Real Life Story
A security analyst wants to automate the correlation of their threat intelligence feeds with all of their security telemetry. They currently purchase 3 different threat feeds, and correlate the data with 4 other log sources: Firewall logs, Email logs, Endpoint logs, and Syslog. They use Tines to create an automation, where they configure the querying and transformation of the data from each of the 3 threat feeds, and identify matches in any of their 4 log sources by identifying specific fields to match on. Across all 7 datasources (3 threat feeds, 4 log sources), the data is in different formats, with different fields names, and different access methods. The effective configuration of this automation took the analysts weeks to complete, and requires constant care and feeding as the underlying log sources change, and new threat feeds are added. Additionally, after analysis with Cybermonic, it was discovered that there was a large amount of activity involving entities associated with threat intelligence that were not being properly identified by the SOC.
Cybermonic is different
With Cybermonic, all threat feeds populate ThreatIntel entities in the Cyber Knowledge Graph, regardless of source or data feed. Similarly, all other security telemetry is ingested to this same common Cyber Knowledge Graph. By converting the cybersecurity data into this common representation, the process of performing threat intelligence analysis becomes much easier. The cybermonic threat intelligence workflow finds all ThreatIntel entities in the graph, and highlights any related activity. This activity could span any number of log sources and relationships. When new log sources are added, or new threat feeds are integrated, the underlying workflow does not change. As soon as any additional data is added to the graph, the threat intelligence workflow is able to make use of that information, and perform robust and accurate threat intelligence analysis.
Generally, there is a problem with existing solutions
Security automation playbooks are heavily dependent on the underlying security tooling, which varies widely from organization to organization. Automation rules for correlating threat-intelligence feeds with security events will be different depending on what threat-intelligence sources an organization has, what security products they have, and how both are configured. This complexity results in analysts spending unnecessary time building and tuning their security automations, and their automations being inherently inaccurate.
However, with Cybermonic
With Cybermonic, the analyst can create custom automations based on intuitive and simple workflows leveraging the Cyber Knowledge Graph and the entities found inside of it. Rather than having to build custom playbooks for each security vendor and threat intelligence feed in your environment, analysts can write simple workflows that reference cyber primitives like Alerts, Threat Intel, IPs, Vulnerabilities, etc. This makes building and maintaining these automation playbooks much easier, saving your analyst time, and organizations money.
About Cybermonic
Cybermonic was founded by researchers with PhDs in graph systems, graph analytics, graph AI/ML, and a track record of DARPA funded research on cybersecurity challenge problems. They have perfected their graph systems and graph algorithms in order to supercharge cybersecurity analysts.