Why do defenders think in lists not graphs?

Last week I had the pleasure of participating in a panel session at CIISec Live, the annual conference delivered by the Chartered Institute of Information Security. This virtual event featured a fantastic range of speakers from across industry and academia, as well as many distinguished security practitioners.

The session was part of a stream on technology innovation and how industry is responding to new cybersecurity challenges, and I was joined on the panel by Dave Atkinson from Senseon, with Simon Goldsmith from OVO Energy as our moderator. We were speaking about how we could do more to leverage the enormous quantities of data produced by security tools, big data analytics and the day-to-day work of the SOC, and what role data science can play in unlocking hidden insights and value. The session was entitled ‘Attackers think in graphs, why do defenders still think in lists?’, a nod to John Lambert’s famous blog on the subject back in 2015 (for which he should really be on royalties).

The session covered a lot of ground, and I won’t try to cover it all here; the full talk is available to CIIS members on the event website. I did think it was worth summarizing some of the challenges, and the potential benefits innovation can deliver.

So why do defenders think in lists?

I think a large part of it is that’s how we’ve been trained. We’re used to receiving and interpreting information in lists from an early age, and cybersecurity is no exception. Many of the frameworks we follow, and the tools we use, present information as a prioritized list that we work through with our processes and playbooks: lists of vulnerabilities to remediate, alerts generated by a SIEM, tickets in ServiceNow, and many other examples. We should also factor in the way we bring people into the industry. Given the well-documented cyber skills shortage, we’re often asking inexperienced analysts to run complex investigations on their own. It’s common, therefore, for them to follow a prescriptive playbook documented by a senior colleague, and a playbook is itself a list.

The problem with lists

Firstly, it’s not true that all defenders think in lists. If we go back to the John Lambert quote mentioned earlier, it was based on a paper he wrote 6 years ago in which he interviewed better resourced, more advanced security teams about how they handled attacks. He found that the more advanced defenders had already moved away from lists and shifted their ‘defender’s mindset’ to visualize their networks by turning lists into graphs. It’s not that we haven’t been aware of the limitations of lists, more that we’ve lacked a simple way for security teams to reduce their reliance on them.

The fundamental problem with lists is that they strip out context. They present too many findings with no way to prioritize them on anything more meaningful than a severity score. It’s important that we know how many machines we need to protect, but we also need to understand which networks they can reach, which users have access to those machines, what security policies and controls should be implemented on them and which critical vulnerabilities are present, amongst other things. A critical vulnerability on an isolated lab machine and a medium one on an internet-facing server whose logged-on service account is an admin on the database look much the same in a list; only the relationships between those assets tell you which one to fix first. The problem we face as an industry is not a lack of information, but a lack of business and security context to drive this prioritization.

We need to shift from a list-based approach to one that helps us to understand the multi-dimensional relationships between assets. Security teams need a different operational view. They need to make sense of information from disparate tools, and this is where a graph approach makes sense: the entities each tool reports (hosts, identities, networks, findings) become nodes, and the relationships between them become the edges an attacker would actually traverse.

The evolving strategic landscape

We find ourselves part of an industry that is changing rapidly. A lot has been said about digital transformation and the acceleration caused by the pandemic, and it’s certainly true that workloads have moved to the cloud at scale. Figures from Gartner suggest that by 2023, 70% of enterprise workloads will run in the public cloud, up from 40% last year. This creates its own risk and visibility challenges and introduces another set of cloud workload protection (CWP) and cloud security posture management (CSPM) tooling for us to manage, each with its own inventory and its own list of findings.

The cybersecurity industry continues to grow to address these challenges. According to a recent report from Momentum Cyber, more than $11.5bn has been invested in 430+ companies in the first half of this year, making 2021 another record year for cybersecurity investment. More vendors means more tools, and that highlights the ongoing need for better integration between them, something that’s driving the growing standardization of API descriptions, including the work being done by the OpenAPI Initiative.

The role of technology innovation

Looking at these trends, we need to better understand cyber risk, and provide prioritized insights for defenders to act on. Two specific areas for innovation are front of mind:

  • The Adoption of Graph – already widely used in other sectors, including retail, social media and financial services. By 2025 Gartner estimates that graph databases will be used in 80% of data and analytics innovation. Available in open source and commercial models, graph databases store relationships as first-class data, so multi-hop questions (which internet-facing hosts hold credentials that are admin on a critical server?) become a traversal rather than a chain of joins across tables. They allow us to unlock data context to provide more insights to make better decisions. This is the path to a more intelligence-driven defense.
  • Broader Security Automation – Security teams make limited use of automation today, because automating complex security processes, particularly intrusive remediation such as isolating a host or revoking a credential, needs a level of confidence that list data does not provide. If we build these workflows on the high-fidelity data provided by graph, we can automate based on greater certainty, expanding the range of potential use cases, and giving us the necessary speed and scale to defend against modern attacks. The caveat is that the graph is only as good as the inventory feeding it: a missing or stale edge is a blind spot, so coverage and freshness of the data sources become first-order controls before any automated action is trusted.
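As an added example (this is not code from the panel, from Noetic or from John Lambert’s post), the Python below ranks one constructed vulnerability list both ways: first as the flat list a scanner emits, sorted by CVSS, and then over a small asset graph built from the kind of inventory data discussed under “The problem with lists” above (hosts, networks, exposed credentials, a crown-jewel database). Every host, user, network and finding ID is hypothetical. The graph ranking puts a medium finding on the internet-facing web server ahead of a 9.8 on a laptop that no short attack path uses, and sinks findings on an unreachable lab host to the bottom; a deterministic, explainable ordering of this kind is the sort of input on which the automation in the second bullet could be built.

```python
"""Added example: rank the same vulnerability list as a flat list (CVSS only)
and as a graph (position on an attack path from the internet to a crown jewel).
Standard library only; all inventory data below is constructed, not real."""
from collections import defaultdict, deque

# --- Constructed sample inventory (hypothetical hosts, networks, users, findings) ---
HOSTS = {                       # host -> network it lives in, and whether it is a crown jewel
    "web01":     {"network": "dmz",  "critical": False},
    "jump01":    {"network": "corp", "critical": False},
    "db01":      {"network": "corp", "critical": True},
    "hr-laptop": {"network": "corp", "critical": False},
    "lab01":     {"network": "lab",  "critical": False},   # nothing routes into "lab"
}
ROUTES = {"internet": ["dmz"], "dmz": [], "corp": [], "lab": []}  # network -> networks it can reach
CREDS = [                       # (user, host, relation): where a credential sits and what it can do
    ("svc-deploy", "web01",     "session"),   # deploy account logged on to the DMZ web server...
    ("svc-deploy", "jump01",    "admin"),     # ...and local admin on the internal jump host
    ("alice",      "jump01",    "session"),
    ("alice",      "db01",      "admin"),
    ("bob",        "hr-laptop", "session"),
]
VULNS = [                       # (finding id, host, CVSS) exactly as a scanner would list them
    ("VULN-A", "hr-laptop", 9.8),
    ("VULN-B", "web01",     7.5),
    ("VULN-C", "jump01",    6.5),
    ("VULN-D", "db01",      5.3),
    ("VULN-E", "lab01",     9.0),
]


def build_graph(hosts, routes, creds):
    """Directed graph of 'net:*' and 'host:*' nodes; an edge means 'from here an attacker can get there'."""
    g = defaultdict(set)
    for net, targets in routes.items():
        for t in targets:
            g[f"net:{net}"].add(f"net:{t}")             # network routing
    for h, meta in hosts.items():
        g[f"net:{meta['network']}"].add(f"host:{h}")    # anyone on the network can reach the host
        g[f"host:{h}"].add(f"net:{meta['network']}")    # a compromised host gives up its network
    sessions, admins = defaultdict(set), defaultdict(set)
    for user, host, rel in creds:
        (sessions if rel == "session" else admins)[user].add(host)
    for user in sessions:
        for src in sessions[user]:
            for dst in admins[user] - {src}:
                g[f"host:{src}"].add(f"host:{dst}")    # steal the credential on src, admin on dst
    return g


def hops_from(graph, start):
    """BFS shortest hop count from start; nodes absent from the result are unreachable."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def reverse(graph):
    r = defaultdict(set)
    for src, dsts in graph.items():
        for d in dsts:
            r[d].add(src)
    return r


def prioritize_flat(vulns):
    """The list view: highest CVSS first, nothing else considered."""
    return [v[0] for v in sorted(vulns, key=lambda v: -v[2])]


def prioritize_graph(vulns, hosts, routes, creds, entry="net:internet"):
    """The graph view: shortest attack path (internet -> host -> crown jewel) first, CVSS as tie-break.
    Returns [(finding id, hops from internet, hops to nearest crown jewel)]; None means no path."""
    g = build_graph(hosts, routes, creds)
    exposure = hops_from(g, entry)
    rg = reverse(g)                      # BFS on the reversed graph gives distance *to* a crown jewel
    blast = {}
    for h, meta in hosts.items():
        if meta["critical"]:
            for node, d in hops_from(rg, f"host:{h}").items():
                blast[node] = min(d, blast.get(node, d))

    def key(v):
        node = f"host:{v[1]}"
        e, b = exposure.get(node), blast.get(node)
        on_path = e is not None and b is not None
        return (not on_path, (e + b) if on_path else 0, -v[2])   # unreachable hosts sort last

    ranked = sorted(vulns, key=key)
    return [(v[0], exposure.get(f"host:{v[1]}"), blast.get(f"host:{v[1]}")) for v in ranked]


if __name__ == "__main__":
    print("flat :", prioritize_flat(VULNS))
    for vid, e, b in prioritize_graph(VULNS, HOSTS, ROUTES, CREDS):
        print(f"graph: {vid}  internet->host {e} hops, host->crown jewel {b} hops")
```

Running it prints the two orderings side by side: the flat list leads with VULN-A and VULN-E, the graph ranking leads with the three findings that sit on the four-hop path web01 → jump01 → db01. The edges here are hand-built; in practice they come from the CMDB, cloud provider APIs, the directory and EDR session data, and the ranking is only as trustworthy as those feeds are complete and current.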

These are some of my quick thoughts based on last week’s session. The full quote from John Lambert’s famous blog is ‘Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.’ So, for defenders to gain the advantage, we need to think differently and embrace technology innovation. I’d like to thank Simon Goldsmith and the CIIS for the opportunity to participate in their fantastic event, plus my co-speaker Dave Atkinson for a thoroughly enjoyable panel session.

You can watch a replay of the panel via the event website (free for CIIS members), or find out more about how Noetic is approaching this problem here.