What is Cyber Ontology? Deliver Context for Orchestration

Garry Fatakhov, December 7, 2016

The modern Security Operations Center (SOC) is a highly complex system of point tools, all designed to keep sensitive corporate data secure. Each of these tools creates disparate data points and incidents. Security analysts investigate the barrage of incidents and alerts, looking for clues while asking themselves: is this alert stemming from an actual event? What is the source of this alert? Has this been through our system before?

Out of context, these cyber security events are all just data points living in their own silos. The signs are easily misinterpreted, potentially leading to security disasters. But when viewed in context, these individual clues can tell a lot about the organization’s security. With context, analysts can understand relationships, see the entire story, and keep their organizations secure.   

How can organizations create that context?

Legacy Approach

Each cyber security event involves several entities, such as IPs, hosts, users, processes, etc. When creating Siemplify, we asked ourselves, how should analysts see cyber security events? Legacy methods are failing them.  

Traditional security solutions are built atop a tabular data structure, which creates an inherently flawed approach to cyber investigation and response. The challenges with this approach are well documented: analysts are reliant on slow and cumbersome queries; not all relevant relationships can be seen; and adding data sources or manipulating relationships is difficult, which greatly affects efficiency. Most importantly, as the data sources feeding the security environment continue to expand, these constraints become more pronounced and more detrimental. In between the layers and silos of traditional approaches, events fall through the gaping cracks.

Creating Context with Siemplify Cyber Ontology

Cyber security ontology defines a common vocabulary for security analysts who need to analyze and share information. It includes human-interpretable definitions of basic concepts in the cyber security domain and the relationships among them.

Siemplify Cybersecurity Ontology (SCO) is intended to support information integration and cyber situational awareness across the security ecosystem. This ontology helps to incorporate, integrate and fuse large amounts of heterogeneous security data from disparate cybersecurity systems and organizational data silos into a unified language.

Cyber ontology is used to translate cyber security data (events, incidents/cases, STIX, correlations, etc.) into a representation of entities (IP, user, removable device, etc.) and their relationships (event names, event properties, internal relations, etc.).

Different entities and relationships are shown as different icons, giving an easier and more meaningful understanding of these entities and relationships. The following two examples show how we present events in our system using Siemplify Cyber Ontology:

1) Cisco Ironport events representation:

[Image: Cisco-Ironport-events.jpg]

2) Microsoft Windows event: “An operation was attempted on a privileged object.”

[Image: Microsoft-Windows-event.jpg]

The typical enterprise security footprint includes an ever-expanding set of hosts, users, IP addresses, etc. With even a small organization having thousands of unique entities and an exponential set of relationships, it’s easy to understand the complexity of security investigation and response.  

Cyber Ontology Enables Next Generation Security Orchestration, Operations and Incident Response

Once the relationships are defined and the data language is unified, an intuitive graph serves as the canvas to understand the threat story line.

[Image: cyber-ontology.jpg]

Applying cyber ontology to events in real time allows their true source and significance to be understood in moments, rather than hours or days. Analysts gain clear insight into the questions that need to be asked and data trails are converted into meaningful assets. Cyber ontology helps organizations:

Create relationships: The visual graph database discovers and exposes relationships between events spanning time, location and source. Using proprietary algorithms above the graph we map connections between alerts across the SOC. Analysts can remediate issues faster and with more accuracy. It also means that analysts can easily discern if an alert is a new event that requires thorough investigation or a duplicate event that requires less investigation.

Evolve to incorporate data: Flexibility is paramount to the workings of the graph database. It is able to ingest and index vast amounts of data from varied sources, so the story it presents is one that is alive and continuously evolving. The structure is inherently built to understand network relationships and enable analysts to ask the questions they need answers to. As new data sources are added, existing relationships are maintained and expanded where appropriate.

Scale with corporate needs: With so much data being ingested, staying agile and fast is critical. Siemplify's ThreatNexus platform scales up or down with corporate needs to create a tailored solution, rapidly mapping and modeling threats.
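As an added illustration of the entity-and-relationship mapping described above (example code written for this page, not Siemplify's own implementation): two constructed record shapes, one modelled loosely on a Cisco IronPort mail event and one on the Windows "An operation was attempted on a privileged object" event (event ID 4674), are normalized through a small per-source ontology into (entity, relation) pairs, indexed in an entity graph, and then queried for the two questions the post opens with: which other alerts share an entity with this one, and has an identical event been seen before. The field names, relation names and sample values are assumptions.

```python
from collections import defaultdict

# Constructed sample events from two sources (not real data); ev4 repeats ev2.
EVENTS = [
    {"id": "ev1", "source": "cisco_ironport", "sender_ip": "203.0.113.7",
     "recipient": "alice", "host": "mail-gw1", "verdict": "quarantined"},
    {"id": "ev2", "source": "windows", "event_id": 4674, "user": "alice",
     "host": "ws-alice", "process": "cmd.exe"},
    {"id": "ev3", "source": "cisco_ironport", "sender_ip": "203.0.113.7",
     "recipient": "bob", "host": "mail-gw1", "verdict": "quarantined"},
    {"id": "ev4", "source": "windows", "event_id": 4674, "user": "alice",
     "host": "ws-alice", "process": "cmd.exe"},
]

# Per-source mapping of raw fields onto ontology entity types and relations
# (assumed names); unmapped fields such as "verdict" stay plain event properties.
ONTOLOGY = {
    "cisco_ironport": {"sender_ip": ("ip", "sent_from"), "host": ("host", "observed_on"),
                       "recipient": ("user", "delivered_to")},
    "windows": {"user": ("user", "performed_by"), "host": ("host", "occurred_on"),
                "process": ("process", "executed")},
}

def normalize(event):
    """Map one raw event onto a set of ((entity_type, value), relation) pairs."""
    mapping = ONTOLOGY[event["source"]]
    return frozenset(((etype, event[f]), rel)
                     for f, (etype, rel) in mapping.items() if f in event)

def build_graph(events=EVENTS):
    """Return (entity -> event ids, event id -> pairs, {duplicate id: first id})."""
    by_entity, by_event, seen, dups = defaultdict(set), {}, {}, {}
    for ev in events:
        pairs = normalize(ev)
        by_event[ev["id"]] = pairs
        for entity, _rel in pairs:
            by_entity[entity].add(ev["id"])
        first = seen.setdefault(pairs, ev["id"])  # same entity set = duplicate alert
        if first != ev["id"]:
            dups[ev["id"]] = first
    return by_entity, by_event, dups

def related(by_entity, by_event, event_id):
    """Other events sharing at least one entity with event_id, and which entities."""
    links = defaultdict(set)
    for entity, _rel in by_event[event_id]:
        for other in by_entity[entity] - {event_id}:
            links[other].add(entity)
    return dict(links)
```

Running `build_graph()` flags ev4 as a duplicate of ev2, and `related(..., "ev1")` links the mail event to ev3 through the shared sender IP and gateway host and to the Windows events through the user alice.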

Final Thoughts

Whether you are a small security team with a patchwork of tools or an advanced SOC, applying cyber ontology to your security footprint through a visual framework lets your true security story emerge. Confusion is replaced with clarity, guesswork is replaced with certainty, and misinterpreted information is a thing of the past.
