms to discover relationships between events that are not directly related, but which could constitute an attack that would otherwise remain undetected.

Another striking aspect of the Threat Graph is that it allows multiple algorithms to be run simultaneously. This concurrent analysis ultimately allows triggers, or potential threats, to be discovered much faster. In addition, the discovery of new triggers can automatically spawn additional analysis. This allows the whole system to learn and build its own intelligence over time. As more data is fed into the Threat Graph, more attack patterns are discovered. Those new detections are tested and added to the analysis process, increasing Threat Graph’s ability to quickly and automatically detect similar attacks. This potent combination of automation and intelligent analysis allows CrowdStrike to find these "unknown unknowns" that elude conventional security measures.

Enabling Managed Threat Hunting

Threat Graph enables unprecedented levels of automation to eliminate many of the manual processes that response teams typically endure to detect attacks. However, the threat landscape has changed. Security professionals increasingly must face off with human adversaries, who may have the skill and ingenuity to defeat even the most sophisticated automation. That’s why CrowdStrike has always advised that human security assets must be part of the defense chain. Once again, Threat Graph provides unique and exceptional help to achieve that.

A shining example of this is the way Falcon Overwatch, CrowdStrike’s proactive threat-hunting team, uses Threat Graph. As noted earlier, Threat Graph first automates the process of discovering triggers, eliminating a very lengthy and tedious process that overtaxes and underutilizes most in-house security teams. Once these triggers are presented to a managed hunting team such as Overwatch, the hunters can turn back to the Threat Graph for further investigation. At that point, they may need to run ad hoc queries, something at which Threat Graph excels. Unlike traditional databases, which are only really suited to providing answers to predetermined questions on a "big data" scale, graph databases can answer these off-the-cuff questions without delay or difficulty. In addition, since analysts often don’t know ahead of time what they will be asking, the ability to answer ad hoc queries is a "must-have" feature for successful and timely detections. In this way, Threat Graph enables the Falcon Overwatch team to hunt much more quickly and efficiently.

How CrowdStrike Customers Benefit from Threat Graph

Upon deployment of CrowdStrike Falcon solutions, the Threat Graph provides you with immediate benefits, such as:

• FASTER INVESTIGATIONS FOR FASTER RESPONSE TIME

Threat Graph stores the timeline of activity needed to detect and prevent attacks, and to provide advanced forensic capabilities. It then automates the manual processes required to triage events and discover triggers. Finally, it enables the Falcon Overwatch team to hunt down and validate each trigger. This type of investigation would normally take hours and even days, tying up precious security talent and resources, but with Threat Graph, the process can take place in minutes. The ability to conclude investigations faster allows CrowdStrike customers to respond to incidents as they are uncovered, gaining precious hours and days over your adversaries.

• THREAT GRAPH DOES THE JOB FOR YOU

Because new attack patterns are identified, created and validated in the Threat Graph, customers don’t have to worry about creating and updating their own detection patterns.

• THE POWER OF THE CROWD: COLLECTIVE INTELLIGENCE

One new artifact, technique, tool, process or tactic found at a single customer site can be immediately tested and validated across all customers. The scale and speed of Threat Graph enables CrowdStrike to do this in real time and historically, significantly increasing both the speed and precision of detection and prevention. If Threat Graph detects something in one customer environment, all customers benefit from it automatically.


Conclusion

CrowdStrike Threat Graph is the brain behind the Falcon Host prevention platform. It provides complete real-time visibility and insight into everything happening on your endpoints throughout your environment. Using powerful graph analytics to scour billions of events in real time, Threat Graph draws links between security events across the global Falcon Host sensor community to immediately detect and prevent adversary activity, at scale and with unprecedented speed. In this way, Threat Graph empowers CrowdStrike customers with an extraordinary level of protection against breaches.


ABOUT CROWDSTRIKE

CrowdStrike is the leader in next-generation endpoint protection, threat intelligence and response services. CrowdStrike’s core technology, the CrowdStrike Falcon™ platform, stops breaches by preventing and responding to all attack types – both malware and malware-free. CrowdStrike has revolutionized endpoint protection by being the first and only company to unify three crucial elements: next-generation AV, endpoint detection and response (EDR), and a 24/7 managed hunting service — all powered by intelligence and uniquely delivered via the cloud in a single integrated solution.

Falcon uses the patent-pending CrowdStrike Threat Graph™ to analyze and correlate billions of events in real time, providing complete protection and five-second visibility across all endpoints. Many of the world’s largest organizations already put their trust in CrowdStrike, including three of the 10 largest global companies by revenue, five of the 10 largest financial institutions, three of the top 10 health care providers, and three of the top 10 energy companies. CrowdStrike Falcon is currently deployed in more than 176 countries.

We Stop Breaches. Learn more: www.crowdstrike.com

crowdstrike.com | 15440 Laguna Canyon Road, Suite 250, Irvine, CA 92618

VER. 10.03.16