How companies are fighting cybercrime with graph data technology

black barbwire in close up photography during daytime
Photo by Антон Дмитриев

Fraud costs ASEAN businesses millions of dollars every year. Cybercrime is a particular issue for the South East Asian region, with 25% of respondents surveyed by PWC reporting an increased risk in cybercrime as a result of COVID-19. In The State of Financial Crime 2022: Key Takeaways for Asia Pacific Firms, the UN Office on Drugs and Crime (UNODC) identified a 600% rise in cybercrimes in the region.

A report by AppsFlyer found that Southeast Asia’s losses accounted for 40 percent of the total estimated fraud losses in the wider region, totalling USD$650 million. The leading method of fraud was bot attacks, with Vietnam experiencing the highest number of attacks, followed by Singapore.

Only recently, Singtel’s Optus subsidiary, which operates Australia’s second-largest mobile network, suffered a significant cyberattack that resulted in a major data breach of customer information among its 10 million subscribers. As well as reputational loss, the telco faces costly compensation claims and has also received million-dollar ransom demands. Singtel also just confirmed that the personal data of 129,000 customers and 23 businesses were obtained in a cyber-attack two years ago in 2020.

Conventional enterprise-grade security and methods for preventing cybercrime are clearly no longer working. Part of the problem is the imbalance between defenders and attackers. Security teams have a much bigger job, protecting against every possible attack and patching every possible vulnerability. They have many different responsibilities. Attackers have just one focus: finding and exploiting a single weak link.

Lists vs graphs

Cybersecurity teams rely on data from a wide range of sources. Large enterprises have an average of 75 security tools deployed, all of them generating constant alerts and logs. Additionally, many other apps and services also generate relevant log files. Large enterprises generate an estimated 10 to 100 billion events per day. This volume of data is nearly impossible to manage through traditional database analysis.

While defenders are working through a list, attackers think in graphs. Modern systems are densely interlinked webs in which an attacker needs to compromise only one node to spread quickly across the whole network. Lists and tables may be good for collecting and processing data, but they miss critical relationships between data points. John Lambert, from Microsoft Threat Intelligence Centre, has observed that: “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”

By taking a graph-based approach to security, organisations can map their complex and interlinked infrastructure and enrich it over time. The power of a graph is that it captures different entities but also the relationships and dependencies between them. This creates a digital twin that can be used to test and run different scenarios.

Proactive cyber defences

The nature of many cyberattacks is that they start at one small point and spread. Containing the infection – corralling off infected devices and disconnecting them – becomes a race against time. With a clear model of all infrastructure, it’s much easier to identify the most important assets and better target security investments.

Suspicious behaviour shows up as patterns, reducing the mean time to detection and enabling infected systems to be isolated. Over time, historic patterns of abnormality can be recognised, potentially heading off threats before they break through.

MITRE, a not-for-profit IT firm that works with US government agencies, needed to find more sophisticated ways to assess security posture and attack response. The problem wasn’t a lack of information, but an inability to bring all the data together into an overall analytic picture.

By building a graph database, MITRE has been able to transform cybersecurity information into knowledge. The model evolves with available data sources and desired analytics. Because it tracks the relationships between entities, it provides context for reacting appropriately to attacks and protecting mission-critical assets.

The security graph also incorporates mission dependencies, showing how objectives, tasks and information all depend on other cyber assets. Intrusion alerts can be correlated to known vulnerability paths, suggesting courses of action. It also makes post-attack forensics easier, revealing vulnerable paths that may warrant deeper investigation.
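The two ideas above, that compromise propagates along relationships (Lists vs graphs) and that a security graph can tie alerts to mission dependencies and likely paths (MITRE's model), are easier to see on a small graph. The following is an added example, not code from the article, from Neo4j or from MITRE. It stores a constructed set of assets, users, services and mission objectives as an adjacency structure and answers three defender questions about an alert on one node: what the blast radius is, which mission objectives are exposed, and which nodes are choke points whose isolation cuts the alerted node off from a critical asset. All node names and relationship types are invented for illustration.

```python
"""Toy security graph: blast radius, exposure paths and choke points.

Everything below is constructed sample data; node names and relationship
labels are hypothetical and carry no meaning outside this example.
"""
from collections import deque

# Constructed edges: (source, relationship, target). Direction encodes how a
# compromise can propagate: a device logs in as a user, a user can administer
# a host, a host runs a service, and a service supports a mission task.
EDGES = [
    ("laptop-42", "LOGS_IN_AS", "alice"),
    ("alice", "CAN_ADMIN", "jump-host"),
    ("jump-host", "CAN_ADMIN", "db-server"),
    ("jump-host", "CAN_ADMIN", "file-server"),
    ("db-server", "RUNS", "customer-db"),
    ("file-server", "RUNS", "backup-share"),
    ("customer-db", "SUPPORTS", "task:process-payments"),
    ("backup-share", "SUPPORTS", "task:nightly-backup"),
    ("task:process-payments", "SUPPORTS", "objective:revenue"),
    ("task:nightly-backup", "SUPPORTS", "objective:resilience"),
    ("printer-7", "LOGS_IN_AS", "svc-print"),
    ("svc-print", "CAN_ADMIN", "print-server"),
]


def build_graph(edges):
    """Adjacency list: node -> list of (relationship, neighbour)."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
        adj.setdefault(dst, [])
    return adj


def blast_radius(adj, start):
    """Every node reachable from `start` along propagation edges (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for _rel, nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def shortest_path(adj, start, goal):
    """Shortest exposure path as a list of (node, relationship, node) hops,
    or None when `goal` is not reachable from `start`."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for rel, nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if goal not in prev:
        return None
    path, cur = [], goal
    while prev[cur] is not None:
        parent, rel = prev[cur]
        path.append((parent, rel, cur))
        cur = parent
    return list(reversed(path))


def affected_objectives(adj, alert_node):
    """Mission objectives that sit inside the alerted node's blast radius."""
    return sorted(n for n in blast_radius(adj, alert_node)
                  if n.startswith("objective:"))


def choke_points(adj, start, goal):
    """Nodes (other than the endpoints) whose removal disconnects `goal` from
    `start`: the first candidates to isolate during containment."""
    result = []
    for node in adj:
        if node in (start, goal):
            continue
        pruned = {k: [(r, d) for r, d in v if d != node]
                  for k, v in adj.items() if k != node}
        if shortest_path(pruned, start, goal) is None:
            result.append(node)
    return sorted(result)


if __name__ == "__main__":
    graph = build_graph(EDGES)
    alert = "laptop-42"  # constructed: the node an intrusion alert fired on
    print("blast radius:", sorted(blast_radius(graph, alert)))
    print("objectives exposed:", affected_objectives(graph, alert))
    print("path to customer-db:", shortest_path(graph, alert, "customer-db"))
    print("choke points:", choke_points(graph, alert, "objective:revenue"))
```

The same alert on `printer-7` reaches no objective at all, which is the triage signal a list of alerts cannot give: two alerts of equal severity have very different consequences depending on what their nodes connect to. In a graph database such as Neo4j these traversals would be expressed as path queries rather than hand-written breadth-first search, but the questions are the same relationship-at-a-time questions that a table join answers poorly.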

Cybersecurity is always going to be a cat-and-mouse game, with defences and attack methods both continuing to increase in sophistication. It will likely never be possible to guarantee complete security, which makes using a security graph to detect breaches all the more important if measures to limit the attack are to be taken quickly.

By Nik Vora, APAC vice president, Neo4j

This article was first published by Asia Pacific Security Magazine