Real Life Story
A security bulletin is released for a ransomware product that lays dormant until triggered, including the file hashes for the malicious binaries. It is imperative that the security analyst determines an answer to a very simple question:
Has the file hash in question been observed anywhere in our network?
Unfortunately, the answer to this question is not so trivial, as file hashes can appear in many places, and as such the security analyst begins the manual process of looking for the information across all of their tools. They log into their EDR product and query for the hash across their managed employee workstations. They log into their SIEM and query syslog data from their servers. They log into their IDS and check for the hash in file download events. They log into their email tool and check for email attachments containing the relevant hashes. Any hits in any of the tools require further investigation and analysis across all of the tools. Hits in the EDR product lead to root cause analysis of where the files came from, which leads to analysis of network activity, which leads to analysis of email activity. In the time that it takes them to check and analyze all of these leads, the ransomware could detonate and encrypt countless workstations across the network, costing the organization millions in damages.
Cybermonic is different
With Cybermonic, a file hash is an entity in the Cyber Knowledge Graph, and it is populated whenever it is observed in any and all security and/or monitoring tools. A simple search for the hash in question on Cybermonic’s dashboard will identify the entity in our graph (if it exists), explain what data sources it was found in, when it was observed, and all other context related to what users downloaded it, emails it was found in, etc. The figure below shows an example of this scenario, with the FileHash node at the middle of the graph, and all other relevant context. We can immediately see the workstations where the file exists, who has logged into those workstations, the URL from where it was downloaded, and the email that contained the malicious URL- all highly relevant information when a ransomware outbreak is possible. Digging a little further, we can even see a new file hash sent from the same email sender which is highly suspect. By automatically identifying and presenting all of this information to the analyst, the Cybermonic platform can save hours of manual human-driven analysis, and ultimately the analyst is able to remediate the threat before the ransomware is detonated.
Generally, there is a problem with existing solutions
It can often be very difficult to answer simple questions about enterprise environments with the existing solutions. During many cybersecurity workflows (e.g. alert triage, incident response, vulnerability management, threat hunting, etc) analysts will have basic questions such as “Whose IP is this?”, “Have I seen this file hash before?”, or “Who has accessed this file?”. Answering these questions often requires interacting with multiple different systems and data sources, eating up valuable time that our security professionals do not have to spare.
However, with Cybermonic
A user of any proficiency level can perform exceedingly simple and intuitive bottom-up analysis across all security products. Cybermonic stores cyber data based on cyber primitives (e.g. IPs, Users, Systems, Hashes, Vulnerabilities, Directories, URLs, Domains, etc), as opposed to traditional time series log events from specific tools. This means, regardless of where the data came from, analysts can get quick answers to both simple and complex questions.
About Cybermonic
Cybermonic was founded by researchers with PhDs in graph systems, graph analytics, graph AI/ML, and a track record of DARPA funded research on cybersecurity challenge problems. They have perfected their graph systems and graph algorithms in order to supercharge cybersecurity analysts.