Security vendor Sift Security emerged from stealth mode on July 20 with $3.25 million in an angel round of funding and the promise of using graph database technology to enable threat hunting and incident response.
At the core of Sift Security's threat hunting and incident response platform is a graph database, which is different from a traditional structured SQL or unstructured NoSQL database.
"Our mission is to make it easier, faster and less frustrating for security operations teams to get their jobs done," Neil King, CEO of Sift Security, told eWEEK. "We're enabling our mission through the use of open big data platforms, graph data structures and some innovative data science."
The Sift Security platform has a data ingestion capability called graph mapper, which creates graph data structures and indices from raw logs, King explained.
To help enable graph mapper, the company is using some third-party technology, including logstash, a popular open-source tool for managing events and logs, explained Raymond Canzanese, CTO of Sift Security.
"The graph mapping itself is all custom code we have written," Canzanese told eWEEK. "So we developed the schema for describing what the map is from an organization's data logs to the graph database."
Sift Security's platform also uses the open-source Apache Spark big data platform to enable the data analysis to run as a distributed process. Canzanese explained that from a data flow perspective, data comes into logstash and then is processed in Apache Spark; the processed data is then written to a graph database where more advanced data navigation and threat correlation is possible.
Sift is using the open-source Titan graph database, Canzanese said. Using an open-source graph database will enable others to extend the built-in capabilities that Sift is providing, he said.
A graph database provides a different type of representation than a traditional SQL database, which Canzanese said is helpful for security analysis. In security investigations, researchers will typically run queries such as where does a given IP address log into a system, or with a given user, what are they running.
"The graph data structure is completely agnostic to the data source itself," Canzanese said.
As such, it doesn't matter if the IP address or the user came from a host, server or application log; in the graph database, it's just a user or just an IP address, regardless of the data source, he said.
Canzanese explained that a graph data structure can help make sense of disparate sources of threat intelligence. So, for example, alerts come in from antivirus, firewall and other security technologies that in isolation don't always tell the full story.
"Knowing that a firewall blocked something as an isolated event is quite boring," Canzanese said. "But as that firewall-blocked event is related to the whole chain of events around the same user credentials or IP address, the event becomes more interesting."
Sift Security does not rely on an organization first defining a baseline level of normal activity in order to determine potential outliers and threats.
"The algorithms we use can work with corrupted data, so an organization doesn't have to provide a baseline in order to find potential risks," Canzanese said. "You can just throw data at the algorithms, and it will show you where the outliers are."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.