Obstacles in understanding a security event
Real-life Story
A security analyst gets an alert from their email security product concerning a malicious URL that was clicked in an email. They are concerned that their account and/or system may have been compromised. They need to check the endpoint to make sure malware wasn’t downloaded, as well as authentication history, to make sure there hasn’t been unauthorized access to any internal resources from this user account. This requires logging in and accessing their EDR platform to check for any security alerts related to malware, or any unusual user activity (highly dependent on analyst skill and time allotment). They perform the same analysis for authentication history in their cloud authentication logs. They also check the email security system to see if they can identify any similar emails that may also be malicious, such that they can remediate them prior to the users clicking on the malicious link. In each case, the analyst will be required to have the knowledge and expertise to dig through the various consoles and interpret the results. In some cases, this may require writing custom queries in their SIEM platform. Through the potentially hours-long analysis, the analyst is able to identify an additional alert (unfamiliar sign-on) related to the activity, and additional phishing emails that require remediation.
Cybermonic is different
The Cybermonic system automatically correlates all the security events and stitches them together with any relevant context from any data source. In this case, Cybermonic would have automatically correlated the email alert, with the unfamiliar sign-on alert from the cloud authentication logs. This would immediately show the analyst that the account was indeed compromised. The analyst can continue to analyze the event inside the Cybermonic system, for example, to find all other emails that contain the same subject or the same sender. This would reveal that there were other emails also containing the malicious link which the analyst could remediate directly through Cybermonic. This way, the analyst can understand the full scope of the information immediately, without the need to go to various systems to aggregate information.
Cybermonic’s Cyber Knowledge Graph provides a comprehensive view of what data elements exist and how they relate to one another across all your cybersecurity tooling (IPs, Users, Files, Processes, Vulnerability, Systems, etc.).
Generally, there is a problem with existing solutions
The SOC analyst must cross-reference different security alert sources (e.g., endpoint protection, network protection, data loss prevention, email security, etc.) to get an accurate representation of the scope of each security incident. Even when a SIEM is in place, alerts and their various details are often stored in separate tables or fields and require manual correlation.
However, with Cybermonic
By nature of how the Cyber Knowledge Graph is generated, we provide out-of-the-box automatic alert correlation across all alert-generating security products. SOC engineers can set up further automation for correlating any additional data or field they want (common or custom).
About Cybermonic
Cybermonic was founded by researchers with PhDs in graph systems, graph analytics, graph AI/ML, and a track record of DARPA funded research on cybersecurity challenge problems. They have perfected their graph systems and graph algorithms in order to supercharge cybersecurity analysts.